June 19, 2021

Missing Dots in Email Addresses Allow Security Researchers to Catch 120,000 Messages

(LiveHacking.Com) – Security researchers have captured thousands of emails by buying domains for commonly mistyped email addresses. Over six months they grabbed 20GB of data made up of 120,000 wrongly sent messages. These emails included trade secrets, business invoices, personal information about employees, network diagrams and passwords.

According to researchers Peter Kim and Garret Gee of the Godai Group, around 30% of the top 500 companies in the US were vulnerable to this data leak.

The problem arises because of the way some organisations set up their email systems. Most companies use a single domain for all email, but some use subdomains. So rather than just user@bank.com, the company has set up us.bank.com for its USA employees, uk.bank.com for its UK employees, and so on.

By buying domains like usbank.com and ukbank.com, the researchers were able to catch emails addressed to user@us.bank.com that, due to a typing error, were sent to user@usbank.com instead (without the dot after ‘us’).
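The check an organisation with dotted mail subdomains would want is the reverse of what the researchers did: list every "missing dot" variant of its own hostnames that lands in a registrable domain it does not own, so those names can be registered defensively or flagged when they turn up as recipients in outbound mail logs. The following is an added example, not code from the article or from the Godai Group research; the function names are hypothetical, the recipient list is constructed, and it simplifies by treating the last two labels as the registrable domain rather than consulting the Public Suffix List.

```python
"""Defensive enumeration of 'missing dot' doppelganger domains.

Added example: hypothetical helper names, constructed sample data.
"""
from __future__ import annotations


def missing_dot_variants(host: str, registrable_labels: int = 2) -> dict[str, str]:
    """Map each missing-dot variant of `host` that falls into a *different*
    registrable domain to that registrable domain (the name an outsider could buy).

    Assumption (simplification): the registrable domain is the last
    `registrable_labels` labels; a production tool would use the Public Suffix
    List.  The dot in front of the TLD is never merged, because 'bankcom' is
    not a TLD and such a variant cannot be registered.
    """
    labels = host.lower().strip(".").split(".")
    own = ".".join(labels[-registrable_labels:])
    found: dict[str, str] = {}
    # i is the index of the dot being dropped (between labels[i-1] and labels[i]).
    for i in range(1, len(labels) - 1):
        merged = labels[: i - 1] + [labels[i - 1] + labels[i]] + labels[i + 1 :]
        reg = ".".join(merged[-registrable_labels:])
        if reg != own:  # 'mailcorp.bank.com' stays under bank.com, so it is harmless
            found[".".join(merged)] = reg
    return found


def doppelganger_registrables(hosts) -> dict[str, str]:
    """Registrable doppelganger domain -> the legitimate host it shadows.

    This is the list to register defensively or to watch for in mail logs.
    """
    table: dict[str, str] = {}
    for host in hosts:
        for _variant, reg in missing_dot_variants(host).items():
            table.setdefault(reg, host)
    return table


def flag_recipients(addresses, table) -> list[tuple[str, str]]:
    """Return (address, legitimate host) for every recipient whose domain is,
    or sits under, a known doppelganger registrable domain.  Intended to run
    over the recipient column of an outbound mail log."""
    hits = []
    for addr in addresses:
        domain = addr.rsplit("@", 1)[-1].lower()
        for reg, legit in table.items():
            if domain == reg or domain.endswith("." + reg):
                hits.append((addr, legit))
                break
    return hits


# Constructed sample data: the hostnames an organisation uses for mail and a
# few recipients as they might appear in its outbound mail log.
OUR_MAIL_HOSTS = ["us.bank.com", "uk.bank.com", "mail.corp.bank.com"]
CONSTRUCTED_RECIPIENTS = [
    "bob@usbank.com",           # missing dot: would leak to whoever owns usbank.com
    "carol@us.bank.com",        # correct
    "dan@example.org",          # unrelated third party
    "erin@mail.corpbank.com",   # missing dot deeper in the name
]


def report(hosts=OUR_MAIL_HOSTS, recipients=CONSTRUCTED_RECIPIENTS):
    """Build the watch list and return the recipients that match it."""
    return flag_recipients(recipients, doppelganger_registrables(hosts))


if __name__ == "__main__":
    for reg, legit in sorted(doppelganger_registrables(OUR_MAIL_HOSTS).items()):
        print(f"watch/register {reg:<20} (shadows {legit})")
    for addr, legit in report():
        print(f"ALERT outbound mail to {addr}; did the sender mean {legit}?")
```

The watch list doubles as a mail-gateway rule: rejecting or holding outbound messages whose recipient domain matches it turns a silent leak into a bounce the sender notices, which is the feedback the mistyped addresses in the article never produced.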

Rather than getting an email back reporting the mistyped address, the sender's email in fact went to the researchers. From there the email was forwarded to the correct address, but with a bogus reply address so that the researchers could capture all the replies as well. This is what is known as a man-in-the-middle attack, or, more specifically for email, a man-in-the-mailbox attack.

Writing on the blog of security firm Sophos, Mark Stockley said: “It’s striking that the researchers managed to capture so much information by focusing on just one common mistake. A determined attacker with a modest budget could easily afford to buy domains covering a vast range of organisations and typos.”