Missing dots from email addresses opens 20GB data leak

Status
Not open for further replies.

Linuxfever

New Member
Thread author
Jan 11, 2011
131
Sophos said:
Security researchers have captured 120,000 emails intended for Fortune 500 companies by exploiting a basic typo. The emails included trade secrets, business invoices, personal information about employees, network diagrams and passwords.

Researchers Peter Kim and Garrett Gee did this by buying 30 internet domains they thought people would send emails to by accident (a practice known as typosquatting).

The domain names they chose were all identical to subdomains used by Fortune 500 companies save for a missing dot.

Having purchased the domains they simply sat back and watched as users mistakenly sent them over 120,000 emails in six months.

Kim and Garrett have not identified their targets but have revealed that they were chosen from a list of 151 Fortune 500 companies they regarded as vulnerable to their variation of typosquatting. The list is jam-packed with household names like Dell, Microsoft, Halliburton, PepsiCo and Nike.

The emails they collected included some worryingly sensitive corporate information, including:

  • Passwords for an IT firm's external Cisco routers
  • Precise details of the contents of a large oil company's oil tankers
  • VPN details and passwords for a system managing road tollways]

Read more
 

Tom172

Level 1
Feb 11, 2011
1,009
Bad spelling opens up security loophole

A missing dot in an email address might mean messages end up in the hands of cyber thieves, researchers have found.

By creating web domains that contained commonly mistyped names, the investigators received emails that would otherwise not be delivered.

Over six months they grabbed 20GB of data made up of 120,000 wrongly sent messages.

Some of the intercepted correspondence contained user names, passwords, and details of corporate networks.

http://www.bbc.co.uk/news/technology-14842691
 

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
RE: Bad spelling opens up security loophole

This is a must carefully type some websites caused misspelled websites could not only lead to non existent but it can produce security risk.

Example was a nightmare domain of goggle that said its installed a fake AV called Spysheriff.
 

Dejan

New Member
Mar 3, 2011
559
Eh, people can be dumb, sending sensitive info like that without even double-checking the email address..
 
D

Deleted member 178

if everybody was smart, the world will be a peaceful place.
 
Status
Not open for further replies.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top