Web users who accidentally misspell an email address may see their messages end up in the hands of cybercriminals, say security researchers.
Peter Kim and Garret Gee of the Godai Group registered a number of web domains that matched common misspellings of real company names, or that were missing a dot in a specific place (for example a subdomain such as us.example.com written as usexample.com). Such look-alike domains are known as doppelganger domains.
Over six months the pair collected 120,000 emails, some 20GB of data, that had been sent to these misspelt addresses. Had the doppelganger domains not been registered, the messages would have bounced back to their original senders as undeliverable; because the domains did exist and accepted mail, the emails were delivered to the researchers instead. Kim and Gee revealed that many of the messages contained user names, passwords and even details of corporate networks.
"Doppelganger domains have a potent impact via email as attackers could gather information such as trade secrets, user names and passwords, and other employee information," the pair said in a paper about the research.
Worryingly, just one of the firms involved noticed what was going on and tracked down the researchers. The pair believe some 30 percent of the top 500 US firms are vulnerable to this type of attack.
Furthermore, attackers could forward the intercepted emails on to their intended recipients with a bogus return address, so that the replies also pass through the attacker, who can then read the entire email conversation, a technique known as a man-in-the-middle attack.
Mark Stockley from security firm Sophos warned web users to encrypt and password protect sensitive data "so that if it does end up in the wrong hands it can't be used".
"Organisations can also prevent emails being sent to specific misspelled domains through their DNS or mail server configurations. Of course this approach won't prevent people outside your organisation from misspelling your domains," he said in a blog.
"It's striking that the researchers managed to capture so much information by focusing on just one common mistake."
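The two sides of the story above, the "missing dot" enumeration the researchers relied on and the mail-server or DNS configuration Stockley recommends, can be tied together in one short script. The following is an added example and is not code from the Godai Group research or from Sophos; the domain names, the fake resolver results and the Postfix `error:` transport-map wording are constructed for illustration, and the optional live lookup assumes the dnspython package.

```python
"""
Added example (not from the Godai Group paper or the Sophos post): enumerate the
'missing dot' doppelganger domains for an organisation's mail subdomains, check
which of them currently accept mail, and emit the Postfix transport-map and
null-MX records that stop internal users from mailing them by mistake.
All domain names and the resolver results below are constructed placeholders.
"""
from typing import Callable, Dict, Iterable, List


def missing_dot_variants(fqdn: str) -> List[str]:
    """Return every name produced by dropping one internal dot from fqdn,
    e.g. 'us.example.com' -> ['usexample.com']. The dot before the TLD is
    kept: 'example.com' -> 'examplecom' is not a registrable name."""
    labels = fqdn.lower().strip(".").split(".")
    variants = []
    for i in range(len(labels) - 2):           # never merge the last two labels
        merged = labels[:i] + [labels[i] + labels[i + 1]] + labels[i + 2:]
        variants.append(".".join(merged))
    return variants


def registered_doppelgangers(subdomains: Iterable[str],
                             has_mx: Callable[[str], bool]) -> Dict[str, str]:
    """Map each doppelganger that currently has an MX record (i.e. somebody is
    collecting mail for it) to the legitimate subdomain it shadows."""
    found = {}
    for fqdn in subdomains:
        for variant in missing_dot_variants(fqdn):
            if has_mx(variant):
                found[variant] = fqdn
    return found


def live_has_mx(name: str) -> bool:
    """Real DNS check using dnspython (pip install dnspython); imported lazily
    so the rest of the script runs offline. Any lookup failure counts as 'no MX'."""
    try:
        import dns.resolver
        return len(dns.resolver.resolve(name, "MX")) > 0
    except Exception:
        return False


def postfix_transport_map(doppelgangers: Dict[str, str]) -> str:
    """Postfix transport(5) entries: the 'error:' transport makes the MTA bounce
    any message addressed to that domain immediately, with the given text, so a
    typo by an internal user never leaves the organisation."""
    return "\n".join(
        f"{bad}\terror:typo of {good}, mail not sent"
        for bad, good in sorted(doppelgangers.items())
    )


def null_mx_records(doppelgangers: Dict[str, str]) -> str:
    """Zone lines for an internal resolver: a null MX (RFC 7505, 'MX 0 .')
    tells internal clients the domain accepts no mail at all."""
    return "\n".join(f"{bad}.\tIN\tMX\t0 ." for bad in sorted(doppelgangers))


# Constructed sample: the organisation's real mail subdomains, and a fake
# resolver that pretends two of the doppelgangers have been registered.
SUBDOMAINS = ["us.example.com", "uk.example.com", "mail.us.example.com"]
FAKE_REGISTERED = {"usexample.com", "mail.usexample.com"}


def demo() -> Dict[str, str]:
    """Run the enumeration against the constructed resolver."""
    return registered_doppelgangers(SUBDOMAINS, lambda n: n in FAKE_REGISTERED)


if __name__ == "__main__":
    found = demo()          # swap in live_has_mx to query real DNS
    print(postfix_transport_map(found))
    print(null_mx_records(found))
```

Run with the fake resolver, the script flags usexample.com and mail.usexample.com and prints one transport-map line and one null-MX line for each. The transport map only protects mail leaving your own MTA, which is exactly the limitation Stockley notes: nothing in this file stops an outsider from misspelling your domain, so the same list is also the set of names worth registering defensively or monitoring for new MX records.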