
Misspelt emails could end up in the hands of hackers

Researchers intercept 120,000 emails in six months through doppelganger domains

Web users who accidentally misspell an email address may see their messages end up in the hands of cybercriminals, say security researchers.

Peter Kim and Garret Gee of the Godai Group created a number of web domains, known as doppelganger domains, that featured commonly misspelt names or were missing a dot in specific places.

Over six months the pair got their hands on 120,000 emails that featured these common misspellings. Had the doppelganger domains not existed, the messages, which equated to 20GB of data, would have been returned to the original sender. However, because these misspelt domains existed, the emails were delivered. Kim and Gee revealed that many of these messages contained user names, passwords, and even details of corporate networks.

"Doppelganger domains have a potent impact via email as attackers could gather information such as trade secrets, user names and passwords, and other employee information," the pair said in a paper about the research.

Worryingly, just one of the firms involved noticed what was going on and tracked down the researchers. The pair believe some 30 percent of the top 500 US firms are vulnerable to this type of attack.

Furthermore, hackers could forward on the original emails they received, featuring a bogus return address that would enable the hacker to see the entire email conversation, a process known as a Man in the Middle attack.

Mark Stockley from security firm Sophos warned web users to encrypt and password protect sensitive data "so that if it does end up in the wrong hands it can't be used".

"Organisations can also prevent emails being sent to specific misspelled domains through their DNS or mail server configurations. Of course this approach won't prevent people outside your organisation from misspelling your domains," he said in a blog.

"It's striking that the researchers managed to capture so much information by focusing on just one common mistake."
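The outbound check suggested above can be sketched as follows. This is an added example, not code from the article or the researchers' paper: it derives the missing-dot lookalike of each of an organisation's own mail hosts and flags outgoing recipients that fall under one. The host names are constructed, the function names are hypothetical, and the suffix length (`tld_labels`) is an assumption the caller sets.

```python
"""Flag outbound recipients whose domain is a missing-dot lookalike of our own hosts."""

# Constructed sample data: the organisation's legitimate mail hosts.
OWN_HOSTS = ["us.example.com", "mail.eu.example.com", "example.com"]


def doppelganger_zone(fqdn, tld_labels=1):
    """Return the registrable domain formed when the dot between the last
    subdomain label and the registered name is dropped, e.g.
    us.example.com -> usexample.com. Returns None if there is no subdomain.
    tld_labels is the number of labels in the public suffix (assumption:
    1 for .com, 2 for something like .co.uk)."""
    labels = fqdn.lower().rstrip(".").split(".")
    if len(labels) < tld_labels + 2:
        return None  # bare registered domain: no dot to lose
    cut = len(labels) - tld_labels - 1  # index of the registered name label
    merged = labels[cut - 1] + labels[cut]
    return ".".join([merged] + labels[cut + 1:])


def build_blocklist(own_hosts, tld_labels=1):
    """Map each lookalike zone to the legitimate host it imitates."""
    zones = {}
    for host in own_hosts:
        zone = doppelganger_zone(host, tld_labels)
        if zone:
            zones[zone] = host
    return zones


def check_recipient(address, blocklist):
    """Return the intended host if the address targets a lookalike zone
    (or any host beneath it), otherwise None."""
    domain = address.rsplit("@", 1)[-1].lower().rstrip(".")
    for zone, intended in blocklist.items():
        if domain == zone or domain.endswith("." + zone):
            return intended
    return None


if __name__ == "__main__":
    blocklist = build_blocklist(OWN_HOSTS)
    # Constructed outbound recipients.
    for rcpt in ["alice@us.example.com", "alice@usexample.com",
                 "bob@mail.euexample.com", "dave@notusexample.com"]:
        hit = check_recipient(rcpt, blocklist)
        print(rcpt, "->", f"HOLD (meant {hit}?)" if hit else "ok")
```

The resulting zone list is what would be fed into a mail server's outbound recipient restrictions or an internal DNS override, so that a mistyped address is rejected at the organisation's own edge.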
