When Typos Lead to Trouble
If you’re like me, you’ve probably mistyped a URL or two. Maybe you were in a hurry or your fingers got ahead of your brain. So you ended up at Twiter.com or on Ghoogle instead of Google. Cybercriminals cash in on these typos by buying up domain names that are very close to legitimate URLs and setting up dummy sites to capture valuable personal information. This activity is known as typosquatting, i.e., squatting on sites that people reach through typos.
This poses a risk both to individuals and to organizations. For individuals, landing on a phony site that you think is real can lead you to divulge passwords, credit card numbers, contact information, and other private details. The next thing you know, your email account has been hijacked, your friends are receiving phishing emails, and you’re the victim of identity theft.
A new form of typosquatting poses an even larger threat to organizations. Instead of misspelling a domain name, it involves leaving out the all-important “dot” when entering an email address. As a result, the email never reaches its intended recipient and is instead captured by cybercriminals, who can then access whatever sensitive data the message contains.
Researchers Garrett Gee and Peter Kim of the Godai Group tested the efficacy of these “doppelganger domains” over a six-month period. They were able to intercept more than 120,000 individual emails representing 20GB of data, ranging from trade secrets to employees’ personal identifying information. Gee and Kim reported that 30 percent of Fortune 500 companies are susceptible to attacks from doppelgangers.
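One way a mail administrator can look for this kind of misaddressed message in their own outbound traffic is sketched below. This is an added example, not code from the original post or from the Godai Group. It assumes the dropped dot is the one between a subdomain and the organization's domain, that the registrable domain is the last two labels, and it uses a constructed host inventory and constructed log lines under the reserved `.test` and `.example` names.

```python
import re

# Assumption: constructed inventory of the organisation's own mail hostnames.
OWN_HOSTS = ["corp.test", "us.corp.test", "mail.eu.corp.test"]

def lookalike_domain(host, base_labels=2):
    """Return the domain produced by dropping the dot in front of the
    registrable domain, or None if the host has no subdomain.
    Assumption: the registrable domain is the last `base_labels` labels;
    use the Public Suffix List for suffixes such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) <= base_labels:
        return None
    sub, base = labels[:-base_labels], labels[-base_labels:]
    return ".".join([sub[-1] + base[0]] + base[1:])

def build_watchlist(hosts):
    """Map each look-alike domain to the real host it imitates."""
    watch = {}
    for h in hosts:
        d = lookalike_domain(h)
        if d:
            watch[d] = h
    return watch

RCPT = re.compile(r"to=<?[^@\s<>]+@([A-Za-z0-9.-]+)>?")

def flag_misaddressed(log_lines, watch):
    """Return (line_no, recipient_domain, intended_host) for each hit."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for dom in RCPT.findall(line):
            dom = dom.lower().rstrip(".")
            for bad, real in watch.items():
                if dom == bad or dom.endswith("." + bad):
                    hits.append((n, dom, real))
    return hits

# Constructed sample lines (simplified format, not a real MTA log).
SAMPLE = [
    "10:01 from=<ann@corp.test> to=<bob@us.corp.test> status=sent",
    "10:02 from=<ann@corp.test> to=<bob@uscorp.test> status=sent",
    "10:03 from=<ann@corp.test> to=<ops@mail.eucorp.test> status=sent",
    "10:04 from=<ann@corp.test> to=<carl@partner.example> status=sent",
]

if __name__ == "__main__":
    for hit in flag_misaddressed(SAMPLE, build_watchlist(OWN_HOSTS)):
        print(hit)
```

The same watchlist can feed an outbound mail rule that holds or rejects messages to those domains before they leave the organization.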
If this information doesn’t have executives sweating, it should. With our emphasis on cutting-edge technology and gadgets, we often overlook the fact that human negligence is still the leading cause of data breaches. The crooks know what your weaknesses are. Do you?
(Image: Mactitioner on Flickr)