20GB Data leak from missing dots!

Ed Borasky (@znmeb) pointed me to the article "Missing dots from email addresses opens 20GB data leak". In it, Mark Stockley explains an easy-to-follow scheme for obtaining private information, based on the errors users make when writing an email address.

Security researchers have captured 120,000 emails intended for Fortune 500 companies by exploiting a basic typo. The emails included trade secrets, business invoices, personal information about employees, network diagrams and passwords. Researchers Peter Kim and Garrett Gee did this by buying 30 internet domains they thought people would send emails to by accident (a practice known as typosquatting).

And in all this, they are not even doing anything illegal! But they could easily have gone further, crossing the line and exploiting the misspelled addresses to put themselves between the originator and the recipient (a man-in-the-middle attack). That way they would have been intercepting all the correspondence. How? By forwarding the original mail to the intended recipient (with the email address corrected) and expecting them to simply click 'Reply'. The answer would then go to the typo domain, and to keep the originator from getting suspicious, they would pass that answer back to the originator.

So when sending your next big idea, be sure to check your spelling!
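Spell-checking by eye does not scale, so here is one way a mail administrator could automate it. This is an added example, not code from the article or the researchers; it assumes the typo is a dropped dot between host labels and a single-label TLD, and every host name and address in it is constructed.

```python
# Added example: flag outbound recipients whose domain is one of our own
# host names with a dot dropped. All names below are constructed placeholders.

def missing_dot_variants(fqdn):
    """Return every domain obtained by deleting one dot from fqdn,
    keeping the last dot so the result still has a TLD."""
    labels = fqdn.lower().rstrip(".").split(".")
    variants = set()
    # Merging labels i and i+1 removes the dot between them; the final pair
    # is skipped so the TLD stays separate (assumes a single-label TLD).
    for i in range(len(labels) - 2):
        merged = labels[:i] + [labels[i] + labels[i + 1]] + labels[i + 2:]
        variants.add(".".join(merged))
    return variants

def build_watchlist(own_hosts, own_domains):
    """Map each look-alike domain to the legitimate host it imitates."""
    watch = {}
    for host in own_hosts:
        for variant in missing_dot_variants(host):
            # A variant still under a domain we own cannot leak mail outside.
            if any(variant == d or variant.endswith("." + d) for d in own_domains):
                continue
            watch[variant] = host
    return watch

def check_recipients(recipients, watch):
    """Return (address, suggested_correction) for each suspicious recipient."""
    hits = []
    for addr in recipients:
        local, _, domain = addr.rpartition("@")
        domain = domain.lower().rstrip(".")
        if local and domain in watch:
            hits.append((addr, f"{local}@{watch[domain]}"))
    return hits

# Constructed sample data.
OWN_DOMAINS = ["example.com"]
OWN_HOSTS = ["us.example.com", "mail.eu.example.com"]
OUTBOUND = ["alice@us.example.com", "bob@usexample.com",
            "carol@mail.euexample.com", "dave@partner.example.org"]

if __name__ == "__main__":
    watchlist = build_watchlist(OWN_HOSTS, OWN_DOMAINS)
    for addr, fix in check_recipients(OUTBOUND, watchlist):
        print(f"possible typo: {addr} -> did you mean {fix}?")
```

The same watchlist doubles as the list of look-alike domains worth registering or monitoring yourself.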
