Tuesday 13 September 2011

Spelling mistakes can lead to online security breaches

If you have a friend with a very complicated email address or even just a name you frequently misspell like mine, you have to be extra careful when typing out their addresses when you send them an email. Researchers have found that cyber thieves create commonly misspelled domains and usernames for email addresses. What this means is when you make a mistake in spelling the name of the intended recipient's email address, it could end up in the inbox of a cyber thief instead of just bouncing back to you. Investigators looking into this have grabbed 20GB from over 1,20,000 wrongly sent emails in the past six months. Of course, some of the intercepted emails contained private information like usernames and passwords, as well as private corporate information.

Usually, it's companies that fall victim to this practice. When a company has one domain for their website and multiple domains for their individual business units, they tend to differentiate between domains with the use of dots. So for instance, a multinational television company in the US would have the email address us.company.com, while in India they might have company.india.com. If a sender messes up the placement of the dots and the order of the words, chances are, the email will end up in the hands of thieves.

Some attackers that are actually clever will go unnoticed by being a middle man. The obvious way such a practice would be caught would be that recipients keep reporting that they're not receiving emails intended for them, but senders aren't getting emails bounced back. A clever thief would actually forward on the email to its intended sender. Of course, this means, that when the recipient hits reply and an email chain starts, that's more information that a thief receives. Mark Stockley wrote on the Sophos security firm's blog, "A determined attacker with a modest budget could easily afford to buy domains covering a vast range of organisations and typos."

No comments:

Post a Comment