• United States



The danger of missing dots

Sep 12, 20112 mins
Data and Information Security

More details have emerged regarding the security risks one creates from sloppy typing.

In this case, missing dots from email addresses can apparently open the victim up to a 20GB data leak.

Independent Web consultant Mark Stockley writes about the problem in the Sophos Naked Security blog:

Security researchers have captured 120,000 emails intended for Fortune 500 companies by exploiting a basic typo. The emails included trade secrets, business invoices, personal information about employees, network diagrams and passwords.

Researchers Peter Kim and Garrett Gee did this by buying 30 internet domains they thought people would send emails to by accident (a practice known as typosquatting).

The domain names they chose were all identical to subdomains used by Fortune 500 companies save for a missing dot.

Having purchased the domains they simply sat back and watched as users mistakenly sent them over 120,000 emails in six months.

This is another variation of the typosquatting I wrote about Friday. In that post, the folks at M86 Security Labs described an attack where the bad guys take advantage of people who end up typing in an incorrect domain name.

In that example, botched Youtube searches were the catalyst.

The simple lesson here is to be careful when typing, whether it’s an email or Web search.

–Bill Brenner

one-stop view of latest business threats. We created it for you! Bookmark it! Use it!

CSO’s Daily Dashboard gives you a