Doppelganger Danger
How one small dot—if part of a typosquat—can lead to security breach
- By Ronnie Rittenberry
- Jan 01, 2012
In the world of literature, folklore and myth, the appearance of a doppelganger is generally bad news. Often depicted as ghostly doubles (and literally meaning “double walkers” in German), doppelgangers usually portend illness, danger or even death when they show up in stories. Well, now the same is pretty much true when they surface in the world of e-commerce.
Doppelganger domains, as they’ve been dubbed, are domains whose names are nearly identical to those of legitimate companies except the doppelganger version—registered for presumably nefarious purposes—is strategically missing the dot that separates the legitimate version’s subdomain from the domain. For example, “ussecurity.com” would be a doppelganger for “us.security.com.” E-mails intended for the latter domain but sent without the initial dot would be routed to the doppelganger site, potentially for malicious use. Cyberthieves deploying the doppelganger site could then cover the misdirection by redirecting the original e-mail to the legitimate domain.

At the same time, the doppelganging ne’er-do-wells could also send out e-mails from their bogus domains and hope that some recipients wouldn’t notice the missing dot and open the e-mail. Malware could ensue.
Squatter’s Rights?
Now, from one angle, doppelganger domains are merely variations on a theme that has been playing on the Internet for about as long as e-commerce has been around. They are forms of the larger general practice known as “typosquatting,” or URL hijacking, which relies on the same principle of exploitation whereby cyberthieves register domains with names that are deliberately very close to legitimate names in hopes that users will unwittingly arrive at the squatted site by virtue of making a typo when entering the Web address.

Usually, the variance in the squatted domain name is the absence or presence of a single letter (“yuube.com” instead of “youtube.com,” for example) or a different top-level domain (“us.security.org” as opposed to “us.security.com”). With the availability of generic top-level domains set to expand this year (and, given the necessary approval process, to actually start appearing in 2013), the opportunities for mistakes and malefaction associated with this ploy are likely to increase. The only thing making doppelganger domains distinct from other forms of cybersquatting is the absence of their one tiny, potentially easy-to-miss, subdomain-dividing dot.
Researchers at Godai Group, a San Francisco-based “information security think tank,” coined the term for the new breed of hacking misdeed in their recently issued white paper on the subject (found at http://godaigroup.net). In the paper, they note that doppelganger domains “have a potent impact via email as attackers could gather information such as trade secrets, user names and passwords, and other employee information.”
To prove their point, the researchers profiled every Fortune 500 company and found 151 of them (or 30 percent) vulnerable to doppelganger domain danger. By industry, specialty retailers were the most susceptible to the fraud, followed closely by commercial banks and telecommunications companies.

During its research, the group found that some doppelganger domains for the companies had already been registered to locations in China and to domains associated with malware and phishing. According to the report, “While it is unknown if these domains are used in a malicious fashion, it is apparent that some targeting is happening here.”

Further, the group set up 30 doppelganger accounts itself for various firms just to see what would happen. After a six-month test period, the accounts had attracted 120,000 e-mails amounting to 20 gigabytes of data, including potentially valuable information such as contracts, invoices, reports, network diagrams and more.

“Twenty gigs of data is a lot of data in six months of really doing nothing,” said senior researcher Peter Kim to Wired. “And nobody knows this is happening.”
Doppel Jeopardy
The Godai Group recommends several steps for mitigating doppelganger danger, including purchasing and registering any conceivable doppelganger domain; internally configuring Domain Name System (DNS) servers to not resolve any doppelganger domains (which would protect internal-only e-mail from being accidentally sent to one); and identifying if attackers are already using a doppelganger domain against your company and, if so, filing a Uniform Domain Dispute Resolution Policy (UDRP) against them with the Internet Corporation for Assigned Names and Numbers (ICANN).
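As an added example (not Godai Group’s tooling or the article’s own code), the script below carries out the internal-DNS and detection steps just described: from the subdomains an organization actually uses for e-mail it derives the dotless doppelganger names, emits resolver entries that make them fail to resolve internally, and flags outbound mail-log recipients at those names. The hostnames, the Postfix-style log lines and the Unbound `local-zone` syntax are assumptions of the example.

```python
import re

# Constructed: subdomains a hypothetical organization uses for e-mail.
LEGIT_HOSTS = ["us.security.com", "uk.security.com", "mail.us.security.com"]

# Constructed Postfix-style delivery records for the outbound scan below.
MAIL_LOG = [
    "Jan  5 10:01:12 mx1 postfix/smtp[4121]: 7A2B: to=<alice@us.security.com>, status=sent",
    "Jan  5 10:02:43 mx1 postfix/smtp[4121]: 7A3C: to=<bob@ussecurity.com>, status=sent",
    "Jan  5 10:03:09 mx1 postfix/smtp[4121]: 7A4D: to=<carol@partner.example>, status=sent",
    "Jan  5 10:04:51 mx1 postfix/smtp[4121]: 7A5E: to=<dave@mail.ussecurity.com>, status=sent",
]

def doppelgangers(host):
    """Names formed by deleting one dot between subdomain labels of host.

    'us.security.com' -> {'ussecurity.com'}. The dot before the TLD is never
    deleted, so a bare 'security.com' yields nothing.
    """
    labels = host.lower().strip(".").split(".")
    names = set()
    for i in range(len(labels) - 2):  # never merge into the TLD label
        merged = labels[:i] + [labels[i] + labels[i + 1]] + labels[i + 2:]
        names.add(".".join(merged))
    return names

def watchlist(hosts):
    """Union of doppelganger names for every legitimate host."""
    return set().union(*(doppelgangers(h) for h in hosts))

def recipient_hits(lines, names):
    """Return (address, domain) for recipients at a watched name or under it."""
    hits = []
    for line in lines:
        m = re.search(r"to=<([^>]+)>", line)
        if not m:
            continue
        addr = m.group(1)
        domain = addr.rsplit("@", 1)[-1].lower()
        if any(domain == n or domain.endswith("." + n) for n in names):
            hits.append((addr, domain))
    return hits

def unbound_local_zones(names):
    """Unbound 'static' local-zone lines: NXDOMAIN for the name and everything
    under it (syntax assumed from Unbound; adapt for other resolvers)."""
    return [f'local-zone: "{n}." static' for n in sorted(names)]
```

Running `recipient_hits(MAIL_LOG, watchlist(LEGIT_HOSTS))` on the constructed log flags the two recipients at dotless names, while `unbound_local_zones(watchlist(LEGIT_HOSTS))` yields the resolver lines for the internal DNS step.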
The obvious challenge of trying to proactively buy up the doppelganger domains is that the number of potential mistypings of a particular URL is not necessarily fathomable, making it at the very least difficult to acquire all of them so that a company would not be vulnerable to this type of hacktivity.

For smaller companies, the time and expense of preventing such potential typo-oriented security breaches could be a factor and call into question how significant a threat this type of attack really is. After all, according to the Godai Group’s own results, most companies—70 percent, in fact—were not deemed susceptible to doppelganger jeopardy. Nevertheless, the group noted that while its research focused on Fortune 500 companies, the vulnerability could exist for any organization that uses subdomains.
The group notes in the paper that it does free domain scanning to determine doppelganger susceptibility. For more information, visit http://godaigroup.net/free-doppelganger-domain-scan/.
This article originally appeared in the January 2012 issue of Security Today.