A study into the impact of Doppelganger Domains has revealed that of the Fortune 500 companies, 151 companies (or 30%) were susceptible to attacks.Doppelganger Domains are a new type of typosquatting that takes advantage of an omission instead of a misspelling. They occur when the domain spelled identical to a legitimate fully qualified domain name (FQDN) but missing the dot between host/subdomain and domain, to be used for malicious purposes. Doppelganger Domains have a potent impact via email as attackers could gather information such as trade secrets, user names and passwords, and other employee information.In their study, the Godai Group outlines two types of email based attacks that are possible with a Doppelganger Domain. These are where:
- the first attack vector is completely passive. Once the attacker purchases the Doppelganger Domain, they will configure an email server to receive all email addressed to that domain, regardless of the user it was destined to. This type of configuration is also known as a catch-all email account. As email is a high-volume, primary communication mechanism for many corporations, a small percentage of those emails will be sent to the wrong destination because of user error (a typo by the email’s sender). The attacker relies on this fact and will start collecting emails from both internal and external users.
- the second attack vector involves social engineering and is likely to be only used on specific individuals. As a Doppelganger Domain can be very similar to the legitimate email domain, an attacker will impersonate a person and attempt to obtain sensitive information via social engineering.
The Godai Group conducted a six month study where over 120,000 individual emails (or 20 gigabytes of data) were collected which included trade secrets, business invoices, employee PII, network diagrams, usernames and passwords, etc. Essentially, a simple mistype of the destination domain could send anything that is sent over email to an unintended destination.The most popular keywords used, with over 400 counts for each one, were “investigation”, “credit card”, “password”, “login” and “contract”.Examples of a Doppelganger Domain are where a company may have an email address of name@us.company.com or name@ru.bank.com. The attacker may use email addresses such as name@uscompany.com or name@rubank.com.Using the above scenario, which outlined diagrammatically in the report, an attacker could purchase both uscompany.com and rubank.com allowing them to capture the mistyped email domains. When an email is mis sent from us.company.com to rubank.com, the email arrives instead in the attacker’s mailbox. The attacker creates a script to auto‐forward those emails from his uscompany.com address to the legitimate ru.bank.com address.Most likely, the recipient at the ru.bank.com address will be unaware that the email sourced from a Doppelganger Domain. The ru.bank.com user will then reply to the Doppelganger Domain email address, with the pertinent information we requested.The ru.bank.com user then replies to the wrong email address, instead sending it to the uscompany.com address. When that response comes in to the attacker’s uscompany.com mailserver, the attacker again creates a script to auto‐forward that email out of our rubank.com email address to the valid us.company.com. If both parties are unaware of the mistyped address, the attacker now has a full Man‐in‐the‐MailBox scenario.The study outlines the issue in more detail, and also gives some “mitigation strategies” to defend against Doppelganger Domains and the two email-based attacks that stem from them, as well as offering to provide services to prevent the problem themselves.The mitigation strategies offered are:
- purchase and register the Doppelganger Domains. On the external DNS, configure those domains to not resolve anywhere so that the sender would receive a bounced email notification.
- Identify if attackers are already using a Doppelganger Domain against your company, and file a Uniform Domain Dispute Resolution Policy (UDRP) if they are.
- Internally configure the DNS to not resolve any Doppelganger Domains, even if your company does not own them. This will protect internal only email from being accidentally sent to a Doppelganger Domain.
- An alternative to configuring the internal DNS for Doppelganger Domains is to configure the mail server to not allow any outbound email destinations to Doppelganger Domains.
- Communicate the attack vector to your internal users, customers, and business partners. The more awareness they have on social engineering attacks, the less susceptible they will be.
To download and read the full report from the Godai Group, go to files.godaigroup.net/doppelganger/Doppelganger.Domains.pdf or see godaigroup.net for more information in general about the Godai Group.