
Researchers' Typosquatting Stole 20 GB of E-Mail

Posted by Soulskill
from the of-tips-and-icebergs dept.
NeverVotedBush writes "Two researchers who set up doppelganger domains to mimic legitimate domains belonging to Fortune 500 companies say they managed to vacuum up 20 gigabytes of misaddressed e-mail over six months. The intercepted correspondence included employee usernames and passwords, sensitive security information about the configuration of corporate network architecture that would be useful to hackers, affidavits and other documents related to litigation in which the companies were embroiled, and trade secrets, such as contracts for business transactions."
  • Re:Good test. (Score:2, Interesting)

    by Anonymous Coward on Friday September 09, 2011 @12:18PM (#37353426)

    "Delivered incorrectly" is different from "addressed incorrectly". One is an error of the Postal Service, the other is an error of the sender.

  • by Riceballsan (816702) on Friday September 09, 2011 @12:29PM (#37353580)
    Better question: why are high-end companies sending top secret confidential data over normal unencrypted e-mail? Even your bottom-of-the-line MMORPG sends a note to its users saying a GM will never ask for or send your password via e-mail, but our Fortune 500 companies can't match that level of security? Typical e-mail passes unencrypted past so many hands it isn't funny. The typical e-mail from home to work passes unencrypted across a wifi network, that may or may not be compromised if it was even bothered to be secured, to your ISP where low wage monkeys may or may not have access, across the cloud where it will pass through unknown number of nodes, to the entry mailservers at said company, that may or may not be managed by medium wage contractors that know they only have the job for a few months at best anyway, finally to the person who it is intended to go to. Yeah I see no reason to think twice before sending my SSN CC# and confidential data through an e-mail.
  • Re:Good test. (Score:4, Interesting)

    by gstoddart (321705) on Friday September 09, 2011 @01:37PM (#37354702) Homepage

    It doesn't. It didn't work for real mail so why should it work for email?

    You get something unsolicited, and you are free to do with it whatever you choose. It's up to the sender to get the address right in all cases.

    Well, in this case, you have to make the explicit step of setting up an alternate site, and having something there to get email. So you've explicitly put stuff in place to catch these messages.

    Under normal circumstances, the user would get a bounce-back of the message ... so, someone might be able to argue that it's not like something was delivered to you out of the blue. You've actually created the thing that it gets delivered to, and made it look as close as you could to the intended one.

    At a minimum, this might get into a gray area, and might be full on illegal, even if you were only passively receiving the mis-directed stuff thereafter.

    I don't think you can make the claim that you just happened to be receiving these emails.
