The following story is just a big LOL, and once again documents how ridiculously easy it is to be a profitable cyber criminal today. Luckily for the prominent corporations that make up the famous Fortune 500 list, these guys were not hackers – they are IT security researchers.
“If in six months we were able to collect 20 gigabytes of data, imagine what a malicious attacker could gain.”
Peter Kim – Garrett Gee
All they did was buy internet domain names that were almost identical to those of well-known global corporations – just missing a dot. It wasn’t long before emails containing everything from trade secrets, business invoices and personal information about employees to network diagrams and passwords started to pour in…
Security researchers Peter Kim and Garrett Gee have captured 120,000 emails intended for Fortune 500 companies by exploiting a basic typo.
“The emails, which included trade secrets, personal information, network diagrams and passwords, started to pour in,” the website Naked Security (by security firm Sophos) writes.
The researchers did this by buying 30 internet domains they thought people would send emails to by accident (a practice known as typosquatting).
The domain names they chose were all identical to subdomains used by Fortune 500 companies save for a missing dot.
Having purchased the domains they simply sat back and watched as users mistakenly sent them over 120,000 emails in six months.
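To make the technique concrete from the defender's side, here is an added example (not the researchers' tooling or anything from the paper) that generates the missing-dot doppelganger for each of an organisation's mail hosts and, in the other direction, checks outbound recipient addresses against the organisation's own domains to catch a dot that was dropped. The host inventory and recipient list are constructed, and the code assumes every registrable domain is exactly two labels (`example.com`); ccSLDs such as `co.uk` would need a public-suffix list.

```python
"""Doppelganger-domain generator and outbound-recipient check.

Added example, not the researchers' code. Assumption: every
registrable domain is exactly two labels (example.com); names under
ccSLDs such as co.uk would need a public-suffix list.
"""
from __future__ import annotations

from typing import Iterable


def doppelganger_domain(hostname: str) -> str | None:
    """Return the registrable domain an attacker would buy to catch
    mail meant for `hostname` with the subdomain dot dropped.

    us.example.com      -> usexample.com
    mail.us.example.com -> usexample.com   (covers mail.usexample.com)
    example.com         -> None            (no subdomain to merge)
    """
    labels = hostname.lower().strip(".").split(".")
    if len(labels) < 3:
        return None
    # Merge the last subdomain label into the second-level label. The
    # TLD dot is left alone: dropping it would not give a registrable
    # .com/.net/.org name.
    return f"{labels[-3]}{labels[-2]}.{labels[-1]}"


def intended_hostname(domain: str, our_domains: set[str]) -> str | None:
    """If `domain` is a doppelganger of one of `our_domains`, return
    the hostname the sender most likely meant, else None.

    Re-inserts one dot at every position of the second-level label:
    usexample.com -> u.sexample.com, us.example.com, use.xample.com ...
    and keeps the first split whose tail is one of our domains.
    """
    labels = domain.lower().split(".")
    if len(labels) != 2:
        return None
    sld, tld = labels
    for k in range(1, len(sld)):
        candidate = f"{sld[k:]}.{tld}"
        if candidate in our_domains:
            return f"{sld[:k]}.{candidate}"
    return None


def flag_outbound(recipients: Iterable[str], our_domains: set[str]) -> dict[str, str]:
    """Map each recipient whose domain is a doppelganger of one of
    ours to the address the sender probably intended. Suitable as the
    decision logic for an outbound mail-gateway rule."""
    ours = {d.lower() for d in our_domains}
    flagged: dict[str, str] = {}
    for addr in recipients:
        local, _, domain = addr.rpartition("@")
        if not local or not domain:
            continue  # not a usable address, leave it to the MTA
        fixed = intended_hostname(domain, ours)
        if fixed:
            flagged[addr] = f"{local}@{fixed}"
    return flagged


if __name__ == "__main__":
    # Constructed inventory of internal mail hosts, not real data.
    hosts = ["us.example.com", "mail.us.example.com", "eu.example.com", "example.com"]
    print({h: doppelganger_domain(h) for h in hosts})
    # Constructed outbound recipients, two of them with a dropped dot.
    out = ["alice@usexample.com", "bob@example.com", "carol@other.net", "dave@euexample.com"]
    print(flag_outbound(out, {"example.com"}))
```

The first function gives the list of names to register (or at least to watch in WHOIS) before someone else does; the second is the check a mail gateway would run on every outbound recipient, since the dropped dot is almost always typed by one of your own users.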
Kim and Gee have not identified their targets but have revealed that they were chosen from a list of 151 Fortune 500 companies they regarded as vulnerable to their variation of typosquatting.
However, the list is jam-packed with household names like Dell, Microsoft, Halliburton, PepsiCo and Nike.
The emails they collected included the following sensitive corporate information:
- Passwords for an IT firm’s external Cisco routers
- Precise details of the contents of a large oil company’s oil tankers
- VPN details and passwords for a system managing road tollways
The researchers also warn how easy it would have been to turn their passive typosquatting into a far more dangerous man-in-the-middle attack: instead of just keeping the stray messages, the attacker forwards each misaddressed email on to the intended recipient and relays the replies back, so neither side notices anything wrong.
Such an attack would have allowed them to capture entire email conversations rather than just individual stray emails.
The two “white hats” describe their method as a “passive email attack”.
And they write:
“During a six‐month span, over 120,000 individual emails (or 20 gigabytes of data) were collected which included trade secrets, business invoices, employee PII, network diagrams, usernames and passwords, etc. Essentially, a simple mistype of the destination domain could send anything that is sent over email to an unintended destination.”
“If in six months we were able to collect 20 gigabytes of data, imagine what a malicious attacker could gain.”
Well, I’m not sure that would be good for every CEO amongst the Fortune 500’s – it might be bad for their blood pressure, or something…
Because the report by Kim and Gee also indicates that they are probably not the first computer geeks to have thought of this:
“After reviewing the WHOIS information from all Fortune 500 companies, we noticed some of the largest companies were already registered to locations in China and to domains associated with malware and phishing. While it is unknown if these domains are used in a malicious fashion, it is apparent that some targeting is happening here.”
Peter Kim and Garrett Gee’s paper “Doppelganger Domains” is available to download from Wired.
Related by the EconoTwist’s:
- Major Security Problems at Baltic Bank Group
- Hackers: Wall Street Is An Easy Target
- Citibank Hacked: 200.000 Credit Card Numbers Stolen, May Affect 20 Million Customers
- The Cyber War: Complete Coverage (Part 1)
- A New Battlefield
- Online Banking Malware Has Surfaced
- US Stock Markets Infected By Malicious Software?
- Hackers Threaten To Attack The US Federal Reserve
- And Here We Go: Nasdaq Stock Exchange Hacked!
- Hackers Target The New York Stock Exchange
- Cyber Attacks Force EU to Close Emission Trading System
- Europe: Cyber Criminals Attack Critical Water, Oil and Gas Systems
- Anonymous Amateurs & Script Kiddies
- The REAL Weapon of Mass Destruction
US Government Seizes 18 More Websites
The U.S. government seized 18 more internet domains Monday, bringing to at least 119 the number of seizures following the June commencement of the so-called “Operation in Our Sites” anti-piracy program.
“These counterfeits represent a triple threat by delivering shoddy, and sometimes dangerous, goods into commerce, by funding organized criminal activities and by denying Americans good-paying jobs.”
John Morton
The Immigration and Customs Enforcement seizure, in honor of Valentine’s Day, targeted sites hawking big-name brands like Prada and Tiffany & Co.
Customs agents had bought counterfeit bracelets, earrings, handbags, necklaces, rings, sunglasses, wallets and watches with “brand names” from Burberry to Nike and Timberland, the government says.
The seizures are based on the same law the government invokes to seize brick-and-mortar drug houses, for example.
When it comes to internet domain seizures, the US government has jurisdiction over top-level domains such as .com, .org and .net, because the registries that run them are US companies and can be served with a court order to point a domain at a government seizure notice.
The latest seizures, which were done without advance warning to the sites, came nearly two weeks after the government seized 10 domains connected to pirating professional sports video streams.
Preet Bharara, the Manhattan US attorney, blamed such sports broadcasting piracy for “raising prices for tickets and pay-per-view events.”
Meanwhile, in November, the federal government targeted 82 websites, many bartering in counterfeited goods like scarves and golfing gear.
In June, when the seizure program was announced, the government took down nine sites that distributed pirated motion pictures.
Well, this is just getting more interesting by the day…