
Fortune 500 Companies Leaked 20GB of Sensitive Information

The following story is just a big LOL, and once again a demonstration of how ridiculously easy it is to be a profitable cyber criminal today. Luckily for the prominent corporations that make up the famous Fortune 500 list, these guys were not hackers – they are IT security researchers.

“If in six months we were able to collect 20 gigabytes of data, imagine what a malicious attacker could gain.”

– Peter Kim and Garrett Gee

All they did was to buy internet domain names that were almost identical to those of the well-known global corporations – just missing a dot. It wasn’t long before emails containing everything from trade secrets, business invoices and personal information about employees to network diagrams and passwords started to pour in…

Security researchers Peter Kim and Garrett Gee have captured 120,000 emails intended for Fortune 500 companies by exploiting a basic typo.

“The emails, which included trade secrets, personal information, network diagrams and passwords, started to pour in,” the website Naked Security (by security firm Sophos) writes.

The researchers did this by buying 30 internet domains they thought people would send emails to by accident (a practice known as typosquatting).

The domain names they chose were all identical to subdomains used by Fortune 500 companies save for a missing dot.

Having purchased the domains they simply sat back and watched as users mistakenly sent them over 120,000 emails in six months.
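The dot-dropping the researchers exploited is easy to turn around defensively: enumerate the doppelgangers of your own subdomains so you can register or monitor them, and flag outbound mail addressed to one of them before it leaves. The script below is an added example written for this post; it is not code from Kim and Gee’s paper or from the blog. It assumes the registrable domain is the last two labels of a hostname (a real deployment would consult the Public Suffix List), and the subdomains and recipient addresses it uses are constructed sample values.

```python
"""Doppelganger-domain watchlist for an organisation's own subdomains.

Defensive use: given the subdomains you operate, derive the dot-dropped
domains an outsider could register, then check outbound recipients
against that list (e.g. in a mail-gateway or DLP rule).
"""
from __future__ import annotations


def registrable_domain(hostname: str) -> str:
    """Return the part of a hostname that someone can register.

    Assumption (for this example): the last two labels. Suffixes such as
    co.uk need the Public Suffix List in real deployments.
    """
    labels = hostname.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def doppelganger_domains(subdomain: str) -> dict[str, str]:
    """Map each registrable doppelganger of `subdomain` to the legitimate
    domain it shadows.

    Dropping a dot *inside* the subdomain part (mail.eu -> maileu) still
    lands under your own zone, so only the dot directly before the
    registrable domain produces a domain a third party could buy:
    mail.eu.example.com -> mail.euexample.com (registrable: euexample.com).
    """
    labels = subdomain.lower().strip(".").split(".")
    if len(labels) < 3:
        return {}  # a bare registrable domain has no dot to drop
    merged = labels[-3] + labels[-2]
    doppel = ".".join([*labels[:-3], merged, labels[-1]])
    return {registrable_domain(doppel): registrable_domain(subdomain)}


def build_watchlist(own_subdomains: list[str]) -> dict[str, str]:
    """Union of doppelgangers over all subdomains, keyed by registrable domain."""
    watch: dict[str, str] = {}
    for sub in own_subdomains:
        watch.update(doppelganger_domains(sub))
    return watch


def check_recipient(address: str, watchlist: dict[str, str]) -> str | None:
    """Return the legitimate domain a recipient's doppelganger shadows,
    or None when the address is not on the watchlist."""
    domain = address.rsplit("@", 1)[-1]
    return watchlist.get(registrable_domain(domain))


def flag_outbound(recipients: list[str], watchlist: dict[str, str]) -> list[tuple[str, str]]:
    """Return (address, shadowed_domain) for every recipient that should be held."""
    flagged = []
    for addr in recipients:
        hit = check_recipient(addr, watchlist)
        if hit is not None:
            flagged.append((addr, hit))
    return flagged


if __name__ == "__main__":
    # Constructed sample data: the subdomains an organisation runs and a
    # batch of outbound recipients, one of which is a genuine typo.
    own = ["us.example.com", "mail.eu.example.com", "vpn.apac.example.com"]
    watch = build_watchlist(own)
    print("Doppelgangers to register or monitor:", sorted(watch))

    outbound = [
        "alice@us.example.com",        # correct internal address
        "bob@usexample.com",           # missing dot: would leave the company
        "carol@mail.euexample.com",    # missing dot deeper in the hierarchy
        "dave@partner.invalid",        # unrelated external recipient
    ]
    for addr, shadowed in flag_outbound(outbound, watch):
        print(f"HOLD {addr}: looks like a doppelganger of {shadowed}")
```

The watchlist is keyed by registrable domain so that any host under a doppelganger (`mail.euexample.com`, `www.euexample.com`) is caught by one entry; the same list doubles as the set of WHOIS records to check for the “already registered” situation the post describes further down.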

Kim and Gee have not identified their targets, but have revealed that they were chosen from a list of 151 Fortune 500 companies they regarded as vulnerable to their variation of typosquatting.

However, the list is jam-packed with household names like Dell, Microsoft, Halliburton, PepsiCo and Nike.

The emails they collected included the following sensitive corporate information:

  • Passwords for an IT firm’s external Cisco routers
  • Precise details of the contents of a large oil company’s oil tankers
  • VPN details and passwords for a system managing road tollways

The researchers also warn of how easy it would have been to turn their passive typosquatting into an even more dangerous man-in-the-middle attack.

Such an attack would have allowed them to capture entire email conversations rather than just individual stray emails.

The two “white hats” describe their method as a “passive email attack”.

And they write:

“During a six‐month span, over 120,000 individual emails (or 20 gigabytes of data) were collected which included trade secrets, business invoices, employee PII, network diagrams, usernames and passwords, etc. Essentially, a simple mistype of the destination domain could send anything that is sent over email to an unintended destination.”

“If in six months we were able to collect 20 gigabytes of data, imagine what a malicious attacker could gain.”

Well, I’m not sure that would be good for every CEO among the Fortune 500 – it might be bad for their blood pressure, or something…

Because the report by Kim and Gee also indicates that they are probably not the first computer geeks who have thought of this:

“After reviewing the WHOIS information from all Fortune 500 companies, we noticed some of the largest companies were already registered to locations in China and to domains associated with malware and phishing. While it is unknown if these domains are used in a malicious fashion, it is apparent that some targeting is happening here.”

Peter Kim and Garrett Gee’s paper “Doppelganger Domains” is available to download from Wired.

Filed under Laws and Regulations, National Economic Politics, Technology