The last time as you just clicked on the ‘Send’ button, and realised that you incorrectly spelt the alphabet ‘N’ in the email id with ‘M’, what did you do? Nothing. And, perhaps, there is nothing that could have been done, except for re-sending. Well, ignorance would certainly have been bliss, if you knew that the misspelt email could have a much worse fate than just bouncing back or landing up in the inbox of a harmless person who would have just deleted it.
‘Doppelganger Domains’, which are spelt almost identically to the legitimate ones but with very slight difference, are increasingly being used to capture misspelt/mis-sent emails to gain access to information and data residing in these intercepted emails. Well, Doppelganger Domains is just one form of typosquatting. Taking this a step further, typosquatting further exploits mistakes like typo errors when typing the URL, by registering a domain name similar to that of a legitimate website. As a result, the typo error directs the user to the squatter’s site instead of the legitimate site.
While data security as an umbrella term has long been on top of the CIOs’ list of priorities, there are still niche areas within that continue to elude awareness and at times even the CIO’s keen eye. And, as it turns out, sometimes it is the simplest of things that can be more elusive. Something as simple as a misaddressed email has the potential to trigger off far-reaching security ramifications beyond the obvious. A reality that CIOs and IT Heads are waking up to now.
If one really needs to imagine the extent of the damage that the menace can cause, then consider this: a practical heist undertaken by two researchers who created doppelganger domains similar to the legitimate ones of Fortune 500 companies managed to steal almost 20 GB of data from these misaddressed e-mails coming from various Fortune 500 companies. And, the worrying factor is that this included sensitive and confidential corporate data, including passwords, corporate plans, contracts, trade secrets, etc.
What’s an even bigger cause for worry for CIOs is that the research indicates that the Doppelganger Domains phenomena is already quite active with such domains for some of the largest companies already registered and active. The research paper further maintains that almost 30 percent of Fortune 500 companies were potentially vulnerable to the treat.
Low Awareness, Low Priority
As SR Balasubramanian, Independent Consultant - IT Strategy and Management, and ex-CIO, Hero Honda (now Hero MotoCorp) and Godfrey Philips, points out, there is no denying that the threat is ‘real’. Arun Gupta, CIO, Shoppers Stop further adds that with the number of domain names increasing and the continued dependence on email, this is indeed a major security threat.
While the threat seems to be spreading across in fast gear, awareness levels are ticking slow, unable to play catch. As per statistics and surveys no proactive measures are being taken at the moment to limit the reach of such domains and attacks. “It has received some attention of some of the CIOs. However, I am not sure if anything is seriously being done as I do not hear this being discussed widely or such concern expressed in public. People are largely complacent and it may perhaps take a while for this to become a mainstream item requiring our immediate attention,” says Balasubramanian. “There may be instances, but I am not aware of proactive measures taken by enterprises,” agrees Gupta.
Needless to say that with low awareness the Doppelganger Domain threat currently doesn’t figure among the mainstream and top security threats within organisations yet. It is still low on their list of security priorities and fails to figure in their security policies. According to Costin G. Raiu, Director, Global Research and Analysis, Kaspersky Lab, in general, handling of these domains is not included in security policies, which have a more general format and are designed to prevent most kind of attacks and securing all the entry points.
Gupta believes that currently it figures low on the priority list as awareness and the implications are not widely known or understood. Shoppers Stop’s security policy currently does not cover this threat. However, Gupta maintains that he will be addressing this in the future. And, there would be a majority that will fall under this category. Subramanian also maintains that he is not aware if any organisation in India has factored 'doppelganger' in their security policy. “May be some have, but in my opinion it has still to make its impact,” he adds.
Raiu doesn’t think these are considered top security threats by themselves; mostly because it takes another component for a successful attack to happen, for instance, a ‘0-day’ exploit. “As such, many of these domains are just a small part of the big picture, yet, extremely important,” he adds.
Taking The First Step
Not just in India, but globally, there is lack of clarity around who should be handling the problem. In fact, that’s part of aggravating the problem and contributing to the the low awareness. For instance, should registrars prevent somebody from registering a domain named cia-whitehousegov.org because it sounds strange? Or is it the responsibility of the users not to click on them? According to Raiu, the answer is probably somewhere in the middle – each party should be doing a little bit to increase the security of the system and try to watch after another.
The most fundamental question for CIOs to ask before delving into any preventive or defensive measures is: Are employees even aware of the risk their carelessness can put their company in? This is because employees, though unwittingly, are the source where the whole issue gets initiated. And, unfortunately, in majority of the enterprises employees are not even aware of the ramifications that a misspelt email can land up their company in.
In general, employees rarely think about the risk of their actions towards the company; this is because they expect the company to provide them with the absolute, perfect protection, feels Raiu. Additionally, many employees are aware of the fact that some security measures are in place and already feel protected and safe.
“I believe that the solution lies with the person and not technology. If I am sending an email to say network18online.com, I could make mistakes anywhere in the spelling,” says Gupta. Balasubramanian adds that it is impossible to prevent such attacks through technology.
Hence, the first step for any enterprise that is hoping to address the Doppelganger Domain threat is to tackle the ‘people’ issue before coming to the ‘technology’ challenge.
Addressing Weakest Link
The first onus lies on people, and hence the first priority is tackling the people issue. Security should be regarded as a chain that is as strong as its weakest link. Unfortunately, in many cases, humans are the weakest link and this can only be mitigated through education. This is why experts recommend companies to include security awareness training for their employees, in forms of regular e-mail newsletters, internal website/resources and security classes.
Both Gupta and Balasubramanian agree to the fact that regular communication to educate the employees can bring down such crucial incidences. While policies need to be defined and enforced – and this is where technology can help – user education is an important aspect of ensuring that people always double-check the addresses they type. It’s time to pay more attention to what we type and who we are addressing the emails to.
Experts further recommend that users should create bookmarks in their browsers for the most commonly visited websites (eg. E-banking) and use them instead of typing the address every time. By following some basic steps, such as bookmarks, traffic filtering, enforcing HTTPS connections, double checking URL, looking for trust seals on transaction sites can go a long way towards reducing the attack surface.
Gupta further suggests that CISOs should work with the risk management team to create awareness and recover the domains to safeguard such threats.
Tech To The Rescue
With a little help from technology the tendency for human error can be further reduced. Today, there are solutions available in the market that make it possible to identify if a domain is legitimate or malicious by checking if the address bar in many browsers turns green when the page loads. Furthermore, trust seals on the website also tell a user if the website he is visiting is safe.
“For now, the solution lies in helping the humans avoid these mistakes by either using bookmarks, or recognising fake pages. In the future, it would be very good if some enhanced security mechanisms are created which can allow for the easy identification of such fakes,” maintains Raiu.
At The Enterprise Level
Overall, the CIO’s responsibility spans across the individual user level and the enterprise level. While awareness drive is the answer at the individual user level, from an enterprise perspective, it is advisable to register domain names with common misspellings of the URL name and constantly monitor the internet landscape for any threats to the website.
Shantanu Ghosh, VP and MD, India Product Operations, Symantec, informs that many companies have begun registering domain names based on common typos in their actual names. For instance, if one types ‘symnatec.com’ they will be redirected to ‘symantec.com’. Unfortunately, as he adds, this works for typos within the domain name itself, but not if the users leave the ‘o’ out of .com and instead go to .cm. in such case they just land on the squatter’s site.
At The Registrar Level
As mentioned earlier, responsibility will need to span across the various stakeholders, including the registrar. A bit more could be done at that level. Many such domains are registered with fake details, such as fake name, address and stolen credit cards. “A simple method would be to scan domains which sound similar to ours and if its sounds fishy we can write to ICANN to de-register such domain names,” suggests Balasubramanian.
Recommendations have also been made for the creation of a “.bank” top domain with all online banking sites to be located in there. To register it, special rules would apply. Therefore, it would be a lot safer to go to such websites than say, any “.com” website that can be registered by anybody. For now these are only proposals.
“Robust security involves a combination of people, processes and technology. The right technology used by the wrong people or in the wrong processes can be ineffective and even harmful, and vice versa,” says Ghosh, drawing up a more holistic picture.
With inputs from Abhishek Raval and Revathi Raghavan.
Updated Date: Nov 03, 2011 15:23:25 IST