The humble period is the smallest character on a computer screen. But it appears it could also be a major security risk.
That’s the conclusion of security firm Sophos, which investigated a lesser-known risk from typosquatting. Most people think of this practice, which involves registering a website address that’s just a mistaken keystroke away from a popular domain, as a way to trick people into visiting a holding page with a photo of a backpack-clad girl.
However, Garrett Gee and Peter Kim decided to investigate the risks caused by typosquatting when it comes to e-mails. They selected 30 companies from the Fortune 500 list and registered domain names that were identical to sub-domain/domain combinations used by such firms, save for the removal of a period. To give an example (which was not necessarily part of the study), this could have included registering usbank.com and thus getting messages from people who missed the vital character in firstname.lastname@example.org
In the following six months, the researchers received more than 120,000 e-mails from people who’d missed out a period. The total amount of data received was 20GB, which works out at around double one estimate of the average e-mail size, suggesting the messages weren’t short of attachments.
Gee and Kim picked out some specific examples of misdirected messages they received, including:
• Passwords for an IT firm’s external Cisco routers
• Precise details of the contents of a large oil company’s oil tankers
• VPN details and passwords for a system managing road tollways
They also produced a list of keywords that appeared frequently including secret (425 times), credit card (402), password (405), login (495) and contract (417). Of course not all of those will have been from messages with sensitive information: “For access to the secret area of the site, just sign the contract and give us your credit number and we’ll send you your password and login” would tick all the boxes.
Indeed, the report doesn’t mention what proportion of the 120,000 e-mails were simply misdirected spam.
That said, as Gee and Kim point out, for the sake of the few extra bucks it would cost to buy up domains for the most likely typos, it seems well worthwhile for companies that deal in commercially or personally sensitive information to mitigate the risk.