Over six months they grabbed 20GB of data made up of 120,000 wrongly sent messages.
Some of the intercepted correspondence contained user names, passwords, and details of corporate networks.
About 30% of the top 500 companies in the US were vulnerable to this security shortcoming according to researchers Peter Kim and Garret Gee of the Godai Group.
The problem arises because of the way organisations set up their email systems. While most have a single domain for their website, many use sub-domains for individual business units, regional offices or foreign subsidiaries.
Dots or full stops are used to separate the words in that sub domain.
For example a large American financial group may take bank.com as its corporate home but internally use us.bank.com for staff email.
Usually, if an address is typed with one of the dots missing, ie usbank.com, then the message is returned to its sender.
But by setting up similar doppelganger domains, the researchers were able to receive messages that would otherwise be bounced back.
“Doppelganger domains have a potent impact via email as attackers could gather information such as trade secrets, user names and passwords, and other employee information,” wrote the researchers in a paper detailing their work.
Only one of the companies being impersonated noticed that spoofing was taking place and tracked down the researchers.
Man in the middle
A clever attacker could cover their tracks by passing on the message to its correct recipient and relaying back any reply.
By acting as a middleman the likelihood of more messages being mis-sent using the “reply” function increases.
Follow-up work by the researchers revealed that some cyber criminals may already be exploiting keyboard errors.
A search uncovered many addresses resembling corporate sub-domains which were owned by individuals in China or linked to sites associated with malware or phishing.
Writing on the blog of security firm Sophos, Mark Stockley said: “It’s striking that the researchers managed to capture so much information by focusing on just one common mistake.
“A determined attacker with a modest budget could easily afford to buy domains covering a vast range of organisations and typos,” he said.
Source: BBC News