You know about phishing and social attacks, but now we have to be concerned about fingers that are too big. The article "Trade secrets exposed by 'stealthy' email typo attack" reports that researchers have shown how much data can be captured from misspelled email addresses.
The researchers purchased 30 domain names which were misspelled variants of the largest corporations. They captured 120,000 emails and many of those contained trade secrets, insider marketing information, and other messages that would trouble corporate security managers.
The first error is human - someone types goagle.com instead of google.com in the email address. Then technology compounds the error, because email programs such as Outlook 2010 will auto-complete the erroneous address once it has been used. If you have a smartphone with a touch-screen display, the probability of errors is even greater.
So how can you avoid the man-in-the-mailbox? Purchase the domains for misspelled variants of the company's email domain. Of course, that doesn't help if the email is going to another company - they would have to purchase that domain name. Another option is whitelisting email addresses within a company, so that it would not be possible to send an email to an address that is not registered with the corporate server.
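One way to put that whitelisting idea into practice at the mail gateway is to compare every outbound recipient domain against the list of domains the company legitimately mails, and to hold anything that is not on the list but is only an edit or two away from one that is (goagle.com next to google.com). The following is an added example written for this post, not code from the article or the researchers; the trusted-domain list, the sample recipients and the distance threshold of 2 are constructed for illustration.

```python
"""Outbound recipient check that flags near-miss typos of trusted mail domains.

Added example, not part of the original post. The allow-list and sample
recipients below are constructed for illustration.
"""

# Constructed allow-list of domains the organisation legitimately mails.
TRUSTED_DOMAINS = {"google.com", "example.com", "corp-partner.net"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert / delete / substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def classify_recipient(address: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """Return 'trusted', 'suspected-typo' or 'unknown' for one recipient address.

    'suspected-typo' means the domain is not on the allow-list but lies within
    max_distance edits of a domain that is, which is exactly the gap a
    misspelled doppelganger domain sits in.
    """
    if "@" not in address:
        return "unknown"
    domain = address.rsplit("@", 1)[1].strip().lower()
    if domain in trusted:
        return "trusted"
    for good in trusted:
        if 0 < levenshtein(domain, good) <= max_distance:
            return "suspected-typo"
    return "unknown"


def screen_recipients(recipients):
    """Map each recipient to its verdict; a gateway would hold anything flagged."""
    return {r: classify_recipient(r) for r in recipients}


if __name__ == "__main__":
    # Constructed sample of outbound recipients.
    sample = ["alice@google.com", "bob@goagle.com",
              "carol@examp1e.com", "dave@unrelated.org"]
    for addr, verdict in screen_recipients(sample).items():
        print(f"{addr:25} {verdict}")
```

A verdict of "suspected-typo" is the one worth routing to a human or bouncing to the sender with a confirmation prompt; "unknown" domains are ordinary external mail and would be handled by whatever policy already applies to them. The threshold is deliberately small, since at larger distances almost every short domain is "near" some other short domain.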
Yet another method is to use email certificates that encrypt the message so that only the intended recipient can read the email. It requires discipline and coordination, but is probably the best solution.