Researchers' Typosquatting Stole 20 GB of E-Mail
NeverVotedBush writes "Two researchers who set up doppelganger domains to mimic legitimate domains belonging to Fortune 500 companies say they managed to vacuum up 20 gigabytes of misaddressed e-mail over six months. The intercepted correspondence included employee usernames and passwords, sensitive security information about the configuration of corporate network architecture that would be useful to hackers, affidavits and other documents related to litigation in which the companies were embroiled, and trade secrets, such as contracts for business transactions."
>Let us see if that stupid boilerplate text has any legal standing
It doesn't. It didn't work for real mail so why should it work for email?
You get something unsolicited, and you are free to do with it whatever you choose. It's up to the sender to get the address right in all cases.
--
BMO
The boilerplate has no legal force. First, it's like someone sending you unsolicited snail mail - anyone who sends you, say, an unsolicited book by snailmail can't then send you a demand to pay for it - it's already yours.
Additionally, boilerplate "contracts", even ones you agree to, are governed by different laws than regular contracts (search for "contract of adhesion" or "standard form contract").
No mail was stolen. It was delivered exactly where it was addressed.
It's the fault of the monkey behind the keyboard and nobody else.
--
BMO
Better question: why are high-end companies sending top secret confidential data over normal unencrypted e-mail? Even your bottom-of-the-line MMORPG sends a note to its users saying a GM will never ask for or send your password via e-mail, but our Fortune 500 companies can't match that level of security? Typical e-mail passes unencrypted past so many hands it isn't funny. The typical e-mail from home to work passes unencrypted across a wifi network that may or may not be compromised, if anyone even bothered to secure it, to your ISP, where low-wage monkeys may or may not have access, across the cloud, where it will pass through an unknown number of nodes, to the entry mailservers at said company, which may or may not be managed by medium-wage contractors who know they only have the job for a few months at best anyway, and finally to the person it is intended for. Yeah, I see no reason to think twice before sending my SSN, CC# and confidential data through an e-mail.
Well, in this case, you have to make the explicit step of setting up an alternate site, and having something there to get email. So you've explicitly put stuff in place to catch these messages.
Under normal circumstances, the user would get a bounce-back of the message ... so, someone might be able to argue that it's not like something was delivered to you out of the blue. You've actually created the thing that it gets delivered to, and made it look as close as you could to the intended one.
At a minimum, this might get into a gray area, and might be full-on illegal, even if you were only passively receiving the misdirected stuff thereafter.
I don't think you can make the claim that you just happened to be receiving these emails.
Lost at C:>. Found at C.