Doppelganger domains a big hole in email security

Missing dot leads to 20GB store of mis-addressed email.

Researchers analysing the impact of domain typo-squatting on Fortune 500 companies found that 151 of them were leaking sensitive information through senders using mis-spelt email addresses.

The researchers, from security firm Godai Group, claimed to have collected 120,000 emails, or 20 gigabytes of data, over six months from the companies they profiled.

The exercise employed so-called “Doppelganger Domains”, which exploit the common practice among large companies of using subdomains to identify regional offices.

Over the period it netted the researchers emails regarding trade secrets, invoices, employee information, network diagrams, usernames and passwords, according to Godai Group.

"Attackers are already taking advantage of this vulnerability and they can be harvesting sensitive information from your company already," Garrett Gee, founder of Godai Group, said in a statement.

Unlike earlier typo-squatting, which relied on misspelling a domain, such as Youtube.com to Yotube.com, a Doppelganger domain is spelt identically to the real domain but omits the dot between the host/subdomain and the domain. For example, instead of us.company.com, the fake domain would be uscompany.com.

The researchers discovered that Doppelganger domains had already been registered in China for some of the largest companies, including Cisco (ksciso.com), Dell (chndell.com), HP (chehp.com), IBM (caibm.com, seibm.com) and Intel (ausintel.com).

“While it is unknown if these domains are used in a malicious fashion, it is apparent that some targeting is happening here. If in six months we were able to collect 20 gigabytes of data, imagine what a malicious attacker could gain,” they said.

The missing-dot domains were useful for passive attacks, where an attacker simply stands up a mail server for the doppelganger domain and catches every message mis-addressed to it, and for active, socially engineered attacks against specific individuals, where the attacker sends mail from the look-alike domain.

One of the suggested mitigations was for the company to register its own Doppelganger Domains before an attacker does. Companies could also configure their internal and external DNS servers not to resolve the incorrectly spelt domains.
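The construction described above (drop the dot between subdomain and domain) is mechanical, which means the defensive side is mechanical too: enumerate the doppelgangers of your own regional subdomains and check outbound recipients against them before mail leaves. The following is an added example written for this article, not code from Godai Group or from the companies named. The corporate domain company.com, the subdomain list and the sample recipient addresses are all constructed for illustration; the generic suffix check goes beyond the article's enumerated approach by flagging missing-dot variants of subdomains that are not on the list, at the cost of false positives on unrelated names such as mycompany.com.

```python
"""Doppelganger ("missing dot") domain generation and outbound recipient check.

Added example for this article; not Godai Group's code. All names below
(company.com, the subdomains, the sample addresses) are constructed.
"""
import re

# Constructed corporate domain and regional subdomains of the kind the
# article describes (us.company.com, chn.company.com, ...).
CORPORATE_DOMAIN = "company.com"
REGIONAL_SUBDOMAINS = ["us", "uk", "chn", "aus"]

# Plain user@host addresses only; display-name syntax is deliberately rejected
# so that an unparseable recipient is surfaced for review rather than allowed.
_ADDR_RE = re.compile(r"^[^@\s]+@([A-Za-z0-9][A-Za-z0-9.-]*)$")


def doppelganger_domains(domain, subdomains):
    """Build the missing-dot doppelganger of each subdomain.

    us.company.com -> uscompany.com. Returns a set of lower-cased domains,
    which is the list a company would register or sinkhole in DNS.
    """
    domain = domain.lower()
    return {f"{sub.lower()}{domain}" for sub in subdomains}


def recipient_domain(address):
    """Return the lower-cased domain part of an address, or None if unparseable."""
    m = _ADDR_RE.match(address.strip())
    return m.group(1).lower().rstrip(".") if m else None


def is_missing_dot_variant(candidate, domain):
    """True when `candidate` is `domain` with a non-empty prefix glued on
    without a separating dot (uscompany.com for company.com).

    A legitimate subdomain has a dot immediately before the corporate domain,
    so us.company.com is not a variant. Unrelated names such as mycompany.com
    do match, so callers should treat this as a warning, not a hard block.
    """
    candidate, domain = candidate.lower(), domain.lower()
    if candidate == domain or not candidate.endswith(domain):
        return False
    prefix = candidate[: -len(domain)]
    return bool(prefix) and not prefix.endswith(".")


def check_recipients(recipients, domain=CORPORATE_DOMAIN,
                     subdomains=REGIONAL_SUBDOMAINS):
    """Classify outbound recipients into three buckets.

    'block': domain is (or is a host under) a known doppelganger
    'warn':  domain looks like a missing-dot variant not on the list, or
             the address could not be parsed
    'allow': everything else, including real sub.domain hosts
    """
    known = doppelganger_domains(domain, subdomains)
    result = {"block": [], "warn": [], "allow": []}
    for rcpt in recipients:
        d = recipient_domain(rcpt)
        if d is None:
            result["warn"].append(rcpt)
        elif any(d == k or d.endswith("." + k) for k in known):
            result["block"].append(rcpt)
        elif is_missing_dot_variant(d, domain):
            result["warn"].append(rcpt)
        else:
            result["allow"].append(rcpt)
    return result


if __name__ == "__main__":
    # Constructed sample of an outbound queue, not real traffic.
    sample = [
        "alice@us.company.com",
        "bob@uscompany.com",
        "carol@mail.chncompany.com",
        "dave@decompany.com",
        "erin@partner.example",
        "frank@company.com",
    ]
    for bucket, addrs in check_recipients(sample).items():
        print(f"{bucket:5s} {addrs}")
```

In practice the set returned by doppelganger_domains is what feeds both mitigations in the article: it is the list to register defensively, and the list to sinkhole on internal resolvers or reject in the outbound mail gateway so that a mis-addressed message fails at send time instead of landing in an attacker's mailbox.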
