Friday, September 09, 2011

Man in the MailBox Mitigation Strategy

The Information Security Think Tank GodaiGroup recently released a report describing a new form of typosquatting they call Doppelganger Domains. A Doppelganger Domain is a domain spelled identically to a legitimate fully qualified domain name (FQDN) but missing the dot between the host/subdomain and the domain, to be used for malicious purposes.

Over a 6-month period they used a passive e-mail attack to obtain 120.000 legitimate e-mails containing a total of 20 gigabytes of data from Fortune 500 companies. The data included trade secrets, invoices, usernames and passwords.

They also describe a potential active e-mail attack using a Man-In-The-MailBox (MITMB) method.
Source: GodaiGroup

The mitigation strategy suggested for these threats includes purchasing and registering the doppelganger domains, blocking doppelganger domains in your DNS records, and communicating this attack vector to your internal users, customers and business partners.
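As an added example (not code from the GodaiGroup report or this post), the following Python derives the doppelganger of each of an organisation's mail-handling FQDNs, emits DNS Response Policy Zone records to block them, and flags mail-log entries addressed to them. The FQDNs and log lines are constructed placeholders, and the registrable domain is assumed to be the last two labels.

```python
import re

# Constructed sample of an organisation's own mail-handling FQDNs (assumption: placeholders).
LEGIT_FQDNS = ["us.example.com", "mail.eu.example.com", "example.com"]

def doppelganger_domains(fqdns):
    """Return the registrable doppelganger of each FQDN: the dot between the last
    subdomain label and the domain is dropped (us.example.com -> usexample.com).
    Assumption: registrable part is the last two labels (example.co.uk needs a PSL)."""
    candidates = set()
    for fqdn in fqdns:
        labels = fqdn.lower().strip(".").split(".")
        if len(labels) < 3:          # no subdomain, so no dot to drop
            continue
        candidates.add(labels[-3] + labels[-2] + "." + labels[-1])
    return candidates

def rpz_block_records(domains):
    """RPZ records that make the resolver answer NXDOMAIN for each doppelganger
    and everything beneath it (CNAME . is the RPZ NXDOMAIN action)."""
    lines = []
    for d in sorted(domains):
        lines.append(f"{d} CNAME .")
        lines.append(f"*.{d} CNAME .")
    return lines

TO_RE = re.compile(r"to=<[^@>]+@([^>]+)>")

def flag_misaddressed(log_lines, domains):
    """Return log lines whose recipient domain is a doppelganger, so mail that was
    typed with the missing dot shows up in monitoring instead of leaving quietly."""
    hits = []
    for line in log_lines:
        m = TO_RE.search(line)
        if m and m.group(1).lower().rstrip(".") in domains:
            hits.append(line)
    return hits

# Constructed Postfix-style log lines (not taken from the report).
SAMPLE_LOG = [
    "Sep  9 10:01:02 mx1 postfix/smtp[4711]: 1A2B3C: to=<alice@us.example.com>, status=sent",
    "Sep  9 10:01:05 mx1 postfix/smtp[4711]: 1A2B3D: to=<bob@usexample.com>, status=sent",
    "Sep  9 10:01:09 mx1 postfix/smtp[4711]: 1A2B3E: to=<carol@euexample.com>, status=sent",
]

if __name__ == "__main__":
    doppel = doppelganger_domains(LEGIT_FQDNS)
    print("\n".join(rpz_block_records(doppel)))
    for hit in flag_misaddressed(SAMPLE_LOG, doppel):
        print("ALERT:", hit)
```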

The man in the mailbox attack succeeds because the attacker is able to place himself as a middle man in a mail transaction. What I really miss from this report is a focus on the key information security concepts: confidentiality, integrity, availability, authenticity and non-repudiation. The mitigation strategy should incorporate technical protection mechanisms such as cryptography, either at the user-to-user or the server-to-server level. As we have seen lately from the DigiNotar hack, PKI/SSL is not a perfect solution, but building the CIA triad into our strategy would complicate the attack.

Are there other mitigation strategies, did I forget anything?

1 comment:

  1. Some of my ramblings on the topic