Alert
Close

Multiemployer pension cuts and what you need to know about pension provisions in 2015. Learn more

Scam Alert

Missing Dot in Email Address Could Be a Costly Mistake

Typo might send personal data to crooks, not company

En español | First came "typosquatting."

In this common scam, cyber-criminals buy Internet addresses that differ from big-name ones by just a letter or two, then capitalize on sloppy typing. Someone who wants to go to xyxcorp.com but accidentally types xyzcorp.com ends up at the scammer's site.

Sign up for AARP's Money Newsletter.

Online scams to access personal information include doppelganger web sites and emails

Stay safe: Be careful what you type. — Photo by Rob Atkins/Getty Images

Now comes another trick to hook the fumble-fingered, courtesy of a keystroke omission rather than a misspelling: a missing dot in an email address.

The goal is the same: to glean personal information, infect the visitor's computer with a virus or sell worthless junk as a prized brand-name product.

This newly uncovered scheme, targeting the all-important dot in corporate communications systems, can route email into the hands of scammers, giving them any and all confidential information that the messages contain.

The scammers' key tool is a "doppelganger" domain, an Internet address that is spelled identically to a legitimate site but is missing the crucial dot, typically found between what's known as a subdomain and domain in the address.

Doppelganger domains would include "mailyahoo.com" instead of the correct "mail.yahoo.com," or "seibm.com" instead of the correct "se.ibm.com" that IBM uses for its division in Sweden.

Beware the doppelganger

Doppelganger is a German term for a "ghostly counterpart of a living person" — and it's an apt name for this scam.

The crooks purchase a doppelganger, then set it up on the Internet so that all mail that's mistakenly addressed without the dot comes to their server, note researchers of the security consulting firm Godai Group in an eye-opening report (PDF) released Sept. 6.

Godai's Peter Kim and Garrett Gee spent six months measuring the doppelganger danger by setting up dot-missing variations of legitimate email domains run by every Fortune 500 company.

Over that time they were able to collect more than 120,000 misaddressed emails, some containing trade secrets, contracts and invoices complete with credit card information. Users' email login information and employee data were also harvested.

Overall, the researchers concluded that nearly one-third of the Fortune 500 are susceptible to such attacks.

In fact, some of those companies, including Dell, Cisco, Yahoo and DuPont, had already been targeted by doppelgangers registered to addresses in China that were previously associated with scammer attacks. The doppelganger domain emailkohls.com, aimed at the Kohl's department store chain, was registered to a Canadian post office box.

The bounce-back solution

The take-home message of the study: Companies should themselves buy up doppelganger domains to prevent scammers from using them. To combat more traditional typosquatting, many companies already purchase Internet addresses that are misspelled versions of their legitimate websites.

And while mistyping an email address often (but not always) results in the message being bounced back to the sender, no bounce-back occurs if it goes to a doppelganger domain set up by a scammer.

Also of interest: Phone, online survey cons can cost you big. >>

Sid Kirchheimer is the author of Scam-Proof Your Life, published by AARP Books/Sterling.

Topic Alerts

You can get weekly email alerts on the topics below. Just click “Follow.”

Manage Alerts

Processing

Please wait...

progress bar, please wait

Tell Us WhatYou Think

Please leave your comment below.

The Cheap Life

Jeff Yeager Cheap Life Ultimate Cheapskate AARP YouTube web series save money

Catch the latest episode of The Cheap Life starring Jeff Yeager, AARP's Ultimate Cheapskate. Watch

Discounts & Benefits

From companies that meet the high standards of service and quality set by AARP.

Life insurance: you are covered rain or shine

Exclusive annuities for members from AARP Lifetime Income Program from New York Life.

AARP Credit card from Chase

Members can get cash back rewards on purchases with the AARP® Credit Card from Chase.

Homeowners Insurance
Member Benefits

Join or renew today! AARP members receive exclusive member benefits & affect social change.

Rewards for Good

Your Points Balance:

Learn More

Earn points for completing free online activities designed to enrich your life.

Find more ways to earn points

Redeem your points to save on merchandise, travel, and more.

Find more ways to redeem points

Advance your skills. Transform your career.

Explore your learning possibilities.