Bitsquatting: Exploiting bit-flips for fun, or profit?
Slides of the paper titled "Bitsquatting: Exploiting bit-flips for fun, or profit?", presented at WWW2013

1. Bitsquatting: Exploiting Bit-Flips for Fun, or Profit?
   Nick Nikiforakis, Steven Van Acker, Wannes Meert, Lieven Desmet, Frank Piessens, Wouter Joosen
   WWW 2013

2. Humble beginnings
   • There was a time when the Internet wasn’t yet a big thing
     o Some sites existed, and people were starting to register domain names
     o But many were skeptical
   • Some, however, were registering domains by the dozens
     o Speculators
       • wine.com
       • cheapairlinetickets.com
       • traveltobrazil.com

3. Cybersquatters
   • In 1994, 2/3 of the Fortune 500 companies had not registered the domains corresponding to their trademarks [13]
     o E.g. mcdonalds.com
   • Some of the speculators decided to push it a bit by registering such domains, hoping for profit
     o This practice was named “cybersquatting”
   • In some cases, cybersquatters speculated on the names of future products and services:
     o iphone6.com

4. WWW2012.ORG

5. WWW2013.ORG

6. WWW2016.ORG

7. Cybersquatting evolves
   • Typosquatting
     o Keyboard users, even experienced ones, make mistakes while typing
     o Registration of mistypes of popular domains
       • foogle.com, ffacebook.com, twitte.com
   • Homograph domains
     o Registration of domains that look like popular domains
       • tvvitter.com, paypa1.com, ⅿicrosoft.com
     o Higher chances of maliciousness
       • Users arrive at these domains by clicking on malicious links

8. I heard some bits need help…
   • Dinaburg, in 2011, suggested that random bit-flips could happen in the memory of hardware that stores a domain name
     example.com
     01100101 01111000 01100001 …
     01100101 01111001 01100001 …
     eyample.com
     (the bytes shown are ‘e’, ‘x’, ‘a’; flipping the lowest bit of ‘x’, 0x78, gives ‘y’, 0x79)

9. Bitsquatting
   • To test his theory, Dinaburg registered 30 bitsquatting domains, targeting popular domains
     o E.g. mic2osoft.com and fbbdn.com
   • In 8 months, he received:
     o 52,317 requests from 12,949 unique IP addresses
     o Requests were:
       • From all over the world
       • From all popular OSs and browsers
       • Some clearly not user-initiated, like “Windows Updates”

10. Our question…
   • Given the crowded typosquatting field, were cybersquatters convinced by Dinaburg’s attack?
     o i.e., did they start registering bitsquatting domains?
   • Bitsquatting-domain generator and crawler
     o Generated all possible bitsquatting domains of the 500 targeted Alexa domains and investigated them daily, for nine months
     o Recorded HTML, inline JavaScript, redirections and destination IP addresses

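The generator behind slide 10, written out as an added example; this is not the authors' code. It applies the single-bit-flip model of slide 8 to every byte of a hostname and keeps only the variants a registrar would accept under the same TLD. The `is_registrable` filter and the `describe_flip` helper are my own additions for illustration.

```python
"""Single-bit-flip ("bitsquatting") domain generator.

Added example, not the authors' generator from the slides. It follows the
model on slide 8: one bit of one byte of a hostname held in memory flips, so
"example.com" can become "eyample.com" ('x' = 0x78, 'y' = 0x79).
"""
import string

# Letters, digits and hyphen (the LDH rule) are the only bytes a registrable
# hostname label may contain; DNS is case-insensitive, so upper case is folded.
LDH = frozenset(string.ascii_lowercase + string.digits + "-")


def is_registrable(candidate: str, tld: str) -> bool:
    """True if `candidate` keeps the original TLD and every other label is
    non-empty, LDH-only and does not start or end with a hyphen."""
    suffix = "." + tld
    if not candidate.endswith(suffix):
        return False
    labels = candidate[: -len(suffix)].split(".")
    return all(
        label and set(label) <= LDH and label[0] != "-" and label[-1] != "-"
        for label in labels
    )


def bitsquat_candidates(domain: str) -> list[str]:
    """Every distinct hostname reachable from `domain` by flipping exactly one
    bit, keeping only those that could be registered under the same TLD.
    Flips that hit the TLD, produce a non-ASCII or non-LDH byte, or only
    toggle the case bit (0x20) are discarded, the last because "Example.com"
    is the same domain as "example.com". A flip that turns a '.' into 'n'
    (0x2E ^ 0x40) or a letter into '.' changes the label structure but is
    still a valid, distinct name, so it is kept."""
    domain = domain.lower()
    if "." not in domain or not domain.isascii():
        raise ValueError("expected an ASCII domain name with a TLD")
    tld = domain.rsplit(".", 1)[1]
    raw = domain.encode("ascii")
    seen = {domain}
    out: list[str] = []
    for i, byte in enumerate(raw):
        for bit in range(8):
            flipped = byte ^ (1 << bit)
            if flipped > 0x7F:          # bit 7 set: never a valid label byte
                continue
            cand = (raw[:i] + bytes([flipped]) + raw[i + 1:]).decode("ascii").lower()
            if cand in seen or not is_registrable(cand, tld):
                continue
            seen.add(cand)
            out.append(cand)
    return out


def describe_flip(original: str, candidate: str) -> tuple[int, int]:
    """Locate the flipped bit: returns (byte offset, bit index) or raises if
    the two names do not differ by exactly one bit."""
    a = original.lower().encode("ascii")
    b = candidate.lower().encode("ascii")
    if len(a) != len(b):
        raise ValueError("a single bit flip preserves length")
    diffs = [(i, x ^ y) for i, (x, y) in enumerate(zip(a, b)) if x != y]
    if len(diffs) != 1 or diffs[0][1] & (diffs[0][1] - 1):
        raise ValueError("names do not differ by exactly one bit")
    offset, mask = diffs[0]
    return offset, mask.bit_length() - 1


if __name__ == "__main__":
    for name in bitsquat_candidates("example.com"):
        off, bit = describe_flip("example.com", name)
        print(f"{name:16} byte {off} bit {bit}")
```

Run on `example.com` the list contains the `eyample.com` of slide 8, and the same list is what a company would hand to its registrar for the defensive registration that slide 21 calls damage control. The case-bit filter matters in practice: a naive generator that does not fold case reports seven "candidates" per letter that all resolve to the original domain.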
11. Results
   • In 9 months, we discovered:
     o 5,366 different bitsquatting domains
     o targeting 491 of the 500 Alexa domains

12. Bitsquatting vs. typosquatting
   [Chart comparing typosquatting and bitsquatting; the only value legible in the export is 71.8%]

13. How are bitsquatting domains used?
   • How does one explore 5,366 domains, with possibly 9 months’ worth of data for each domain?
     o Bitsquatting, typosquatting and cybersquatting are all branches of the same tree
   • Prior research has shown that most “whitehat” cybersquatters use one of the following monetization techniques:
     o Parking pages
     o Affiliate abuse

14. Detecting parkers
   • Used the hosts identified as large parking agencies by Wang et al. [17], together with a simple extra heuristic
     o If any of these hosts appeared anywhere in the gathered data for a page (HTML, JavaScript, redirections), the page was flagged as parked
     o 2,782 domains were flagged as parked (51.8%)
   • Domain-parking agencies are the biggest facilitators of cybersquatters

15. Detecting affiliate abuse
   • Abusers of affiliate programs earn money through product commissions, with the help of unsuspecting users
     o constintcontact.com -> constantcontact.com?pn=aff123
   • 311 (5.7%) of the domains redirected the user back to the correct authoritative site
     o 211 belonged to the same company as the target
     o 58 were abusing affiliate programs
     o 42 were unclassified

16. Bitsquatting experiments
   • Hypothesis: Dinaburg’s idea sounds improbable, thus there must be people trying to recreate it
   • We searched each bitsquatting page for keywords that would give away the experiment
     o bitsquatting, squatting, experiment
   • 61 of the 5,366 domains were classified as experiments
     o E.g. iozilla.org and wozdpress.com

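The three automated signals of slides 14, 15 and 16 (parking hosts anywhere in the gathered data, a redirect back to the target with or without an affiliate parameter, and experiment keywords) as one small classifier. This is an added example, not the authors' crawler: the crawl records are constructed, `PARKING_HOSTS` is a placeholder for the Wang et al. list (not reproduced here), `AFFILIATE_KEYS` is an assumed set of parameter names, and `registered_domain` is a deliberate two-label shortcut.

```python
"""Heuristic classification of crawled bitsquatting pages.

Added example, not the authors' crawler or classifier. It applies the three
signals described on slides 14-16 to constructed crawl records. PARKING_HOSTS
stands in for the Wang et al. parking-agency list, and AFFILIATE_KEYS is an
assumed set of affiliate parameter names.
"""
import re
from urllib.parse import parse_qsl, urlsplit

PARKING_HOSTS = {"parking.example", "parkedpages.example"}        # placeholder list
AFFILIATE_KEYS = {"aff", "affid", "affiliate", "pn", "ref", "tag"}  # assumed names
EXPERIMENT_WORDS = ("bitsquatting", "squatting", "experiment")      # slide 16
HOST_RE = re.compile(r"https?://([a-z0-9.-]+)", re.IGNORECASE)


def registered_domain(host: str) -> str:
    """Last two labels of a host. Good enough for the .com/.org samples here;
    production code should use the Public Suffix List (co.uk etc.)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def referenced_hosts(record: dict) -> set[str]:
    """Every host named in the page body, its inline scripts or its redirects."""
    text = record["html"] + "\n" + "\n".join(record["scripts"])
    hosts = {h.lower() for h in HOST_RE.findall(text)}
    for url in record["redirects"]:
        host = urlsplit(url).hostname
        if host:
            hosts.add(host)
    return hosts


def classify(record: dict) -> str:
    # Slide 14: a parking-agency host anywhere in the gathered data -> parked.
    if any(registered_domain(h) in PARKING_HOSTS for h in referenced_hosts(record)):
        return "parked"
    # Slide 15: final redirect lands on the target's own registered domain;
    # an affiliate-looking parameter separates abuse from same-owner redirects.
    if record["redirects"]:
        final = urlsplit(record["redirects"][-1])
        if registered_domain(final.hostname or "") == registered_domain(record["target"]):
            params = parse_qsl(final.query)
            if any(k.lower() in AFFILIATE_KEYS or v.lower().startswith("aff") for k, v in params):
                return "affiliate-abuse"
            return "redirect-to-target"
    # Slide 16: keywords that give away a bitsquatting experiment.
    body = (record["html"] + " " + " ".join(record["scripts"])).lower()
    if any(word in body for word in EXPERIMENT_WORDS):
        return "experiment"
    return "unclassified"


# Constructed crawl records (not real measurements).
SAMPLE_CRAWL = [
    {"domain": "mic2osoft.com", "target": "microsoft.com",
     "html": '<html><body><script src="http://cdn.parking.example/park.js"></script></body></html>',
     "scripts": [], "redirects": ["http://mic2osoft.com/"]},
    {"domain": "constintcontact.com", "target": "constantcontact.com",
     "html": "", "scripts": [],
     "redirects": ["http://constintcontact.com/", "http://www.constantcontact.com/?pn=aff123"]},
    {"domain": "eyample.com", "target": "example.com",
     "html": "", "scripts": [],
     "redirects": ["http://eyample.com/", "https://www.example.com/"]},
    {"domain": "iozilla.org", "target": "mozilla.org",
     "html": "<h1>Bitsquatting experiment</h1><p>Your request has been logged.</p>",
     "scripts": [], "redirects": ["http://iozilla.org/"]},
    {"domain": "excmple.com", "target": "example.com",
     "html": "<html><body><h1>Welcome</h1></body></html>",
     "scripts": ["document.title = 'Welcome';"], "redirects": []},
]


def classify_all(records=SAMPLE_CRAWL) -> dict[str, str]:
    return {r["domain"]: classify(r) for r in records}


if __name__ == "__main__":
    for domain, category in classify_all().items():
        print(f"{domain:22} {category}")
```

The order of the checks follows the slides: a parked page is decided first because parking scripts often also redirect, and the redirect test compares registered domains rather than full hosts so that `www.constantcontact.com` still counts as the target. Pages that none of the three signals catch are exactly the remainder that slide 17 sends to manual analysis.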
17. Need for further classification
   • Using our automated methods, we were able to classify more than half of all the bitsquatting pages
   • To estimate the classes of the rest, we chose a 10% random sample, which we manually analyzed
     o Checked source, WHOIS records, DBs of malicious sites

18. Results
   Category              Percentage
   Legitimately owned    40.0%
   Parked                15.4%
   Redirect              15.0%
   For sale              10.0%
   Non-syndicated ads     6.8%
   Other                  6.8%
   Malware                3.2%
   Empty                  2.7%

19. Results (continued; same table as slide 18)
   Overall: more than 73% of the discovered bitsquatting domains were exploited for profit

20. Huffingtonpost.com Case Study

21. Defenses
   • Hardware based
     o Global use of ECC memory
   • Software based
     o Sanity checks by software to detect unexpected modifications
     o DNSSEC
   • Damage control
     o Companies register these domains before attackers do
   • Incentive removal
     o Thousands of cybersquatters flock around tens of domain-parking agencies

22. Conclusion
   • As the web expands, domain names can only become more popular
   • Bitsquatting is a new type of domain squatting, relying on hardware failures rather than user mistakes
   • The verdict is still out on the magnitude of the bitsquatting problem and the practicality of the attack
   • Cybersquatters, however, are using it in exactly the same way as other types of domain squatting

23. nick.nikiforakis@cs.kuleuven.be
   http://www.securitee.org