More Related Content
Similar to Bitsquatting: Exploiting bit-flips for fun, or profit?
Similar to Bitsquatting: Exploiting bit-flips for fun, or profit? (20)
Recently uploaded
Recently uploaded (20)
Bitsquatting: Exploiting bit-flips for fun, or profit?
- 1. Bitsquatting Exploiting Bit-Flips for Fun, or Profit? Nick Nikiforakis, Steven Van Acker, Wannes Meert, Lieven Desmet. Frank Piessens, Wouter Joosen WWW 2013
- 2. Humble beginnings • There was a time when the Internet wasn’t yet a big thing o Some sites existed, and people were starting to register domain names o But many were skeptical • Some, however, were registering domains by the dozens o Speculators • wine.com • cheapairlinetickets.com • traveltobrazil.com
- 3. Cybersquatters • In 1994, 2/3 of the Fortune 500 companies had not registered the domains corresponding to their trademarks[13] o E.g. mcdonalds.com • Some of the speculators, decided to push it a bit by registering such domains, hoping for profit o This practice was named “cybersquatting” • In some cases, cybersquatters speculated the name of future products and services: o iphone6.com
- 4. WWW2012.ORG
- 5. WWW2013.ORG
- 6. WWW2016.ORG
- 7. Cybersquatting evolves • Typosquatting o Keyboard users, even experienced ones, make mistakes while typing o Registration of mistypes of popular domains • foogle.com, ffacebook.com, twitte.com • Homograph domains o Registration of domains that look like, popular domains • tvvitter.com, paypa1.com, ⅿicrosoft.com o Higher chances of maliciousness • Users arrive to these domains by clicking on malicious links
- 8. I heard some bits need help… • Dinaburg, in 2011, suggested that random bit-flips could happen in memory of hardware, storing a domain name example.com 01100101 01111000 01100001… 01100101 01111001 01100001… eyample.com
- 9. Bitsquatting • To test his theory, Dinaburg registered 30 bitsquatting domains, targeting popular domains o E.g. mic2osoft.com and fbbdn.com • In 8 months, he received: o 52,317 requests from 12,949 unique IP addresses o Requests were: • From all over the world • All popular OSs and browsers • Some clearly not user-initiated, like “Windows Updates”
- 10. Our question… • Given the crowded typosquatting field, were cybersquatters convinced by Dinaburg’s attack? o i.e., did they started registering bitsquatting domains? • Bitsquatting-domain generator and crawler o Investigated all possible bitsquatting domains daily, for nine months. o Recorded, HTML, inline JavaScript, redirections and destination IP addresses
- 11. Results • In 9 months, we discovered: o 5,366 different bitsquatting domains o Targeting 491/500 Alexa domains
- 12. Bitsquatting vs. typosquatting Typosquatting Bitsquatting 71.8%
- 13. How are bitsquatting domains used? • How does one explore 5,336 domains, with possibly 9 months worth of data for each domain? o Bitsquatting, typosquatting, cybersquatting are all branches of the same tree • Prior research has shown that most “whitehat” cybersquatters use one of the following monetization techniques: o Parking pages o Affiliate abuse
- 15. Detecting parkers • Used the hosts identified as large parking agencies by Wang et al [17], together with a simple extra heuristic o If these hosts appeared in any place in the gathered pages (HTML, JavaScript, redirections), the page was flagged as parked o 2,782 domains were flagged as parked (51.8%) • Domain-parking agencies are the biggest facilitators of cybersquatters
- 16. Detecting affiliate abuse • Abusers of affiliate programs gain money by product commissions, with the help of unsuspecting users o constintcontact.com -> constantcontact.com?pn=aff123 • 311 (5.7%) of the domains redirected the user back to the correct authoritative site o 211 belonged to the same company o 58 were abusing affiliate programs o 42 were unclassified
- 17. Bitsquatting experiments • Hypothesis: Dinaburg’s idea sounds improbable, thus there must be people trying to recreate it • We searched each bitsquatting page for keywords that would give away the experiment o bitsquatting, squatting, experiment • 61 of the 5,366 domains were classified as experiments o E.g. iozilla.org and wozdpress.com
- 18. Need for further classification • Using our automated methods, we were able to classify more than half of all the bitsquatting pages • To estimate the classes of the rest, we chose a 10% random sample, which we manually analyzed o Check source, WHOIS records, DBs of malicious sites
- 19. Results Category Percentage Legitimately owned 40.0% Parked 15.4% Redirect 15.0% For sale 10.0% Non-syndicated ads 6.8% Other 6.8% Malware 3.2% Empty 2.7%
- 20. Results Category Percentage Legitimately owned 40.0% Parked 15.4% Redirect 15.0% For sale 10.0% Non-syndicated ads 6.8% Other 6.8% Malware 3.2% Empty 2.7% Overall: More than 73% of the discovered bitsquatting domains were exploited for profit
- 22. Defenses • Hardware Based o Global use of ECC memory • Software Based o Sanity checks by software to detect unexpected modifications o DNSSEC • Damage Control o Companies register these domains before attackers do • Incentive Removal o Thousands of cybersquatters flock around tens of domain parking agencies
- 23. Conclusion • As the web expands, domain names can only become more popular • Bitsquatting is a new type of domain squatting, relying on hardware failures rather than user mistakes • Verdict is still out on the magnitute of the bitsquatting problem and the practicality of the attack • Cybersquatters, however, are using it in exactly the same way as other types of domain squatting