
Bitsquatting: Exploiting bit-flips for fun, or profit?

Date post: 26-May-2015
Slides of the paper titled "Bitsquatting: Exploiting bit-flips for fun, or profit?", presented at WWW 2013.
Page 1: Bitsquatting: Exploiting bit-flips for fun, or profit?

Bitsquatting Exploiting Bit-Flips for Fun, or Profit?

Nick Nikiforakis, Steven Van Acker, Wannes Meert, Lieven Desmet. Frank Piessens, Wouter Joosen

WWW 2013

Page 2

Humble beginnings

• There was a time when the Internet wasn’t yet a big thing
  o Some sites existed, and people were starting to register domain names
  o But many were skeptical

• Some, however, were registering domains by the dozens
  o Speculators
    • wine.com
    • cheapairlinetickets.com
    • traveltobrazil.com

Page 3

Cybersquatters

• In 1994, 2/3 of the Fortune 500 companies had not registered the domains corresponding to their trademarks [13]
  o E.g. mcdonalds.com

• Some of the speculators decided to push it a bit further by registering such domains, hoping for profit
  o This practice was named “cybersquatting”

• In some cases, cybersquatters speculated on the names of future products and services:
  o iphone6.com

Page 4

WWW2012.ORG

Page 5

WWW2013.ORG

Page 6

WWW2016.ORG

Page 7

Cybersquatting evolves

• Typosquatting
  o Keyboard users, even experienced ones, make mistakes while typing
  o Registration of mistyped versions of popular domains
    • foogle.com, ffacebook.com, twitte.com

• Homograph domains
  o Registration of domains that look like popular domains
    • tvvitter.com, paypa1.com, ⅿicrosoft.com
  o Higher chances of maliciousness
    • Users arrive at these domains by clicking on malicious links

Page 8

I heard some bits need help…

• Dinaburg, in 2011, suggested that random bit-flips could happen in the memory of hardware that is storing a domain name

example.com

01100101 01111000 01100001…

01100101 01111001 01100001…

eyample.com

Page 9

Bitsquatting

• To test his theory, Dinaburg registered 30 bitsquatting domains, targeting popular domains
  o E.g. mic2osoft.com and fbbdn.com

• In 8 months, he received:
  o 52,317 requests from 12,949 unique IP addresses
  o Requests were:
    • From all over the world
    • All popular OSs and browsers
    • Some clearly not user-initiated, like “Windows Updates”

Page 10

Our question…

• Given the crowded typosquatting field, were cybersquatters convinced by Dinaburg’s attack?
  o i.e., did they start registering bitsquatting domains?

• Bitsquatting-domain generator and crawler
  o Investigated all possible bitsquatting domains daily, for nine months
  o Recorded HTML, inline JavaScript, redirections and destination IP addresses
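The generator behind Pages 8 and 10 is easy to reconstruct: for every byte of a domain name, flip each of its eight bits and keep the results that are still valid host names. The Python below is an added example written for this page, not the authors' generator; it is the kind of enumeration a domain owner runs to decide which one-bit-flip variants of its own name to register or watch (the "damage control" defense on Page 22). Assumptions: only the lowercase LDH alphabet is considered valid (a flip to an uppercase letter names the same domain), a label may not start or end with a hyphen, and the TLD label is skipped unless `include_tld=True`.

```python
import string
from typing import Optional, Set, Tuple

# Characters allowed in a DNS label (letters, digits, hyphen). A flip that
# produces an uppercase letter is ignored: DNS is case-insensitive, so it
# names the same domain, not a bitsquatting variant.
VALID_LABEL_CHARS = set(string.ascii_lowercase + string.digits + "-")


def bitflip_variants(domain: str, include_tld: bool = False) -> Set[str]:
    """Return every host name that differs from `domain` by exactly one
    flipped bit and is still a syntactically valid DNS name.

    By default the last label (the TLD) is left untouched, since a flipped
    TLD is rarely something a defender can register or monitor.
    """
    domain = domain.lower()
    labels = domain.split(".")
    editable = labels if include_tld else labels[:-1]
    variants: Set[str] = set()
    for li, label in enumerate(editable):
        for ci, ch in enumerate(label):
            for bit in range(8):
                flipped = chr(ord(ch) ^ (1 << bit))
                if flipped not in VALID_LABEL_CHARS:
                    continue  # flip produced '.', a control byte or a non-ASCII byte
                new_label = label[:ci] + flipped + label[ci + 1:]
                if new_label.startswith("-") or new_label.endswith("-"):
                    continue  # labels may not begin or end with a hyphen
                candidate = ".".join(labels[:li] + [new_label] + labels[li + 1:])
                variants.add(candidate)
    variants.discard(domain)
    return variants


def flip_position(original: str, variant: str) -> Optional[Tuple[int, int]]:
    """Return (character index, bit index) of the single flipped bit that
    turns `original` into `variant`, or None if they do not differ by one bit.
    Example: flip_position("example.com", "eyample.com") == (1, 0)."""
    if len(original) != len(variant):
        return None
    diffs = [(i, ord(a) ^ ord(b))
             for i, (a, b) in enumerate(zip(original, variant)) if a != b]
    if len(diffs) != 1:
        return None
    idx, xor = diffs[0]
    if xor & (xor - 1):  # more than one bit differs inside this byte
        return None
    return idx, xor.bit_length() - 1


if __name__ == "__main__":
    # The slides' own examples: eyample.com, mic2osoft.com and fbbdn.com each
    # sit one bit away from the domain they shadow.
    for target in ("example.com", "microsoft.com", "fbcdn.com"):
        found = bitflip_variants(target)
        print(f"{target}: {len(found)} single-bit-flip variants")
        for v in sorted(found)[:5]:
            print("   ", v, "flipped at (index, bit) =", flip_position(target, v))
```

Running it against your own domain gives the list to feed into a registrar or a passive-DNS watch; the `flip_position` helper is handy when triaging a suspicious name, because it tells you which byte and bit would have had to fail for a user to land there by accident rather than by design.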

Page 11

Results

• In 9 months, we discovered:
  o 5,366 different bitsquatting domains
  o Targeting 491/500 Alexa domains

Page 12

Bitsquatting vs. typosquatting

[Chart comparing typosquatting and bitsquatting; only the value 71.8% survives from the slide]

Page 13

How are bitsquatting domains used?

• How does one explore 5,336 domains, with possibly 9 months worth of data for each domain?
  o Bitsquatting, typosquatting, cybersquatting are all branches of the same tree

• Prior research has shown that most “whitehat” cybersquatters use one of the following monetization techniques:
  o Parking pages
  o Affiliate abuse

Page 14

Page 15

Detecting parkers

• Used the hosts identified as large parking agencies by Wang et al. [17], together with a simple extra heuristic
  o If these hosts appeared in any place in the gathered pages (HTML, JavaScript, redirections), the page was flagged as parked
  o 2,782 domains were flagged as parked (51.8%)

• Domain-parking agencies are the biggest facilitators of cybersquatters

Page 16

Detecting affiliate abuse

• Abusers of affiliate programs gain money by product commissions, with the help of unsuspecting users
  o constintcontact.com -> constantcontact.com?pn=aff123

• 311 (5.7%) of the domains redirected the user back to the correct authoritative site
  o 211 belonged to the same company
  o 58 were abusing affiliate programs
  o 42 were unclassified
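The two heuristics on Pages 15 and 16 are simple enough to write down as a classifier over the crawler's stored data: a page is "parked" if a known parking host shows up anywhere in its HTML, inline JavaScript or redirect chain, and a domain that redirects back to the authoritative site is either the owner's own defensive registration or an affiliate abuser, depending on the tracking parameter on the final URL. The following Python is an added example written for this page, not the authors' crawler. Assumptions: the parking host names are constructed placeholders (the real list came from Wang et al. [17]), the affiliate query keys are an assumed list seeded with the slide's `pn` example, the sample crawl records are constructed, and "same owner" is approximated by comparing the last two labels of the host name.

```python
from typing import Dict, List
from urllib.parse import parse_qs, urlparse

# Constructed placeholder host names standing in for the parking agencies
# the paper took from Wang et al. [17]; a real deployment would load that list.
PARKING_HOSTS = {"park-agency-a.example", "park-agency-b.example"}

# Assumed query-string keys that commonly carry an affiliate identifier;
# the slide's own example is "?pn=aff123".
AFFILIATE_KEYS = {"pn", "aff", "affid", "ref", "tag"}


def registrable_part(host: str) -> str:
    """Crude owner-of-domain comparison: keep the last two labels.
    (Does not handle multi-label public suffixes such as co.uk.)"""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify_page(record: Dict, target: str) -> str:
    """Classify one crawled bitsquatting domain.

    `record` holds what the crawler stored: final HTML, inline scripts and
    the list of redirect URLs followed. `target` is the legitimate domain
    that the bitsquatting domain is one bit-flip away from.
    """
    # Parking heuristic (Page 15): a known parking host appearing anywhere in
    # HTML, JavaScript or the redirect chain marks the page as parked.
    blobs: List[str] = ([record.get("html", "")]
                        + record.get("scripts", [])
                        + record.get("redirects", []))
    for blob in blobs:
        low = blob.lower()
        if any(host in low for host in PARKING_HOSTS):
            return "parked"

    # Redirect heuristic (Page 16): did the visitor end up back at the
    # authoritative site, and was an affiliate tag attached on the way?
    redirects = record.get("redirects", [])
    if redirects:
        final = urlparse(redirects[-1])
        if registrable_part(final.hostname or "") == registrable_part(target):
            keys = {k.lower() for k in parse_qs(final.query)}
            if keys & AFFILIATE_KEYS:
                return "affiliate-redirect"  # commission claimed on a user who never chose the affiliate
            return "redirect-to-owner"       # consistent with the trademark holder's own registration
    return "unclassified"


# Constructed sample crawl records, one per bitsquatting domain; the domain
# names themselves are the slides' own examples.
SAMPLE_RECORDS = {
    "constintcontact.com": {
        "html": "<html><body>redirecting...</body></html>",
        "scripts": [],
        "redirects": ["http://constintcontact.com/",
                      "http://www.constantcontact.com/?pn=aff123"],
    },
    "eyample.com": {
        "html": "<html><head><title>eyample.com</title></head><body></body></html>",
        "scripts": ["var feed = 'http://park-agency-a.example/feed?d=eyample.com';"],
        "redirects": [],
    },
    "fbbdn.com": {
        "html": "<html><body>moved</body></html>",
        "scripts": [],
        "redirects": ["http://fbbdn.com/", "https://www.fbcdn.com/"],
    },
    "mic2osoft.com": {
        "html": "<html><body><h1>Hello world</h1></body></html>",
        "scripts": [],
        "redirects": [],
    },
}

TARGETS = {
    "constintcontact.com": "constantcontact.com",
    "eyample.com": "example.com",
    "fbbdn.com": "fbcdn.com",
    "mic2osoft.com": "microsoft.com",
}


def classify_all() -> Dict[str, str]:
    """Run the classifier over every constructed sample record."""
    return {d: classify_page(r, TARGETS[d]) for d, r in SAMPLE_RECORDS.items()}


if __name__ == "__main__":
    for domain, label in classify_all().items():
        print(f"{domain:22s} -> {label}")
```

The parking check is deliberately broad (substring match over everything the crawler kept), which is why it catches the `eyample.com` record through a script URL rather than the HTML; the residual "unclassified" bucket is what the slides go on to sample and inspect by hand on Page 18.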

Page 17

Bitsquatting experiments

• Hypothesis: Dinaburg’s idea sounds improbable, thus there must be people trying to recreate it

• We searched each bitsquatting page for keywords that would give away the experiment
  o bitsquatting, squatting, experiment

• 61 of the 5,366 domains were classified as experiments
  o E.g. iozilla.org and wozdpress.com

Page 18

Need for further classification

• Using our automated methods, we were able to classify more than half of all the bitsquatting pages

• To estimate the classes of the rest, we chose a 10% random sample, which we manually analyzed
  o Check source, WHOIS records, DBs of malicious sites

Page 19

Results

Category             Percentage
Legitimately owned   40.0%
Parked               15.4%
Redirect             15.0%
For sale             10.0%
Non-syndicated ads    6.8%
Other                 6.8%
Malware               3.2%
Empty                 2.7%

Page 20

Results (same table as Page 19)

Overall:

More than 73% of the discovered bitsquatting domains were exploited for profit

Page 21

Huffingtonpost.com Case Study

Page 22

Defenses

• Hardware Based
  o Global use of ECC memory

• Software Based
  o Sanity checks by software to detect unexpected modifications
  o DNSSEC

• Damage Control
  o Companies register these domains before attackers do

• Incentive Removal
  o Thousands of cybersquatters flock around tens of domain parking agencies

Page 23

Conclusion

• As the web expands, domain names can only become more popular

• Bitsquatting is a new type of domain squatting, relying on hardware failures rather than user mistakes

• The verdict is still out on the magnitude of the bitsquatting problem and the practicality of the attack

• Cybersquatters, however, are using it in exactly the same way as other types of domain squatting

Page 24

[email protected]
http://www.securitee.org

