Bitsquatting: Exploiting bit-flips for fun, or profit?
Bitsquatting Exploiting Bit-Flips for Fun, or Profit?
Nick Nikiforakis, Steven Van Acker, Wannes Meert, Lieven Desmet, Frank Piessens, Wouter Joosen
WWW 2013
Humble beginnings
• There was a time when the Internet wasn’t yet a big thing
  o Some sites existed, and people were starting to register domain names
  o But many were skeptical
• Some, however, were registering domains by the dozens
  o Speculators
    • wine.com
    • cheapairlinetickets.com
    • traveltobrazil.com
Cybersquatters
• In 1994, 2/3 of the Fortune 500 companies had not registered the domains corresponding to their trademarks [13]
  o E.g. mcdonalds.com
• Some of the speculators decided to push it a bit further by registering such domains, hoping for profit
  o This practice was named “cybersquatting”
• In some cases, cybersquatters speculated on the names of future products and services:
  o iphone6.com
WWW2012.ORG
WWW2013.ORG
WWW2016.ORG
Cybersquatting evolves
• Typosquatting
  o Keyboard users, even experienced ones, make mistakes while typing
  o Registration of mistypes of popular domains
    • foogle.com, ffacebook.com, twitte.com
• Homograph domains
  o Registration of domains that look like popular domains
    • tvvitter.com, paypa1.com, ⅿicrosoft.com
  o Higher chances of maliciousness
    • Users arrive at these domains by clicking on malicious links
I heard some bits need help…
• Dinaburg, in 2011, suggested that random bit-flips could happen in the hardware memory that stores a domain name
example.com
01100101 01111000 01100001…
01100101 01111001 01100001…
eyample.com
Bitsquatting
• To test his theory, Dinaburg registered 30 bitsquatting domains, targeting popular domains
  o E.g. mic2osoft.com and fbbdn.com
• In 8 months, he received:
  o 52,317 requests from 12,949 unique IP addresses
  o Requests were:
    • From all over the world
    • All popular OSs and browsers
    • Some clearly not user-initiated, like “Windows Updates”
Our question…
• Given the crowded typosquatting field, were cybersquatters convinced by Dinaburg’s attack?
  o i.e., did they start registering bitsquatting domains?
• Bitsquatting-domain generator and crawler
  o Investigated all possible bitsquatting domains daily, for nine months
  o Recorded HTML, inline JavaScript, redirections and destination IP addresses
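The following is an added example, written for this transcript and not the authors' or Dinaburg's generator, that turns the example.com → eyample.com picture from the earlier slide into the enumeration step a crawler (or a domain owner deciding which variants to pre-register or watch in DNS logs) needs: every character of the label is one ASCII byte, one bit of that byte is flipped, and the result is kept only if it is still a valid hostname character and not merely a change of case. Mutating only the second-level label and keeping the TLD is a simplification assumed here; the page's own examples (mic2osoft.com, fbbdn.com, iozilla.org, wozdpress.com) all fall out of it.

```python
"""Single-bit-flip neighbours of a domain name (added example, not the paper's tool)."""
import string

# Characters allowed in a DNS label (letters, digits, hyphen). Case is ignored
# because DNS is case-insensitive: a flip that only changes 'e' to 'E' does
# not produce a new domain.
LDH = set(string.ascii_lowercase + string.digits + "-")


def bit_distance(a: str, b: str) -> int:
    """Number of differing bits between two equal-length ASCII strings."""
    return sum(bin(ord(x) ^ ord(y)).count("1") for x, y in zip(a, b))


def bitsquat_variants(domain: str) -> list:
    """Return the sorted list of registrable one-bit-flip variants of `domain`.

    Assumed simplification: only the second-level label is mutated and the
    TLD is kept, since a flipped bit inside 'com' or 'org' rarely yields a
    TLD anyone can register under.
    """
    label, dot, tld = domain.lower().partition(".")
    variants = set()
    for i, ch in enumerate(label):
        for bit in range(8):
            flipped = ord(ch) ^ (1 << bit)
            if flipped > 0x7F:              # bit 7 set: no longer ASCII
                continue
            c = chr(flipped).lower()
            if c not in LDH or c == ch:     # non-LDH byte, or a case-only change
                continue
            candidate = label[:i] + c + label[i + 1:]
            if candidate.startswith("-") or candidate.endswith("-"):
                continue                    # labels may not begin or end with '-'
            variants.add(candidate + dot + tld)
    return sorted(variants)


if __name__ == "__main__":
    for v in bitsquat_variants("example.com"):
        print(v)
```

Because every candidate is exactly one bit away from the original, the same list doubles as a watch-list: a passive-DNS or proxy log entry whose hostname has `bit_distance` 1 from one of your own domains is either a squatter or a machine with a faulty memory module.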
Results
• In 9 months, we discovered:
  o 5,366 different bitsquatting domains
  o Targeting 491/500 Alexa domains
Bitsquatting vs. typosquatting
Typosquatting Bitsquatting
71.8%
How are bitsquatting domains used?
• How does one explore 5,336 domains, with possibly 9 months’ worth of data for each domain?
  o Bitsquatting, typosquatting and cybersquatting are all branches of the same tree
• Prior research has shown that most “whitehat” cybersquatters use one of the following monetization techniques:
  o Parking pages
  o Affiliate abuse
Detecting parkers
• Used the hosts identified as large parking agencies by Wang et al. [17], together with a simple extra heuristic
  o If these hosts appeared anywhere in the gathered pages (HTML, JavaScript, redirections), the page was flagged as parked
  o 2,782 domains were flagged as parked (51.8%)
• Domain-parking agencies are the biggest facilitators of cybersquatters
Detecting affiliate abuse
• Abusers of affiliate programs earn money from product commissions, with the help of unsuspecting users
  o constintcontact.com -> constantcontact.com?pn=aff123
• 311 (5.7%) of the domains redirected the user back to the correct authoritative site
  o 211 belonged to the same company
  o 58 were abusing affiliate programs
  o 42 were unclassified
Bitsquatting experiments
• Hypothesis: Dinaburg’s idea sounds improbable, thus there must be people trying to recreate it
• We searched each bitsquatting page for keywords that would give away the experiment
  o bitsquatting, squatting, experiment
• 61 of the 5,366 domains were classified as experiments
  o E.g. iozilla.org and wozdpress.com
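The three automated heuristics from the parking, affiliate-abuse and experiment slides combine into one small classifier. The code below is an added example, not the authors' pipeline: a page is "parked" if a known parking host appears anywhere in its HTML, JavaScript or redirect chain; a page whose final redirect lands on the authoritative domain is "affiliate-abuse" if the URL carries an affiliate parameter and "redirect-to-owner" otherwise; a page mentioning the keywords bitsquatting, squatting or experiment is an "experiment"; everything else is left for manual review. The parking hosts (under the reserved `.example` TLD), the crawl records, and the affiliate parameter names other than the slide's `pn` are constructed placeholders; the paper used the host list of Wang et al. [17].

```python
"""Classify crawled bitsquatting pages (added example, not the paper's pipeline)."""
import re
from urllib.parse import parse_qs, urlparse

PARKING_HOSTS = {"park-agency-a.example", "park-agency-b.example"}  # constructed placeholders
EXPERIMENT_KEYWORDS = ("bitsquatting", "squatting", "experiment")   # from the slide
AFFILIATE_PARAMS = {"pn", "aff", "ref"}   # 'pn' is the slide's example; the others are assumed

HOST_RE = re.compile(r"https?://([a-z0-9.-]+)", re.I)


def hosts_in(text: str) -> set:
    """All hostnames referenced by absolute URLs in a blob of HTML, JS or a bare URL."""
    return {h.lower() for h in HOST_RE.findall(text)}


def classify(record: dict, target: str) -> str:
    """record = {'html': str, 'js': str, 'redirects': [url, ...]}; target = authoritative domain."""
    seen = set()
    for blob in [record["html"], record["js"], *record["redirects"]]:
        seen |= hosts_in(blob)
    if seen & PARKING_HOSTS:                      # heuristic 1: parking agency anywhere
        return "parked"
    if record["redirects"]:                       # heuristic 2: sent back to the real site?
        final = urlparse(record["redirects"][-1])
        host = (final.hostname or "").lower()
        if host == target or host.endswith("." + target):
            if set(parse_qs(final.query)) & AFFILIATE_PARAMS:
                return "affiliate-abuse"
            return "redirect-to-owner"
    body = (record["html"] + " " + record["js"]).lower()
    if any(k in body for k in EXPERIMENT_KEYWORDS):  # heuristic 3: self-declared experiment
        return "experiment"
    return "unclassified"


# Constructed crawl records: bitsquatting domain -> (authoritative domain, record).
# The first record reproduces the slide's constintcontact.com example; the page
# contents attached to the other domains are invented for this example.
SAMPLE_CRAWL = {
    "constintcontact.com": ("constantcontact.com", {
        "html": "", "js": "",
        "redirects": ["https://constantcontact.com?pn=aff123"]}),
    "eyample.com": ("example.com", {
        "html": '<script src="https://park-agency-a.example/park.js"></script>',
        "js": "", "redirects": []}),
    "iozilla.org": ("mozilla.org", {
        "html": "<p>This host is part of a bitsquatting experiment.</p>",
        "js": "", "redirects": []}),
    "exampld.com": ("example.com", {
        "html": "", "js": "",
        "redirects": ["https://www.example.com/"]}),
    "exemple.com": ("example.com", {
        "html": "<h1>Coming soon</h1>", "js": "", "redirects": []}),
}


def summarize(crawl=SAMPLE_CRAWL) -> dict:
    """Count how many crawled domains fall into each class."""
    counts = {}
    for domain, (target, record) in crawl.items():
        cls = classify(record, target)
        counts[cls] = counts.get(cls, 0) + 1
    return counts


if __name__ == "__main__":
    for domain, (target, record) in SAMPLE_CRAWL.items():
        print(f"{domain:22} -> {classify(record, target)}")
    print(summarize())
```

The order of the checks matters: a redirect that passes through a parking agency before reaching the owner is still parking, so the parking test runs first; and the keyword test runs last because parked pages routinely contain the word "domain" but rarely "bitsquatting".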
Need for further classification
• Using our automated methods, we were able to classify more than half of all the bitsquatting pages
• To estimate the classes of the rest, we chose a 10% random sample, which we manually analyzed
  o Checked page source, WHOIS records and databases of malicious sites
Results
Category Percentage
Legitimately owned 40.0%
Parked 15.4%
Redirect 15.0%
For sale 10.0%
Non-syndicated ads 6.8%
Other 6.8%
Malware 3.2%
Empty 2.7%
Overall:
More than 73% of the discovered bitsquatting domains were exploited for profit
Huffingtonpost.com Case Study
Defenses
• Hardware Based
  o Global use of ECC memory
• Software Based
  o Sanity checks by software to detect unexpected modifications
  o DNSSEC
• Damage Control
  o Companies register these domains before attackers do
• Incentive Removal
  o Thousands of cybersquatters flock around tens of domain parking agencies
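As an added illustration of the "sanity checks by software" defense (this is example code written for the transcript, not anything from the paper), the class below keeps a CRC-32 beside the bytes of a hostname and re-checks it immediately before the name would be handed to the resolver. CRC-32 detects every single-bit error, which is exactly the fault model bitsquatting relies on, so a corrupted copy is refused instead of being silently resolved to the squatter's domain. The `corrupt` method is a test hook that stands in for a faulty DRAM cell; `resolve_target` is a hypothetical wrapper showing where the check would sit.

```python
"""Integrity-guarded hostname (added example, not from the paper)."""
import zlib


class GuardedHostname:
    """Hostname bytes plus a CRC-32 computed when the name was known to be good."""

    def __init__(self, name: str):
        self._buf = bytearray(name.encode("ascii"))
        self._crc = zlib.crc32(self._buf)

    def is_intact(self) -> bool:
        return zlib.crc32(self._buf) == self._crc

    def get(self) -> str:
        """Return the hostname, or raise if the buffer no longer matches its CRC."""
        if not self.is_intact():
            raise ValueError("hostname buffer corrupted; refusing to resolve")
        return self._buf.decode("ascii")

    def corrupt(self, index: int, bit: int) -> None:
        """Test hook: flip one bit of the stored name, as a faulty memory cell might."""
        self._buf[index] ^= 1 << bit


def resolve_target(guard: GuardedHostname):
    """Hypothetical resolver wrapper: the verified name, or None if the check fails."""
    try:
        return guard.get()
    except ValueError:
        return None


if __name__ == "__main__":
    g = GuardedHostname("example.com")
    print(resolve_target(g))        # example.com
    g.corrupt(1, 0)                 # 'x' (0x78) becomes 'y' (0x79): eyample.com
    print(bytes(g._buf), resolve_target(g))
```

The check costs one CRC over a few dozen bytes per lookup and catches the corruption at the last possible moment before it leaves the process; ECC memory, listed on the same slide, catches it earlier and without application changes, which is why the two are complementary rather than alternatives.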
Conclusion
• As the web expands, domain names can only become more popular
• Bitsquatting is a new type of domain squatting, relying on hardware failures rather than user mistakes
• The verdict is still out on the magnitude of the bitsquatting problem and the practicality of the attack
• Cybersquatters, however, are using it in exactly the same way as other types of domain squatting