Otto
Advanced
- Joined
- 22.09.20
- Messages
- 104
- Reaction score
- 423
- Points
- 63
Bitsquatting is based on a concept known as bit manipulation or bit flipping.
A security researcher under the pseudonym Remy managed to successfully implement on the Microsoft domain (windows.com) an attack called bitsquatting.
Bitsquatting is an attack in which attackers register a fake domain name that differs from the original one by one bit. Bitsquatting resembles another attack, typesquatting, in which domain names are registered that are similar to the original resources, but differ from them by one or more characters. However, unlike typesquatting, which relies on the user typing an address and not noticing the error, bitsquatting does not require any action on the part of the user.
Bitsquatting is based on a concept known as bit manipulation or bit flipping, through which attackers can automate their attacks and steal traffic.
In the computer world, all data is stored as zeros and ones (bits). The same goes for domains. For example, in the volatile memory of a computer windows.com becomes 01110111 [...]. But what if for some reason one of the bits automatically switches from one state to another (1 turns into 0 or vice versa)?.
"Now let's imagine that an overheated computer, a solar flare, or cosmic radiation (a very real thing) turned the bit on the computer. Oh, no! Now the value stored in memory has become whndows.com instead of windows.com! What happens when it's time to connect to this domain? The domain will not resolve to an IP address, " the researcher said.
Detecting the possibility of" mutation "of the domain windows.com, Remy created a whole list of such domains with "inverted" bits. The researcher found that of the 32 valid domain names that represent variations windows.com with one" flipped " bit, 14 have not yet been registered.
"This is a bit strange, as they are usually bought by companies like Microsoft in order to prevent phishing attempts. So I bought them. Everything. For less than $126, " Remy said.
Much to the researcher's surprise, he recorded traffic intended for windows.com, but going to the domains he bought. In addition, it captured UDP traffic intended for the exact time server time.windows.com, and TCP traffic destined for Microsoft services such as Windows Push Notification Services (WNS) and SkyDrive (formerly OneDrive).
In addition to the traffic generated by bitsquatting, Remy also found a significant number of requests from users entering domain names incorrectly. Although some of these requests were clear cases of bitsquatting, the researcher was surprised to see that some of the traffic coming to his domains was intended for typesquatting domains.
A security researcher under the pseudonym Remy managed to successfully implement on the Microsoft domain (windows.com) an attack called bitsquatting.
Bitsquatting is an attack in which attackers register a fake domain name that differs from the original one by one bit. Bitsquatting resembles another attack, typesquatting, in which domain names are registered that are similar to the original resources, but differ from them by one or more characters. However, unlike typesquatting, which relies on the user typing an address and not noticing the error, bitsquatting does not require any action on the part of the user.
Bitsquatting is based on a concept known as bit manipulation or bit flipping, through which attackers can automate their attacks and steal traffic.
In the computer world, all data is stored as zeros and ones (bits). The same goes for domains. For example, in the volatile memory of a computer windows.com becomes 01110111 [...]. But what if for some reason one of the bits automatically switches from one state to another (1 turns into 0 or vice versa)?.
"Now let's imagine that an overheated computer, a solar flare, or cosmic radiation (a very real thing) turned the bit on the computer. Oh, no! Now the value stored in memory has become whndows.com instead of windows.com! What happens when it's time to connect to this domain? The domain will not resolve to an IP address, " the researcher said.
Detecting the possibility of" mutation "of the domain windows.com, Remy created a whole list of such domains with "inverted" bits. The researcher found that of the 32 valid domain names that represent variations windows.com with one" flipped " bit, 14 have not yet been registered.
"This is a bit strange, as they are usually bought by companies like Microsoft in order to prevent phishing attempts. So I bought them. Everything. For less than $126, " Remy said.
Much to the researcher's surprise, he recorded traffic intended for windows.com, but going to the domains he bought. In addition, it captured UDP traffic intended for the exact time server time.windows.com, and TCP traffic destined for Microsoft services such as Windows Push Notification Services (WNS) and SkyDrive (formerly OneDrive).
In addition to the traffic generated by bitsquatting, Remy also found a significant number of requests from users entering domain names incorrectly. Although some of these requests were clear cases of bitsquatting, the researcher was surprised to see that some of the traffic coming to his domains was intended for typesquatting domains.