CAPEC-611 BitSquatting

CAPEC ID: 611

CAPEC-611 Metadata

Likelihood of Attack

Low

Typical Severity

Medium

Overview

Summary

An adversary registers a domain name one bit different than a trusted domain. A BitSquatting attack leverages random errors in memory to direct Internet traffic to adversary-controlled destinations. BitSquatting requires no exploitation or complicated reverse engineering, and is operating system and architecture agnostic. Experimental observations show that BitSquatting popular websites could redirect non-trivial amounts of Internet traffic to a malicious entity.

Prerequisites

An adversary requires knowledge of popular or high traffic domains, that could be used to deceive potential targets.

Execution Flow

Step Phase Description Techniques
1 Explore [Determine target website] The adversary first determines which website to impersonate, generally one that is trusted and receives a consistent amount of traffic.
  • Research popular or high traffic websites.
2 Experiment [Impersonate trusted domain] In order to impersonate the trusted domain, the adversary needs to register the BitSquatted URL.
  • Register the BitSquatted domain.
3 Exploit [Wait for a user to visit the domain] Finally, the adversary simply waits for a user to be unintentionally directed to the BitSquatted domain.
  • Simply wait for an error in memory to occur, redirecting the user to the malicious domain.

Potential Solutions / Mitigations

Authenticate all servers and perform redundant checks when using DNS hostnames. When possible, use error-correcting (ECC) memory in local devices as non-ECC memory is significantly more vulnerable to faults.

Related CAPECs

CAPEC ID Description
CAPEC-89 A pharming attack occurs when the victim is fooled into entering sensitive data into supposedly trusted locations, such as an online bank site or a trading platform. An attacker can impersonate these supposedly trusted sites and have the victim be directed to their site rather than the originally intended one. Pharming does not require script injection or clicking on malicious links for the attack to succeed.
CAPEC-543 Adversary creates duplicates of legitimate websites. When users visit a counterfeit site, the site can gather information or upload malware.
CAPEC-616 An adversary provides a malicious version of a resource at a location that is similar to the expected location of a legitimate resource. After establishing the rogue location, the adversary waits for a victim to visit the location and access the malicious resource.

Stay Ahead of Attack Patterns

Understanding CAPEC patterns helps security professionals anticipate and thwart potential attacks. Leverage these insights to enhance threat modeling, strengthen your software development lifecycle, and train your security teams effectively.