CAPEC-611: BitSquatting
An adversary registers a domain name one bit different than a trusted domain. A BitSquatting attack leverages random errors in memory to direct Internet traffic to adversary-controlled destinations. BitSquatting requires no exploitation or complicated reverse engineering, and is operating system and architecture agnostic. Experimental observations show that BitSquatting popular websites could redirect non-trivial amounts of Internet traffic to a malicious entity.
Last updated
Overview
CAPEC-611 (BitSquatting) is a detailed-level attack pattern catalogued by MITRE in the Common Attack Pattern Enumeration and Classification (CAPEC). It describes a recurring method attackers use to exploit software weaknesses.
How the attack works
The phases an attacker typically follows to carry out this attack.
- Step 1Explore
[Determine target website] The adversary first determines which website to impersonate, generally one that is trusted and receives a consistent amount of traffic.
- Research popular or high traffic websites.
- Step 2Experiment
[Impersonate trusted domain] In order to impersonate the trusted domain, the adversary needs to register the BitSquatted URL.
- Register the BitSquatted domain.
- Step 3Exploit
[Wait for a user to visit the domain] Finally, the adversary simply waits for a user to be unintentionally directed to the BitSquatted domain.
- Simply wait for an error in memory to occur, redirecting the user to the malicious domain.
What the attacker needs
Prerequisites
- An adversary requires knowledge of popular or high traffic domains, that could be used to deceive potential targets.
Skills required
- Low skill: Adversaries must be able to register DNS hostnames/URL’s.
Consequences
What a successful CAPEC-611 attack can achieve.
Other
Affects: Other
Depending on the intention of the adversary, a successful BitSquatting attack can be leveraged to execute more complex attacks such as cross-site scripting or stealing account credentials.
How to mitigate it
Defenses that reduce the risk of CAPEC-611.
- Authenticate all servers and perform redundant checks when using DNS hostnames.
- When possible, use error-correcting (ECC) memory in local devices as non-ECC memory is significantly more vulnerable to faults.
Frequently asked questions
Common questions about CAPEC-611.
- What is CAPEC-611?
- An adversary registers a domain name one bit different than a trusted domain. A BitSquatting attack leverages random errors in memory to direct Internet traffic to adversary-controlled destinations. BitSquatting requires no exploitation or complicated reverse engineering, and is operating system and architecture agnostic. Experimental observations show that BitSquatting popular websites could redirect non-trivial amounts of Internet traffic to a malicious entity.
- How does a BitSquatting attack work?
- It typically unfolds over 3 phases. It begins with: [Determine target website] The adversary first determines which website to impersonate, generally one that is trusted and receives a consistent amount of traffic.
- How do you prevent CAPEC-611?
- Authenticate all servers and perform redundant checks when using DNS hostnames.
- How severe is CAPEC-611?
- MITRE rates CAPEC-611 as Medium severity with low likelihood of attack.
References
Attack-pattern data is sourced from the MITRE CAPEC catalog (v3.9). Weakness associations link to the corresponding CWE entries on RadicalNotion.AI.
Defend against CAPEC-611
Track the CVEs and weaknesses attackers exploit with this technique, with AI-written analysis and remediation guidance.