Bitsquatting


Bitsquatting is a cybersecurity threat where an attacker registers a domain name that is a one-bit variation of a legitimate domain. This technique relies on the rare but possible occurrence of a "bit-flip" error during data transmission, which can change a single character in a domain name. If a user's DNS query for the legitimate domain experiences this error, they could be directed to the attacker's malicious domain instead.

How Bitsquatting Works

Every character is represented by a sequence of bits (zeros and ones) in a computer. A bit-flip error, which can happen due to hardware issues, network interference, or cosmic rays, changes one of these bits. For example, the character 'o' has a specific binary representation. If a single bit in that sequence is flipped, it could change the 'o' to another character, such as a 'q'.

An attacker will proactively register these one-bit-flipped domain names. For instance, if the legitimate domain is google.com, a bitsquatted domain might be gooqle.com or googke.com. The attacker then sets up a server at this malicious domain to host a phishing site or distribute malware.
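The following Python example is added here and is not code from the original page or from ThreatNG: it enumerates every domain reachable from a legitimate name by flipping a single bit in one character, which is the watch-list a defender would monitor or pre-register. It assumes an ASCII hostname, leaves the TLD unchanged, and also covers the case where a dot flips into a letter or a letter into a dot, which moves the name under a different registrable domain.

```python
import string

# Characters allowed in a DNS hostname (letters, digits, hyphen) plus the label
# separator; hostnames are case-insensitive, so only lowercase letters are kept.
ALLOWED = set(string.ascii_lowercase + string.digits + "-.")


def one_bit_neighbors(ch: str) -> set[str]:
    """Characters reachable from `ch` by flipping exactly one of its 8 bits,
    keeping only those that can appear in a hostname."""
    out = set()
    for bit in range(8):
        flipped = chr(ord(ch) ^ (1 << bit))
        # Flipping bit 5 of a letter toggles its case; DNS ignores case, so
        # that variant is the same name and is not a distinct permutation.
        if flipped.isupper():
            flipped = flipped.lower()
        if flipped in ALLOWED and flipped != ch:
            out.add(flipped)
    return out


def valid_label(label: str) -> bool:
    # RFC 1035 label rules that matter here: non-empty, at most 63 octets,
    # and no leading or trailing hyphen.
    return 0 < len(label) <= 63 and not label.startswith("-") and not label.endswith("-")


def bitsquat_candidates(domain: str) -> set[str]:
    """Every domain that differs from `domain` by a single bit flip in one
    character of the name part. The TLD is left untouched (assumption: a
    flipped TLD almost never yields a registrable name). A flip that turns a
    character into a dot, or a dot into a letter, changes which registrable
    domain the name falls under, so those variants are included too."""
    name, _, tld = domain.lower().rpartition(".")
    candidates = set()
    for i, ch in enumerate(name):
        for alt in one_bit_neighbors(ch):
            variant = name[:i] + alt + name[i + 1:]
            if all(valid_label(label) for label in variant.split(".")):
                candidates.add(f"{variant}.{tld}")
    return candidates


if __name__ == "__main__":
    # Print the watch-list for a constructed example domain, one per line.
    for candidate in sorted(bitsquat_candidates("example.com")):
        print(candidate)
```

Feeding the resulting list to a DNS monitor or registrar watch-list turns the abstract "one-bit variation" into a concrete, finite set of names to track.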

Why It Is a Threat

  • Subtle and Hard to Detect: Bitsquatted domains often visually resemble the real domain, making them difficult for users to spot.

  • Targeted Attacks: Attackers can specifically target organizations known to have a high volume of DNS queries, increasing the probability of a bit-flip occurring for one of their users.

  • Bypasses Traditional Defenses: This type of attack bypasses many traditional security measures like email filters and web application firewalls because it doesn't rely on a user clicking a link in a malicious email. The user could be directed to the fraudulent site simply by a data transmission error.

ThreatNG helps with bitsquatting by performing an unauthenticated, external discovery and assessment to identify domains that are a one-bit variation of a legitimate domain. The platform's continuous monitoring and intelligence repositories enable it to detect and provide actionable intelligence on these subtle threats proactively.

ThreatNG's Capabilities for Bitsquatting

ThreatNG uses several of its core functions to address bitsquatting.

External Discovery and Assessment

ThreatNG performs external, unauthenticated discovery to identify a brand's digital assets and potential threats. Its external attack surface and digital risk intelligence are used to assess an organization's susceptibility to various risks, including those related to bitsquatting.

  • BEC & Phishing Susceptibility: The platform calculates this score based on Domain Intelligence, which includes the identification of Domain Name Permutations and Web3 domains that are either available or taken. Bitsquatting is a specific type of domain name permutation that ThreatNG can detect.

  • Brand Damage Susceptibility: This score is directly influenced by Domain Intelligence, specifically by its ability to find domain name permutations that could be used to damage a brand's reputation.

  • Data Leak Susceptibility: This assessment also considers Domain Intelligence, including its ability to find domain name permutations, to determine if fraudulent domains are being used to facilitate data leaks.

Investigation Modules

The Domain Intelligence investigation module is the primary tool for bitsquatting detection. Within this module, the DNS Intelligence capability is specifically designed to detect and group various manipulations of a domain.

  • Domain Name Permutations: This feature explicitly lists bitsquatting as one of the manipulations it detects. ThreatNG can identify a one-bit variation of a domain, such as gooqle.com instead of google.com. For each detected permutation, ThreatNG provides associated mail records and IP addresses, which is crucial for understanding the potential malicious use of the domain.

  • Authentication and Derogatory Term Analysis: ThreatNG analyzes the detected permutations for the presence of "Authentication" terms (e.g., login, verify) and "Derogatory" terms (e.g., sucks, boycott). This helps identify specific threats, such as a bitsquatted domain being used to host a fake login page.

Reporting and Continuous Monitoring

ThreatNG provides comprehensive reports, including Prioritized reports (High, Medium, Low, and Informational) and Security Ratings (A through F). These reports highlight any discovered bitsquatting domains and their associated risks, allowing an organization to prioritize remediation efforts. The platform's continuous monitoring capability ensures that it constantly tracks an organization's external attack surface and detects new bitsquatted domains as they appear.

Intelligence Repositories

ThreatNG's intelligence repositories, branded as DarCache, provide valuable information that can support the bitsquatting detection process. The DarCache Dark Web repository, for instance, tracks mentions of an organization on the dark web, which can be an early indicator of a planned phishing or impersonation campaign that may use bitsquatted domains.

Complementary Solutions

ThreatNG's bitsquatting detection can be enhanced by working with other security solutions.

  • ThreatNG and a DNS Firewall: ThreatNG could identify a bitsquatted domain like gooqle.com and its associated IP address. This information could then be provided to a DNS firewall to automatically block internal network traffic from accessing that fraudulent site.

  • ThreatNG and an Email Security Gateway: If ThreatNG detects that a bitsquatted domain has active mail records, this intelligence can be shared with an email security gateway. The gateway could then proactively block any emails originating from that domain, preventing a phishing campaign from reaching employees' inboxes.

  • ThreatNG and a Website Takedown Service: Once ThreatNG identifies a bitsquatted domain impersonating a brand, the information about the malicious domain and its hosting provider could be shared with a website takedown service. This would enable the service to act quickly and have the fake site removed, minimizing the window of opportunity for attackers.
