Industrial control systems vendors get careless about domain squatting

Researchers found 433 domains similar to those of 11 industrial control systems manufacturers

Many companies protect their brands by registering domain names that are slight variations on their own, but manufacturers of industrial control systems don't seem to have followed suit, potentially leaving customers open to attack.

Researchers from security consultancy Digital Bond have found 433 so-called "squat" domains whose names are similar to those of 11 industrial manufacturers, and which have been registered by unknown third parties. Some of the domains have been hosting scams, malicious redirects and malware.

Attackers engage in domain squatting for various reasons: to host phishing pages in order to steal credentials, direct accidental visitors to malware, profit from the brand's popularity by displaying ads, or sell the domain to the brand owner for a large fee.

By impersonating the domain names of industrial control systems vendors, attackers could trick factories, public utilities and oil and gas refineries into downloading malware or modified firmware, putting critical assets at risk. Supervisory control and data acquisition (SCADA) systems, which are a component of ICS, are an increasingly interesting target for hackers, particularly those looking to do physical damage.

Squat domain names include those that result from typos, such as "," or that rely on homoglyphs -- similar looking characters -- such as a zero instead of a capital "o."

Attackers also use a technique known as bitsquatting, which involves registering domain names that differ by a single bit from the original, and then relying on memory corruption errors in hardware to lead users to them.

During every DNS lookup or HTTP request, domain names are stored in a computer's RAM as binary code -- sequences of 0s and 1s. If the computer's memory is corrupted, for example due to a faulty memory module, one or more bits can accidentally be flipped.

For example, between and there's a 1 bit difference -- the representation of the letter "l" in binary is 01101100, and that of "m" is 01101101. So a bit error on a computer where is loaded in memory could lead a user's browser to instead.

From the viewpoint of a single computer, bit errors are rare. But there are many devices on the Internet, and there are typically multiple instances of a domain name in memory at any time. So the likelihood of a bitsquatting domain attracting accidental visitors is not negligible. 

Attackers appear to be aware of this. According to Reid Wightman, the director of the Digital Bond Labs who performed the ICS domain survey, bitsquatting was the third most common technique used to generate the identified squat domains, accounting for 20 percent of the 433 domains.

Wightman presented his findings Thursday at the S4xEurope conference in Vienna.

He also found that 193 of the 433 domain names had an mail exchange (MX) record configured, which means that they were able to receive email.

Of those 193 domains, 22 accepted email for any user, even if the recipient addresses didn't exist. This means that, at least in principle, their owners could intercept private email sent to the real ICS vendor.

In one case, Wightman received a phishing email from (SLEMENS.COM) a few months after he tested sending email to a made-up email address under that domain. At some point, the same domain hosted malware.

Another domain,, was found hosting, at different times, a tech support scam leading to a remote access Trojan installer, adware in the form of a browser extension and a rogue survey.

In fact, Wightman found 254 live hosts configured on the 433 squat domains. Almost half of them hosted advertising or for-sale pages, but twenty-eight of them performed suspicious redirects and 10 hosted malware.

The researcher didn't find any malicious programs that specifically targeted industrial control systems, but he found malware for Windows and OS X, including a previously unknown OS X threat that had zero detection rate among antivirus products.

"Someone is going to get nasty with this" and specifically target ICS owners, Wightman said.

Attackers could, for example, register a squat domain and mimic the deep linking structure for a firmware update from a real vendor's website. If such a link is then distributed to users it could make the domain name mismatch harder to spot, he said.

Legally, it can be hard and costly for companies to deal with domain squatting once it happens, because they need to file a complaint and prove trademark infringement, or buy the squat domain from its existing owner for a substantial amount of money. In fact, many squatters register such domains in order to later sell them to brand owners for a significant profit.

It's much easier and cheaper for companies to register potential squat domains early on and protect their brands from potential abuse. There are tools such as dnstwist that companies can use to identify potential squat domains that could affect them.

Join the CSO newsletter!

Error: Please check your email address.

More about

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place