Why Bitsquatting Attacks Are Here to Stay

Seth Rosenblatt

Typos have a long history, by turns serious and silly, going back to the dawn of the printed page. But thanks to the peculiarities of computer technology and the ingenuity of hackers, correctly typing website locations into your browser is no guarantee that they will show you the site you intended to view. When machines make typos even with correct human input, the errors can lead to an unusual form of cyber attack known as bitsquatting. The younger sibling of typosquatting, bitsquatting is hard to stop—and appears to be here to stay for the foreseeable future.

Typosquatting is when hackers register websites with incredibly similar names to popular sites, such as “cnm.com” instead of “cnn.com,” set up malicious activity on the typoed website they control, and hope that users mistype the website name they were trying to visit. It sounds like a lot of effort in order to grab accidental traffic, but it’s proven to be an effective method for malicious hackers to target unsuspecting victims. It was a serious enough problem in the early days of the commercial internet for the U.S. to pass the AntiCybersquatting Consumer Protection Act in 1999, which contained measures to allow for prosecution of typosquatters.

Bitsquatting is similar to typosquatting, but without the human element. As implausible as it may sound, it’s not just humans who can make typos—computers can do it too. Bitsquatting is when a hacker relies on computer error—a one-bit (binary digit) error known as a bit flip—in the device’s attempt to access a nonmalicious website to redirect the device to a website controlled by the hacker.

How bitsquatting works

In bitsquatting, the malicious hacker registers a website that is one bit different from the one that an unsuspecting user intends to visit, such as amczon.com (the letter “c” is one bit different from the letter “a”). Once the victim reaches the malicious website, the hacker controlling it can spread malware, carry out cyber espionage, or phish for personal or business information from the victim.

Bitsquatting is essentially DNS hijacking without exploitation, says Artem Dinaburg, a security researcher at cyber security company Trail of Bits who discovered bitsquatting in 2011. He says that the complicated nature of how bitsquatting works plays a big role in why it’s hard to stop.

“More and more devices are connecting to the internet every day. And in such a large number of devices, sometimes a value in a bit changes. It happens often enough to be detectable,” Dinaburg says. Those value changes, or bit flips, can sometimes lead devices to IP addresses that they weren’t instructed to access. “It’s hard to measure how prevalent bitsquatting is because it affects not just domain names that are frequently looked up, but backend sites as well.”

Knowing that bitsquatting is happening is a far cry from gauging how often it occurs, although there’s some scientific research into what causes bit flips. One source of bit flips is the hardware itself overheating, although a 2009 study by the University of Toronto and Google found that while there’s some correlation between heat and hardware error rates, CPU utilization is a much stronger indication of when a hardware error (and potentially a bit flip) will occur.

Another known source of bit flips are manufacturing defects in the silicon itself, as explained in this 2010 study by University of Rochester and Ask.com.

And as preposterously science-fiction-y as it may sound, even cosmic rays in the form of neutron radiation can lead to bit flips. Neutron particles forcing planes to crash has been a serious concern of the aviation industry for more than a decade, and researchers have been reporting cosmic ray-induced hardware errors since at least 1994, and investigating the phenomenon since the late 1970s. It’s even possible to force bit flips under rare circumstances, according to a 2016 report.

Although it is nearly impossible to target bitsquatting at specific individuals, Dinaburg and other cyber security researchers familiar with bitsquatting say that it’s hard to detect, which makes it hard to stop. With an estimated 31 billion devices connecting to the internet in 2020, even if 0.1 percent of devices are affected by bit flips, that’s potentially 31 million devices vulnerable to bitsquatting.

One of the most straightforward ways that organizations can stop bitsquatting (and typosquatting) is to buy as many misspellings of their website domain names as possible. Rob Ragan, a researcher at cyber security company BishopFox, found in a 2019 study that some of the biggest internet companies don’t own enough permutations of their domains. Amazon, for example, only owns 61 percent of the Amazon.com permutations that are susceptible to bitsquatting, he says.

“If you’re a big tech company and you get millions of requests everyday from mobile phones, getting a handle on all your variations is important,” says Ragan, who cautions that sites frequently visited by computers, phones, and other devices without direct human interaction are also at risk of bitsquatting. “What are the top 1 million sites that machines visit? Your machine is making thousands of requests each day. That includes the websites that power the sites we go to, and those powering website analytics. Opportunistic cyber crime becomes a big factor here.”

Ragan says that in his investigations of bitsquatting, he saw “thousands” of requests to sites per week that he controlled. He says he was able to create domain bit flip variants for mission-critical sites including microsoftonline.com, which is an essential domain for Microsoft’s Office365.com Single Sign-On process. There is great potential for cyber criminals here, Ragan says, because of the risks to the software supply chain.

“It would be a huge supply chain trust violation if a software-distributing site like GitHub were to be exploited by bitsquatting,” Ragan says. After redirecting legitimate attempts at software downloads to a site controlled by the attacker, the attacker “could get a remote code execution in the download. The downloader would be none the wiser.”

How to stop bitsquatting

There’s no simple solution to bitsquatting, and the ones that exist are unlikely to be implemented because they’re resource and labor intensive, say Dinaburg, Ragan, and other experts. There are some automated ways to check for domain permutations, including a bitsquatting detector created by Jack Barradell-Johns.

When asked if the obvious way to solve to bitsquatting is to simply buy up domain permutations, Ragan says that solution is playing a domain-owning game of whack-a-mole, since subtle domain name changes include not only alphanumeric characters but ANSI and ASCII characters as well. Given how easy it is to create a bitsquatting site, it’s a “great technique” for hackers to exploit, he says.

Another solution, suggests Dinaburg, would mean making changes to devices of all kinds at the hardware level. Mandating that manufacturers use error checking and correcting DRAM in all devices, including trivial ones like keyboard controllers, might help stop hardware bit flips from leading to bitsquatted websites, but it would also increase the manufacturing cost of hardware—a price bump consumers are not likely to be willing to pay, says Dinaburg.

“There might be better solutions out there,” says Dinaburg. “While the phenomenon and its second-order effects are absolutely fascinating, I do not expect anything to be done about it.”

Seth Rosenblatt
Editor-in-chief at The Parallax

Seth is the founder and lead reporter for The Parallax, a consumer-focused cybersecurity and privacy news site that specializes in explaining the news behind the headlines, with a focus on news features and explainers.