Bitsquatting is a way of launching a potential attack against a trusted website. It is reliant on the fact that, in some cases, the binary-string representation of the requested URL can become corrupted in transit, with a ‘1’ being flipped to a ‘0’ (or vice-versa). Ordinarily this would result in an invalid URL being produced, but in cases where the corrupted version is a valid URL in its own right, bad actors can register these variant domain names as a way of intercepting traffic intended for the legitimate site. This is analogous to cybersquatting or typosquatting, with no requirement to compromise the site explicitly.
In a new study, we consider the bitsquat variants of each of the top 50 most popular websites, as of March 2024. Of the 1,553 valid domain names which could be used to launch bitsquatting attacks, only 125 appear explicitly to be under the ownership of the brand in question (or under other legitimate usage). Only 43 of these have been configured to re-direct to the official website in question.
Of the remainder, at least 87% appear to be registered by third parties. Although some represent legitimate usage of the brand-name variant in question, many appear to have been registered with malicious intent. One active example of a lookalike site was identified in the dataset, in addition to many more misdirecting web traffic to similar content, or which have been monetised through the inclusion of pay-per-click links or offers to sell the domain names. Many of these present the potential to be ‘weaponised’ for use in attacks at a later date.
There are a number of options available to brand owners to mitigate these risks. The first is the defensive registration of the bitsquat variants of their primary domain names, and active monitoring for – and enforcement against – identified infringements. Other possibilities include the use of domain extensions which are not amenable to bitsquat attacks, appropriate use of subdomains, and increased use of relative (rather than absolute) hyperlinks in the HTML of their websites.
In practice, bitsquatting is not an attack vector which has been extensively exploited by bad actors to date. Nevertheless, it does raise some significant risks in the limited instances where it occurs, and is of particular concern in cases where a carefully selected registration can allow an attacker to target all domains on a specific extension. Realistically, some of the suggested remediative actions will only be appropriate in limited instances, and are often likely to be superseded by other branding considerations. However, the most advanced domain management and registration policies should certainly bear the issue in mind as a potential risk factor, and some simple steps (such as also registering the variant .tk version to accompany a .uk domain) can easily be made to improve the risk profile for brands.
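As an added illustration of the mechanism described above (this is not code from the study), the following Python enumerates the single-bit-flip variants of a domain that remain syntactically valid DNS names, i.e. the candidate list a brand owner would feed into defensive registration or monitoring. It assumes plain ASCII labels, ignores flips of the dot separator, and uses example.uk as a constructed input, which reproduces the .uk/.tk case mentioned above.

```python
import string

# Characters allowed in an ASCII DNS label. DNS is case-insensitive, so a flip
# of bit 5 (which toggles case) is harmless; accepting only lowercase drops it.
LABEL_CHARS = set(string.ascii_lowercase + string.digits + "-")


def is_valid_hostname(name: str) -> bool:
    """Syntactic check: at least two labels, 1-63 chars each, no leading or
    trailing hyphen, and an alphabetic top-level label (IDN TLDs ignored)."""
    labels = name.split(".")
    if len(labels) < 2 or not labels[-1].isalpha():
        return False
    return all(
        1 <= len(label) <= 63 and not label.startswith("-") and not label.endswith("-")
        for label in labels
    )


def bitsquat_variants(domain: str) -> list[str]:
    """Return every domain that differs from `domain` by exactly one bit flip
    in one character and is still a syntactically valid hostname.
    Simplification (assumption): flips of the '.' separator are not considered."""
    domain = domain.lower()
    found = set()
    for i, ch in enumerate(domain):
        if ch == ".":
            continue
        for bit in range(8):
            flipped = chr(ord(ch) ^ (1 << bit))
            if flipped not in LABEL_CHARS:
                continue
            candidate = domain[:i] + flipped + domain[i + 1:]
            if is_valid_hostname(candidate):
                found.add(candidate)
    return sorted(found)


def bit_distance(a: str, b: str) -> int:
    """Number of differing bits between two equal-length ASCII strings."""
    return sum(bin(ord(x) ^ ord(y)).count("1") for x, y in zip(a, b))


if __name__ == "__main__":
    # Constructed input; the study's own dataset is not reproduced here.
    for v in bitsquat_variants("example.uk"):
        print(v)
```

Every name printed differs from the input by one bit in one character; the 'u' in .uk (0x75) and 't' in .tk (0x74) differ only in their lowest bit, which is why the variant appears.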
You can read the full study here,