Detailed attack pattern

Draft

CAPEC-611: BitSquatting

An adversary registers a domain name one bit different than a trusted domain. A BitSquatting attack leverages random errors in memory to direct Internet traffic to adversary-controlled destinations. BitSquatting requires no exploitation or complicated reverse engineering, and is operating system and architecture agnostic. Experimental observations show that BitSquatting popular websites could redirect non-trivial amounts of Internet traffic to a malicious entity.

Last updated June 1, 2026

Medium

Typical severity

Per MITRE

Low

Likelihood of attack

Per MITRE

0

Related weaknesses

CWEs this targets

Detailed

Abstraction

MITRE classification

Overview

CAPEC-611 (BitSquatting) is a detailed-level attack pattern catalogued by MITRE in the Common Attack Pattern Enumeration and Classification (CAPEC). It describes a recurring method attackers use to exploit software weaknesses.

How the attack works

The phases an attacker typically follows to carry out this attack.

Step 1
Explore
[Determine target website] The adversary first determines which website to impersonate, generally one that is trusted and receives a consistent amount of traffic.
- Research popular or high traffic websites.
Step 2
Experiment
[Impersonate trusted domain] In order to impersonate the trusted domain, the adversary needs to register the BitSquatted URL.
- Register the BitSquatted domain.
Step 3
Exploit
[Wait for a user to visit the domain] Finally, the adversary simply waits for a user to be unintentionally directed to the BitSquatted domain.
- Simply wait for an error in memory to occur, redirecting the user to the malicious domain.

What the attacker needs

Prerequisites

An adversary requires knowledge of popular or high traffic domains, that could be used to deceive potential targets.

Skills required

Low skill: Adversaries must be able to register DNS hostnames/URL’s.

Consequences

What a successful CAPEC-611 attack can achieve.

Other

Affects: Other

Depending on the intention of the adversary, a successful BitSquatting attack can be leveraged to execute more complex attacks such as cross-site scripting or stealing account credentials.

How to mitigate it

Defenses that reduce the risk of CAPEC-611.

Authenticate all servers and perform redundant checks when using DNS hostnames.
When possible, use error-correcting (ECC) memory in local devices as non-ECC memory is significantly more vulnerable to faults.

Frequently asked questions

Common questions about CAPEC-611.

What is CAPEC-611?

An adversary registers a domain name one bit different than a trusted domain. A BitSquatting attack leverages random errors in memory to direct Internet traffic to adversary-controlled destinations. BitSquatting requires no exploitation or complicated reverse engineering, and is operating system and architecture agnostic. Experimental observations show that BitSquatting popular websites could redirect non-trivial amounts of Internet traffic to a malicious entity.

How does a BitSquatting attack work?

It typically unfolds over 3 phases. It begins with: [Determine target website] The adversary first determines which website to impersonate, generally one that is trusted and receives a consistent amount of traffic.

How do you prevent CAPEC-611?

Authenticate all servers and perform redundant checks when using DNS hostnames.

How severe is CAPEC-611?

MITRE rates CAPEC-611 as Medium severity with low likelihood of attack.

References

Attack-pattern data is sourced from the MITRE CAPEC catalog (v3.9). Weakness associations link to the corresponding CWE entries on RadicalNotion.AI.

Defend against CAPEC-611

Track the CVEs and weaknesses attackers exploit with this technique, with AI-written analysis and remediation guidance.

Start free See pricing

Log in