Someone who bought typos of Windows.com ended up with 200,000 visitors in two weeks

Windows blue screen of death

There was an interesting story on arstechnica today that I thought was worth sharing with all of you. Before I share the story I’ll just mention that I’m not a fan of typo domains, don’t own any, don’t plan to. And as you’ll see, this story isn’t about a typo-squatter per-say, instead it’s about a researcher who decided to run an experiment and got some pretty interesting results.

The idea was a simple one – register variants of windows.com that were one bit flip away from the actual domain. Here’s the general reason why this happens and what it means:

arstechnica

An independent researcher recently demonstrated how bitflips can come back to bite Windows users when their PCs reach out to Microsoft’s windows.com domain. Windows devices do this regularly to perform actions like making sure the time shown in the computer clock is accurate, connecting to Microsoft’s cloud-based services, and recovering from crashes.

(Source – arstechnica)

There are 32 possible bitflipped domains and the researcher here, who decided to go by “Remy” found that 14 of the 32 were actually just sitting out there available to hand register.

I was surprised to hear this because normally companies scoop up these names, especially companies like Microsoft…and especially when their computers can perform tasks that send traffic to them. But that wasn’t the case, and Remy got them and with it came a surprising amount of traffic:

Over the course of two weeks, Remy’s server received 199,180 connections from 626 unique IP addresses that were trying to contact ntp.windows.com. By default, Windows machines will connect to this domain once per week to check that the time shown on the device clock is correct. What the researcher found next was even more surprising.

“The NTP client for windows OS has no inherent verification of authenticity, so there is nothing stopping a malicious person from telling all these computers that it’s after 03:14:07 on Tuesday, 19 January 2038 and wreaking unknown havoc as the memory storing the signed 32-bit integer for time overflows,” he wrote in a post summarizing his findings. “As it turns out though, for ~30% of these computers doing that would make little to no difference at all to those users because their clock is already broken.”

(Source – arstechnica)

I don’t want to re-write the whole article here so I’ll leave it for you to read more if you find it interesting. One additional piece of data that seems to come in after the article was written is that there’s no real way to prove the traffic Remy got on these domains came from bitflips. The reality is, these are typos of Windows.com and well, there are a lot of people typing Windows.com and probably code out there with it spelled wrong as well.

Either way, it’s crazy to think that someone went out and hand registered 14 domains for $126 and suddenly had 400,000 visitors a month coming his way 🤯

{ 2 comments… add one }

  • Ray Bivin March 5, 2021, 6:15 am

    I just read the article. They are not 400,000 type-in human visitors. Most of the visits to the sites were from bots from Microsoft programs trying to visit windows.com to find out the current time or other activities.

    Reply
  • Logan March 5, 2021, 7:27 am

    But, 400,000 visits a month is meaningless if the QUALITY of the traffic is worthless. I’d rather have 1,000 QUALIFIED visits a month than 400,000 UNQUALIFIED visits a month. I see this in my own affiliate marketing initiatives using domain names that I forward to affiliate offers. I can forward 10 gambling domain names to the exact same gambling offer and only 1 domain name will send traffic that consistently converts to paying customers at the gambling site. All 9 other gambling domain names send traffic that never converts even though those 9 domain names send 50x the traffic as the 1 domain name with converting traffic. The 1 domain name is the one that makes all the money with 1/50th the traffic volume. It’s all about QUALITY not QUANTITY.

    Reply

Leave a Comment