In October 2019, Digital Shadows (now ReliaQuest)’ Photon Research Team embarked on an adventure involving election typosquats that could potentially affect the presidential election and its candidates. If you haven’t read our original report, I’ll fill you in on a brief recap:
We detected over 550 typosquats for the 34 candidate- and election-related domains from open-source research. Not every single domain was interesting; most of the time, the typosquat was parked and not hosting content. Still, there were some worthwhile areas to dig into deeper: Misconfigured or illegitimate sites, non-malicious sites, and website redirects.
When monitoring for specific domains that impersonate our clients’ brand or are capable of potentially misleading client employees or their respective clients, we see it as an issue to which they should be alerted. When it comes to these domains affecting the general voting public, the same concern is present: Are people tricked into entering their personally identifiable information or sensitive details, is their device infected with malware, are the domains redirecting to an across-the-aisle candidate’s website, or are they redirected to potentially misleading information?
In terms of social sway, these domains are unlikely to highly affect a voter’s individual opinion, but still, typosquats can aid in confusion and misinformation.
Let’s take a look at our most updated election-related typosquat data and findings.
Preparing the podium.
No, I’m not really going to speak to you from a podium, but before we get into the meat and potatoes of this blog, I want to highlight why we’re writing about this, what we searched for, where we got our data from, and what we did with it.
Initially, we were planning to post a blog like this later in the year, when we got closer to the election. Then we began researching the recent bulletin by the Department of Homeland Security (DHS), which warned Internet users of potentially malicious domains related to the United States election. Since our research seemed to be relevant to current reporting, we figured it may be beneficial to update our data to see if the landscape has changed.
Digital Shadows (now ReliaQuest) used Shadow Search to identify domains that included the following text within their WHOIS data:
- Kamala OR Kamala Harris
After collecting our data, we scrubbed through and identified the true positives by gauging the likelihood of the domains being candidate- or election-related. We ended up with 225 potentially malicious domains – exactly half of the sample we used in October. Considering the primary Republican and Democratic party candidates are identified at this point, it makes sense that our sample size is smaller than it was when we first began this journey.
Okay, everyone’s primed, and we’re on the same page. Here’s what we found.
Are we fighting a fake domain campaign?
While we can’t confirm who is setting up these websites and why they’re doing it, it has become clear that domain squatting has become a popular method among threat actors and zealous voters alike.
Just as we classified our data in our first election typosquatting blog, we decided to classify the different types of typosquats we detected into three distinct categories, which are replete with examples:
- Misconfigured or illegitimate sites: Typosquats that were not correctly configured when initially created and aren’t hosting anything but an index page, as well as typosquats that likely are not legitimate but look like they could be
- Non-malicious: By far the largest category we detected, mainly consisting of typosquatted domains that are either not hosting content or are hosting content that includes a small amount of brand-damaging content
- Redirect: Typosquats that redirect the user to a different website
The following chart shows the breakdown of relevant typosquatted sites we uncovered, by category.
Non-malicious sites have a 67% majority.
Digital Shadows (now ReliaQuest) found that 67% of the 225 sites related to presidential candidates or the election were non-malicious. Compared to an 8% minority in 2019, that’s good news, right? Well, kind of. Most of the non-malicious sites that we detected were parked domains, which can act as a false sense of safety; sure, it’s not hosting right now, but that can change within an instant and without warning. Additionally, if a parked domain has an MX (Mail eXchange) record, it could potentially be leveraged in a phishing campaign, which we know is bad news all around.
As we said, many of the non-malicious domains were parked, but some showed negative sentiment. This is slightly more on the brand-damaging side of things. For example, biden2020[.]com displayed anti-Biden content, specifically underlining, “the dangers of voting for Biden.”
Another website we came across, donaldtrumpjr[.]net, didn’t directly involve a presidential candidate in the domain name; however, its contents could negatively affect Donald Trump’s brand.
Illegitimate sites can still affect your brand.
We assessed that 21% of our sample data involved illegitimate or misconfigured sites, increasing from 2019’s 8%. While many of the domains we identified were associated with DNS errors, others seemed to be hosting websites that weren’t malicious in nature, but probably weren’t created by a presidential candidate’s team. An example is listed below – the sentiment of the site appears to be neutral, but it’s highly unlikely that Joe Biden’s team set up mamalaharris[.]com.
Similarly, don-trump2020[.]com doesn’t appear to be owned and operated by Donald Trump’s campaign, and it doesn’t look malicious in nature, either. If I were to guess, I’d think that this page was created by a fan of the candidate, looking to spread their message by selling some pro-Trump merchandise.
Typosquat redirects have a 12% minority.
Redirecting domains accounted for 12% of our sample data during this round of analysis, compared to 68% in 2019. The redirecting domains that we found included a “healthy” mix of brand protection and negative sentiment.
Some domains appeared to be leveraged to redirect to legitimate sites, including bidenharrislive[.]com and presidentjoebiden[.]live, which resolved to joebiden[.]com. This method is a form of brand protection; many site owners choose to buy similar domains so other users can’t use them to mislead visitors or impersonate their brand (we’ll touch more on this later). Other sites, such as trump-is-bad-for-us[.]com and biden[.]exposed (unsurprisingly) redirected to content disagreeing with the candidates, respectively.
A few instances of redirects resolved to legitimate presidential candidate websites, but probably not the candidate a user intended to support or read about. For example, biden4freedom[.]com redirected to Jo Jorgensen’s page, jo20.com, while another domain, ceosagainsttrump[.]com, redirected to Joe Biden’s page. Tricky, tricky!
Shady Chrome extensions
Redirection can come in different varieties, including the shady kind. We found one typosquatted domain that redirected to a “secure browsing” Google Chrome extension – trump-donald[.]com.
The domain eventually resolved to Donald Trump’s dedicated Wiki page. Occasionally, bad actors will lure users into downloading Chrome extensions, and they’re rarely legitimate. In June 2020, Google removed 106 Chrome extensions for collecting sensitive user data.
What I’m really trying to say here is be critical, and if nothing else, make sure you’re only using extensions you need.
A note on election and voting websites.
As we get closer to the election, it’s highly likely that malicious actors will register and leverage election and voting websites to mislead users. We identified 47 potentially malicious domains that were either parked, redirected to a different website, or were illegitimate or misconfigured. For example, register2vote2020[.]com and register2vote2020[.]net, are not currently hosting content; however, the potential for these sites to gather sensitive voter details is something to consider, especially as we’re approaching the cutoff for 2020 voter registration.
Another site, real2020poll[.]com, does not appear to be malicious in nature, but I think it’s safe to say that it’s probably not operated by a legitimate United States polling organization.
Stay safe out there, Voters.
In times where disinformation, manipulation, and shady websites are at an all-time high, users must remain vigilant. Are you sure that the website you’re visiting is legitimate? Do you really need to download that Chrome extension? Are your sensitive details being submitted to a legitimate database? These are all things to seriously consider while surfing the web.
To keep yourself safe, we recommend that you corroborate the website’s legitimacy by looking at the candidate’s social media networks. Typically, candidates will share their official domains in their biography sections or highlighted within their feed―if you’re looking to donate to one of the campaigns, try looking there first for information. We don’t recommend visiting linked websites sent via unsolicited emails, as this is a common tactic of threat actors employing phishing pages.
From an organizational point of view, here are our recommendations on avoiding possible brand impersonation or damage:
- Buy Domains Similar To Yours. For practitioners, if we look at typosquats in a timeline, one of the initial things you can do is buy domains that appear to be similar to yours. Obvious options would be domains that are one or two letters off from your legitimate domains. Using a tool like DNSTwister, you can generate a list of currently active domains that could already be impersonating your brand or give ideas for where to start purchasing domains.
- Monitor Domain Registration Activity. You should also start monitoring registration activity. This is hard enough for one domain, but if you have several it may be a bit unmanageable. At that stage we would suggest getting help; part of our core service at Digital Shadows (now ReliaQuest) is monitoring for domain impersonations and providing a variety of alerts: when a new typosquatted domain is available to register, when someone has added an MX record that is required to send emails (read: PHISHING emails), when a domain is actively hosting impersonating content, and more.
To learn more about typosquat and phishing protection, check out our Phishing Protection resources center page.
|joe-biden.com||Misconfigured or illegitimate|
|biden-klobuchar-2020.com||Misconfigured or illegitimate|
|biden2020coin.com||Misconfigured or illegitimate|
|biden-potus2020.com||Misconfigured or illegitimate|
|2020biden.com||Misconfigured or illegitimate|
|biden2020shirt.com||Misconfigured or illegitimate|
|Nextgendems4biden.com||Misconfigured or illegitimate|
|biden2020shirts.net||Misconfigured or illegitimate|
|innovators4biden2020.com||Misconfigured or illegitimate|
|nextgendems4biden.com||Misconfigured or illegitimate|
|kamala-harris2020.com||Misconfigured or illegitimate|
|kamala-harris2020.net||Misconfigured or illegitimate|
|mamalaharris.com||Misconfigured or illegitimate|
|joe-bidden.com||Misconfigured or illegitimate|
|biden-harris-2024.net||Misconfigured or illegitimate|
|biden-harris-2020.net||Misconfigured or illegitimate|
|biden2020clothes.com||Misconfigured or illegitimate|
|nursesforbiden.org||Misconfigured or illegitimate|
|beardsfortrump.us||Misconfigured or illegitimate|
|trump-gop-retreat-got-real-donald-trump.com||Misconfigured or illegitimate|
|therealdonaldrtump.info||Misconfigured or illegitimate|
|president-donald-trump.site||Misconfigured or illegitimate|
|president-donald-trump.website||Misconfigured or illegitimate|
|donald-j-trump.love||Misconfigured or illegitimate|
|donald-trump-wtf.site||Misconfigured or illegitimate|
|magasec.us||Misconfigured or illegitimate|
|donald-trump-tweets.blog||Misconfigured or illegitimate|
|donald-trump-us-president.info||Misconfigured or illegitimate|
|trump2020thegobconvention.com||Misconfigured or illegitimate|
|don-trump2020.com||Misconfigured or illegitimate|
|cowboys4trump.com||Misconfigured or illegitimate|
|trump4u2020shop.com||Misconfigured or illegitimate|
|trump.how||Misconfigured or illegitimate|
|trumpforgetsvets.org||Misconfigured or illegitimate|
|potus.review||Misconfigured or illegitimate|
|lets-go-vote.com||Misconfigured or illegitimate|
|howcani.vote||Misconfigured or illegitimate|
|weneedyou.vote||Misconfigured or illegitimate|
|was-my-vote-counted.com||Misconfigured or illegitimate|
|ellectoral-vote.com||Misconfigured or illegitimate|
|vote1proud.com||Misconfigured or illegitimate|
|postyour.vote||Misconfigured or illegitimate|
|forum.vote||Misconfigured or illegitimate|
|millennial-vote.com||Misconfigured or illegitimate|
|real2020poll.com||Misconfigured or illegitimate|
|nc-poll.com||Misconfigured or illegitimate|