In October 2019, the Photon Research Team at Digital Shadows (now ReliaQuest) embarked on an adventure involving election typosquats that could potentially affect the presidential election and its candidates. If you haven’t read our original report, here’s a brief recap:
We detected over 550 typosquats for the 34 candidate- and election-related domains identified through open-source research. Not every domain was interesting; most of the time, the typosquat was parked and not hosting content. Still, there were some areas worth digging into: misconfigured or illegitimate sites, non-malicious sites, and website redirects.
When we monitor for domains that impersonate a client’s brand, or that could mislead the client’s employees or customers, we treat them as an issue the client should be alerted to. Domains affecting the general voting public raise the same concerns: are people tricked into entering their personally identifiable information or other sensitive details, is their device infected with malware, are they redirected to an across-the-aisle candidate’s website, or are they redirected to potentially misleading information?
In terms of social sway, these domains are unlikely to change an individual voter’s opinion much, but typosquats can still add to confusion and misinformation.
Let’s take a look at our latest election-related typosquat data and findings.
No, I’m not really going to speak to you from a podium, but before we get into the meat and potatoes of this blog, I want to highlight why we’re writing about this, what we searched for, where we got our data from, and what we did with it.
Initially, we were planning to post a blog like this later in the year, when we got closer to the election. Then we began researching the recent bulletin by the Department of Homeland Security (DHS), which warned Internet users of potentially malicious domains related to the United States election. Since our research seemed to be relevant to current reporting, we figured it may be beneficial to update our data to see if the landscape has changed.
Digital Shadows (now ReliaQuest) used Shadow Search (now ReliaQuest GreyMatter Digital Risk Protection) to identify domains that included the following text within their WHOIS data:
After collecting our data, we scrubbed through it and identified the true positives by gauging the likelihood that each domain was candidate- or election-related. We ended up with 225 potentially malicious domains – exactly half of the sample we used in October. Considering the primary Republican and Democratic party candidates are identified at this point, it makes sense that our sample size is smaller than it was when we first began this journey.
Okay, everyone’s primed, and we’re on the same page. Here’s what we found.
While we can’t confirm who is setting up these websites or why, it has become clear that domain squatting is a popular method among threat actors and zealous voters alike.
As in our first election typosquatting blog, we classified the typosquats we detected into three distinct categories, each illustrated with examples:
The following chart shows the breakdown of relevant typosquatted sites we uncovered, by category.
Digital Shadows (now ReliaQuest) found that 67% of the 225 sites related to presidential candidates or the election were non-malicious. Compared with an 8% minority in 2019, that’s good news, right? Well, kind of. Most of the non-malicious sites we detected were parked domains, which can give a false sense of safety: the domain isn’t hosting anything right now, but that can change in an instant and without warning. Additionally, if a parked domain has an MX (Mail eXchange) record, it can send and receive mail even though it hosts no website, so it could be leveraged in a phishing campaign, which is bad news all around.
As we said, many of the non-malicious domains were parked, but some showed negative sentiment. This is slightly more on the brand-damaging side of things. For example, biden2020[.]com displayed anti-Biden content, specifically underlining, “the dangers of voting for Biden.”
Another website we came across, donaldtrumpjr[.]net, didn’t directly involve a presidential candidate in the domain name; however, its contents could negatively affect Donald Trump’s brand.
We assessed that 21% of our sample data involved illegitimate or misconfigured sites, increasing from 2019’s 8%. While many of the domains we identified were associated with DNS errors, others seemed to be hosting websites that weren’t malicious in nature, but probably weren’t created by a presidential candidate’s team. An example is listed below – the sentiment of the site appears to be neutral, but it’s highly unlikely that Joe Biden’s team set up mamalaharris[.]com.
Similarly, don-trump2020[.]com doesn’t appear to be owned and operated by Donald Trump’s campaign, and it doesn’t look malicious in nature, either. If I were to guess, I’d think that this page was created by a fan of the candidate, looking to spread their message by selling some pro-Trump merchandise.
Redirecting domains accounted for 12% of our sample data during this round of analysis, compared to 68% in 2019. The redirecting domains that we found included a “healthy” mix of brand protection and negative sentiment.
Some domains appeared to be leveraged to redirect to legitimate sites, including bidenharrislive[.]com and presidentjoebiden[.]live, which resolved to joebiden[.]com. This method is a form of brand protection; many site owners choose to buy similar domains so other users can’t use them to mislead visitors or impersonate their brand (we’ll touch more on this later). Other sites, such as trump-is-bad-for-us[.]com and biden[.]exposed, unsurprisingly redirected to content critical of the respective candidates.
A few instances of redirects resolved to legitimate presidential candidate websites, but probably not the candidate a user intended to support or read about. For example, biden4freedom[.]com redirected to Jo Jorgensen’s page, jo20.com, while another domain, ceosagainsttrump[.]com, redirected to Joe Biden’s page. Tricky, tricky!
Redirection can come in different varieties, including the shady kind. We found one typosquatted domain that redirected to a “secure browsing” Google Chrome extension – trump-donald[.]com.
The domain eventually resolved to Donald Trump’s dedicated Wiki page. Occasionally, bad actors will lure users into downloading Chrome extensions, and they’re rarely legitimate. In June 2020, Google removed 106 Chrome extensions for collecting sensitive user data.
What I’m really trying to say here is be critical, and if nothing else, make sure you’re only using extensions you need.
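As an added illustration (example code written for this page, not Digital Shadows’ or ReliaQuest’s tooling), the script below first generates the look-alike domains a brand-protection team might monitor or defensively register for a campaign domain, and then sorts a set of observed look-alikes into the three buckets used above: redirects, illegitimate or misconfigured sites, and non-malicious sites. It also flags parked domains that carry an MX record, the phishing-ready case noted earlier. The classification rules, the `Observation` fields, and every domain in `SAMPLE` (all under the constructed `examplecandidate.com` brand) are assumptions made for the example, not the Photon Research Team’s methodology.

```python
"""Added example: typosquat candidate generation plus a three-bucket classifier
for observed look-alike domains. Rules and sample data are constructed for this
page and are not the Photon Research Team's method."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional


def typosquat_candidates(domain: str, extra_tlds=("net", "org", "live"),
                         keywords=("2020",)) -> List[str]:
    """Return look-alike domains worth monitoring or defensively registering."""
    name, _, tld = domain.lower().rpartition(".")
    names = set()
    for i in range(len(name)):                       # character omission
        names.add(name[:i] + name[i + 1:])
    for i in range(len(name) - 1):                   # adjacent transposition
        names.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])
    for i in range(len(name)):                       # character repetition
        names.add(name[:i + 1] + name[i] + name[i + 1:])
    for i in range(1, len(name)):                    # hyphenation
        names.add(name[:i] + "-" + name[i:])
    for kw in keywords:                              # election-year keyword
        names.add(name + kw)
        names.add(name + "-" + kw)
    names.discard(name)                              # never list the brand itself
    candidates = {f"{n}.{tld}" for n in names}
    candidates |= {f"{name}.{t}" for t in extra_tlds if t != tld}  # TLD swap
    return sorted(candidates)


@dataclass
class Observation:
    """What an analyst recorded for one look-alike domain (fields are assumptions)."""
    domain: str
    resolves: bool                      # DNS returned an answer
    parked: bool                        # registrar parking page only
    hosts_content: bool                 # serves its own page
    redirect_to: Optional[str] = None   # final hostname after following HTTP redirects
    sentiment: Optional[str] = None     # "positive" | "negative" | "neutral"
    official: bool = False              # analyst-confirmed campaign ownership
    has_mx: bool = False                # MX record present


def registrable(host: str) -> str:
    """Crude registrable-domain extraction (last two labels); fine for .com-style names."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify(obs: Observation) -> str:
    """Heuristic mapping to the post's three categories (an assumption, not the team's rules)."""
    if obs.redirect_to and registrable(obs.redirect_to) != registrable(obs.domain):
        return "redirect"
    if not obs.resolves:                             # DNS error
        return "illegitimate_or_misconfigured"
    if obs.hosts_content and not obs.official and obs.sentiment != "negative":
        # hosted by someone other than the campaign, without an obvious protest message
        return "illegitimate_or_misconfigured"
    return "non_malicious"                           # parked, or opinion/protest content


def phishing_ready(obs: Observation) -> bool:
    """Parked domain with an MX record: can handle mail despite hosting nothing."""
    return obs.parked and obs.has_mx


def summarize(observations: List[Observation], brand: str) -> Dict[str, object]:
    """Category counts, percentages, MX-bearing parked domains and brand-protection redirects."""
    counts = Counter(classify(o) for o in observations)
    total = len(observations)
    return {
        "counts": dict(counts),
        "percent": {k: round(100 * v / total) for k, v in counts.items()},
        "mx_parked": [o.domain for o in observations if phishing_ready(o)],
        "brand_protection": [o.domain for o in observations
                             if o.redirect_to and registrable(o.redirect_to) == registrable(brand)],
    }


# Constructed sample under a made-up campaign domain; none of these are real findings.
BRAND = "examplecandidate.com"
SAMPLE = [
    Observation("example-candidate.com", True, False, False, redirect_to="www.examplecandidate.com"),
    Observation("examplecandidate.net", True, True, False, has_mx=True),
    Observation("exmaplecandidate.com", False, False, False),
    Observation("examplecandidate2020.com", True, False, True, sentiment="neutral"),
    Observation("examplecandidateisbad.com", True, False, True, sentiment="negative"),
    Observation("vote4examplecandidate.com", True, False, False, redirect_to="rivalcandidate.example"),
]

if __name__ == "__main__":
    print(len(typosquat_candidates(BRAND)), "candidates to watch, e.g.",
          typosquat_candidates(BRAND)[:5])
    for obs in SAMPLE:
        print(f"{obs.domain:32} {classify(obs):30} mx_parked={phishing_ready(obs)}")
    print(summarize(SAMPLE, BRAND))
```

In practice the `Observation` fields would be filled from DNS lookups (A/AAAA and MX), an HTTP client that follows redirects to the final hostname, and an analyst’s read of the page; `registrable()` deliberately ignores the public suffix list, so multi-label suffixes such as `.co.uk` would need a proper library.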
As we get closer to the election, it’s highly likely that malicious actors will register and leverage election and voting websites to mislead users. We identified 47 potentially malicious domains that were either parked, redirected to a different website, or were illegitimate or misconfigured. For example, register2vote2020[.]com and register2vote2020[.]net are not currently hosting content; however, the potential for these sites to gather sensitive voter details is something to consider, especially as we’re approaching the cutoff for 2020 voter registration.
Another site, real2020poll[.]com, does not appear to be malicious in nature, but I think it’s safe to say that it’s probably not operated by a legitimate United States polling organization.
In times where disinformation, manipulation, and shady websites are at an all-time high, users must remain vigilant. Are you sure that the website you’re visiting is legitimate? Do you really need to download that Chrome extension? Are your sensitive details being submitted to a legitimate database? These are all things to seriously consider while surfing the web.
To keep yourself safe, we recommend that you corroborate a website’s legitimacy by looking at the candidate’s social media networks. Typically, candidates share their official domains in their biography sections or highlighted within their feed; if you’re looking to donate to one of the campaigns, try looking there first for information. We don’t recommend visiting linked websites sent via unsolicited emails, as this is a common tactic of threat actors employing phishing pages.
From an organizational point of view, here are our recommendations on avoiding possible brand impersonation or damage:
To learn more about typosquat and phishing protection, check out our Phishing Protection resources center page.