Investigating Domain Threats Related to the U.S. Presidential Election in the DNS

Short Summary:

The WhoisXML API research team identified thousands of election-related cybersquatting domains that could be exploited for profit or malicious purposes. Their study found 3,314 domains and 197 subdomains containing presidential-candidate names or election-related strings, 2,441 of which could not be attributed to the campaigns or the U.S. government and are therefore potentially harmful. The investigation highlights the need for vigilance in the face of election-related cyber threats.

Key Points:

  • Discovery of 2,320 unattributable election-related domains.
  • 197 election-related subdomains identified.
  • 541 email-connected domains and 1,165 IP addresses, 775 of which were flagged as malicious.
  • Cybersquatting domains can be used for profit or to spread misinformation.
  • GoDaddy.com LLC is the top registrar for these domains, managing 650 of them.
  • Majority of domains (1,568) registered in the U.S., followed by Iceland (510) and Canada (93).
  • WHOIS information for many domains was privacy-protected, complicating attribution efforts.

MITRE ATT&CK TTPs – created by AI

  • Acquire Infrastructure: Domains (T1583.001)
    • Registering domains that contain candidate names or election strings (cybersquatting) for later resale or abuse.
  • Phishing (T1566)
    • Cybersquatting domains may be used to host phishing sites targeting voters.
  • Phishing for Information (T1598)
    • Potential for harvesting credentials through impersonation tactics.
  • Impersonation (T1656)
    • Nation-state actors may use cybersquatting domains to impersonate candidates.

As if the attention surrounding the upcoming U.S. presidential elections is not enough, the WhoisXML API research team may have unveiled thousands of potential sources of disarray—election-related cybersquatting domains. These domains may be a lucrative source of income for some people. Case in point? The domain HarrisWalz[.]com was recently sold for US$15,000 at a 99.94% profit margin.

Cybersquatting domains may also be used for more nefarious purposes. For example, the same cybersquatter who sold HarrisWalz[.]com also sold ClintonKaine[.]com to an anonymous buyer back in 2016. The domain was ultimately used to publish anti-Clinton news during the election period.

Recently, Microsoft warned that nation-state attackers employ impersonation and other tactics, techniques, and procedures (TTPs) to sow discord and undermine elections. Cybersquatting domains can be among their tools.

Our study focused on domains and subdomains that contain the names of presidential candidates and other election-related strings. We discovered:

  • 2,320 unattributable election-related domains
  • 197 election-related subdomains (yielding 121 unattributable root domains)
  • 541 email-connected domains
  • 1,165 IP addresses, 775 of which were malicious

A sample of the additional artifacts obtained from our analysis is available for download from our website.

Uncovering Election-Related Cyber Resources

To begin our investigation, we used Domains & Subdomains Discovery to search for election-related web properties. Specifically, we looked for domains and subdomains added from 1 January to 15 August 2024 that contained these strings:

  • Kamala + Harris
  • Tim + Walz
  • Harris + Walz
  • Vote + Harris
  • Donald + Trump
  • JD + Vance
  • Trump + Vance
  • vote + Trump
  • Starts with US + election

We found a total of 3,314 domains and 197 subdomains, after removing duplicates, with the distribution shown in the chart below.

Attribution of the Election-Related Domains

We then sought to determine if any of the web properties in the study were under the control of the candidates or the U.S. government. To do that, we first obtained the WHOIS record details of the relevant official domain names, namely:

  • donaldjtrump[.]com
  • kamalaharris[.]com
  • walzflanagan[.]org
  • usa[.]gov

We did not find any official domain dedicated to vice presidential candidate JD Vance. We also included usa[.]gov since it hosted the official website for the U.S. elections.

Our bulk WHOIS lookup for the four domains revealed they all had privacy-protected WHOIS information. That means we could not publicly attribute any election-related domain to the email addresses or names of the entities managing the official domains.

However, the WHOIS records still exposed other data points that can be compared across domains, such as name servers and registrant telephone numbers. These are weaker signals than a registrant name or email address: a telephone number published by a WHOIS privacy service is shared by every domain that uses the same service, and a name-server set is often shared by all customers of a hosting provider, so an overlap can indicate a common provider rather than a common owner.

Running a bulk WHOIS lookup on 3,511 election-related domains and subdomains revealed that 70 did not have current WHOIS details.

After checking for overlaps between the WHOIS information of the four official domains and the 3,441 election-related domains with current WHOIS data, we excluded 1,000 unique domains from further analysis because they shared the exact name servers of kamalaharris[.]com (seven domains) or the registrant telephone number of donaldjtrump[.]com (986 domains) or kamalaharris[.]com (seven domains).

We were left with 2,441 domains, comprising 2,320 election-related domains and 121 root domains of the election-related subdomains, that could not be attributed with high confidence to the entities managing the official domains. These are the potential cybersquatting domains and were subjected to further analysis.
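As an added illustration (not WhoisXML API's code or tooling), the Python below reproduces the two steps described above on constructed records: the keyword and date-window search of the discovery step, then the WHOIS-overlap exclusion of the attribution step. The record fields, hostnames, name servers and telephone numbers are all made up for the example. The `proxy_phones` parameter goes beyond the study: it lets a known privacy-proxy telephone number be ignored as an attribution signal, and the second run shows how a shared proxy number would otherwise pull an unrelated domain into the attributed bucket.

```python
"""Added example, not WhoisXML API's code: keyword discovery of election-
related names followed by WHOIS-overlap attribution. All data is constructed."""
from dataclasses import dataclass, replace
from datetime import date


@dataclass(frozen=True)
class Record:
    """One hostname from a domain/subdomain feed with its WHOIS fields (assumed schema)."""
    domain: str                 # lowercase hostname
    created: date               # date the name was added to the feed
    name_servers: frozenset     # current NS set; empty => no current WHOIS
    registrant_phone: str = ""  # as published; may belong to a privacy proxy


# The study's "A + B" terms: both tokens must occur in the hostname.
SEARCH_TERMS = [("kamala", "harris"), ("tim", "walz"), ("harris", "walz"),
                ("vote", "harris"), ("donald", "trump"), ("jd", "vance"),
                ("trump", "vance"), ("vote", "trump")]
PREFIX_TERMS = [("us", "election")]           # "Starts with US + election"
WINDOW = (date(2024, 1, 1), date(2024, 8, 15))


def matches_terms(host: str) -> bool:
    """Case-insensitive match with dots and hyphens removed, so a term also
    matches across label boundaries (harris-walz.com, harris.walz.example)."""
    flat = host.lower().replace(".", "").replace("-", "")
    if any(all(tok in flat for tok in term) for term in SEARCH_TERMS):
        return True
    return any(flat.startswith(pre) and tok in flat for pre, tok in PREFIX_TERMS)


def root_domain(host: str) -> str:
    """Registrable root approximated as the last two labels (assumption; a real
    pipeline would consult the Public Suffix List to handle e.g. co.uk)."""
    return ".".join(host.lower().split(".")[-2:])


def discover(feed, window=WINDOW):
    """Step 1: keyword and date-window filter, deduplicated by the set.
    Two-label names are treated as domains, anything longer as a subdomain."""
    start, end = window
    hits = {r for r in feed if start <= r.created <= end and matches_terms(r.domain)}
    domains = {r for r in hits if r.domain.count(".") == 1}
    return domains, hits - domains


def attribute(candidates, officials, proxy_phones=frozenset()):
    """Step 2: a candidate is attributed when it shares the exact name-server set
    or the registrant phone of an official domain. A phone number that belongs
    to a WHOIS privacy proxy is shared by every customer of that proxy, so it
    is dropped from the official signals when listed in proxy_phones."""
    official_ns = {o.name_servers for o in officials if o.name_servers}
    official_phones = {o.registrant_phone for o in officials
                       if o.registrant_phone and o.registrant_phone not in proxy_phones}
    buckets = {"no_whois": set(), "attributed": set(), "unattributable": set()}
    for r in candidates:
        if not r.name_servers and not r.registrant_phone:
            buckets["no_whois"].add(r)
        elif r.name_servers in official_ns or r.registrant_phone in official_phones:
            buckets["attributed"].add(r)
        else:
            buckets["unattributable"].add(r)
    return buckets


def run(feed, officials, proxy_phones=frozenset()):
    """Full pipeline; subdomains are analysed through their root domain."""
    domains, subdomains = discover(feed)
    by_name = {r.domain: r for r in domains}
    for s in subdomains:
        root = root_domain(s.domain)
        by_name.setdefault(root, replace(s, domain=root))
    buckets = attribute(by_name.values(), officials, proxy_phones)
    return {"domains": len(domains), "subdomains": len(subdomains),
            "no_whois": len(buckets["no_whois"]),
            "attributed": sorted(r.domain for r in buckets["attributed"]),
            "unattributable": sorted(r.domain for r in buckets["unattributable"])}


# Constructed official-domain WHOIS. The donaldjtrump.com phone stands in for
# a privacy proxy's shared number; no value here is a real record.
PROXY_PHONE = "+1.5555550199"
CAMPAIGN_NS = frozenset({"ns1.campaign.example", "ns2.campaign.example"})
OFFICIALS = [
    Record("kamalaharris.com", date(2019, 1, 1), CAMPAIGN_NS, "+1.5555550100"),
    Record("donaldjtrump.com", date(2015, 3, 1), frozenset({"ns1.trump.example"}), PROXY_PHONE),
]
# Constructed feed: includes a duplicate, an out-of-window name and a non-match.
FEED = [
    Record("harriswalz.com", date(2024, 7, 24), frozenset({"ns1.parking.example"}), "+1.5555550123"),
    Record("harriswalz.com", date(2024, 7, 24), frozenset({"ns1.parking.example"}), "+1.5555550123"),
    Record("voteharris2024.com", date(2024, 8, 1), CAMPAIGN_NS, "+1.5555550100"),
    Record("trumpvance.net", date(2024, 7, 16), frozenset({"ns1.registrar.example"}), PROXY_PHONE),
    Record("shop.donaldtrumpvance.com", date(2024, 7, 20), frozenset({"ns1.hosting.example"})),
    Record("uselection2024.org", date(2024, 2, 10), frozenset()),
    Record("kamala-harris.info", date(2023, 12, 30), frozenset({"ns1.parking.example"})),
    Record("harrisvance.com", date(2024, 5, 1), frozenset({"ns1.parking.example"})),
]

if __name__ == "__main__":
    print(run(FEED, OFFICIALS, proxy_phones={PROXY_PHONE}))  # proxy number ignored
    print(run(FEED, OFFICIALS))  # naive: trumpvance.net is attributed via the proxy number
```

The first run leaves trumpvance.net unattributable because its only overlap with an official domain is the proxy number; the second, naive run attributes it, which is the over-exclusion to watch for when the official domains themselves are privacy-protected.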

Unmasking Who’s behind the Election-Related Domains

The WHOIS information of the 2,441 potentially cybersquatting domains revealed that:

  • GoDaddy.com LLC was the top registrar, administering 650 domains. It was followed by Namecheap, Inc. (509 domains); Squarespace Domains LLC (106 domains); Tucows, Inc. (94 domains); Hostinger Operations UAB (90 domains); Porkbun LLC (76 domains); NameSilo LLC (73 domains); Network Solutions LLC (56 domains); IONOS SE (43 domains); and SAV.COM LLC (36 domains). 591 domains were distributed across more than 100 registrars, while 117 did not have current registrar data.
  • A majority of the domains, 1,568 to be exact, were registered in the U.S. The rest of the top 10 geolocation countries included Iceland (510 domains), Canada (93 domains), the U.K. (20 domains), China (eight domains), Vietnam (eight domains), Australia (six domains), the Netherlands (six domains), Germany (five domains), and Hungary (four domains). 56 domains were registered across 25 other countries, while 157 domains did not have current registrant country information.

In the following steps of our investigation, we delved deeper into the ownership of the election-related domains, uncovered further connections leading to more web properties potentially linked to cybersquatting, and explored possible malicious ties to these election-related domains.

Download the complete findings and a sample of the additional artifacts on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.

Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.

Source: Original Post