
US Election-Related Web Properties Prone to Fraud and Misinformation Due to Lack of Domain Security

Co-authored by CSC’s Sue Watts and Quinn Taggart.

The risks of fraud and disinformation in the U.S. election process have been hiding in plain sight. CSC’s new research finds that a large majority of web domains closely linked to the campaign websites for Joe Biden and Donald Trump lack basic domain security protocols and are prone to domain spoofing tactics. This makes them a potential target for hackers looking to spread disinformation ahead of the election, and criminals who want to take advantage of voter intentions through domain spoofing, domain name and domain name system (DNS) hijacking, and phishing. Our findings show major risks that potentially lead to manipulation of web properties that voters rely on for information and donations. Additionally, the websites joebiden.com and donaldjtrump.com fit into this same risk profile.

When a bad actor exploits these weaknesses, some of the things that can happen are:

  • Rogue subdomains can be created under the legitimate domain (domain shadowing) and used to launch phishing and misinformation scams.
  • Nameservers can be modified (DNS hijacking) so that the domain resolves to attacker-controlled infrastructure, again to launch phishing and misinformation scams.
  • Existing subdomains whose records point at abandoned cloud resources can be claimed by an attacker (subdomain takeover) and used to launch phishing and misinformation scams.
  • Email can be intercepted, then used for gaining intelligence or for network infiltration.
  • New SSL/TLS certificates can be obtained by bad actors: once they control the domain's DNS they can pass a certificate authority's domain validation, and the resulting certificate lends legitimacy to their efforts.

In June, CSC revealed in the 2020 Domain Security Report that 83% of Forbes Global 2000 companies are at greater risk of domain name and DNS hijacking because they have not adopted basic domain security measures like registry lock. We thought it would be valuable to see if these same security issues were magnified for U.S. election-related web properties.

Using SimilarWeb, CSC identified close to 1,000 “outgoing” and “referral” domains for the period of August 1 – August 30, 2020 associated with joebiden.com and donaldjtrump.com. Essentially, we observed which websites are part of the presidential election ecosystem. These types of websites include:

  • Major global news media sites
  • Political websites
  • Political donation websites

CSC then applied its proprietary tools to identify the adoption of key domain security measures across the presidential election ecosystem. Highlights from our findings include:

  • Over 90% of these web properties are not using registry locks to protect their domains from domain and DNS hijacking that can lead to phishing attacks, network breaches, email compromise, and other malicious activity.
  • This is likely because over 75% of these election-related domains are registered with retail-grade domain registrars (vs enterprise-level registrars), which generally do not offer registry lock or a defense-in-depth approach to domain management.
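Registry lock is visible in a domain's RDAP (or WHOIS) status codes: the registry applies the server-side EPP prohibitions serverDeleteProhibited, serverTransferProhibited and serverUpdateProhibited, whereas the client* codes are only a registrar-level lock that the registrar can lift itself. The following Python is an added example, not CSC's tooling or the page's own code, showing how to classify a domain's lock posture from those codes. The RDAP records are constructed sample data, and the live lookup assumes the rdap.org redirect service is reachable.

```python
"""Classify a domain's lock posture from its RDAP / EPP status codes.

RFC 8056 maps EPP status codes to RDAP status values, e.g. the EPP code
serverTransferProhibited appears in RDAP JSON as "server transfer prohibited".
"""
import json
import urllib.request

# Server-side prohibitions that together constitute a registry lock.
REGISTRY_LOCK = {"serverDeleteProhibited", "serverTransferProhibited", "serverUpdateProhibited"}
# Registrar-applied counterparts: weaker, because the registrar (or anyone with
# the registrar account credentials) can remove them.
REGISTRAR_LOCK = {"clientDeleteProhibited", "clientTransferProhibited", "clientUpdateProhibited"}


def to_epp(status: str) -> str:
    """Normalize an RDAP value ("server transfer prohibited") or an EPP code
    ("serverTransferProhibited") to the EPP camelCase form."""
    words = status.replace("-", " ").split()
    if len(words) == 1:
        return words[0]
    return words[0].lower() + "".join(w.capitalize() for w in words[1:])


def lock_posture(statuses) -> str:
    """Return the strongest lock level implied by a list of status values."""
    codes = {to_epp(s) for s in statuses}
    if REGISTRY_LOCK <= codes:
        return "registry lock"
    if codes & REGISTRY_LOCK:
        return "partial registry lock"
    if codes & REGISTRAR_LOCK:
        return "registrar lock only"
    return "unlocked"


def summarize(records: dict) -> dict:
    """Map domain -> posture for a dict of RDAP-style responses."""
    return {name: lock_posture(rec.get("status", [])) for name, rec in records.items()}


def fetch_rdap_statuses(domain: str, base="https://rdap.org/domain/", timeout=10):
    """Live lookup. Assumption: rdap.org redirects to the registry's RDAP server."""
    with urllib.request.urlopen(base + domain, timeout=timeout) as resp:
        return json.load(resp).get("status", [])


# Constructed sample RDAP responses (hypothetical domains, not real data).
SAMPLE_RDAP = {
    "locked.example": {"status": [
        "client delete prohibited", "client transfer prohibited", "client update prohibited",
        "server delete prohibited", "server transfer prohibited", "server update prohibited"]},
    "retail.example": {"status": ["client transfer prohibited"]},
    "open.example": {"status": ["active"]},
}

if __name__ == "__main__":
    for name, posture in summarize(SAMPLE_RDAP).items():
        print(f"{name:16} {posture}")
```

Only a domain that reports all three server* prohibitions should be counted as registry locked; a bare clientTransferProhibited is the default state many retail registrars apply and gives no protection against a compromised registrar account.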

We also researched misspelled .COM domains (i.e., typo domains), related to joebiden.com and donaldjtrump.com. As part of our process, we checked to see which of these domains were registered, and we analyzed their registrant and registrar details and domain registration dates. Last, we observed whether they were configured for email and how they were being used.
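The triage just described (enumerate typo variants, check which are registered, check which have MX records) can be scripted. The Python below is an added example and not CSC's proprietary tooling: it generates the common typo classes (omission, doubled character, transposition, adjacent-key substitution) and sorts the results into available, registered without mail, and registered with mail. The registration and MX lookups are injected callables so the example runs offline against constructed data; the sample registration state for the variant names is invented for the demo and says nothing about the real domains. The optional live MX lookup assumes dnspython is installed.

```python
"""Typo-domain enumeration and triage for a target domain."""

# Small QWERTY adjacency map, enough for the demo (assumption: extend for real use).
KEYBOARD_NEIGHBOURS = {
    "b": "vn", "d": "sf", "e": "wr", "i": "uo", "j": "hk", "n": "bm", "o": "ip",
}


def typo_variants(domain: str) -> list:
    """Return sorted typo variants of the registrable label, keeping the TLD."""
    label, _, tld = domain.rpartition(".")
    out = set()
    for i, ch in enumerate(label):
        out.add(label[:i] + label[i + 1:])                          # omission
        out.add(label[:i] + ch + label[i:])                         # doubled character
        if i < len(label) - 1:                                      # transposition
            out.add(label[:i] + label[i + 1] + ch + label[i + 2:])
        for c in KEYBOARD_NEIGHBOURS.get(ch, ""):                   # adjacent-key substitution
            out.add(label[:i] + c + label[i + 1:])
    out.discard(label)
    return sorted(v + "." + tld for v in out if v)


def triage(variants, is_registered, mx_records) -> dict:
    """Bucket variants. is_registered(domain)->bool and mx_records(domain)->list
    are injected so this runs offline; back them with RDAP/WHOIS and a DNS MX
    query in practice. An MX record means the domain can receive mail, which is
    what makes a typo domain usable for phishing replies and credential capture."""
    result = {"available": [], "registered_no_mx": [], "registered_with_mx": []}
    for d in variants:
        if not is_registered(d):
            result["available"].append(d)
        elif mx_records(d):
            result["registered_with_mx"].append(d)
        else:
            result["registered_no_mx"].append(d)
    return result


def live_mx(domain: str) -> list:
    """Real MX lookup using dnspython (assumption: installed). Any DNS failure,
    including NXDOMAIN, is treated as 'no MX'."""
    import dns.exception
    import dns.resolver
    try:
        return [str(r.exchange) for r in dns.resolver.resolve(domain, "MX")]
    except dns.exception.DNSException:
        return []


# Constructed sample: which variants are "registered" and their MX hosts.
# This is invented demo data, not the actual state of these names.
SAMPLE_REGISTERED = {"jobiden.com": [], "joebbiden.com": ["mail.example.net."]}


def demo(domain: str = "joebiden.com") -> dict:
    variants = typo_variants(domain)
    return triage(variants,
                  is_registered=lambda d: d in SAMPLE_REGISTERED,
                  mx_records=lambda d: SAMPLE_REGISTERED.get(d, []))


if __name__ == "__main__":
    for bucket, names in demo().items():
        print(bucket, len(names), names[:5])
```

Unregistered variants are the cheapest defensive registrations; registered variants with MX records and recent creation dates are the ones worth escalating to a takedown or blocklisting process.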

Our research also showed that, of the typo domains related to joebiden.com and donaldjtrump.com:

  • 60% are still available for registration, thereby posing future threats.
  • Additionally, more than a third of those presidential candidate typo domains are linked to third parties. Therefore, it is our interpretation that only a handful of typo domains are legitimately owned by the campaigns themselves.
  • What is concerning is that, of the domains linked to third parties, nearly 70%:
    • Are configured to send and receive email (have MX records configured)
    • Were registered in January 2020 or later [This trend is typical with high-profile global events, and CSC often sees a surge in domain spoofing leading up to and during an event (e.g., COVID-19-related domain spoofing).]
    • Are using privacy protection [As a point of reference, CSC's managed corporations use privacy or proxy services for only about 2% of their domain portfolios. This tells us that the true owners of these misspelled domains may have some nefarious intentions.]

Furthermore, in terms of the domains being used by third parties:

  • Nearly 40% point to advertising-related pages
  • 20% point to destinations that appear to be associated with malware
  • 10% appear to be promoting campaign-related content and materials

NTT’s September Monthly Threat Report raised similar concerns, identifying ransomware as a significant U.S. election threat. DNS, domains, and email are among the primary means of malware distribution, so more oversight in these areas could help reduce the impact. Companies like Spamhaus have also discussed the increased threat of domain name hijacking, and have been advocating for increased oversight in holding domain name registrars to a higher standard.

By Vincent D'Angelo, Global Director at CSC
