Even as the world continues to tackle the coronavirus pandemic, essential events just can’t be delayed. The U.S. presidential elections will continue to take place on 3 November 2020.

Although it is still months away, discussions are heating up. In parallel, as with other newsworthy events, dozens of election-related domain names are being detected.

Election-Related Domain Name Registration Trends

We started detecting U.S. election-related domain names on 2 June. That day, primaries were also held in Washington, D.C., and seven states, namely, Indiana, Maryland, Montana, New Mexico, Pennsylvania, Rhode Island, and South Dakota.

We tracked election-related typosquatting domain names within the period 2—13 June, particularly those containing the following strings:

• “bide”
• “trump”
• “electio”
• “presiden”

Within 12 days, we saw a total of 216 election-related domain names that appeared on the Domain Name System (DNS).

Spike in Domain Name Registrations After a Big Election-Related Event

The chart above plots the number of domains that contain each string as well as the total. It shows that the number of election-related domain names peaked on the following dates:

• 3 June: A day after the primaries in Washington D.C and seven states were held. A total of 30 domain names were detected.
• 5–6 June: The Virgin Islands presidential caucuses were held. Twenty-five domain names were seen on each day.
• 10 June: Primaries were held in Georgia and West Virginia a day before. Some 29 domain names were detected.

Other election-related events that could shape domain registration are the Kentucky and New York primaries slated on 23 June. With the emerging trend, domain registrations can spike on or after that date. We saw the same thing happen with the coronavirus-themed domain names.

The Anatomy of “Biden” and “Trump” Domain Names

While the tally of “Biden” and “Trump” typosquatting domains seem close (73 and 87, respectively), the themes vary. “Biden” domain names, for instance, hint at who people may want to be his running mate. A few examples are:

• bidenrice[.]org
• bidenrice[.]website
• biderice[.]org
• bidendemings-us[.]com
• bidendemings4us[.]com
• bidendemings-usa[.]com
• bidenriamondo[.]org
• bidenriamondo[.]net
• bidenriamondo[.]com
• bidenharrisforpresident[.]net
• bidenharrisforpresident[.]org
• bidenharrisforpresident[.]com

Some domain names also hint at support for Biden coming from the Ukrainian-American community. We saw 24 domain names on that theme registered in just two days:

The WHOIS records of the Ukrainian-American domain names seemed to have the same registrant when ran through a bulk WHOIS lookup. All of them use the same privacy services, pointing to the address 96 Mowat Ave., Ontario, Canada.

On the other hand, typosquatting domain names that contain the string “trum” had slightly different themes. For one, only the Owen-Trump tandem seemed to be promoting a running mate, although they bear the 2024 and 2028 tags:

• owenstrump2024[.]org
• owenstrump2028[.]com
• owenstrump2028[.]org
• owenstrump2024[.]com

Some domain names also appeared to show support for Trump, such as:

• whytrumpiagreat[.]com
• whyrrumpisgreat[.]com
• whytrumpisgrear[.]com
• armyfortrump[.]club
• armyfortrump[.]live
• armyfortrump[.]org
• supporttrumpsleadership[.]com
• supporttrumpsleadership[.]org
• supporttrumpsleadership[.]info
• liberalsfortrumpactioncommittee[.]info
• liberalsfortrumpactioncommittee[.]org
• liberalsfortrumpactioncommittee[.]com
• electrumv[.]org
• electrumo[.]org

Others also seemed to be against the incumbent president:

• donaldtrumpisajoke[.]net
• donaldtrumpisajoke[.]org
• donaldtrumpisajoke[.]com
• death2trump[.]golf
• death2trump[.]org
• death2trump[.]party
• donaldtrumpvsthepeople[.]net
• donaldtrumpvsthepeople[.]org
• donaldtrumpvsthepeople[.]info
• pucktrump[.]com
• fuctrump[.]org
• fucktrump[.]site

What Election-Related Typosquatting Domains Could Be Up To

It’s a known fact that typosquatting domains can be used in nefarious activities such as phishing campaigns, scams, and malware attacks. So what kind of content could these domains possible host?

We can get a glimpse of the domains without having to visit the websites using a screenshot capture tool.

The Biden-inspired domain names that promote running mates, for example, are mostly parked, with some hosting ads.

The same is true for domain names that express support for Trump, although some pages promise to have contents soon.

Other screenshots show that most election-related domains follow the same patterns.They are either parked or under construction, save for a few that are already up and running.

The rise in election-related domain names reinforces the point that new registrations typically follow newsworthy events. While most of these domain may currently be parked or the object of speculative domain investments, they too could turn into phishing entities in the near future.