
Hundreds of Election-Related Domain Names Seen as 2020 U.S. Elections Near


Even as the world continues to tackle the coronavirus pandemic, essential events just can’t be delayed. The U.S. presidential elections will continue to take place on 3 November 2020.

Although it is still months away, discussions are heating up. In parallel, as with other newsworthy events, dozens of election-related domain names are being detected.

Election-Related Domain Name Registration Trends

We started detecting U.S. election-related domain names on 2 June. That day, primaries were also held in Washington, D.C., and seven states, namely, Indiana, Maryland, Montana, New Mexico, Pennsylvania, Rhode Island, and South Dakota.

We tracked election-related typosquatting domain names within the period 2–13 June, particularly those containing the following strings:

  • “bide”
  • “trump”
  • “electio”
  • “presiden”

Within 12 days, we saw a total of 216 election-related domain names appear in the Domain Name System (DNS).

Spike in Domain Name Registrations After a Big Election-Related Event

The chart above plots the number of domains that contain each string as well as the total. It shows that the number of election-related domain names peaked on the following dates:

  • 3 June: A day after the primaries in Washington, D.C., and seven states were held. A total of 30 domain names were detected.
  • 5–6 June: The Virgin Islands presidential caucuses were held. Twenty-five domain names were seen on each day.
  • 10 June: Primaries were held in Georgia and West Virginia a day before. Some 29 domain names were detected.

Other election-related events that could shape domain registration are the Kentucky and New York primaries slated for 23 June. With the emerging trend, domain registrations can spike on or after that date. We saw the same thing happen with the coronavirus-themed domain names.
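An added example, not from the original article or WhoisXML API's tooling: a substring filter over a feed of newly seen domains using the four strings listed above, with a per-day tally. It goes beyond the article by adding an edit-distance pass that surfaces variants the substring match misses (for instance whyrrumpisgreat[.]com, listed later in this article). The feed layout, the dates, example-bakery[.]com and the distance threshold of 2 are assumptions.

```python
from collections import Counter

WATCH_STRINGS = ("bide", "trump", "electio", "presiden")  # strings listed in the article

# Constructed feed of (first-seen date, domain). Names come from the article
# except example-bakery; all dates are invented for illustration.
FEED = [
    ("2020-06-03", "bidenrice[.]org"), ("2020-06-03", "biderice[.]org"),
    ("2020-06-03", "whytrumpiagreat[.]com"), ("2020-06-03", "whyrrumpisgreat[.]com"),
    ("2020-06-03", "whytrumpisgrear[.]com"), ("2020-06-05", "armyfortrump[.]club"),
    ("2020-06-05", "bidenharrisforpresident[.]net"), ("2020-06-05", "example-bakery[.]com"),
]

def label(domain):
    """Leftmost label of a (possibly defanged) domain, lower-cased."""
    return domain.replace("[.]", ".").split(".")[0].lower()

def hits(domain):
    """Watch strings contained in the domain's label."""
    return [s for s in WATCH_STRINGS if s in label(domain)]

def daily_tally(feed):
    """Per day: a count for each watch string plus a 'total' of matched domains."""
    days = {}
    for day, domain in feed:
        found = hits(domain)
        if found:
            days.setdefault(day, Counter()).update(found + ["total"])
    return days

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def missed_variants(feed, max_dist=2):
    """Domains with no watch string whose label is a near-copy of one that has."""
    matched = [d for _, d in feed if hits(d)]
    out = {}
    for _, d in feed:
        near = [m for m in matched if edit_distance(label(d), label(m)) <= max_dist]
        if not hits(d) and near:
            out[d] = near
    return out
```

`daily_tally(FEED)` gives the per-day series a chart like the one described here is built from; `missed_variants(FEED)` lists the registrations a pure substring watch would not have counted.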

The Anatomy of “Biden” and “Trump” Domain Names

While the tally of “Biden” and “Trump” typosquatting domains seems close (73 and 87, respectively), the themes vary. “Biden” domain names, for instance, hint at who people may want to be his running mate. A few examples are:

  • bidenrice[.]org
  • bidenrice[.]website
  • biderice[.]org
  • bidendemings-us[.]com
  • bidendemings4us[.]com
  • bidendemings-usa[.]com
  • bidenriamondo[.]org
  • bidenriamondo[.]net
  • bidenriamondo[.]com
  • bidenharrisforpresident[.]net
  • bidenharrisforpresident[.]org
  • bidenharrisforpresident[.]com

Some domain names also hint at support for Biden coming from the Ukrainian-American community. We saw 24 domain names on that theme registered in just two days:

The WHOIS records of the Ukrainian-American domain names seemed to have the same registrant when run through a bulk WHOIS lookup. All of them use the same privacy services, pointing to the address 96 Mowat Ave., Ontario, Canada.

On the other hand, typosquatting domain names that contain the string “trum” had slightly different themes. For one, only the Owen-Trump tandem seemed to be promoting a running mate, although they bear the 2024 and 2028 tags:

  • owenstrump2024[.]org
  • owenstrump2028[.]com
  • owenstrump2028[.]org
  • owenstrump2024[.]com

Some domain names also appeared to show support for Trump, such as:

  • whytrumpiagreat[.]com
  • whyrrumpisgreat[.]com
  • whytrumpisgrear[.]com
  • armyfortrump[.]club
  • armyfortrump[.]live
  • armyfortrump[.]org
  • supporttrumpsleadership[.]com
  • supporttrumpsleadership[.]org
  • supporttrumpsleadership[.]info
  • liberalsfortrumpactioncommittee[.]info
  • liberalsfortrumpactioncommittee[.]org
  • liberalsfortrumpactioncommittee[.]com
  • electrumv[.]org
  • electrumo[.]org

Others also seemed to be against the incumbent president:

  • donaldtrumpisajoke[.]net
  • donaldtrumpisajoke[.]org
  • donaldtrumpisajoke[.]com
  • death2trump[.]golf
  • death2trump[.]org
  • death2trump[.]party
  • donaldtrumpvsthepeople[.]net
  • donaldtrumpvsthepeople[.]org
  • donaldtrumpvsthepeople[.]info
  • pucktrump[.]com
  • fuctrump[.]org
  • fucktrump[.]site

What Election-Related Typosquatting Domains Could Be Up To

It’s a known fact that typosquatting domains can be used in nefarious activities such as phishing campaigns, scams, and malware attacks. So what kind of content could these domains possibly host?

We can get a glimpse of the domains without having to visit the websites using a screenshot capture tool.

The Biden-inspired domain names that promote running mates, for example, are mostly parked, with some hosting ads.

The same is true for domain names that express support for Trump, although some pages promise to have content soon.

Other screenshots show that most election-related domains follow the same patterns. They are either parked or under construction, save for a few that are already up and running.


The rise in election-related domain names reinforces the point that new registrations typically follow newsworthy events. While most of these domains may currently be parked or the object of speculative domain investments, they too could turn into phishing entities in the near future.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
