Elections and other events related to the government typically drive a great amount of Internet activity. Considering the domain name space, we found 4,197 subdomains related to the U.S. elections and the government in general. These were uncovered by our subdomains discovery tool. The following terms were used during the subdomains search:
Using WHOIS, domain, and IP intelligence tools, we discovered that the 4,197 subdomains can be traced back to 1,097 root domains that resolved to 1,083 unique IP addresses. With this data, we were able to answer these questions:
Threat actors are known to use newly registered domains (NRDs) in different malicious campaigns. However, when it comes to the election- and government-related subdomains, a combination of new and old domains was observed.
Domains that are five years old and above accounted for 57% of the total number of subdomains. About 30% were more than 10 years old, while only 6% were less than a year old.
Threat actors could exploit old domains by adding malicious subdomains or taking over unused ones. Subdomain protection should, therefore, be part of the overall cybersecurity strategy of enterprises.
The chart below shows the top 10 TLDs used by the election- and government-related subdomains.
The subdomains search revealed that the .com TLD was most frequently used. Six of the top 10 TLDs were country-code TLDs (ccTLDs) pointing to origins from other countries:
Subdomains that use these ccTLDs are quite suspicious since they are related to the U.S. elections and governmental entities.
The majority of the root domains were registered in the U.S. (44%) and France (18%). Panama and the Czech Republic each account for 3%, while Canada has 2% of the root domains. A total of 70% can be attributed to the top five registrant countries, while the remaining 30% were distributed across 41 other registrant countries.
Those root domains registered in other countries require special attention. But for the utmost security of organizations and end-users, even domains registered in the U.S. should be treated with caution.
Bulk IP Geolocation GUI allowed us to look up the subdomains’ IP geolocation details. The IP intelligence source revealed that most of the IP addresses the subdomains resolved to were U.S.-based (43%), coinciding with the top registrant country.
Around 35% of the IP addresses were located in Canada, 12% in Japan, 3% in Germany, and 2% in Russia. The remaining 6% were spread across 36 other countries.
Only 12 subdomains used the .gov TLD, but it is the most common text string that appeared alongside the related terms. In fact, the word “gov” tops the list, as it was used by about 31% of the subdomains. Some examples are:
The string “com” also appeared, making it the second most common word among the subdomains. Below are a few examples of subdomains that contain the string:
Some random-looking text strings also repeatedly appeared in the subdomains. The long string “2v8wa6govgwlkmtpcu43237ymvpacmrfibnuhvld,” for example, was used in 365 subdomains, making it the fifth most common text string. The string “ig3rdenz,” on the other hand, appeared 165 times, making it seventh on the list. These random-looking strings could be automatically generated.
Meanwhile, words like “socialsecurity,” “admin,” and “irs” could make subdomains appear trustworthy in the eyes of potential cybercrime victims.
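To make the string-frequency and random-label analysis described above concrete, here is an added Python example (not the report's or WhoisXML API's tooling) that counts which text strings appear across a set of hostnames and flags labels that look machine-generated. The hostnames are constructed; only the two random-looking strings quoted in the report are real, and the entropy, length and vowel-ratio thresholds are assumptions.

```python
import math
import re
from collections import Counter

# Constructed sample hostnames ("-example" domains are made up). The two long
# random-looking labels are the strings quoted in the report.
SAMPLE_SUBDOMAINS = [
    "gov.vote-info-example.com",
    "www.gov-services-example.com",
    "admin.gov-portal-example.org",
    "socialsecurity.benefits-example.com",
    "2v8wa6govgwlkmtpcu43237ymvpacmrfibnuhvld.cdn-example.net",
    "2v8wa6govgwlkmtpcu43237ymvpacmrfibnuhvld.static-example.net",
    "ig3rdenz.mail-example.com",
    "www.election-example.us",
]

def tokens(hostname):
    """Distinct alphanumeric text strings in a hostname, with the TLD dropped."""
    host_without_tld = hostname.lower().rsplit(".", 1)[0]
    return {t for t in re.split(r"[^a-z0-9]+", host_without_tld) if t}

def token_counts(subdomains):
    """Number of hostnames each text string appears in (the report's 'used by N subdomains')."""
    counts = Counter()
    for host in subdomains:
        counts.update(tokens(host))
    return counts

def shannon_entropy(s):
    """Bits per character over the label's own character distribution."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def looks_generated(label):
    """Assumed heuristic: flag a label when at least three of four random-label signals hold."""
    signals = [
        len(label) >= 12,
        any(ch.isdigit() for ch in label) and any(ch.isalpha() for ch in label),
        sum(ch in "aeiou" for ch in label) / max(len(label), 1) < 0.3,
        shannon_entropy(label) >= 3.0,
    ]
    return sum(signals) >= 3

def random_looking_tokens(subdomains):
    return sorted(t for t in token_counts(subdomains) if looks_generated(t))

if __name__ == "__main__":
    counts, total = token_counts(SAMPLE_SUBDOMAINS), len(SAMPLE_SUBDOMAINS)
    for token, n in counts.most_common(5):
        print(f"{token:42} {n:2} ({100 * n / total:.0f}% of subdomains)")
    print("random-looking labels:", random_looking_tokens(SAMPLE_SUBDOMAINS))
```

Dictionary words such as “socialsecurity” pass the entropy and length checks but fail the digit and vowel checks, which is why the heuristic requires three signals rather than one.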
The U.S. elections may be over, but these election- and government-related subdomains could still be active. While some of them may be used legitimately, several could figure in malicious activities, such as phishing and smear and disinformation campaigns.