Home / Industry

A Look Back at the 2016 U.S. Elections-Related Attacks

Thanks to Dancho Danchev, WhoisXML API’s DNS Threat Researcher, for the original investigation available here and that led to the creation of this post.

The 2016 U.S. elections sparked a lot of controversies, as several law enforcement agents and security researchers believed countries like Russia may have greatly influenced its turnout. We sought to find out more about it via an OSINT analysis using various domain and IP intelligence tools.

What’s Been Found in the Original Investigation

The original investigation began with obtaining lists of indicators of compromise (IoCs) related to the attacks. These include:

  • 95 command-and-control (C&C) server domains
  • 38 email addresses
  • 104 connected domains

What the Further Analysis Revealed

The C&C server domains were first subjected to a bulk WHOIS query to find out if any of them had identifiable country-specific ties. The results revealed that only 22 of the 95 C&C server domains had WHOIS records identified, and most of them (50%) claimed to be from the U.S.

Chart 1: Registrant countries of the C&C server domains

Note, however, that domain owners can register their web properties in any country even that where they don’t actually reside in. But since the attackers were targeting the U.S., it may also have made sense that they would use domains registered there.

The connected domains were subjected to a bulk WHOIS query as well just in case the attackers left clues behind. 54 of the 104 connected domains had WHOIS records identified, and most of them were registered in Indonesia, Malaysia, and Nigeria.

Chart 2: Registrant countries of the connected domains

Using the email addresses as inputs for advanced historical reverse WHOIS searches, an additional 13,379 domains (excluding those already in the C&C and connected domains lists) were uncovered. Notable examples that contained popular brands include the following:

  • apple-security-team[.]com
  • maybankegreetings[.]com
  • netflix-swedish[.]com
  • bancodeevenezuela[.]com
  • swarovskishop-site[.]com
  • sunglasshut-site[.]net
  • neimanmarcus-site[.]com
  • hollister-style[.]biz
  • google-settings[.]com
  • jeepgrandtour[.]net

These could serve as good hosts for phishing sites targeting the brands’ customers. Many domains could also serve as home to generic phishing pages, such as:

  • localisation-security[.]com
  • localisation-support[.]com
  • account-redirect[.]net
  • security-verification[.]net
  • software-update[.]org

Subdomains containing famous brands could easily be added to these to lure victims into unknowingly handing their credentials to cybercriminals.

A 10% sample of the additional domains were subjected to malware database checks via Threat Intelligence Platform (TIP), and a total of 516 out of 1,378 of the additional domains had ties to malware. Examples of these are:

  • apple-security-team[.]com
  • support-security-icloud[.]com
  • security-icloud-apple[.]com
  • onpeutlefaire[.]com
  • account-redirect[.]net

Note that many of the malicious domains identified seem to have been randomly generated. Examples include:

  • vgperknqlqdwpkbk[.]com
  • yhmpwhsxifmpe[.]com
  • vsxszchunolely[.]com
  • rijcfwnmlmlqzqnoz[.]com
  • ktgtmdchshgbwlepwb[.]com
  • hgvmfufotczwbu[.]com

Going by the law of averages, as many as 39% of the additional domains or 5,160 domains could be malicious. And while not all of them may be related to the 2016 U.S. election attacks, individuals and organizations alike would do well to avoid visiting the sites they host. Many of the domains are still live to date.

What’s more, the additional 13,379 domains were subjected to a bulk WHOIS lookup. Only 8,477 of them turned out to have WHOIS records. Most of the domains were registered in China (63%), followed by the U.S. (18%) and Malaysia (2%). The rest (4%) were scattered across 39 other countries while 12% didn’t identify their registrant countries.

Chart 3: Top 10 countries identified as the additional domains’ registrant countries

It is interesting to note that out of the 13,578 domains identified as IoCs and artifacts for this campaign, only five identified Russia as their registrant country. While we can’t definitely say that is proof of anything, leaving the country out of domain registrations (malicious or otherwise) could also be a tactic to throw the scent off it.

If you wish to further expand the list of IoCs and artifacts we’ve already identified in this post or would like to collaborate with our researchers on similar studies, feel free to contact us.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.

Visit Page

Filed Under


Commenting is not available in this channel entry.
CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet




Sponsored byVerisign


Sponsored byDNIB.com

New TLDs

Sponsored byRadix

Threat Intelligence

Sponsored byWhoisXML API

Brand Protection

Sponsored byCSC

Domain Names

Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global