
Hunting for U.S. Presidential Election-Related Domain Threats in the DNS

As if the attention surrounding the upcoming U.S. presidential elections were not enough, the WhoisXML API research team may have unveiled thousands of potential sources of disarray: election-related cybersquatting domains. These domains can be a lucrative source of income for some people. Case in point: the domain HarrisWalz[.]com was recently sold for US$15,000, a 99.94% profit margin.

Cybersquatting domains may also be used for more nefarious purposes. For example, the same cybersquatter who sold HarrisWalz[.]com also sold ClintonKaine[.]com to an anonymous buyer back in 2016. The domain was ultimately used to publish anti-Clinton news during the election period.

Recently, Microsoft warned that nation-state attackers employ impersonation and other tactics, techniques, and procedures (TTPs) to sow discord and undermine elections. Cybersquatting domains can be among their tools.

Our study focused on domains and subdomains that contain the names of presidential candidates and other election-related strings. We discovered:

  • 2,320 unattributable election-related domains
  • 197 election-related subdomains (yielding 121 unattributable root domains)
  • 541 email-connected domains
  • 1,165 IP addresses, 775 of which were malicious

A sample of the additional artifacts obtained from our analysis is available for download from our website.

Uncovering Election-Related Cyber Resources

To begin our investigation, we used Domains & Subdomains Discovery to search for election-related web properties. Specifically, we looked for domains and subdomains added from 1 January to 15 August 2024 that contained these strings:

  • Kamala + Harris
  • Tim + Walz
  • Harris + Walz
  • Vote + Harris
  • Donald + Trump
  • JD + Vance
  • Trump + Vance
  • vote + Trump
  • Starts with US + election

After removing duplicates, we found a total of 3,314 domains and 197 subdomains, distributed as shown in the chart below.

Attribution of the Election-Related Domains

We then sought to determine if any of the web properties in the study were under the control of the candidates or the U.S. government. To do that, we first obtained the WHOIS record details of the relevant official domain names, namely:

  • donaldjtrump[.]com
  • kamalaharris[.]com
  • walzflanagan[.]org
  • usa[.]gov

We did not find any official domain dedicated to vice presidential candidate JD Vance. We also included usa[.]gov since it hosted the official website for the U.S. elections.

Our bulk WHOIS lookup for the four domains revealed they all had privacy-protected WHOIS information. That means we could not publicly attribute any election-related domain to the email addresses or names of the entities managing the official domains.

However, even privacy-protected WHOIS records still expose other useful data points, such as name servers and registrant telephone numbers.

Running a bulk WHOIS lookup on 3,511 election-related domains and subdomains revealed that 70 did not have current WHOIS details.

After checking for overlaps between the WHOIS information of the four official domains and the 3,441 election-related domains with current WHOIS data, we excluded 1,000 unique domains from further analysis because they shared either the exact name servers of kamalaharris[.]com (seven domains) or the registrant telephone numbers of donaldjtrump[.]com (986 domains) or kamalaharris[.]com (seven domains).

We were left with 2,441 domains comprising 2,320 election-related domains and 121 root domains of the election-related subdomains that could not be attributed with high confidence to the same entities managing the official domains. These can be potentially considered cybersquatting domains and so were subjected to further analysis.
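As an added illustration (not the research team's own code or tooling), the two steps described above can be reproduced in a few lines: a keyword filter mirroring the search strings, followed by the WHOIS-overlap exclusion. The domain names, name servers and telephone numbers below are constructed placeholders, not real WHOIS data.

```python
# Added example: keyword filter + WHOIS-overlap attribution on constructed data.

# String pairs from the study; both tokens must appear in the name.
STRING_PAIRS = [
    ("kamala", "harris"), ("tim", "walz"), ("harris", "walz"), ("vote", "harris"),
    ("donald", "trump"), ("jd", "vance"), ("trump", "vance"), ("vote", "trump"),
]

def _normalize(name: str) -> str:
    """Lowercase and drop dots/hyphens so 'Harris-Walz.com' and 'harriswalz.com' match alike."""
    return name.lower().replace("-", "").replace(".", "")

def is_election_related(name: str) -> bool:
    """Mirror the search terms: any token pair, or 'starts with US + election'."""
    n = _normalize(name)
    if any(a in n and b in n for a, b in STRING_PAIRS):
        return True
    return n.startswith("us") and "election" in n

def attribute(records: dict, official: list) -> dict:
    """Classify each non-official domain by WHOIS overlap with the official domains.
    A record is {"name_servers": [...], "registrant_phone": str|None}, or None if no
    current WHOIS data exists. Exact name-server set OR shared phone => attributed."""
    official_ns = {frozenset(records[d]["name_servers"]) for d in official if records.get(d)}
    official_phones = {records[d]["registrant_phone"] for d in official
                       if records.get(d) and records[d]["registrant_phone"]}
    verdicts = {}
    for domain, rec in records.items():
        if domain in official:
            continue
        if rec is None:
            verdicts[domain] = "no_whois"
        elif frozenset(rec["name_servers"]) in official_ns or rec["registrant_phone"] in official_phones:
            verdicts[domain] = "attributed"    # same operator as an official domain; exclude
        else:
            verdicts[domain] = "unattributed"  # potential cybersquat; keep for review
    return verdicts

# Constructed sample (placeholder values only).
OFFICIAL = ["kamalaharris.com", "donaldjtrump.com"]
SAMPLE = {
    "kamalaharris.com": {"name_servers": ["ns1.off-a.example", "ns2.off-a.example"], "registrant_phone": "+1.5550100"},
    "donaldjtrump.com": {"name_servers": ["ns1.off-b.example", "ns2.off-b.example"], "registrant_phone": "+1.5550199"},
    "kamala-harris-2024.com": {"name_servers": ["ns2.off-a.example", "ns1.off-a.example"], "registrant_phone": None},
    "trumpvance-store.com": {"name_servers": ["ns1.parking.example"], "registrant_phone": "+1.5550199"},
    "voteharris.net": {"name_servers": ["ns1.cheaphost.example"], "registrant_phone": "+1.5550142"},
    "harriswalz.com": None,              # no current WHOIS record
    "trumpetlessons.com": {"name_servers": ["ns1.music.example"], "registrant_phone": None},  # not election-related
}

def triage(records=SAMPLE, official=OFFICIAL):
    """Filter by keyword, then attribute by WHOIS overlap; return per-domain verdicts and counts."""
    related = {d: r for d, r in records.items() if d in official or is_election_related(d)}
    verdicts = attribute(related, official)
    counts = {k: sum(v == k for v in verdicts.values()) for k in ("attributed", "unattributed", "no_whois")}
    return verdicts, counts

if __name__ == "__main__":
    print(triage())
```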

Unmasking Who’s Behind the Election-Related Domains

The WHOIS information of the 2,441 potentially cybersquatting domains revealed that:

  • GoDaddy.com LLC was the top registrar, administering 650 domains. It was followed by Namecheap, Inc. (509 domains); Squarespace Domains LLC (106 domains); Tucows, Inc. (94 domains); Hostinger Operations UAB (90 domains); Porkbun LLC (76 domains); NameSilo LLC (73 domains); Network Solutions LLC (56 domains); IONOS SE (43 domains); and SAV.COM LLC (36 domains). A further 591 domains were spread across more than 100 other registrars, while 117 did not have current registrar data.
  • A majority of the domains, 1,568 to be exact, were registered in the U.S. The rest of the top 10 registrant countries were Iceland (510 domains), Canada (93 domains), the U.K. (20 domains), China (eight domains), Vietnam (eight domains), Australia (six domains), the Netherlands (six domains), Germany (five domains), and Hungary (four domains). Another 56 domains were registered across 25 other countries, while 157 domains did not have current registrant country information.

In the following steps of our investigation, we delved deeper into the ownership of the election-related domains, uncovered further connections leading to more web properties potentially linked to cybersquatting, and explored possible malicious ties to these election-related domains.

Download the complete findings and a sample of the additional artifacts on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.

Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
