|
As if the attention surrounding the upcoming U.S. presidential elections is not enough, the WhoisXML API research team may have unveiled thousands of potential sources of disarray—election-related cybersquatting domains. These domains may be a lucrative source of income for some people. Case in point? The domain HarrisWalz[.]com was recently sold for US$15,000 at a 99.94% profit margin.
Cybersquatting domains may also be used for more nefarious purposes. For example, the same cybersquatter who sold HarrisWalz[.]com also sold ClintonKaine[.]com to an anonymous buyer back in 2016. The domain was ultimately used to publish anti-Clinton news during the election period.
Recently, Microsoft warned that nation-state attackers employ impersonation and other tactics, techniques, and procedures (TTPs) to sow discord and undermine elections. Cybersquatting domains can be among their tools.
Our study focused on domains and subdomains that contain the names of presidential candidates and other election-related strings. We discovered:
A sample of the additional artifacts obtained from our analysis is available for download from our website.
To begin our investigation, we used Domains & Subdomains Discovery to search for election-related web properties. Specifically, we looked for domains and subdomains added from 1 January to 15 August 2024 that contained these strings:
We found a total of 3,314 domains and 197 subdomains, after removing duplicates, with the distribution shown in the chart below.
We then sought to determine if any of the web properties in the study were under the control of the candidates or the U.S. government. To do that, we first obtained the WHOIS record details of the relevant official domain names, namely:
We did not find any official domain dedicated to vice presidential candidate JD Vance. We also included usa[.]gov since it hosted the official website for the U.S. elections.
Our bulk WHOIS lookup for the four domains revealed they all had privacy-protected WHOIS information. That means we could not publicly attribute any election-related domain to the email addresses or names of the entities managing the official domains.
However, the WHOIS information includes other vital data points, such as name servers and registrant telephone numbers.
Running a bulk WHOIS lookup on 3,511 election-related domains and subdomains revealed that 70 did not have current WHOIS details.
After checking for overlaps between the WHOIS information of the four official domains and the 3,441 election-related domains with current WHOIS data, we were able to exclude 1,000 unique domains from further analysis since they shared the exact name servers of kamalaharris[.]com (i.e., seven domains) and the registrant telephone numbers of donaldjtrump[.]com (i.e., 986 domains) and kamalaharris[.]com (i.e., seven domains).
We were left with 2,441 domains comprising 2,320 election-related domains and 121 root domains of the election-related subdomains that could not be attributed with high confidence to the same entities managing the official domains. These can be potentially considered cybersquatting domains and so were subjected to further analysis.
The WHOIS information of the 2,441 potentially cybersquatting domains revealed that:
A majority of the domains, 1,568 to be exact, were registered in the U.S. The rest of the top 10 geolocation countries included Iceland (510 domains), Canada (93 domains), the U.K. (20 domains), China (eight domains), Vietnam (eight domains), Australia (six domains), the Netherlands (six domains), Germany (five domains), and Hungary (four domains). 56 domains were registered across 25 other countries, while 157 domains did not have current registrant country information.
In the following steps of our investigation, we delved deeper into the ownership of the election-related domains, uncovered further connections leading to more web properties potentially linked to cybersquatting, and explored possible malicious ties to these election-related domains.
Download the complete findings and a sample of the additional artifacts on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.
Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.
Sponsored byCSC
Sponsored byWhoisXML API
Sponsored byRadix
Sponsored byVerisign
Sponsored byIPv4.Global
Sponsored byVerisign
Sponsored byDNIB.com