|
As with any high-stakes event, elections have become a prime target for cybercriminals seeking to exploit public trust through impersonation, misinformation, and scams. CSC’s comprehensive research about the 2024 U.S. Election reveals the alarming role of dormant domains, which have the potential to be exploited for launching cyber attacks against political campaigns, organizations, and constituents.
CSC researched election-themed domain registrations from January 2023 to September 2024 and observed 59,000 unique domain names that were not owned by the candidates, political parties, or voting organizations. These third-party domain registrations spiked considerably in the wake of key events during the election, as seen in figure 1.
Out of the 59,000 domains, 40,157 domains were still registered in September 2024. Out of this new total, we had found that more than 7,000 could be classified as “dormant domains.”
Dormant domains are inactive, meaning if you attempt to type in their URL, you won’t reach a website, but likely an error message. The issue that may arise is when one of these dormant domains is suddenly activated for malicious purposes, such as a phishing or malware attack. Bad actors could make these dormant domains active during or immediately after Election Day, with the goal of seeding disinformation and distrust in election results.
Aside from dormant domains, about 43% of the domains were “parked,” which means they do resolve to live content, but don’t present a typical online user experience. You’ll usually see a “coming soon” page or a pay-per-click page. Third parties may hold parked domains with the purpose of reselling them at a higher price or using them for a future business investment.
To make an educated guess about the motive behind registering a domain, our research team looked at several clues based on the domain’s infrastructure, such as their secure sockets layer (SSL) certificates, mail exchange (MX) records, proxy services, and hosting providers.
For example, a domain with active SSL certificates and MX records suggests some level of intention towards use. Below is a chart of the 40,000+ domains that were still registered and their infrastructure activity trends.
Many spoofed domains use words related to a brand or topic that may bring traffic, such as the election or its candidates, combined with prefixes and suffixes. Prefixes that appear before the domain in a URL were wide ranging, such as, “the,” “vote,” “president,” “2024,” and “MAGA.”
Common suffixes that appear after the domain names and are also known as top-level domains included “2024,” “sol,” “coin,” “merch,” and “store.” Notably, cryptocurrency has become a popular keyword theme. For example, SOL is the abbreviated name for Solana, a type of cryptocurrency.
Another technique is typosquatting, which tricks visitors who accidentally mistype their intended destination online. We also saw that about half of these domains were issued SSL certificates by a free and open-source certificate authority (CA). Working with this type of CA would lower the barriers for cybercriminals trying to set up fake websites and emails. Additionally, 66.3% of the domain registrars were the same three consumer-grade companies.
If dormant domains were to be unleashed, they could become fraudulent websites. Below are a few examples of what a harmful site could look like.
doonaldjtrump.com
Note the misspelled name. A donation link went to another fake domain (pay.coingaete.com). When we investigated, it held an active MX record and an SSL issued by a free and open-source certificate authority.
kamala.ltd
When we visited the site, the browser flashed a warning that the security certificate expired 163 days ago. But the domain had active text (TXT), MX, domain-based message authentication, reporting, and conformance (DMARC), and sender policy framework (SPF) records associated with it, which indicates an intent to use.
donaldjtrumpcampaign.us
Registered at Registrar.eu (based in Europe), this appeared to be a fake donation site, with a link to a cryptocurrency account instead of an official WinRed website. It also had active MX records and an SSL from a free and open-source certificate authority.
Criminals won’t think twice about abusing your brand for deceptive purposes, so maintaining a domain portfolio and protecting your digital assets should be top business priorities.
Here are some recommendations to help you stay secure:
Sponsored byIPv4.Global
Sponsored byCSC
Sponsored byVerisign
Sponsored byVerisign
Sponsored byWhoisXML API
Sponsored byRadix
Sponsored byDNIB.com