Revisiting Typosquatting and the 2020 US Presidential Election

Kacey C
September 2, 2020 | 11 Min Read

In October 2019, Digital Shadows’ Photon Research Team embarked on an adventure involving election typosquats that could potentially affect the presidential election and its candidates. If you haven’t read our original report, I’ll fill you in on a brief recap:

We detected over 550 typosquats for the 34 candidate- and election-related domains from open-source research. Not every single domain was interesting; most of the time, the typosquat was parked and not hosting content. Still, there were some worthwhile areas to dig into deeper: Misconfigured or illegitimate sites, non-malicious sites, and website redirects.

When monitoring for specific domains that impersonate our clients’ brand or are capable of potentially misleading client employees or their respective clients, we see it as an issue to which they should be alerted. When it comes to these domains affecting the general voting public, the same concern is present: Are people tricked into entering their personally identifiable information or sensitive details, is their device infected with malware, are the domains redirecting to an across-the-aisle candidate’s website, or are they redirected to potentially misleading information?

In terms of social sway, these domains are unlikely to significantly affect an individual voter’s opinion, but typosquats can still contribute to confusion and misinformation.

Let’s take a look at our most updated election-related typosquat data and findings. 

Preparing the podium.

No, I’m not really going to speak to you from a podium, but before we get into the meat and potatoes of this blog, I want to highlight why we’re writing about this, what we searched for, where we got our data from, and what we did with it. 

Initially, we were planning to post a blog like this later in the year, when we got closer to the election. Then we began researching the recent bulletin by the Department of Homeland Security (DHS), which warned Internet users of potentially malicious domains related to the United States election. Since our research seemed to be relevant to current reporting, we figured it may be beneficial to update our data to see if the landscape has changed. 

Digital Shadows used Shadow Search to identify domains that included the following text within their WHOIS data:

  • Trump
  • Pence
  • Biden
  • Kamala OR Kamala Harris 
  • Vote
  • Elect
  • Poll

After collecting our data, we scrubbed through and identified the true positives by gauging the likelihood of the domains being candidate- or election-related. We ended up with 225 potentially malicious domains – exactly half of the sample we used in October. Considering the primary Republican and Democratic party candidates are identified at this point, it makes sense that our sample size is smaller than it was when we first began this journey. 

Okay, everyone’s primed, and we’re on the same page. Here’s what we found. 

Are we fighting a fake domain campaign?

While we can’t confirm who is setting up these websites or why they’re doing it, it is clear that domain squatting has become a popular method among threat actors and zealous voters alike.

As in our first election typosquatting blog, we classified the typosquats we detected into three distinct categories, each illustrated with examples below:

  1. Misconfigured or illegitimate sites: Typosquats that were not correctly configured when initially created and aren’t hosting anything but an index page, as well as typosquats that likely are not legitimate but look like they could be
  2. Non-malicious: By far the largest category we detected, mainly consisting of typosquatted domains that are either not hosting content or are hosting content that includes a small amount of brand-damaging content
  3. Redirect: Typosquats that redirect the user to a different website

The following chart shows the breakdown of relevant typosquatted sites we uncovered, by category.

Figure 1: Breakdown of relevant typosquatted sites uncovered by category

Non-malicious sites have a 67% majority. 

Digital Shadows found that 67% of the 225 sites related to presidential candidates or the election were non-malicious. Compared to an 8% minority in 2019, that’s good news, right? Well, kind of. Most of the non-malicious sites that we detected were parked domains, which can create a false sense of safety; sure, a parked domain isn’t hosting content right now, but that can change in an instant and without warning. Additionally, if a parked domain has an MX (Mail eXchange) record, it could potentially be leveraged in a phishing campaign, which we know is bad news all around.

As we said, many of the non-malicious domains were parked, but some showed negative sentiment. This is slightly more on the brand-damaging side of things. For example, biden2020[.]com displayed anti-Biden content, specifically underlining, “the dangers of voting for Biden.”

Figure 2: Typosquat hosting negative sentiment toward Joe Biden

Another website we came across, donaldtrumpjr[.]net, didn’t directly involve a presidential candidate in the domain name; however, its contents could negatively affect Donald Trump’s brand. 

Figure 3: Typosquat hosting negative sentiment toward Donald Trump

Illegitimate sites can still affect your brand.

We assessed that 21% of our sample data involved illegitimate or misconfigured sites, increasing from 2019’s 8%. While many of the domains we identified were associated with DNS errors, others seemed to be hosting websites that weren’t malicious in nature, but probably weren’t created by a presidential candidate’s team. An example is shown below – the sentiment of the site appears to be neutral, but it’s highly unlikely that Joe Biden’s team set up mamalaharris[.]com.

Figure 4: Illegitimate site relating to the 2020 US election

Similarly, don-trump2020[.]com doesn’t appear to be owned and operated by Donald Trump’s campaign, and it doesn’t look malicious in nature, either. If I were to guess, I’d think that this page was created by a fan of the candidate, looking to spread their message by selling some pro-Trump merchandise. 

Figure 5: Illegitimate site regarding the 2020 election

Typosquat redirects have a 12% minority.

Redirecting domains accounted for 12% of our sample data during this round of analysis, compared to 68% in 2019. The redirecting domains that we found included a “healthy” mix of brand protection and negative sentiment. 

Some domains appeared to be leveraged to redirect to legitimate sites, including bidenharrislive[.]com and presidentjoebiden[.]live, which resolved to joebiden[.]com. This method is a form of brand protection; many site owners choose to buy similar domains so other users can’t use them to mislead visitors or impersonate their brand (we’ll touch more on this later). Other sites, such as trump-is-bad-for-us[.]com and biden[.]exposed, (unsurprisingly) redirected to content critical of the respective candidates.

Figure 6: Site that redirected from trump-is-bad-for-us[.]com
Figure 7: Site that redirected from biden[.]exposed

A few instances of redirects resolved to legitimate presidential candidate websites, but probably not the candidate a user intended to support or read about. For example, biden4freedom[.]com redirected to Jo Jorgensen’s page, jo20.com, while another domain, ceosagainsttrump[.]com, redirected to Joe Biden’s page. Tricky, tricky! 
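The three redirect outcomes described above (official site, another candidate's site, third-party content) can be told apart mechanically once the final URL is known. The following is an added example, not Digital Shadows' tooling; the keyword map, the observation list and the `.example` hosts are constructed assumptions, and only joebiden.com and jo20.com come from the post.

```python
from urllib.parse import urlsplit

# Official campaign sites named in this post; extend with your own verified list.
OFFICIAL = {"joebiden.com": "biden", "jo20.com": "jorgensen"}
# Name fragments tying a lookalike domain to a campaign (assumption for this sketch).
KEYWORDS = {"biden": "biden", "harris": "biden", "kamala": "biden",
            "trump": "trump", "pence": "trump", "jorgensen": "jorgensen"}


def site_owner(url):
    """Return the campaign owning the final URL's host, or None if unknown."""
    # Accept bare hosts ("joebiden.com") as well as full URLs.
    parts = urlsplit(url if "//" in url else "//" + url)
    host = (parts.hostname or "").rstrip(".").lower()
    for domain, owner in OFFICIAL.items():
        # Exact host or a true subdomain only: a host such as
        # "joebiden.com.login.example" must not count as official.
        if host == domain or host.endswith("." + domain):
            return owner
    return None


def classify_redirect(lookalike, final_url):
    """Label a redirecting lookalike by where its visitors end up."""
    named = {c for k, c in KEYWORDS.items() if k in lookalike.lower()}
    owner = site_owner(final_url)
    if owner is None:
        return "third-party"       # critic sites, shops, extensions: analyst review
    if owner in named:
        return "official-site"     # consistent with defensive registration
    return "cross-candidate"       # lands on a different candidate's site


# Constructed observations: (lookalike as written in the post, final URL reached).
OBSERVED = [
    ("bidenharrislive[.]com", "https://joebiden.com/"),
    ("biden4freedom[.]com", "https://jo20.com/"),
    ("ceosagainsttrump[.]com", "https://www.joebiden.com/"),
    ("trump-is-bad-for-us[.]com", "https://critic-site.example/page"),
    ("biden-lookalike[.]example", "https://joebiden.com.login.example/"),
]


def triage(observations):
    return {name: classify_redirect(name, url) for name, url in observations}


if __name__ == "__main__":
    for name, label in triage(OBSERVED).items():
        print(f"{name:30} {label}")
```

An "official-site" result only shows where the redirect lands; who registered the lookalike still has to be confirmed separately.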

Shady Chrome extensions

Redirection can come in different varieties, including the shady kind. We found one typosquatted domain that redirected to a “secure browsing” Google Chrome extension – trump-donald[.]com. 

The domain eventually resolved to Donald Trump’s dedicated Wiki page. Occasionally, bad actors will lure users into downloading Chrome extensions, and they’re rarely legitimate. In June 2020, Google removed 106 Chrome extensions for collecting sensitive user data. 

What I’m really trying to say here is be critical, and if nothing else, make sure you’re only using extensions you need.

A note on election and voting websites.

As we get closer to the election, it’s highly likely that malicious actors will register and leverage election and voting websites to mislead users. We identified 47 potentially malicious domains that were either parked, redirected to a different website, or were illegitimate or misconfigured. For example, register2vote2020[.]com and register2vote2020[.]net are not currently hosting content; however, the potential for these sites to gather sensitive voter details is something to consider, especially as we’re approaching the cutoff for 2020 voter registration.

Another site, real2020poll[.]com, does not appear to be malicious in nature, but I think it’s safe to say that it’s probably not operated by a legitimate United States polling organization. 

Figure 8: Illegitimate site regarding the 2020 election

Stay safe out there, Voters.

In times where disinformation, manipulation, and shady websites are at an all-time high, users must remain vigilant. Are you sure that the website you’re visiting is legitimate? Do you really need to download that Chrome extension? Are your sensitive details being submitted to a legitimate database? These are all things to seriously consider while surfing the web. 

To keep yourself safe, we recommend that you corroborate a website’s legitimacy by checking the candidate’s social media accounts. Typically, candidates share their official domains in their biography sections or highlight them within their feed. If you’re looking to donate to one of the campaigns, try looking there first for information. We don’t recommend visiting linked websites sent via unsolicited emails, as this is a common tactic of threat actors employing phishing pages.

From an organizational point of view, here are our recommendations on avoiding possible brand impersonation or damage:

  1. Buy Domains Similar To Yours. For practitioners, if we look at typosquats in a timeline, one of the initial things you can do is buy domains that appear to be similar to yours. Obvious options would be domains that are one or two letters off from your legitimate domains. Using a tool like DNSTwister, you can generate a list of currently active domains that could already be impersonating your brand or give ideas for where to start purchasing domains.
  2. Monitor Domain Registration Activity. You should also start monitoring registration activity. This is hard enough for one domain, but if you have several it may be a bit unmanageable. At that stage we would suggest getting help; part of our core service at Digital Shadows is monitoring for domain impersonations and providing a variety of alerts: when a new typosquatted domain is available to register, when someone has added an MX record that is required to send emails (read: PHISHING emails), when a domain is actively hosting impersonating content, and more.
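Both recommendations can be sketched together: generate one-edit lookalikes of your own domain, then compare two snapshots of what is known about them and alert on the changes listed above. This is an added example, not Digital Shadows' service or DNSTwister's algorithm; the snapshot format, alert names and sample records are constructed, and collecting the snapshots (DNS and HTTP lookups) is assumed to happen elsewhere.

```python
def lookalikes(domain):
    """Single-edit variants of the leftmost label, same TLD: character
    omission, repetition, adjacent transposition and hyphen insertion."""
    label, _, tld = domain.lower().partition(".")
    variants = set()
    for i in range(len(label)):
        variants.add(label[:i] + label[i + 1:])                # omission
        variants.add(label[:i] + label[i] + label[i:])         # repetition
        if i + 1 < len(label):                                 # transposition
            variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
        if i > 0 and "-" not in label[i - 1:i + 1]:            # hyphen insertion
            variants.add(label[:i] + "-" + label[i:])
    variants.discard(label)
    return {f"{v}.{tld}" for v in variants
            if v and v[0] != "-" and v[-1] != "-"}


UNSEEN = {"mx": [], "hosting": False}


def diff_snapshots(old, new, watch):
    """Compare two snapshots {domain: {"mx": [...], "hosting": bool}} and
    return (domain, alert) pairs for watched domains only."""
    alerts = []
    for domain in sorted(new):
        if domain not in watch:
            continue
        before, after = old.get(domain), new[domain]
        if before is None:
            alerts.append((domain, "newly-registered"))
            before = UNSEEN
        if after["mx"] and not before["mx"]:
            alerts.append((domain, "mx-added"))      # can now send/receive mail
        if after["hosting"] and not before["hosting"]:
            alerts.append((domain, "content-live"))  # needs analyst review
    return alerts


# Constructed snapshots for lookalikes of joebiden.com (values are not real data).
OLD = {"joe-biden.com": {"mx": [], "hosting": False}}
NEW = {
    "joe-biden.com": {"mx": ["mx.placeholder.example"], "hosting": False},
    "joebidenn.com": {"mx": [], "hosting": True},
    "unrelated.example": {"mx": ["mx.placeholder.example"], "hosting": True},
}

if __name__ == "__main__":
    for domain, alert in diff_snapshots(OLD, NEW, lookalikes("joebiden.com")):
        print(domain, alert)
```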

To learn more about typosquat and phishing protection, check out our Phishing Protection resources center page.

Researched domains

