In October 2019, the Digital Shadows (now ReliaQuest) Photon Research Team embarked on an adventure involving election typosquats that could potentially affect the presidential election and its candidates. If you haven’t read our original report, here’s a brief recap:

We detected over 550 typosquats for the 34 candidate- and election-related domains from open-source research. Not every single domain was interesting; most of the time, the typosquat was parked and not hosting content. Still, there were some worthwhile areas to dig into deeper: Misconfigured or illegitimate sites, non-malicious sites, and website redirects.

When monitoring for specific domains that impersonate our clients’ brand or are capable of potentially misleading client employees or their respective clients, we see it as an issue to which they should be alerted. When it comes to these domains affecting the general voting public, the same concern is present: Are people tricked into entering their personally identifiable information or sensitive details, is their device infected with malware, are the domains redirecting to an across-the-aisle candidate’s website, or are they redirected to potentially misleading information?

In terms of social sway, these domains are unlikely to strongly affect a voter’s individual opinion, but typosquats can still add to confusion and misinformation.

Let’s take a look at our most updated election-related typosquat data and findings. 

Preparing the podium.

No, I’m not really going to speak to you from a podium, but before we get into the meat and potatoes of this blog, I want to highlight why we’re writing about this, what we searched for, where we got our data from, and what we did with it. 

Initially, we were planning to post a blog like this later in the year, when we got closer to the election. Then we began researching the recent bulletin by the Department of Homeland Security (DHS), which warned Internet users of potentially malicious domains related to the United States election. Since our research seemed to be relevant to current reporting, we figured it may be beneficial to update our data to see if the landscape has changed. 

Digital Shadows (now ReliaQuest) used Shadow Search (now ReliaQuest GreyMatter Digital Risk Protection) to identify domains that included the following text within their WHOIS data:

  • Trump
  • Pence
  • Biden
  • Kamala OR Kamala Harris 
  • Vote
  • Elect
  • Poll

After collecting our data, we scrubbed through and identified the true positives by gauging the likelihood of the domains being candidate- or election-related. We ended up with 225 potentially malicious domains – exactly half of the sample we used in October. Considering the primary Republican and Democratic party candidates are identified at this point, it makes sense that our sample size is smaller than it was when we first began this journey. 

Okay, everyone’s primed, and we’re on the same page. Here’s what we found. 

Are we fighting a fake domain campaign?

While we can’t confirm who is setting up these websites and why they’re doing it, it has become clear that domain squatting has become a popular method among threat actors and zealous voters alike. 

Just as we classified our data in our first election typosquatting blog, we decided to classify the different types of typosquats we detected into three distinct categories, which are replete with examples:

  1. Misconfigured or illegitimate sites: Typosquats that were not correctly configured when initially created and aren’t hosting anything but an index page, as well as typosquats that likely are not legitimate but look like they could be
  2. Non-malicious: By far the largest category we detected, mainly consisting of typosquatted domains that are either not hosting content or are hosting content that includes a small amount of brand-damaging content
  3. Redirect: Typosquats that redirect the user to a different website

The following chart shows the breakdown of relevant typosquatted sites we uncovered, by category.

Figure 1: Breakdown of relevant typosquatted sites uncovered by category

Non-malicious sites have a 67% majority. 

Digital Shadows (now ReliaQuest) found that 67% of the 225 sites related to presidential candidates or the election were non-malicious. Compared to an 8% minority in 2019, that’s good news, right? Well, kind of. Most of the non-malicious sites that we detected were parked domains, which can create a false sense of safety; sure, the domain isn’t hosting anything right now, but that can change in an instant and without warning. Additionally, if a parked domain has an MX (Mail eXchange) record, it could potentially be leveraged in a phishing campaign, which we know is bad news all around.

As we said, many of the non-malicious domains were parked, but some showed negative sentiment. This is slightly more on the brand-damaging side of things. For example, biden2020[.]com displayed anti-Biden content, specifically underlining, “the dangers of voting for Biden.”

Figure 2: Typosquat hosting negative sentiment toward Joe Biden

Another website we came across, donaldtrumpjr[.]net, didn’t directly involve a presidential candidate in the domain name; however, its contents could negatively affect Donald Trump’s brand. 

Figure 3: Typosquat hosting negative sentiment toward Donald Trump

Illegitimate sites can still affect your brand.

We assessed that 21% of our sample data involved illegitimate or misconfigured sites, increasing from 2019’s 8%. While many of the domains we identified were associated with DNS errors, others seemed to be hosting websites that weren’t malicious in nature, but probably weren’t created by a presidential candidate’s team. An example is shown below – the sentiment of the site appears to be neutral, but it’s highly unlikely that Joe Biden’s team set up mamalaharris[.]com.

Figure 4: Illegitimate site relating to the 2020 US election

Similarly, don-trump2020[.]com doesn’t appear to be owned and operated by Donald Trump’s campaign, and it doesn’t look malicious in nature, either. If I were to guess, I’d think that this page was created by a fan of the candidate, looking to spread their message by selling some pro-Trump merchandise. 

Figure 5: Illegitimate site regarding the 2020 election

Typosquat redirects have a 12% minority.

Redirecting domains accounted for 12% of our sample data during this round of analysis, compared to 68% in 2019. The redirecting domains that we found included a “healthy” mix of brand protection and negative sentiment. 

Some domains appeared to be leveraged to redirect to legitimate sites, including bidenharrislive[.]com and presidentjoebiden[.]live, which resolved to joebiden[.]com. This method is a form of brand protection; many site owners choose to buy similar domains so other users can’t use them to mislead visitors or impersonate their brand (we’ll touch more on this later). Other sites, such as trump-is-bad-for-us[.]com and biden[.]exposed, (unsurprisingly) redirected to content opposing the respective candidates.

Figure 6: Site that redirected from trump-is-bad-for-us[.]com
Figure 7: Site that redirected from biden[.]exposed

A few instances of redirects resolved to legitimate presidential candidate websites, but probably not the candidate a user intended to support or read about. For example, biden4freedom[.]com redirected to Jo Jorgensen’s page, jo20.com, while another domain, ceosagainsttrump[.]com, redirected to Joe Biden’s page. Tricky, tricky! 

Shady Chrome extensions

Redirection can come in different varieties, including the shady kind. We found one typosquatted domain that redirected to a “secure browsing” Google Chrome extension – trump-donald[.]com. 

The domain eventually resolved to Donald Trump’s dedicated Wiki page. Occasionally, bad actors will lure users into downloading Chrome extensions, and they’re rarely legitimate. In June 2020, Google removed 106 Chrome extensions for collecting sensitive user data. 

What I’m really trying to say here is be critical, and if nothing else, make sure you’re only using extensions you need.
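The redirect cases above differ in where the visitor ends up and in what they pass through on the way, so a triage script should record every hop rather than only the final page. The following is an added example, not code from the original research; all hosts, the canned responses and the label strings are hypothetical and constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed responses standing in for live HTTP fetches:
# URL -> (status code, Location header or None). All hosts are hypothetical.
RESPONSES = {
    "http://candi-date.example/": (302, "https://addons.example/secure-browsing"),
    "https://addons.example/secure-browsing": (302, "https://encyclopedia.example/wiki/Candidate"),
    "https://encyclopedia.example/wiki/Candidate": (200, None),
    "http://candidat.example/": (301, "https://candidate.example/"),
    "https://candidate.example/": (200, None),
    "http://candidafe.example/": (302, "https://rival.example/"),
    "https://rival.example/": (200, None),
    "http://canddiate.example/": (301, "/loop"),
    "http://canddiate.example/loop": (302, "http://canddiate.example/"),
}

def trace(url, responses=RESPONSES, max_hops=10):
    """Follow Location headers; return (every URL visited, outcome)."""
    chain = []
    while len(chain) <= max_hops:
        if url in chain:
            return chain, "loop"
        chain.append(url)
        status, location = responses.get(url, (None, None))
        if status is None:
            return chain, "unreachable"
        if status not in REDIRECT_CODES or not location:
            return chain, "final"
        url = urljoin(url, location)  # the Location header may be relative
    return chain, "too many hops"

def classify(start, official_host):
    """Label a lookalike by where it sends visitors, including hops in between."""
    chain, outcome = trace(start)
    hosts = [urlsplit(u).hostname for u in chain]
    if outcome != "final":
        return f"misconfigured ({outcome})", hosts
    if len(set(hosts)) == 1:
        return "no redirect", hosts  # e.g. an http -> https upgrade on one host
    # A host seen between the first and last hop is what a final-URL check misses.
    passed_through = [h for h in hosts[1:-1] if h not in (hosts[0], hosts[-1])]
    if passed_through:
        return "redirect via third party", hosts
    if hosts[-1] == official_host:
        return "redirect to official site", hosts
    return "redirect to other site", hosts
```
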

A note on election and voting websites.

As we get closer to the election, it’s highly likely that malicious actors will register and leverage election and voting websites to mislead users. We identified 47 potentially malicious domains that were either parked, redirected to a different website, or were illegitimate or misconfigured. For example, register2vote2020[.]com and register2vote2020[.]net, are not currently hosting content; however, the potential for these sites to gather sensitive voter details is something to consider, especially as we’re approaching the cutoff for 2020 voter registration. 

Another site, real2020poll[.]com, does not appear to be malicious in nature, but I think it’s safe to say that it’s probably not operated by a legitimate United States polling organization. 

Figure 8: Illegitimate site regarding the 2020 election

Stay safe out there, Voters.

In times where disinformation, manipulation, and shady websites are at an all-time high, users must remain vigilant. Are you sure that the website you’re visiting is legitimate? Do you really need to download that Chrome extension? Are your sensitive details being submitted to a legitimate database? These are all things to seriously consider while surfing the web. 

To keep yourself safe, we recommend that you corroborate the website’s legitimacy by looking at the candidate’s social media networks. Typically, candidates will share their official domains in their biography sections or highlight them within their feed – if you’re looking to donate to one of the campaigns, try looking there first for information. We don’t recommend visiting linked websites sent via unsolicited emails, as this is a common tactic of threat actors employing phishing pages.

From an organizational point of view, here are our recommendations on avoiding possible brand impersonation or damage:

  1. Buy Domains Similar To Yours. For practitioners, if we look at typosquats in a timeline, one of the initial things you can do is buy domains that appear to be similar to yours. Obvious options would be domains that are one or two letters off from your legitimate domains. Using a tool like DNSTwister, you can generate a list of currently active domains that could already be impersonating your brand or give ideas for where to start purchasing domains.
  2. Monitor Domain Registration Activity. You should also start monitoring registration activity. This is hard enough for one domain, but if you have several it may be a bit unmanageable. At that stage we would suggest getting help; part of our core service at Digital Shadows (now ReliaQuest) is monitoring for domain impersonations and providing a variety of alerts: when a new typosquatted domain is available to register, when someone has added an MX record that is required to send emails (read: PHISHING emails), when a domain is actively hosting impersonating content, and more.
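The two recommendations above can be combined into one monitoring loop: generate the names that are one edit away from your domain, then alert on what each one is doing. The following is an added example, not Digital Shadows' or DNSTwister's code; it uses a simplified set of edits, and `candidate.example`, the `OBSERVED` lookup results and the alert strings are hypothetical and constructed for illustration.

```python
import string

def lookalikes(domain):
    """Map each one-edit variant of the first label to the edit that made it.
    Assumes a registrable name such as "candidate.example" (hypothetical)."""
    label, _, suffix = domain.partition(".")
    out = {}

    def add(variant, how):
        # Skip the original name and anything that is not a valid DNS label.
        ok = variant and variant != label and "--" not in variant
        if ok and variant[0] != "-" and variant[-1] != "-":
            out.setdefault(f"{variant}.{suffix}", how)

    for i, ch in enumerate(label):
        add(label[:i] + label[i + 1:], "omission")
        add(label[:i] + ch + label[i:], "repetition")
        if i + 1 < len(label):
            add(label[:i] + label[i + 1] + ch + label[i + 2:], "transposition")
        if i > 0:
            add(label[:i] + "-" + label[i:], "hyphenation")
        for c in string.ascii_lowercase + string.digits:
            add(label[:i] + c + label[i + 1:], "replacement")
    return out

# Constructed lookup results for hypothetical domains; a real monitor would
# fill these in from registration data, DNS MX queries and HTTP checks.
OBSERVED = {
    "candidat.example":       {"registered": False, "mx": False, "content": False},
    "candi-date.example":     {"registered": True,  "mx": True,  "content": False},
    "canddiate.example":      {"registered": True,  "mx": True,  "content": True},
    "candidatte.example":     {"registered": True,  "mx": False, "content": False},
    # Keyword-style name: not a one-edit variant, so it needs a keyword search.
    "candidate-shop.example": {"registered": True,  "mx": True,  "content": True},
}

def alerts(official, observed=OBSERVED):
    """Return (domain, edit, alert) tuples for lookalikes with lookup results."""
    found = []
    for name, how in sorted(lookalikes(official).items()):
        state = observed.get(name)
        if state is None:
            continue  # no lookup result for this candidate yet
        if not state["registered"]:
            found.append((name, how, "available to register"))
            continue
        if state["mx"]:  # a parked domain with MX can still send email
            found.append((name, how, "MX record present"))
        if state["content"]:
            found.append((name, how, "hosting content"))
        if not (state["mx"] or state["content"]):
            found.append((name, how, "registered, parked"))
    return found
```

Edit-distance generation does not catch names built from keywords, which is why the research above also searched registration data for terms such as "vote" and "elect".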

To learn more about typosquat and phishing protection, check out our Phishing Protection resources center page.
