Domain 'Typosquatting' Hits 2020 US Elections
Report Finds 550 Fraudulent Election Domains Connected to Presidential Race

At least 550 fake domains targeting Democratic and Republican U.S. Presidential candidates and election-related funding sites have been uncovered by cybersecurity vendor Digital Shadows. In the runup to next year's elections, the findings are the latest indication that the internet will continue to play a central role in spreading both information and disinformation, security experts say.
Such so-called "typosquatting" efforts are designed to take advantage of errors by users who accidentally mistype the URL of a candidate's website or that of an election-related organization - such as a political party funding site - and get sent to another site, according to a report released this week by Digital Shadows.
For example, users who type "elizibethwarren.com" or "windre" - rather than the legitimate fundraising site WinRed.com - get sent to other "typosquats," the researchers write in the report. While many of the 550 typosquatted domains had no content, 68 percent of the typosquatted sites redirect the user to another site, at times including the site of a political rival, the researchers with Digital Shadows' Photon Research team say.
While such moves can sow political confusion, other redirects appear to be more dangerous, sending users to "file converter" or "secure browsing" Google extensions that can lead to attacks on voters' data privacy or drive-by malware infections.
Another 8 percent of the typosquat domains were misconfigured or illegitimate sites. Some were non-malicious, while others were designed to make fun of candidates or damage their image.
"As election season gets kicked off, the threats vary greatly," Harrison Van Riper, strategy and research analyst at Digital Shadows, tells Information Security Media Group. "The potential exists for disinformation campaigns to operate on these typosquat domains. Something simple like changing a candidate's opinions to be slightly more radical on polarizing issues may be overlooked as being illegitimate information to a voter and could lead to uninformed decision making. The typosquat could also be used by a financially motivated criminal who is merely using the political backdrop to increase their chances of a successful infection. It's going to be critical in the coming months to remain vigilant when it comes to politics and typosquat domains."
Eye Toward 2020
The focus on online disinformation campaigns and other internet- and social media-based interference efforts took center stage during and after the 2016 presidential elections, intensifying as the full extent of Russian interference came into focus. Now attention is turning to the upcoming primaries and elections in November 2020. Cybersecurity firms and U.S. and state government agencies, including the Department of Homeland Security and state attorneys general, are taking steps to try and safeguard elections.
Earlier this month, the U.S. Senate Intelligence Committee, as part of the second volume of results from its investigation into Russian interference in 2016, recommended security measures for social media companies such as Facebook and Google as well as new legislation and creating an interagency task force.
Digital Shadows sought out typosquat domains related to the presidential candidates - 19 on the Democratic side and four for Republicans. The company used its SearchLight platform to find these various domains.
Motivations Behind Typosquatting
Typosquat redirects are not unusual on the internet.
Some companies will buy the domains that closely resemble their own so that users will be redirected to the correct site even if the user makes a mistake when typing the URL. If a person types in "faceboo.com," it will redirect to Facebook's legitimate homepage. Some of the redirections among the sites Digital Shadows looked at, however, redirected to sites of political rivals.
"For starters, winrde.com is the mistyped WinRed.com, a technology platform developed mainly for Republican candidate supporters that allows easy donations to specific candidates," the report says. "Currently, it redirects to ActBlue, the main fundraising site for the Democrats. … Tulsi2020.co and elizibethwarren.com redirect to marianne2020.com and donaldjtrump.com, respectively, and donaldtrump.digital redirects to hillaryclinton.com. Without calling out one candidate or one party over another for these typosquats, it's clear that the political battles are not taking place just on the debate stage or in the media but expanding to the cyber realm, as well."
Six typosquat domains related to the 2020 elections redirected users to a file converter or secure browsing Chrome extension that, if installed, would grant "unreasonably high" permissions, the researchers write. Three of the five extensions were granted access to the chrome.cookies API, which exposes the browser's cookies and could enable bad actors to hijack a session and impersonate the user. These domains also could grant cybercriminals real-time access to web traffic within the browser, and malware also has been found in the extensions web store.
Among the 8 percent of illegitimate sites were those aiming to damage a candidate's brand, including the ones below involving President Trump and New York City Mayor Bill de Blasio:
"Regardless of what your politics are, acknowledge the parallels in these websites with what a company could face: Replace Donald Trump or Bill de Blasio with any company CEO or high-ranking executive and you've got something affecting your brand and potentially costing you money," the report states.
Trying to Find the Owners
The European Union's General Data Protection Regulation has made gathering information about domain owners more challenging.
"The unfortunate consequence of the EU's GDPR coming into effect coupled with the rise in domain registration by proxy service is that personal information belonging to registrants is no longer able to be seen on a large scale," Van Riper says. "As recently as two or three years ago, online investigators could access Whois domain registration information and connect the dots between registrants or hosting IPs, but a lot of this information has been generalized in the name of privacy which makes it near impossible to determine who is genuinely responsible for registering these domains. That being said, we don't have any evidence to suggest a nation-state or cybercriminal group operated the domains we detected."
Digital Shadows is calling for the industry to address the problem of typosquatting. What organizations can do right now is buy domains similar to theirs and monitor domain registration activity. The company also is calling on users to be aware of the problem, be wary of sites that don't seem legitimate, and avoid visiting linked websites sent through unsolicited emails.
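
As an added illustration of the "monitor domain registration activity" advice (this is example code written for this article, not Digital Shadows' SearchLight logic), the sketch below checks a feed of newly seen domains against a watchlist of legitimate ones and flags single-typo and TLD-swap look-alikes. Assumptions: the feed contents are constructed, winred.com is named in the report, and elizabethwarren.com and tulsi2020.com are assumed to be the legitimate spellings behind the typosquats the report lists.

```python
# Added example: flag look-alike domains in a registration feed (defensive monitoring).

def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition, e.g. "winred" -> "winrde"
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[len(b)]

def split_domain(name):
    """Split 'WinRed.com' into ('winred', 'com'); assumes a registrable domain."""
    label, _, tld = name.strip().lower().rstrip(".").partition(".")
    return label, tld

def find_typosquats(feed, watchlist, max_dist=1):
    """Return (candidate, legitimate, reason) for each look-alike in the feed."""
    findings = []
    for cand in feed:
        c_label, c_tld = split_domain(cand)
        for legit in watchlist:
            l_label, l_tld = split_domain(legit)
            d = osa_distance(c_label, l_label)
            if d > max_dist or (d == 0 and c_tld == l_tld):
                continue  # unrelated name, or the legitimate domain itself
            reason = f"edit distance {d}" if d else "same name"
            if c_tld != l_tld:
                reason += f", TLD .{c_tld} instead of .{l_tld}"
            findings.append((f"{c_label}.{c_tld}", legit, reason))
    return findings

# Watchlist: winred.com is from the report; the other two are assumed spellings.
WATCHLIST = ["winred.com", "elizabethwarren.com", "tulsi2020.com"]
# Constructed feed of newly observed domains (typosquats taken from the report).
FEED = ["winrde.com", "elizibethwarren.com", "Tulsi2020.co",
        "winred.com", "example.org"]

if __name__ == "__main__":
    for cand, legit, reason in find_typosquats(FEED, WATCHLIST):
        print(f"{cand:22} looks like {legit:22} ({reason})")
```

A distance threshold of 1 produces false positives on very short names, so hits are leads for review rather than verdicts.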