Though it hasn’t always gone by this name, “typosquatting” is hardly a new phenomenon — malicious actors have been registering sound-alike and one-character-off URLs since domain registration began. A new report from Digital Shadows indicates that the 2020 presidential election is being heavily leveraged for this staple of cyber fraud, but that most of the activity has been focused on stealing personal information rather than trying to sway the vote.
The 2020 typosquatting campaign
In October 2019, Digital Shadows found at least 550 typosquatting sites related to candidates in the 2020 presidential election campaign. With the field now narrowed to the two candidates and their vice presidential picks, the San Francisco-based risk management firm revisited its work and found that 225 potentially malicious sites remained active. These sites are registered under either the name of one of the four remaining candidates in the race or the words “vote,” “poll” or “election.”
So who is behind these sites, and what are they attempting to do with them? Digital Shadows found that most of the sites (67%) were actually non-malicious: those that had any content at all either showed an index page or carried only a very small amount of material that did not appear to be meant to perpetrate a scam or mislead the user. 21% were misconfigured or illegitimate; not all of these are necessarily scam sites, but some are openly soliciting donations for a campaign they are not actually associated with, and others look as though they may be primed to do so at some point. The remaining 12% are URLs that redirect to another site, in some cases to an attack site.
Digital Shadows points out that the 67% of non-malicious sites may not actually be so harmless. While they must be categorized that way since they cannot be linked to some sort of malicious activity at present, many of these sites simply have an index page with minimal or no content and might be “activated” as a malicious site at some point in the future. Additionally, parked domains of this nature might be used in email-based scams that contain phishing attempts linking the victim to a different site.
The 21% of misconfigured or illegitimate sites tended to either have configuration errors rendering them non-functional, or to simply be anti-candidate sites with a minimal amount of content meant to soil a particular brand. A small handful were attempting to either sell merchandise or to solicit donations that likely would not be going to the campaign in question.
Among the 12% of redirect sites are some that were clearly registered by a political candidate or party for the purpose of harnessing wayward traffic and protecting their brand, with the typosquatted site automatically redirecting to the main campaign page. However, some redirected to some form of attack site, including one apparent pro-Trump site that attempted to install a malicious Chrome extension.
Typosquatting sites that invoke “polls,” “elections,” or “voting” in their name have a higher likelihood of attempting to harvest some sort of personal information. Digital Shadows found 47 URLs of this nature that were potentially malicious, along with some others that appeared to be conducting legitimate polls but could not be linked to any known polling agency.
For individual security, Digital Shadows suggests going to the verified social media accounts (such as the “blue checks” on Twitter) to find links to the authentic sites of the 2020 presidential election candidates rather than relying on search engines or emails. At the organizational end, the group suggests using a tool such as DNSTwister to generate a list of available sound-alike URLs to potentially purchase and contracting with cybersecurity firms that provide a domain registration monitoring service for brand protection.
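The organizational advice above, generating the sound-alike and one-character-off domains for a brand and checking which ones someone else has already registered, is easy to illustrate. The following is an added example written for this article; it is not Digital Shadows' or DNSTwister's code, and its keyboard-neighbour map, homoglyph table and list of alternate TLDs are deliberately small assumptions. It also folds in the “vote”/“poll”/“election” keyword combinations the report describes, and it treats only the last label as the TLD (so it assumes a domain like `example.com`, not `example.co.uk`).

```python
"""Brand-protection helper: enumerate typosquat candidates for a domain and
flag the ones that already resolve in DNS (i.e. that someone has registered).
Added example, not the code of any tool named in the article."""
import socket

# Assumption: a partial QWERTY adjacency map for "fat-finger" substitutions.
QWERTY_NEIGHBOURS = {
    "a": "qwsz", "e": "wrsd", "i": "uojk", "o": "iplk", "u": "yihj",
    "s": "awedxz", "t": "ryfg", "n": "bhjm", "m": "njk", "l": "kop",
}
# Assumption: a few common look-alike character swaps.
HOMOGLYPHS = {"o": "0", "i": "1", "l": "1", "e": "3", "a": "4", "s": "5"}
# Assumption: the alternate TLDs a brand owner would usually also watch.
ALT_TLDS = ("com", "net", "org", "co", "info")
# Keywords the article reports being combined with candidate names.
KEYWORDS = ("vote", "poll", "election")


def typo_variants(domain):
    """Return the set of candidate look-alike domains for `domain`."""
    name, _, tld = domain.lower().rpartition(".")
    names = set()
    n = len(name)
    for i in range(n):
        names.add(name[:i] + name[i + 1:])                  # omission
        names.add(name[:i] + name[i] * 2 + name[i + 1:])     # repeated char
        if i < n - 1:
            names.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])  # transposition
            names.add(name[:i + 1] + "-" + name[i + 1:])     # inserted hyphen
        for key in QWERTY_NEIGHBOURS.get(name[i], ""):       # adjacent-key typo
            names.add(name[:i] + key + name[i + 1:])
        if name[i] in HOMOGLYPHS:                            # look-alike char
            names.add(name[:i] + HOMOGLYPHS[name[i]] + name[i + 1:])
    for kw in KEYWORDS:                                      # keyword combos
        names.update((kw + name, name + kw, kw + "-" + name, name + "-" + kw))
    variants = {v + "." + tld for v in names if v}
    variants.update(name + "." + t for t in ALT_TLDS if t != tld)  # TLD swap
    variants.discard(domain.lower())
    return variants


def resolves(host):
    """True if the name currently has an A record (needs network access)."""
    try:
        socket.gethostbyname(host)
        return True
    except OSError:  # gaierror for NXDOMAIN, plus other resolver failures
        return False


def scan(domain, resolver=resolves):
    """Return the sorted list of variants that already resolve. `resolver` is
    injectable so the generation logic can be tested without DNS."""
    return sorted(v for v in typo_variants(domain) if resolver(v))


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    print(f"{len(typo_variants(target))} candidates for {target}")
    for taken in scan(target):
        print("already registered:", taken)
```

Run it with a brand domain as the argument; anything it prints as already registered is either one of the organization's own defensive registrations or a domain worth handing to whichever monitoring service is watching the brand. The unregistered remainder is the list of candidates to consider purchasing.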
Are foreign agents attempting to manipulate the 2020 presidential election?
While Digital Shadows does not report any knowledge of the identities of any of the typosquatting parties, the evidence presented seems to indicate a patchwork of small-time criminals and opportunists out for self-gain without much interest in who actually wins the 2020 presidential election. Some sites look as if they are meant to be political smear campaigns, but it is unclear if these are connected to any of the campaigns or to any foreign interests.
This theory is backed up by the threat intelligence work that Digital Shadows did in October 2019. That study found that typosquatting redirects to malicious sites were much more common when the 2020 presidential election field was more open, with some 34 different candidates still in the race. A number of these redirects also went to the official page of a rival, indicating that US political interests, rather than foreign agents, were buying them up for their own benefit.
The FBI issued a warning about typosquatting in early August, indicating that it had found dozens of sites that came online between March and June that could be used to influence the 2020 presidential election. However, the report does not go into detail on the locations or content of these sites, and it is not clear to what degree this overlaps with the work that Digital Shadows has done. The United States intelligence community has advised that Russia, China and Iran all intend to meddle in the 2020 presidential election, but thus far there is no clear evidence that they are making use of typosquatting to do so.