A study of 225 typosquatted domains registered using election-related terms found that around two-thirds were non-malicious in nature, either hosting politically themed propaganda or left in a parked state without any content.
The report, compiled by threat intelligence firm Digital Shadows, looked at so-called typosquatted domains, which are URLs modeled to mimic legitimate sites.
While the Digital Shadows report found that 67% of domains were “non-malicious,” researchers also found that 21% of the election-related typosquatted domains were either misconfigured or illegitimate sites. This includes websites that were either down, peddled scams, sold products using candidate brands, or falsely claimed to be affiliated with the official campaign.
Per the same report, the rest of the domains (12%) were redirecting users to other sites. Most were official candidate and campaign sites, and the domains were likely registered by the campaigns themselves, as a form of protection. However, the researchers also said that not all redirections were benign, and they also found typosquatted domains redirecting to sites attacking the candidate whose name they abused (i.e., trump-is-bad-for-us[.]com and biden[.]exposed).
This week’s report is a follow-up to a similar study researchers carried out in October 2019, when they looked at typosquatted domains for 34 candidate- and election-related terms, finding 550 sites in total.
As the US presidential election has advanced to its final stage, Digital Shadows redid its older report, this time looking only at terms like Trump, Pence, Biden, Kamala, Kamala Harris, vote, elect, and poll.
But while the new 2020 report found that two-thirds of sites were non-malicious, Digital Shadows says this shouldn’t be taken at face value, as this could change as we near election day.
“Most of the non-malicious sites that we detected were parked domains, which can act as a false sense of safety; sure, it’s not hosting right now, but that can change within an instant and without warning,” the company said.
“Additionally, if a parked domain has an MX (Mail eXchange) record, it could potentially be leveraged in a phishing campaign, which we know is bad news all around.”
Furthermore, even if the sites categorized as “non-malicious” (the 67% data set) didn’t host scams or malware, that doesn’t mean they weren’t malicious in terms of election interference, with many of them hosting “negative sentiment” and “brand-damaging” propaganda for both sides of the election aisle. In fact, this is what the DHS warned about in a bulletin sent to state and local officials across the US last month.
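The warning above about parked domains (they can start hosting content without notice, and an MX record makes them usable for phishing) is the reason defenders re-check a lookalike watchlist rather than classify it once. The sketch below is an added example, not code from Digital Shadows or the report: it diffs two snapshots of a watchlist and flags those state changes. The `Observation` fields, the `OFFICIAL` set and every `.example` domain are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Observation:
    """One watchlist entry as seen on a given day (hypothetical schema)."""
    domain: str
    has_content: bool        # serves real content, not a parking page or nothing
    mx_hosts: tuple = ()     # MX targets returned by DNS
    redirect_to: str = ""    # final redirect host, "" when there is none

# Assumed list of hosts the campaign itself controls.
OFFICIAL = {"campaign.example"}

def diff_snapshots(old, new):
    """Return {domain: [alerts]} for changes between two snapshots."""
    before = {o.domain: o for o in old}
    alerts = {}
    for cur in new:
        prev = before.get(cur.domain)
        found = []
        if prev is None:
            found.append("new lookalike domain")
            prev = Observation(cur.domain, False)   # compare against "parked"
        if cur.has_content and not prev.has_content:
            found.append("now serves content")
        added_mx = set(cur.mx_hosts) - set(prev.mx_hosts)
        if added_mx:
            found.append("MX added: " + ", ".join(sorted(added_mx)))
        if cur.redirect_to != prev.redirect_to:
            if not cur.redirect_to:
                found.append("redirect removed")
            else:
                kind = "official" if cur.redirect_to in OFFICIAL else "unofficial"
                found.append(f"redirect now points to {kind} site {cur.redirect_to}")
        if found:
            alerts[cur.domain] = found
    return alerts

# Constructed sample snapshots, one week apart.
WEEK_1 = [
    Observation("vote-candidate.example", False),
    Observation("candidatte.example", False, (), "campaign.example"),
    Observation("elect-candidate.example", True),
]
WEEK_2 = [
    Observation("vote-candidate.example", False, ("mail.vote-candidate.example",)),
    Observation("candidatte.example", False, (), "attack-site.example"),
    Observation("elect-candidate.example", True),
    Observation("candidate-poll.example", True),
]

if __name__ == "__main__":
    for domain, found in diff_snapshots(WEEK_1, WEEK_2).items():
        print(domain, "->", "; ".join(found))
```

In practice the observations would come from scheduled DNS and HTTP checks of each watched domain; here they are hard-coded so the comparison logic runs offline.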