October 31, 2018
Anomali Threat Research

New .republican and .democrat Domains Offer New Ways to Fake Out Voters

<h2>Introduction</h2><p>Election cycles in the US are widely publicized on various forms of media sources but this publicity brings with it inherent risk. A campaign’s online presence is critical as more voters turn to the Internet to learn about candidates, compare positions, and prepare to vote. However, this online presence can also lead to new risks not only to candidates but to potential voters as well. As most of us have seen from phishing emails, it is extremely easy to fabricate messages that look literally identical to legitimate messages. Only a clever eye can discover the signs that certain messages are fake. The same is true for websites, and we are seeing a growing trend of fake websites being created to achieve malicious goals.</p><p>A well-known tactic is known as “<a href="https://www.anomali.com/resources/infographics/typosquatting-more-than-just-a-typo" target="_blank">typosquatting</a>.” Typosquatting is the practice of registering domains that can be confused for the legitimate site, or has a minor typo that can easily be missed by visitors. For example, say John Smith is running for the Senate in Texas and his campaign website is “johnsmithforsenate.com,” - typosquatted domains could look like:</p><ul><li>johnsmlthforsenate.com</li><li>jonathansmithforsenate.com</li><li>johnsmithtx.com</li><li>johnsmith4senate.com</li></ul><p>Now there is another way to confuse voters and/or make your opponent look bad. In many sectors we’ve seen the emergence of new, customized Top Level Domains (TLDs). Everyone is familiar with the standard TLDs: .com, .org, .net, .edu, .gov, etc. Now organizations can create new TLDs such as .info, .jobs, .kitchen, and pretty much anything else you can think of. We now see the emergence of new politically oriented TLDs, including .republican, .gop, and .democrat (we’ll refer to these as ”party TLDs” throughout this report). These don’t seem to be widely used by candidates, but they do offer the opportunity for confusion and misuse. The new party domains provide more ways for malicious actors to impersonate or embarrass legitimate sites.</p><p>Special TLDs such as .gov and .edu are restricted, meaning only authorized organizations may register domains with these TLDs. This is not true for the new suite of custom TLDs, including the party TLDs. The .democrat and .republican TLDs are owned by the Rightside group, which also owns multiple others such as .actor, .airforce, .ninja and .software among others. The .gop TLD is operated by the Republican State Leadership Committee (RSLC) which, while affiliated with the GOP, is not technically owned by the GOP. Anyone can register a domain with any of these TLDs. Analysis of these domains offers some insight into domain registration and typosquatting defense techniques.</p><p>A good mitigation against typosquatting is to use typosquatting as a defense by proactively registering domains with similar names to the website that is being protected; this tactic is likely being used amongst the domains analyzed by researchers. However, these domains are not all owned by the candidates, and most of them are likely owned by supporters, opposition groups, or individuals who merely want to own a domain named after a candidate perhaps in hopes to sell the domain at a later point in time.</p><p>Based on conversations with government officials, we recommend government organizations refrain from use of commercial TLDs such as .com, .org, or even the newer party-associated domains. The exclusive use of .gov domains reinforces the legitimacy of the sites and will inform visitors that they can be trusted. As a protective measure, government organizations should also register similar domains on these alternate TLDs, but not use them. As an additional protection, organizations should attempt to trademark their names at both the state and federal level to assist in takedown proceedings for maliciously registered domains.</p><h2>Analysis</h2><p>Anomali researchers analyzed domains registered to .democrat, .gop and .republican TLDs. We found a total of 7,336 party domains registered against these party TLDs. .democrat domains accounted for only 28% of the total, versus .gop and .republican domains accounting for 46% and 26% respectively.</p><p>Of the 7,336 total domains, the vast majority are stagnant - only 2,250 (31%) resolve to an IP address. Further, of the 2,250 that do have IP addresses, the majority contain some form of content, whether a fully-functioning website or basic html, or simply redirect to another website altogether. We found very few candidates have actually registered domains on the appropriate party TLD. In fact, some candidate-associated domains (those that have candidate names in them) have little to do with the candidate, and in some cases redirect to competing candidates or to other sites designed to embarrass the candidate.</p><p>To illustrate how domains can be misused here are a few examples:</p><ul><li>http://pelosi.democrat - This site redirects visitors donaldjtrump.com, the official site of the Trump campaign</li><li>http://bobstump.republican - This site redirects visitors to debbieleskoforcongress.com, another candidate for US Congress in Arizona</li><li>http://kirkpatrick.republican - This site redirects visitors to a YouTube video from 2009</li></ul><p>It’s important to understand that these sites are almost always not registered by competing candidates. They are generally created by independent individuals to embarrass a particular candidate. For example, pelosi.democrat redirects to the Trump campaign, but almost certainly was not registered by the Trump organization.</p><p>Note, most Internet users likely understand that while any person or organization can register a .com address, there are other addresses like .gov/.mil that are highly are restricted. When it comes to new TLDs like .republican and .democrat it’s not clear whether these are open or restricted. In fact, many users likely assume that any domain on these TLDs are managed, approved or endorsed by the party. That is, there is a presumption of validity for sites with these unique suffixes.</p><h2>Threats and Risks</h2><p>During election cycles threat actors can exploit the high emotionality of US politics in a variety of ways. Typosquatting allows individuals to create websites aimed to surprise unsuspecting visitors and potentially spread disinformation. As disinformation campaigns become more commonly discussed in open sources, political candidates and parties in general must take extra steps to protect themselves from potential false information, fake websites under their name, and malware distributed via those typosquatted domains. Politicians must be proactive in addressing this risk to election processes to reduce the negative impact it has on voters as well as mitigate external influences the subsequent outcome of elections.</p><h3>Domains and TLDs</h3><p>A threat posed to this year’s midterm elections is the registration of typosquatted domains using the .democrat, .gop, and .republican TLDs that are not necessarily related directly to a candidate running in the upcoming election. The objective would be to trick users/constituents into visiting the illegitimate sites. These malicious sites may cause potential voters to view party domains as more legitimate because of a candidate name and their associated party appearing in the domain name. Risks to users include being redirected to malicious websites, or tricking donors into contributing to a fake account.</p><p>Candidates should actively monitor for domains impersonating them on different TLDs in attempts to identify potential typosquatting attacks. A <a href="https://www.anomali.com/blog/hacker-tactics-part-1-domain-generation-algorithms" target="_blank">Domain Generation Algorithm</a> (DGA) could be used to assist in finding possible domain names associated to a specific candidate.</p><h3>Disinformation</h3><p>Disinformation has been a current threat to recent elections because of the rise of echo chambers which are created due to the so-called “filter bubble.” The filter bubble is the algorithmic prioritization of information made available to users based on their political, religious, and other beliefs and interests. The filter bubble pushes people and information related to the individual’s interests towards the top of social media sites and search engines, and thus causes information and connection suggestions with differing perspectives towards the bottom of pages.</p><p>This creates a “bubble” of information made available to an individual that tends to reinforce pre-existing beliefs and ideas. This also creates echo chambers consisting of people and groups that cycle around similar information and ideologies that further reinforces those beliefs. In this manner, echo chambers have contributed to the polarization of political parties and campaigns. Disinformation, also colloquially known as “fake news” or “alternative facts,” has become a significant threat to the electoral process of the US, with the filter bubble amplifying the threat. Disinformation campaigns take different shapes - here are some examples and tactics:</p><ul><li>Democratic People’s Republic of Korea (DPRK), Russian, Chinese, Iranian, and other state-sponsored threat groups use bots and fake accounts on Twitter and Facebook to share sensationalized headlines. These headlines are often linked to fake or inaccurate news stories and even conspiracy theories that take advantage of heated political subjects and prey on user’s emotions.</li><li>Use of malspam and malvertising of false headlines to grab user’s attention, which then link to:<ul><li>Propaganda for one side or the other</li><li>Watering holes - compromised websites that threat actors use to install malware onto the victim’s computer</li><li>Typosquatted domains that install malware, cryptominers, spyware, or keyloggers onto visitor computers</li></ul></li><li>Filter bubble and echo chambers:<ul><li>Spread false information to readers who share similar beliefs, while excluding other, potentially more legitimate sources; spreading a sense of indignation on both sides of an issue to incite societal instability</li><li>Rely on the lack of fact checking because others in the same group are sharing similar things</li><li>Circulate stories that may or may not be fully accurate</li><li>Offer limited or zero access to information from other perspectives, further polarizing people</li></ul></li></ul><h2>Mitigations</h2><p>Candidates running for elections have to take steps to mitigate these threats, through improved TLD and domain habits. Individual voters must protect themselves from these threats since electorates are not. Here is what each group can do:</p><h3>Candidates and Political Parties</h3><ul><li>Parties can provide lists of candidates and their *official* websites directly on established party websites (democrats.org, gop.com, lp.org, etc.).</li><li>Candidates can purchase domains on different TLDs with relevant domain names that redirect to the official website to avoid potential typosquatting attempts (Example: joecandidate.gop and joecandidate.republican both point to the main website for Joe Candidate).</li><li>Inform possible voters, whether it be via mail, door-to-door supports, or social media, of their legitimate websites and pages, and how to give donations (if they are being accepted).</li><li>Warn voters not to enter credit card credentials anywhere accept via official mechanisms (after letting them know the official mechanisms).</li><li>Political parties could, or should, purchase a TLD solely for the use of associated candidates.</li></ul><h3>Individual Voters</h3><ul><li>Only access sites that candidates and parties personally promote through television advertisements, state or government websites, or verified social media accounts.</li><li>Distrust sites that do not use HTTPS with legitimate certificates.</li><li>Ensure that when accessing websites, they are properly spelled with zero errors (watch out for minor changes in the URL name).</li><li>Be aware of Twitter accounts and other social media bots that share “sensationalized” stories.</li><li>Check the source of the story; question the authenticity of those originating from potentially satirical, questionable, or unverifiable sources.</li><li>Links to stories could lead to malware-infected sites or false news stories with little to no accurate information.</li><li>Avoid disinformation by accessing various news sources that are reputable to inform your voting choices.</li><li>Ensure your voter data is up-to-date</li><li>Be aware of data breaches that exposed your data: monitor public data breaches and password compromise websites (e.g., databreaches.net, haveibeenpwned.com)</li></ul>

Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox

Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.