Even as the world continues to fight the coronavirus pandemic, critical events simply cannot be delayed. The US presidential elections will continue on November 3, 2020.
Even though there are only months left, the discussions are intensifying. At the same time, as with other events of interest, dozens of domain names linked to the elections are detected.
Trends in election-related domain name registrations
We started detecting domain names related to the US election on June 2. On that day, primaries were also held in Washington, DC and in seven states, namely Indiana, Maryland, Montana, New Mexico, Pennsylvania, Rhode Island and South Dakota.
We have been tracking election-related typosquatting domain names during the period June 2-13, specifically those containing the following strings:
- ” wait “
- ” preside “
In 12 days, we saw a total of 216 election-related domain names that appeared on the Domain Name System (DNS).
Spike in domain name registrations after major election-related event
The graph above shows the number of domains containing each string as well as the total. It shows that the number of election-related domain names peaked on the following dates:
- June 3: A day after the primaries were held in Washington DC and in seven states. A total of 30 domain names were detected.
- June 5-6: The presidential caucuses of the Virgin Islands have taken place. Twenty-five domain names were viewed each day.
- June 10: Primaries were held the day before in Georgia and West Virginia. Some 29 domain names have been detected.
Other election-related events that could shape domain registration are the Kentucky and New York primaries scheduled for June 23. With the emerging trend, domain registrations may increase as of this date. We have seen the same thing happen with coronavirus-themed domain names.
The anatomy of “Biden” and “Trump” domain names
While the tally for “Biden” and “Trump” typosquatting domains seems close (73 and 87, respectively), the themes vary. “Biden” domain names, for example, indicate who people might want to be his running mate. Here are some examples :
- bidendemings us[.]com
- bidenharris for president[.]report
- bidenharris for president[.]organization
- bidenharris for president[.]com
Some domain names also allude to the Ukrainian-American community’s takeover of Biden. We saw 24 domain names on this topic registered in just two days:
The WHOIS records for Ukrainian-US domain names appeared to have the same registrant during a bulk WHOIS search. All use the same privacy services, pointing to 96 Mowat Ave., Ontario, Canada.
On the other hand, the typosquatting of domain names containing the string “trum” had slightly different themes. On the one hand, only the Owen-Trump tandem appeared to promote a running mate, despite wearing the 2024 and 2028 tags:
Some domain names also appeared to show their support for Trump, such as:
- fortrump army[.]club
- fortrump army[.]live
- fortrump army[.]organization
- support asset leadership[.]com
- support asset leadership[.]organization
- support asset leadership[.]Info
- Liberal Outreach Action Committee[.]Info
- Liberal Outreach Action Committee[.]organization
- Liberal Outreach Action Committee[.]com
Others also appeared to be against the outgoing president:
- fucking trump[.]to place
What electoral typosquatting domains could be
It is a known fact that typosquatting domains can be used in harmful activities such as phishing campaigns, scams, and malware attacks. So what kind of content could these domains host?
We can preview domains without having to visit websites using a screenshot tool.
Biden-inspired domain names that promote teammates, for example, are mostly parked, with some hosting ads.
The same goes for domain names that express their support for Trump, although some pages promise to have content soon.
Other screenshots show that most of the election-related areas follow the same patterns. They are either parked or under construction, with the exception of a few that are already operational.
The increase in domain names linked to elections reinforces the fact that new registrations generally follow newsworthy events. While most of these domains may currently be parked or subject to speculative investments in the domains, they may also turn into phishing entities in the near future.