Typosquatting. It’s a phrase most of us know in the security realm and think we’ve got our hands and minds firmly wrapped around. For example, my employer’s domain is digitalshadows.com, and a typosquat could be digitashadows.com or even digitalshdows.com. That typosquat could be used for a variety of things, like phishing, brand impersonation, or even reputational damage.

If you want to learn more about typosquatting and domain squatting, check out our in depth blog post: Domain Squatting: The Phisher-man’s Friend

What about something more malicious? Maybe delivering malware or some shady software to a potential customer who’s just trying to get information about the company and its offerings. The point is, there’s a wide range between what a typosquat actually is and what it can look like.

What’s something else on everyone’s minds at the moment? In the United States, it’s the upcoming presidential election of 2020. As of 20 September, there are 19 Democratic candidates and 4 Republicans, including President Donald Trump. Politics aside, Photon Research Team thought it would be interesting to use this pool of candidates as a backdrop for research into typosquatted domains; following the 2016 presidential election, it was a fair bet we would find some interesting tidbits using our SearchLight™ platform.

Altogether, we detected over 550 typosquats for the 34 candidate- and election-related domains we gathered from open-source research. Not every single one was something interesting; most of the time the typosquatted domain was simply parked and not hosting content. Still, there were some worthwhile areas to dig into deeper.

Alex and I recorded a video as well walking through the findings. Check it out here.

3 types of typosquats detected for 2020 candidates

For the purposes of this research, we decided to classify the different types of typosquats we detected into three distinct categories, which are replete with examples:

Misconfigured or illegitimate sites: typosquats that were not correctly configured when initially created and aren’t hosting anything but an index page, as well as typosquats that likely are not legitimate but look like they could be Non-malicious: typosquatted domains that are either not hosting content or are hosting content that includes a small amount of brand-damaging content Redirects: by far the largest category we detected, this consists mainly of certain typosquats that redirect the user to a different website

The following chart shows the breakdown of relevant typosquatted sites we uncovered, by category.

Figure 1: Breakdown of relevant typosquatted sites uncovered by category

Typosquat Redirects Have a 68% Majority

The most interesting pieces of this political puzzle we found resided in the domains we classified as redirects, or sites that were redirecting to some other domain that wasn’t originally typed into the address bar. Redirects happen all the time for legitimate reasons (even as a way to combat typosquatting). For instance, faceboo.com redirects to facebook.com. Facebook’s security team likely knows that those quick typists out there trying to see all the latest updates from their friends may make a mistake when putting the URL into the address bar.

But what would happen if faceboo.com redirected to a competitor, like Twitter or TikTok? Or, what if it redirected to a hate site devoted to doxing Facebook employees? These are brand perception nightmares that corporations should be readily prepared for. Redirection can also be used as a way to mask the true nature of the server until it is due to be used. One of the main things we found were typosquats for presidential campaigns redirecting to their political opponent’s websites.

Figure 2: Examples of redirect typosquats detected around the 2020 US Presidential election

The four examples pictured above represent the spread of various instances of typosquatting that we detected. For starters, winrde.com is the mistyped WinRed.com, a technology platform developed mainly for Republican candidate supporters that allows easy donations to specific candidates. Currently, it redirects to ActBlue, the main fundraising site for the Democrats. You can see how a company standing in the same shoes could potentially lose out on an e-commerce purchase or a business deal simply because they typed in the wrong URL address.

Tulsi2020.co and elizibethwarren.com redirect to marianne2020.com and donaldjtrump.com, respectively, and donaldtrump.digital redirects to hillaryclinton.com. Without calling out one candidate or one party over another for these typosquats, it’s clear that the political battles are not taking place just on the debate stage or in the media but expanding to the cyber realm, as well.

Shady Chrome Extensions

Redirection can come in all different kinds of flavors, including the shady kind. We detected six typosquatted domains around the 2020 U.S. election redirecting to various “file converter” or “secure browsing” Google Chrome extensions:

tuls2020[.]com

joebinden[.]info

joebide[.]info

actbue[.]com

yung2020[.]com

joebidin[.]info

Figure 3: Examples of typosquatted domains redirecting to “file converter” or “secure browsing” Google Chrome extensions

If a user were to install the extensions, the permissions granted to the extensions seem unreasonably high. Using the free Google Chrome extension analyzer CRXcavator, we took a deeper look into these five items. Three of the five extensions were given access to the chrome.cookies API, which lets the extensions do exactly what it sounds like: have access to your browser’s cookies. If an attacker were to have access to your browser’s cookies, they could conduct a session hijacking attack using the unique information contained within the saved cookies to effectively impersonate the browser, and in turn, you.

Additionally, two of them could access web traffic within the browser in real time via the chrome.webRequest API. Readers should take this chance to recognize the amount of access some Chrome extensions have to their browser data. Malware has been found frequently in the extensions web store and if nothing else, you should make sure you’re only using extensions you need.

DailyTravelPosh and the Potential for Typosquats

In researching redirects, we came across an interesting site, dailytravelposh[.]info. The site is simply hosting a login page that wasn’t all that exciting but redirected to two of our suspected typosquat domains: kamalaharriss[.]info and berniesanderst[.]info. Since there were only two instances, this discovery was more of an outlier, similar to the Chrome Extensions, but we investigated further.

In total, 66 domains were being hosted on 50.63.164.243, all registered under the privacy protection service WhoisGuard, Inc. with a Panama address (a point we’ll explore later on). As of October 3rd, the domains being hosted on that IP address (listed in full at the end of this post) weren’t hosting any content and only redirecting to the .info TLD. The following are some of the more political-sounding domains, all registered within the past 40 days (since 3 Oct 2019).

brinkofrecession[.]info

chinamulls[.]info

cleareconomy[.]info

contractvote[.]info

generalstates[.]info

kamalaharriss[.]info

nextrecessions[.]info

polociprotest[.]info (misspelling of Nancy Pelosi’s name)

publicoffices[.]info

contractvote[.]info

nextrecessions[.]info

Earlier this year, dailytravelposh[.]com (note the different top-level domain (TLD)) was being hosted on an IP address that was hosting several typosquatted pages for technology-related domains. If we look to the past to tell us about the future, we can reasonably conclude that it’s possible these domains could begin hosting typosquatted content at some point in the future.

This conclusion is based on previous activity of other domains hosted on dailytravelposh[.]com’s IP address, and a similar situation being presented by dailytravelposh[.]info. Although we can’t say for certain that typosquats will start to be hosted on these domains (nothing in the threat intelligence field is for certain), voters in the 2020 US presidential election could be duped by one of these sites in the coming months.

Misconfigured and Illegitimate Sites Have an 8% Minority

We detected four typosquatted domains that weren’t really doing much, from what we saw. The first two (pictured below on the left) are pretty easy to spot as “misconfigured” sites. Typically, you don’t want your website to be showing the index page because a) nobody will know what to do with it and b) it could unintentionally show various asset files (public or hidden) being stored on the site.

The two domains pictured on the right are actually hosting some content. Now, these could be legitimate sites but we’re inclined to think otherwise. Berniesandersofficial[.]com is filled with placeholder text that almost certainly wasn’t set up by Bernie Sanders’ official tech team. The “Donate” and social media links on the site redirected to the actual donation pages and social media pages for the candidate, as well, so really this just looks like a project that never got finished.

The same goes for betoorourke[.]me―though it doesn’t appear to be something owned and operated by Beto O’Rourke’s campaign, it doesn’t look to be malicious in nature, either. If we had to guess, this is owned by a fan of the candidate looking to spread his message by selling some buttons―Go Democracy!

Figure 4: Four typosquatted domains (non-malicious) around the 2020 U.S. Presidential election

Now we’re going to get into something a little more along the lines of brand damage; these typosquats fall into the non-malicious category. The more egregious of the sites we saw were hosting content directly making fun of the respective candidates (see the figure below). Regardless of what your politics are, acknowledge the parallels in these websites with what a company could face: Replace Donald Trump or Bill de Blasio with any company CEO or high-ranking executive and you’ve got something affecting your brand and potentially costing you money.

Figure 5: Brand damaging typosquat examples in the 2020 U.S. Presidential election

We know that people can register websites and host content that isn’t favorable to a CEO (or presidential candidate, in this example), but there’s also a kinder side to typosquats. One typosquat (or TLD squat, if we want to be specific) was for a site pertaining to candidate Kamala Harris (kamalaharris[.]fr). The .fr TLD is typically used for French websites, but in this case, it was being used to advocate for Kamala Harris. It almost certainly isn’t official and run by Harris’s campaign, but it’s not harming the brand (as of now).

Figure 6: Typosquat detected example (non-malicious)

If you want more evidence that the Internet is sometimes an okay place, a typosquat detected with Elizabeth Warren’s name (eliabethwarren[.]com) actually tells the visitor that they made a typo in their address bar AND shares a picture of a kitty!

Figure 7: Typosquat detected example (non-malicious)

The site also alluded to future sharing of political opinions―whether they would be for or against Warren, we don’t know. The potential is there for the person that runs the website to speak out against the candidate or for her. Regardless, if every typosquat resulted in the picture of a cat, the Internet world would be a much better place.

Protesting for Change (in WHOIS data regulations)

A natural step during our research was to try to determine any patterns or links among the owners of these domains, the IP addresses they’re being hosted on, registration dates, etc. Even just a few years ago, WHOIS records were an essential tool in the online investigator’s toolbox. However, a lot can change in a couple years, with the biggest delta being the introduction of the EU’s General Data Protection Regulation (GDPR).

Before GDPR was even firmly in place and discussions around the act were still swirling around, websites began updating their data and privacy policies to be in line when that day would come. This included ICANN, the regulatory arm responsible for coordinating domain name and IP address allocations, essentially monitoring Internet domain registrations and WHOIS data at large. So many discussions were taking place before May 2018…would there be a new system to access WHOIS data? Who would be able to get access? After all, there are legitimate needs from law-enforcement bodies, brand-enforcement officials, and consumer protection agencies who rely on that data to conduct their normal daily work.

Then May 2018 came and no real resolutions were in place, as highlighted in the article “The End of the Road: ICANN, Whois, and Regulation”. The resulting process has been one of requesting specific information from the individual registrars, which has proved challenging, to say the least. According to the article, statistics from June 2018 to June 2019 indicate that brand-protection providers have had only 4% to 14% of requests actioned successfully.

Furthermore, one of the providers had lawfully submitted information requests ignored (no response or action) at a rate of almost 50%. It would seem GDPR has forced registrars to take on more responsibility that they don’t seem to be handling very efficiently or effectively.

Protecting Your Business Against Typosquats

I know what you’re thinking: “Photon team, this blog started as an election piece and now you’re talking about GDPR, ICANN, WHOIS data…where ya goin’ with this?” Well, dear reader, if you’ve been following us for any period of time now, you’ll know we like to provide you with some concrete advice on the issues we present.

Understanding the challenges that providers and vendors face can help internal teams plan for potential issues that might arise. Because, as those stats above show, even if you submit a takedown request, even if you can see phishing or some other fraud activity taking place on a typosquatted domain, registrars simply may not pay attention to your request.

The cyber security community needs to come together to combat this issue. We need to continue facilitating discussions between ICANN, domain registrars, law-enforcement and brand protection agencies, and anyone trying to fight the good fight against typosquatted domains.

What can we do right now, though?

Buy Domains Similar To Yours

For practitioners, if we look at typosquats in a timeline, one of the initial things you can do is buy domains that appear to be similar to yours. Obvious options would be domains that are one or two letters off from your legitimate domains. Using a tool like DNSTwister, you can generate a list of currently active domains that could already be impersonating your brand or give ideas for where to start purchasing domains. Monitor Domain Registration Activity

You should also start monitoring registration activity. This is hard enough for one domain, but if you have several it may be a bit unmanageable. At that stage we would suggest getting help; part of our core service at Digital Shadows is monitoring for domain impersonations and providing a variety of alerts: when a new typosquatted domain is available to register, when someone has added an MX record that is required to send emails (read: PHISHING emails), when a domain is actively hosting impersonating content, and more.

We’ve also got several more options in our Practical Guide to Digital Risk, created specifically with the busy security practitioner in mind.





Advice For Voters to Mitigate Risk During Election Season

For regular Internet users or voters, it can be extremely difficult to tell the difference between a well-crafted phishing page from a legitimate one. If you think a website looks phishy, don’t be afraid to ask your spouse, friend, or coworker if something seems legitimate before you make a donation or sign up for a newsletter; a second set of eyes can be an easy way to spot telltale signs you may have missed!

Corroborate the legitimacy of the page by looking at the candidate’s social media networks. Typically, candidates will share their official domains in their biography sections or highlighted within their feed―if you’re looking to make a donation to one of the campaigns, try looking there first for information. We don’t recommend visiting linked websites sent via unsolicited emails, as this is a common tactic of threat actors employing phishing pages.

To learn more about typosquat and phishing protection, check out our Phishing Protection resources center page here.

Whoever your candidate is, go vote in 2020 and be safe when browsing online.

This research was brought to you by the Photon Research Team and Digital Shadows approves this message.

Researched domains

Misconfigured or illegitimate

tulsy2020[.]com

tulsie2020[.]com

berniesnaders[.]com

betoorourke[.]me

Non-malicious

elizabethwarren[.]cf

yang2020[.]io

berniesanders[.]de

berniesanders[.]news

eliabethwarren[.]com

corybooker[.]tk

elizabethwarrent[.]com

brniesanders[.]com

kamalaharris[.]fr

t0msteyer[.]com

billdebiasio[.]com

donladjtrump[.]com

elizabethwarren[.]me

Redirects

donaldjtrunp[.]com

billdeblasio[.]live

tulsi2020[.]co

donaldtrump[.]digital

winrde[.]com

wnired[.]com

joeobiden[.]com

elizibethwarren[.]com

elizabethwaren[.]com

joebiden[.]ca

wonred[.]com

winred[.]republican

coryboker[.]com

betoorourk[.]com

donaldjttump[.]com

jowalsh[.]org

berniesandars[.]com

elizabethwarran[.]com

stevebulock[.]com

tlusi2020[.]com

stevebullock[.]info

wiinred[.]com

kamalaharriss[.]info

berniesanderst[.]info

tuls2020[.]com

betoorourke[.]news

joebinden[.]info

joebide[.]info

actbue[.]com

yung2020[.]com

joebidin[.]info

kamelaharris[.]org

donaldtrump[.]cloud

donaldtrump[.]credit

donaldtrump[.]vet

betoorourke[.]world

Other suspicious domains

Dailytravelposh[.]info

Convertfilenow[.]com

Convertpdftoword[.]co

Thesilentsearch[.]com

Thesecuredweb[.]com

Convertpdfpro[.]com

Domains hosted on 50.63.164.243

allsideslevel[.]info

applicationref[.]info

armsrunning[.]info

astronautscame[.]info

bamboogallery[.]co[.]ug

berniesanderst[.]info

biggergap[.]info

bigtechco[.]info

billionpairs[.]info

breakfasts[.]info

brinkofrecession[.]info

campsdemand[.]info

carbonmaps[.]info

chinamulls[.]info

cleareconomy[.]info

contractvote[.]info

dailytravelposh[.]info

digjustice[.]info

doriansimple[.]info

enclosedcmb[.]info

everyonetell[.]info

fossilreveals[.]info

generalstates[.]info

homeseeing[.]info

indexingissue[.]info

industriesdid[.]info

instituteplay[.]info

jessicombs[.]info

junoreveals[.]info

kamalaharriss[.]info

knowncontrol[.]info

locksdown[.]info

mapellimozzi[.]info

medicaldebt[.]info

mooreshow[.]info

mountaffirm[.]info

mymonarchs[.]info

mystreamingfree[.]info

nearseaplace[.]info

nextrecessions[.]info

oregoncoasts[.]info

othercommit[.]info

overpaidresults[.]info

peacetalking[.]info

polociprotest[.]info

prospectdata[.]info

publicoffices[.]info

recievesoff[.]info

riceandbeans[.]info

rulingparty[.]info

sensitivepor[.]info

sessioncomm[.]info

spacextree[.]info

survivalrisks[.]info

tardigradess[.]info

tinyrobins[.]info

tripteams[.]info

tropicalstorm[.]info

uberbelt[.]info

unearthedclam[.]info

valueplunge[.]info

volcanicrock[.]info

watermoon[.]info

whiplashing[.]info

workbalances[.]info

zeropointenergy[.]info

CRXcavator links

https://crxcavator.io/report/opahibnipmkjincplepgjiiinbfmppmh/1.0.5

https://crxcavator.io/report/bicecdnkmdjpaiccohmpdbjjinpoldij/1.0.1

https://crxcavator.io/report/leanandmnjclkgmddjpdofhlophihaol/1.0.0.2

https://crxcavator.io/report/chbpnonhcgdbcpicacolalkgjlcjkbbd/1.0.4

https://crxcavator.io/report/lbeekfefglldjjenkaekhnogoplpmfin/1.0.0