Investigating Domain Threats Related to the U.S. Presidential Election in the DNS

WhoisXML API researchers identified thousands of election-related cybersquatting domains, including many unattributable domains and a large set of associated IP addresses, posing potential profit-motivated abuse and misinformation risks ahead of the U.S. elections. The study names GoDaddy as the top registrar and notes that much of the WHOIS data is privacy-protected, which complicates attribution and threat assessment. #HarrisWalz #ClintonKaine #KamalaHarris #GoDaddy #Cybersquatting #ElectionRelatedDomains

Key points

  • Discovery of 3,314 domains and 197 subdomains (after deduplication), with 2,320 unattributable election-related domains.
  • 541 email-connected domains and 1,165 IP addresses (775 of which are malicious) identified in the analysis.
  • Cybersquatting domains can be used for profit or to spread misinformation about candidates.
  • GoDaddy.com LLC is the top registrar (650 domains), followed by Namecheap (509) and other registrars; many domains lack current registrar data.
  • Most domains are US-registered (1,568), followed by Iceland (510) and Canada (93); a substantial portion had privacy-protected WHOIS information, complicating attribution.
  • Official domains (donaldjtrump.com, kamalaharris.com, walzflanagan.org, usa.gov) showed privacy protection, making public attribution difficult.
  • Examples cited include HarrisWalz.com selling for $15,000 and ClintonKaine.com used to publish anti-Clinton content; Microsoft warns nation-state actors employ impersonation as part of electoral interference.

MITRE Techniques

  • [T1583] Acquire Infrastructure – “Domain Generation Algorithms … Used to create domains that can be used for malicious purposes.”
  • [T1566] Phishing – “Cybersquatting domains may be used to host phishing sites targeting voters.”
  • [T1003] Credential Dumping – “Potential for harvesting credentials through impersonation tactics.”
  • [T1036] Masquerading – “Nation-state actors may use cybersquatting domains to impersonate candidates.”

Indicators of Compromise

  • [Domain] HarrisWalz[.]com, ClintonKaine[.]com – election-related cybersquatting domains potentially used for misinformation or phishing.
  • [Domain] kamalaharris[.]com, walzflanagan[.]org, usa[.]gov – official domains checked for attribution; many had privacy-protected WHOIS data.
  • [IP Address] 1,165 IP addresses associated with the election-related domains, with 775 identified as malicious – context: underlying infrastructure for these domains.
  • [Email] 541 email-connected domains – context: domains linked to email-based infrastructure without disclosed sample addresses.

Read more: https://circleid.com/posts/20240830-hunting-for-us-presidential-election-related-domain-threats-in-the-dns