Bitdefender Finds Hackers Targeting High-Profile US Election Candidates Using Fake Domains with Fake Scandals

Here at Bitdefender Labs we are closely watching the US Midterm Elections in search of anomalies in malware, spam, misinformation and social network activity.

What is a ‘fake domain’?  Typically, a fake website.  Hackers register variations of valid website domains in order to hijack them and create lookalike websites with information meant to trick Internet users into visiting their wrong, and potentially malicious website. And during this election with its high Internet traffic rates, criminals are taking every step they can to harvest the opportunity.

How does it work? Known to the security community as ‘typo-squatting’, it is a type of URL hijacking that relies on user mistakes such as typos made when inputting a website address into a web browser. It is also a very common tactic in phishing and online fraud. But as part of modern, information warfare tactics, we’re seeing innovative cyber-criminals also using it to provide misinformation and smear-campaigns against political candidates.

Below is an example of the typo-squatted domains for former US President, Barack Obama.

Fig. 1 Barack Obama’s website in typo squatted form.

What has Bitdefender found?

Bitdefender Labs has surveyed the Internet for typo-squatted website addresses used by political candidates, especially those in the ‘battleground’ US states for the top races including the US Congress and Governor seats.

We believe our findings should alarm the US public and its political candidates.  And, with a minimum of exceptions, our findings highlight ongoing bad practices used by the candidates and their teams in their preparations for their campaigns and the upcoming election.

Executive summary and methodology

Bitdefender began by building a list of the known candidates running for office in the 2018 Midterm elections, and their associated, official (known) campaign websites.  We then ran an automated check on each candidate’s campaign URL in search of typo-squatted address alternatives alive on the Internet.

This is what we found.

Fig. 2 Actual 2018 Election Candidate Search Results Comparing Valid vs. Suspicious ‘Rogue’ Domains

For instance, Jon Tester’s official campaign website domain (jontester.com) has several typo-squatted versions such as jntester.com (missing o) or jonester.com (missing t) that redirect users to insecure pages.

The Impact?

During this election season, when a user accidentally enters one of these currently-live typo-squatted domains, they will likely land on a different website than the one they intended to visit.  And it may not be safe for the candidate, or safe for the visitor.

Many of these websites we’ve visited clearly have an intent to hijack the brand of the candidate, and/or possibly expose the visitor to either malware or to messages controlled by an authorized third-party. And high profile activities such as election campaigns are known to be highly sensitive to reputation attacks, especially this close to an election day.

The findings

Our investigation has shown that for the majority of candidates, the IT infrastructure managers handling online communications for these campaigns have not taken typo-squatting attacks into account when budgeting and registering for their domains.

A few candidates and their teams such as Kyrsten Sinema, current US House of Representatives member (D-AZ) and now democratic candidate for the Arizona US Senate seat, have understood the importance of buying all variations of the official domain and have registered many of the possible domains to prevent attack.

On the opposite side, Ted Cruz, current US Senator (R-TX) running for re-election during the Midterms, and his campaign team, seems to have left plenty of leeway for cybercriminals to redirect users to (we assume) unauthorized websites of malicious intent.

For example, some variations of his official domain lead visitors to websites hosting adult pornographic or otherwise offensive content. Other typo-squatted domains were hijacked to lead visitors to websites supporting his competitor in the Midterms race.