Cybercriminals know how to take advantage of anticipated traffic by abusing the momentum of a particular event, like the U.S. presidential election in this case. Everyone can benefit from a typosquatted domain, from scammers setting up legitimate-looking donation sites that they will later spam, to the somewhat more complex blackhat search engine optimization campaigns used to serve malware. And what better time of the year to check whether domains with the potential to impersonate U.S. presidential candidates are still available to malicious parties? The same question was asked and further investigated by Oliver Friedrichs, former director of research for Symantec, who recently did a study into the topic and presented his findings at this year's Black Hat con. Let's double check.
"There are about 160 different ways to type in the wrong web site for www.barackobama.com. Oliver Friedrichs, former director of research at Symantec, knows this because he did a study of the sites that typo squat, or exploit users’ misspellings of web site names to siphon off traffic from the official candidate’s web site for a variety of commercial or corrupt purposes.
At Black Hat today, Friedrichs described the typosquatting study as part of a broader talk offering a warning about how any big election could be threatened by a variety of different cyber attacks. The talk is partially chronicled in a chapter that he wrote for Crimeware, a new book published by Symantec Press. Typosquatting, while interesting, is one of the smaller cyber threats. Some of the more serious ones could actually undermine confidence of voters and skew election results. Fortunately, Friedrichs said, there hasn’t been a lot of use of the worst tactics yet in the current U.S. presidential campaign."
Why would a malicious party bother, and how would an opportunistic cyber criminal know exactly when and where to hit? Because elections engage people, and the more people are engaged, the more people there are to target; if even a small proportion of them fall victim to the upcoming scams, the scamming campaign would once again be worth the effort.
According to a recently released study by the Pew Internet Project entitled "The Internet and the 2008 election", 45% of Americans are in fact actively engaged online, potentially becoming victims of malicious campaigns taking advantage of such typosquatted domains. Some of the key findings:
- 40% of all Americans (internet users and non-users alike) have gotten news and information about this year’s campaign via the internet
- 19% of Americans go online once a week or more to do something related to the campaign, and 6% go online to engage politically on a daily basis
- 23% of Americans say they receive emails urging them to support a candidate or discuss the campaign once a week or more
- 10% of Americans use email to contribute to the political debate with a similar frequency
With typosquatted domains having the potential to contribute to any successful phishing and malware campaign, what's the current situation? A five-minute experiment I just did indicates that several hundred high-quality typosquatted domains are currently available, which shouldn't come as a surprise given the possibilities for abuse through tactics such as removal of the dot, missing keys, replacement by surrounding keys, reversal of keys, repetitive keys, and the possible insertion of surrounding keys in a domain name.
Interestingly, for the time being more high-quality typosquatted domains seem to have been registered for Barack Obama than for John McCain, a situation that could change pretty fast. Considering the possibilities for abuse and the fact that cybercriminals have a non-refundable donation policy, extra vigilance should be applied in the upcoming months.
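For a site owner who wants to know which look-alikes to register or monitor, the six typo tactics listed above can be enumerated mechanically. The following is an added example, not code from the study or the original post; it uses the placeholder host www.example.com, a simplified same-row QWERTY adjacency map, and hypothetical function names.

```python
# Simplified QWERTY map: left/right neighbours on the same row only
# (an assumption of this example, not a full keyboard model).
ADJ = {}
for row in ("qwertyuiop", "asdfghjkl", "zxcvbnm"):
    for i, ch in enumerate(row):
        ADJ[ch] = row[max(i - 1, 0):i] + row[i + 1:i + 2]

TACTICS = ("removal_of_dot", "missing_key", "surrounding_replacement",
           "reversal", "repetition", "surrounding_insertion")


def typo_variants(host):
    """Map each tactic to the set of look-alike hostnames it yields.

    Expects a three-label host such as 'www.example.com' (placeholder).
    """
    sub, label, tld = host.lower().split(".")
    out = {t: set() for t in TACTICS}

    def add(tactic, new_label):
        # Skip empty labels and variants identical to the real name.
        if new_label and new_label != label:
            out[tactic].add(f"{sub}.{new_label}.{tld}")

    # "wwwexample.com": the dot after the subdomain is dropped.
    out["removal_of_dot"].add(f"{sub}{label}.{tld}")
    for i, ch in enumerate(label):
        add("missing_key", label[:i] + label[i + 1:])
        add("repetition", label[:i] + ch + label[i:])
        if i + 1 < len(label):
            add("reversal", label[:i] + label[i + 1] + ch + label[i + 2:])
        for near in ADJ.get(ch, ""):
            add("surrounding_replacement", label[:i] + near + label[i + 1:])
            add("surrounding_insertion", label[:i] + near + label[i:])
            add("surrounding_insertion", label[:i + 1] + near + label[i + 1:])
    return out


def watchlist(host):
    """Sorted, de-duplicated candidates to check against registrations."""
    return sorted(set().union(*typo_variants(host).values()))


if __name__ == "__main__":
    for tactic, names in typo_variants("www.example.com").items():
        print(f"{tactic:24} {len(names):3}  e.g. {sorted(names)[0]}")
```

Comparing the resulting watchlist against registration or DNS data shows which look-alikes are already held by someone else.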