Typosquatting the U.S presidential election - a security risk?

Summary: Cybercriminals know how to take advantage of anticipated traffic by abusing the momentum of a particular event, like the U.S presidential election in this case.

Cybercriminals know how to take advantage of anticipated traffic by abusing the momentum of a particular event, like the U.S presidential election in this case. Everyone, from scammers setting up legitimate-looking donation sites that they will later spam, to the somewhat more complex blackhat search engine optimization campaigns used to serve malware, can benefit from a typosquatted domain. And what better time of the year to check whether or not domains with the potential to impersonate U.S presidential candidates are still available to malicious parties? The same question was asked and investigated by Oliver Friedrichs, former director of research for Symantec, who recently did a study on the topic and presented his findings at this year's Black Hat con. Let's double check.

"There are about 160 different ways to type in the wrong web site for www.barackobama.com. Oliver Friedrichs, former director of research at Symantec, knows this because he did a study of the sites that typo squat, or exploit users’ misspellings of web site names to siphon off traffic from the official candidate’s web site for a variety of commercial or corrupt purposes.

At Black Hat today, Friedrichs described the typosquatting study as part of a broader talk offering a warning about how any big election could be threatened by a variety of different cyber attacks. The talk is partially chronicled in a chapter that he wrote for Crimeware, a new book published by Symantec Press. Typosquatting, while interesting, is one of the smaller cyber threats. Some of the more serious ones could actually undermine confidence of voters and skew election results. Fortunately, Friedrichs said, there hasn’t been a lot of use of the worst tactics yet in the current U.S. presidential campaign."

Why would a malicious party bother, and how would an opportunistic cybercriminal know exactly when and where to hit? Because the elections engage the general public, and the more people are engaged, the more people there are to target; if even a small proportion of them fall victim to the upcoming scams, it would once again be a scamming campaign worth the effort.

According to a recently released study by the Pew Internet Project entitled "The Internet and the 2008 election", 45% of Americans are in fact actively engaged online, potentially becoming victims of malicious campaigns taking advantage of such typosquatted domains. Some of the key findings:

  • 40% of all Americans (internet users and non-users alike) have gotten news and information about this year’s campaign via the internet
  • 19% of Americans go online once a week or more to do something related to the campaign, and 6% go online to engage politically on a daily basis
  • 23% of Americans say they receive emails urging them to support a candidate or discuss the campaign once a week or more
  • 10% of Americans use email to contribute to the political debate with a similar frequency

With typosquatted domains having the potential to contribute to any successful phishing and malware campaign, what's the current situation? A five-minute experiment I just did indicates that several hundred high quality typosquatted domains are currently available, which shouldn't come as a surprise given the possibilities for abuse through tactics such as removal of a dot, missing keys, replacement by surrounding keys, reversal of keys, repetitive keys, and insertion of surrounding keys in a domain name.
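The six tactics listed above are mechanical enough that a campaign (or any brand owner) can enumerate them and check which variants are already registered by a third party and which are still free to register defensively. The script below is an added example written for this post, not code from the author, Symantec or Friedrichs' study; the QWERTY neighbour map is a constructed approximation, and the "registered" and "owned" sets in the demo are made-up stand-ins for what a WHOIS or DNS sweep would return.

```python
"""Enumerate typo variants of a domain for defensive registration and
monitoring, using the six tactics named in the post: removal of a dot,
missing keys, replacement by surrounding keys, reversal of keys,
repetitive keys and insertion of surrounding keys."""

# Constructed QWERTY adjacency map (an assumption of this example, not a
# standard): each lowercase letter maps to the keys physically around it.
ADJACENT = {
    "q": "wa", "w": "qeas", "e": "wrsd", "r": "etdf", "t": "ryfg",
    "y": "tugh", "u": "yihj", "i": "uojk", "o": "ipkl", "p": "ol",
    "a": "qwsz", "s": "awedxz", "d": "serfcx", "f": "drtgvc",
    "g": "ftyhbv", "h": "gyujnb", "j": "huikmn", "k": "jiolm",
    "l": "kop", "z": "asx", "x": "zsdc", "c": "xdfv", "v": "cfgb",
    "b": "vghn", "n": "bhjm", "m": "njk",
}


def split_host(hostname):
    """'www.barackobama.com' -> (['www'], 'barackobama', 'com').
    Assumes a one-label public suffix such as .com (no Public Suffix List)."""
    parts = hostname.lower().strip(".").split(".")
    if len(parts) < 2:
        raise ValueError("expected at least label.tld, got %r" % hostname)
    return parts[:-2], parts[-2], parts[-1]


def _label_variants(hostname, mutate):
    """Apply a label mutator and rebuild full hostnames, dropping the
    original spelling and any empty result."""
    prefix, label, tld = split_host(hostname)
    return {".".join(prefix + [v, tld]) for v in mutate(label) if v and v != label}


def dot_removal(hostname):
    """Drop each dot before the registrable label: www.x.com -> wwwx.com."""
    h = hostname.lower()
    last = h.rfind(".")
    return {h[:i] + h[i + 1:] for i, ch in enumerate(h) if ch == "." and i != last}


def missing_keys(hostname):
    return _label_variants(hostname, lambda s: (s[:i] + s[i + 1:] for i in range(len(s))))


def adjacent_replacement(hostname):
    return _label_variants(hostname, lambda s: (
        s[:i] + c + s[i + 1:] for i, ch in enumerate(s) for c in ADJACENT.get(ch, "")))


def reversal(hostname):
    """Swap each pair of neighbouring characters (transposition)."""
    return _label_variants(hostname, lambda s: (
        s[:i] + s[i + 1] + s[i] + s[i + 2:] for i in range(len(s) - 1)))


def repetition(hostname):
    return _label_variants(hostname, lambda s: (s[:i] + ch + s[i:] for i, ch in enumerate(s)))


def adjacent_insertion(hostname):
    """Insert a surrounding key right after the key it neighbours."""
    return _label_variants(hostname, lambda s: (
        s[:i + 1] + c + s[i + 1:] for i, ch in enumerate(s) for c in ADJACENT.get(ch, "")))


TACTICS = {
    "dot removal": dot_removal, "missing keys": missing_keys,
    "adjacent replacement": adjacent_replacement, "reversal": reversal,
    "repetition": repetition, "adjacent insertion": adjacent_insertion,
}


def all_variants(hostname):
    out = set()
    for fn in TACTICS.values():
        out |= fn(hostname)
    out.discard(hostname.lower())
    return out


def triage(hostname, registered, owned):
    """Split variants into those held by a third party (watch, report) and
    those still unregistered (candidates for defensive registration).
    `registered`/`owned` are sets the caller obtained from WHOIS or DNS."""
    variants = all_variants(hostname)
    taken = {v for v in variants if v in registered and v not in owned}
    free = variants - registered
    return taken, free


if __name__ == "__main__":
    # Constructed sample data standing in for a real WHOIS sweep.
    registered = {"barackobama.com", "barakobama.com", "barrackobama.com"}
    owned = {"barackobama.com"}
    taken, free = triage("barackobama.com", registered, owned)
    print("third-party registered:", sorted(taken))
    print("still free:", len(free))
```

Generating is the cheap half of the job: the useful output is the `taken` set, which is what you would feed into a monitoring list (does it resolve, does it serve a donation form, does it redirect somewhere unexpected), and the `free` set, which is what a campaign would register itself before someone else does.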

Rather interestingly, for the time being more high quality typosquatted domains seem to have been registered for Barack Obama than for John McCain, a situation that could change pretty fast; so, considering the possibilities for abuse and the fact that cybercriminals have a non-refundable donation policy, extra vigilance should be applied in the upcoming months.

Topics: Symantec, Malware, Security

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Talkback

14 comments
  • Surely.

    If the RIAA is able to prosecute people for allegedly 'making available' a few music files then why are these 'cyber criminals' not pursued so vigorously? After all your average file sharer is not making any money out of it. They are not committing fraud or theft, unlike the owners of the phishing sites that steal your credit card details.

    I personally don't fileshare, but it annoys me how easily they are caught and punished beyond what I consider reasonable amounts. Whilst the scum who trade in child porn, spam and other scams seem to not be affected at all.

    Here in the UK you would be better off going into a real store and shoplifting actual CDs rather than filesharing. The fines are certainly less if you get caught.

    Governments should be doing more to prevent and pursue cyber criminals. If the RIAA is able to do it, then surely so should the government.
    Bozzer
    • Biggest problems

      Finding the perps and apprehending them, frequently far outside a country's jurisdiction.

      You are right, however. Many criminals could be nailed, but investigative agencies just aren't doing the investigation. Child porn is far more likely to elicit a response than actual "computer crimes" (computers and internet are just another medium for distribution of an already criminal enterprise), and spamming from a "company" is more likely to produce an actionable case than, say, botnet spamming. Sometimes they do catch these people, though.

      As far as 'piracy" goes, those who get busted are not usually of a criminal mindset, they aren't covering their tracks and using sophisticated code to do their work for them. The RIAA just gets an ISP to cough up user data, and makes law enforcement do their work for them. Money talks, and commands an audience.
      seanferd
  • Who will care to protect the visitors?

    Your analysis is quite right, but you failed to observe the most important element: there will be NO ONE to prevent these types of attacks, or protect the visitors, simply because nobody will care.
    Unlike a typosquatting attack on a corporate site, for a political agenda the following fact must be observed: As long as this typosquatting campaign does not hurt the image of the candidates, they'll do nothing to address these issues.
    And an expert attacker will tread carefully to collect data, or to attack visitors, while the actual site content is supporting the campaign of the chosen name. This way, the elections will be long gone before the victims raise their voices to the candidates - there won't be anyone to hear them.

    So you should finish up the commentary with a clear warning that visitors are left on their own devices to protect themselves

    Spirovski Bozidar
    http://www.shortinfosec.net
    Bozhidar
  • It is amazing that there is no press coverage

    of the epidemic that is antivirus 2008/2009. I have seen more infected computers in the last 3 weeks than there were at the peak of the blaster/sasser worm outbreaks. People need to know about it and how to protect themselves. I'm sure many of these typosquatting url's will be hosting flash exploits and socially engineered newsclips aimed right at americans who think they are safe.
    zmud
    • Possibly because it is not terribly new

      Every big thing that is widely engaging produces typo-squatting sites, along with the standard long-term typo-squatting sites.

      The Olympics provided for quite a few of these.

      A lot of typo-squatting sites aren't particularly malicious, they just want to catch your eye and sell you something. (Which I, personally, find almost as annoying as an attempt to infect machines.)

      Many are plenty dangerous, though, and repeated efforts have been made to make people aware, but they don't listen. The lack of major news stories may be good, in a way: Once the targeted event is over, folks would tend to think they were somehow safe, as they wouldn't be trying to access the particular sites any longer.

      It's dangerous out there all the time.
      seanferd
  • When journalists confuse "then" and "than"

    (last paragraph) it is almost as sad as when they use "it's" as the possessive of it. You guys should be leading the way in terms of grammar and syntax, not making the same mistakes as the general populace.
    bmgoodman
    • "then" and "than"

      seriously? i spent some time double checking myself at dictionary.com, and i can't seem to find "then" being used as a conjunction in similar comparison statements as we find in the article. the use of "than" in the paragraph might, and i stress might, be a little on the informal side, but using "then" would seem to have been completely incorrect. certainly some possible informality is not worthy of disdain and dismissal of the "general public."

      oh, and those malcontents who misuse someone's rushed spelling to spam or misdirect them are truly annoying. i am glad that you are more in tune with the phenomenon than i am, because i am then able to learn from you!

      ;D peace!
      reserve7
    • Not Anymore

      Either it's been fixed or there is no error in the last paragraph.
      @...
  • www.obama-ftw.com is available!

    Make hay while the sun shines. In this day of WhizRSS, built-in RSS for browsers, etc - who types in typos? How much money is at stake here, anyway?
    scott1329
  • How likely?

    Obama is an intelligent manager; surely he has people working for him who have foreseen this sort of thing and parked on the most likely typos themselves. I tried typing in several variants of barackobama.com. They either redirected to the right site or defaulted to Google, which I keep as my home page. This makes me think this is pretty much a non-issue, though it is useful for all to be and stay aware of the potential for this to happen.
    avanclea@...
  • How did George Bush think of this in 2000 but in 2008....

    Ok, I know it really wasn't George Bush who thought of it, but during the 2000 election when he was running against Al Gore, his campaign bought every imaginable domain around his name -- I am sure some have been released as not paid since then.

    We are 8 years later and the Internet is immensely more developed and these politicians can't figure it out still. I guess it makes G W look like he is smarter than he leads us to believe.
    riveroad
  • Open source failure...

    If that were the title, the responses would flow for pages.
    This is beyond sad.
    Why?
    This sort of issue and the inability to quickly shut down sites that are used for clearly illegal activities has become the bane of the Internet.

    And the software community could or seems to care less.

    However, attack their religion, and WOW!!!

    unbelievable...

    Perhaps it's time to address the IP# and domain names from the TOP level.
    dragon@...
    • Wow is right <nt>

      ?
      seanferd
  • RE: Typosquatting the U.S presidential election - a security risk?

    I'm trying not to chuckle at the poetic justice.

    I have no desire to visit barakobama.com anyway.

    Those who do, deserve whatever befalls them.

    This election season has proven fun; it's convenient not to have a horse in the race.
    hiraghm@...