Typo threats and the 2008 Presidential election (Page 2)

In order to prove this, Friedrichs looked at the websites of all the major candidates from both parties and discovered every possible typo domain that fell into one of five categories:

• Missing the first period (example: wwwbarackobama.com).
• Missing a character in the name (www.johnmcain.com).
• Hitting a surrounding character (www.jillaryclinton.com).
• Adding an additional character (www.mittrromney.com).
• Reversing two characters (www.johnewdards.com).

What did Friedrichs find? There are a shocking number of typo domains that are not owned by the campaigns. For example, 52 out of 160 or 33 percent of Barack Obama typo domains were found to be registered by someone else. “Clearly these campaigns are not being as proactive about policing this as they could be,” Friedrichs said. Just how easy is it to register typo domains? “I was jealous, I needed to buy some typo domains myself,” Friedrichs said. “Eight-hundred dollars bought 124 domain names for Romney, Obama and Clinton. Anyone can do this, it costs 800 bucks--even the campaigns can do this to protect themselves but nobody’s doing it. I’ve owned these domains since July 2007, not one person has gotten in touch with me to ask ‘Why have you registered these domains?’”.

So we’ve established that it’s not difficult to register a typo domain, but what are domain squatters actually using these URLs for? By and large, advertising: most of these domains simply point to fake, yet innocuous sites, most of which are full of Google Ads. A few typo domains are being used for parody sites (for example, HillaryClingon.com or MuttRomney.com). But what if someone registered a typo domain with a more malicious intent? What might they do with it?

Friedrichs detailed a few different scenarios. The first (and possibly the easiest to implement) is email squatting. A typo domain owner could easily install software on their server that would pull in any emails sent to that domain. So if someone accidentally mistyped an email address intending to send it to a campaign official, it could end up in the hands of someone else entirely. “This is concerning to me because it’s a serious problem and I’m not sure that people really think about it,” Friedrichs said. To really drive the point home, he took a look at typo domains for two different defense contractors and found two suspicious domains that had been registered by companies in India and China. “Who is sitting on that typo domain, collecting emails for this company in China?” Friedrichs asked. “We don’t know. What we do know is there is no website, there is an MX record, and if someone misspelled the domain, they would get their email.”

Of course, typo domains can also be used to launch more “traditional” attacks. Phishing is one that poses a serious threat, as it could be used to divert monetary contributions that are intended for political candidates. While such phishing attacks haven’t yet been seen in this election, there were two separate phishing attacks aimed at presidential candidate John Kerry in 2004; one attempted to collect credit card numbers while the other asked recipients to call a pay-by-the-minute 1-900 number. What’s more, typo domains could also be used to install just about any type of software on an end user’s machine--be it malware, sypware, adware or ransomware.

For a hacker, the possibilities that typo domains offer are virtually endless--once a user lands on the site, that user’s machine is in a position to be compromised in a number of different ways. Taken in this light, typo squatting is in no way a problem that’s limited to election-related sites—it’s an attack that could be used against any site on the web. “In general [election sites are] reasonably secure, I’d say they’re no worse off than other types of organizations,” Friedrichs said. His advice for any business that runs its own website? “Don’t walk, run and register your typos. It’s like 800 bucks. It’s so cheap and will save you a lot of trouble in the future.”