Threat actors prepare at least 1,000 new malicious domains ahead of US presidential elections


As the US election approaches, scammers and fraudsters are focusing on voters. FortiGuard Labs researchers have observed phishing kits for sale on the dark web and more than 1,000 newly registered domains with election-related names, many of which are likely to be used for malicious purposes.

The new report warns that cyber adversaries, including state-sponsored actors and hacktivist groups, are increasingly active in the lead-up to elections. The dark web has become a hub for developing strategies and trading sensitive information.

“Since January 2024, we have identified the registration of over 1,000 new domain names. These domains follow particular patterns, frequently incorporating election-related terms and references to prominent political figures,” Fortinet researchers said in a report.


Some examples of the name patterns include “votefor,” “vote4,” “Trump2024,” “voteharris,” “2024harris-kelly,” “trumpvancetransition,” “uselection,” and others.

These websites are used for phishing, disinformation and influence campaigns, attempts to undermine electoral integrity, and other malicious activities. Some of the deceptive sites solicit donations and harvest personal details such as credit card information, names, emails, and full residential addresses.

Researchers also noted a centralized approach to these activities: some IP addresses host dozens of malicious domains, signaling the capability to manage and execute large-scale campaigns.
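The two signals described above, election-themed naming and many themed domains sharing one hosting IP, are easy to screen for in new-domain feeds. The following Python script is an added example (ours, not code from the Fortinet report) that applies both checks to a constructed list of newly registered domains. The domain names, the IP addresses (documentation ranges) and the regular expression are assumptions made for illustration; the report quotes the naming terms but publishes no regex or specific IPs.

```python
import re
from collections import defaultdict

# Constructed sample: (domain, resolved IP) pairs for newly registered domains.
# Domains and IPs are hypothetical (documentation address ranges), not from the report.
NEW_DOMAINS = [
    ("votefor-harris2024.com", "203.0.113.10"),
    ("vote4trump-donate.net", "203.0.113.10"),
    ("trump2024-transition.org", "203.0.113.10"),
    ("uselection-results.info", "203.0.113.10"),
    ("trumpvancetransition.co", "198.51.100.7"),
    ("harris-walz-volunteer.net", "198.51.100.7"),
    ("weather-forecast-daily.com", "192.0.2.44"),
    ("cheap-shoes-online.shop", "192.0.2.45"),
]

# Terms echo the naming patterns quoted in the report; the regex itself is ours.
# Longer, more specific alternatives come first so the reported match is the most telling one.
ELECTION_TERMS = re.compile(
    r"(trumpvancetransition|trumpvance|harriswalz|voteharris|votefor|vote4"
    r"|trump2024|uselection|election|trump|harris)",
    re.IGNORECASE,
)

def normalize_label(domain):
    """Drop the TLD and separators so 'Vote-For-Harris' and 'voteforharris' compare equal."""
    label = domain.rsplit(".", 1)[0]
    return re.sub(r"[-_.]", "", label.lower())

def flag_election_domains(domains):
    """Return (domain, ip, matched_term) for every domain whose label hits an election term."""
    flagged = []
    for domain, ip in domains:
        m = ELECTION_TERMS.search(normalize_label(domain))
        if m:
            flagged.append((domain, ip, m.group(0)))
    return flagged

def cluster_by_ip(flagged, min_size=2):
    """Group flagged domains by hosting IP and keep IPs serving at least min_size of them.
    Several themed domains on one IP is the centralization signal the report describes."""
    by_ip = defaultdict(list)
    for domain, ip, _term in flagged:
        by_ip[ip].append(domain)
    return {ip: sorted(names) for ip, names in by_ip.items() if len(names) >= min_size}

if __name__ == "__main__":
    hits = flag_election_domains(NEW_DOMAINS)
    for domain, ip, term in hits:
        print(f"{domain:30} {ip:15} matched '{term}'")
    for ip, names in cluster_by_ip(hits).items():
        print(f"cluster: {ip} hosts {len(names)} themed domains: {', '.join(names)}")
```

Bare surnames such as “harris” and “trump” will also hit plenty of benign domains, so the keyword hit is a triage signal, not a verdict; in practice it is combined with registration age, the hosting cluster, and certificate or page-content checks before anything is blocked.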

“It’s critical to recognize and understand the cyber threats that may impact the integrity and trustworthiness of the election process and the welfare of the participating citizens. Cyber adversaries, including state-sponsored actors and hacktivist groups, are increasingly active leading up to major events like elections,” Derek Manky, Chief Security Strategist and VP of Global Threat Intelligence at Fortinet, said.


Most of the detected domains are registered in the US (636), followed by Canada (72). Malicious actors mostly abuse legitimate hosting providers: most election-themed websites (458) were hosted on AMAZON-02 (Amazon's autonomous system), 71 on CLOUDFLARENET, and 70 on NAMECHEAP-NET.

Researchers also observed one threat actor selling “two distinct phishing kits, priced at $1,260 each, designed to impersonate political leaders Donald Trump and Kamala Harris.”

The materials are designed to impersonate presidential candidates and their campaigns to target voters and donors.


Threat actors also target US voters with vast datasets sold on the dark web containing personal information: SSNs, usernames, email addresses, passwords, credit card data, dates of birth, and other PII. Ahead of the elections, researchers found over 1.3 billion rows of combo lists (username-and-password pairs aggregated from earlier breaches) for sale.

These datasets are often used for credential-stuffing attacks, in which cybercriminals replay leaked username and password pairs against other services to gain unauthorized access to accounts whose owners reused the same credentials.
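Credential stuffing has a recognizable shape on the receiving side: one source tries many different usernames and almost all attempts fail. The following Python script is an added example (ours, not from Fortinet's report) that runs a simple detection over constructed authentication log lines and separates stuffing from a single-account brute force and from an ordinary user mistyping a password. The log format, the thresholds and the IP addresses are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Assumed log format (constructed for this example, not a real product's format):
#   <ISO timestamp> <source IP> LOGIN <username> <OK|FAIL>
LINE_RE = re.compile(r"^(\S+) (\S+) LOGIN (\S+) (OK|FAIL)$")

def build_sample_log():
    """Constructed auth log with three behaviours: credential stuffing, a normal
    user, and a single-account brute force. IPs are documentation addresses."""
    lines = []
    # Stuffing: one source cycles through many different usernames; almost all fail,
    # the one success is the account whose leaked password still works.
    users = ["alice", "bob", "carol", "dave", "erin", "frank",
             "grace", "heidi", "ivan", "judy", "mallory", "oscar"]
    for i, user in enumerate(users):
        result = "OK" if user == "grace" else "FAIL"
        lines.append(f"2024-10-28T10:00:{i:02d}Z 203.0.113.50 LOGIN {user} {result}")
    # Legitimate user: two typos, then success, from their own address.
    for i, result in enumerate(["FAIL", "FAIL", "OK"]):
        lines.append(f"2024-10-28T10:05:{i:02d}Z 198.51.100.9 LOGIN carol {result}")
    # Brute force: many failures against a single username.
    for i in range(15):
        lines.append(f"2024-10-28T10:10:{i:02d}Z 192.0.2.7 LOGIN dave FAIL")
    return "\n".join(lines)

def parse_auth_log(text):
    """Parse log text into (timestamp, ip, user, result) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groups())
    return events

def detect_credential_stuffing(events, min_attempts=10, min_distinct_users=8,
                               max_success_ratio=0.2):
    """Flag source IPs that try many *different* usernames with mostly failures.

    The distinct-user count separates stuffing from a brute force on one account,
    and the low success ratio separates it from a busy but legitimate NAT gateway
    where most logins succeed. Returns {ip: stats} for flagged sources."""
    attempts = defaultdict(int)
    successes = defaultdict(int)
    users = defaultdict(set)
    for _ts, ip, user, result in events:
        attempts[ip] += 1
        users[ip].add(user)
        if result == "OK":
            successes[ip] += 1
    flagged = {}
    for ip in attempts:
        ratio = successes[ip] / attempts[ip]
        if (attempts[ip] >= min_attempts
                and len(users[ip]) >= min_distinct_users
                and ratio <= max_success_ratio):
            flagged[ip] = {
                "attempts": attempts[ip],
                "distinct_users": len(users[ip]),
                "successes": successes[ip],
                # Accounts that accepted a replayed password: these need a forced reset.
                "compromised": sorted(u for _t, i, u, r in events if i == ip and r == "OK"),
            }
    return flagged

if __name__ == "__main__":
    for ip, stats in detect_credential_stuffing(parse_auth_log(build_sample_log())).items():
        print(ip, stats)
```

The thresholds are deliberately coarse; a production rule would evaluate them per time window and would treat the successful logins from a flagged source as the accounts to reset, since a success there means the leaked password was still valid.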

Most other data points in the threat landscape also indicate a spike in threat activity that coincides with elections.

Fortinet warns that everyone could be at risk during this time: Election infrastructure, government agencies engaged in electoral processes, political campaigns, media organizations, technology providers, and users.

Researchers recommend maintaining robust cybersecurity measures and awareness of fundamental best practices, including security awareness training, multi-factor authentication, endpoint protection, regular patching, and other baseline controls.