Exclusive: DHS warns of fake election websites potentially tied to criminals, foreign actors

The FBI has identified dozens of suspicious websites that look like official election websites but are not legitimate and could be used to interfere with the 2020 vote, according to a Department of Homeland Security bulletin sent to state and local officials across the country and reviewed by Yahoo News. The URLs of those websites are close imitations of state and federal election websites, and could be used to spread wrong information on how to vote or for election interference or influence operations.

“The FBI between March and June 2020 identified suspicious typosquatting of U.S. state and federal election domains, according to recent FBI reporting from a collaborative source,” the Aug. 11 bulletin says.

Typosquatting refers to websites that are set up to mimic a real or official website, using misspellings or similar domain names, hoping to lure in internet users who accidentally enter the wrong address.

“These suspicious typosquatting domains may be used for advertising, credential harvesting, and other malicious purposes, such as phishing and influence operations,” says the DHS bulletin. “Users should pay close attention to the spelling of web addresses or websites that look trustworthy but may be close imitations of legitimate U.S. election websites.”

A DHS official told Yahoo News registering these doppelganger domain names may not be nefarious — but they are concerned they could be the “initial preparatory step by criminal and foreign adversaries” planning to carry out a range of different types of attacks on the presidential election.

This comes as the U.S. intelligence community says Russia, China and Iran are attempting to meddle in the upcoming election. Earlier this month, the Office of the Director of National Intelligence released information warning of several countries, including Russia, China and Iran, which are seeking to influence the 2020 elections. And on Wednesday, Bill Evanina, the director of the National Counterintelligence and Security Center said Cuba, North Korea and Saudi Arabia are also working to influence the U.S. election with information operations, cyberscoop reported.

In the middle of a pandemic, and as Congress and the public worry the postal system will be overwhelmed, some states are still scrambling to implement changes to their voting process — and voters are going online to find out how to cast their ballot for president. But the lack of standard use of dot-gov and decentralized nature of U.S. elections can make it hard for voters to know what information and sources to trust.

“Someone attempting to go to a county website for information on voting could get redirected to a site set up to steal personal financial information or credentials,” explained Lawrence Norden, Director of the Election Reform Program at the Brennan Center for Justice at New York University School of Law.

“And of course, disinformation. Something may be set up to basically get voters the wrong info on how to vote,” Norden said.

“We are also worried about all these sites spoofing election night reporting,” he said.

The websites’ addresses flagged by the FBI include names that appear to reference voting in states like Pennsylvania, Georgia, Tennessee, Florida and among others. Many end in dot-com, others in dot-net, just like many official elections websites.

This makes it harder for people to tell if they’re clicking on the real government website or a close approximation that could give them bad information or install malware on their computer that steals all their data. This is especially a problem for those searching for voting information from their mobile phone, where it’s harder to see a website’s full address before clicking on it.

Some states and counties do use dot-gov but many other local and state election websites end in dot-com, dot-net, dot-org, dot-us — domains anyone can buy. A dot-gov domain involves an assessment by the government and indicates it’s a legitimate site.

A bipartisan bill to usher along states’ and counties’ move to dot-gov has been sitting on the Senate floor since January. It specifically speaks to the issue of elections, and cites a 2018 study from security company McAfee that found most county websites in swing states did not use dot-gov addresses. More than 90 percent of counties in Minnesota, Texas, Michigan and New Hampshire were on non-dot-gov sites, and Ohio and Mississippi were both over 85 percent non-dot-gov. Ohio has since moved to dot-gov, and the percentage of counties nationwide using dot-gov has increased since then, according to a June 2020 update from McAfee.

Colorado made the move from dot-com to dot-gov in 2018 after noticing that someone had purchased a domain name very similar to their official voting portal, then govotecolorado-dot-com, said Trevor Timmons, chief information officer for Colorado’s Secretary of State. (The state’s official election portal is now govotecolorado.gov.)

“Govotecolorado2018-dot-com was purchased by someone else who isn’t us, and when we saw that, we called the FBI,” he said.

That website never went live with any content, but if it had, it could have thrown the election into chaos.

Moving all states’ election websites to dot-gov like this would mitigate some, but not all, of the risks associated with these fake election sites.

The FBI declined to comment, referring questions to DHS, which declined to comment on the record.

“It’s not just a government issue,” a DHS official, who asked not to be named to discuss sensitive security issues, told Yahoo News. “Campaigns run on their own infrastructure, with their own websites, their own email service.”

Only after the election does the transition team for the incoming administration get set up with dot-gov addresses.

In the meantime, election security researchers in the run-up to the elections are also seeing domain names and websites pop up mimicking candidates or party or surrogate websites.

“It’s a very volatile environment,” said Kacey Clark, Threat Researcher, Digital Shadows, who has done research on presidential candidate-themed typosquatting sites. “You can definitely see how these could easily confuse users.”

She found dozens of recently registered websites that appear to be associated with Joe Biden and Kamala Harris, she told Yahoo News. Many appear innocuous, others appear to be sources of information and could be nefarious depending on what content appears. The ones that redirect or attempt to download an extension are the most concerning — that’s how malware could be installed. Some appear to support one candidate but redirect to a website supporting their opponent.

Like the election websites’ doppelgangers, these fake candidate websites could be used for criminal purposes, or even just to mislead voters.

Not all of these typosquatting sites are set up for bad purposes, the DHS official emphasized. It’s unknown how or even if the sites flagged by DHS — or others like McAfee and Clark — will ultimately be used, which is why it’s so critical for states to have backup plans in place, said Norden, the elections expert at NYU’s Brennan Center.

“Unfortunately, we don’t know what we don’t know,” Norden said.

“Those backup plans, that’s what I’m worried about now,” he said. “There’s still time, but we are running out of time.”

_____

Read more from Yahoo News:

• You don't need the U.S. Postal Service to deliver your mail-in ballot

• Trump says children are 'almost immune' to COVID-19. Doctors don't agree.

• Memorable moments from past conventions

• Should you send your child back to school? Here's how to weigh the coronavirus risks

• How the coronavirus could change college sports forever