
Thousands of Government-Related Subdomains Revealed in Subdomains Search

Elections and other government-related events typically drive a great deal of Internet activity. Looking at the domain name space, we found 4,197 subdomains related to the U.S. elections and the government in general. These were uncovered by our subdomains discovery tool. The following terms were used during the subdomains search:

  • CIA-Gov
  • Election-Gov
  • FBI-Gov
  • Hunter-Biden
  • IRS-Gov
  • Mueller
  • Nancy-Pelosi
  • QANON
  • Vote-Gov

Using WHOIS, domain, and IP intelligence tools, we discovered that the 4,197 subdomains can be traced back to 1,097 root domains that resolved to 1,083 unique IP addresses. With this data, we were able to answer these questions:

  • How old are the root domains?
  • What top-level domains (TLDs) did they mostly use?
  • Where are the subdomains geographically located?
  • What words were commonly used in the subdomains?

Domain Age

Threat actors are known to use newly registered domains (NRDs) in different malicious campaigns. However, when it comes to the election- and government-related subdomains, a combination of new and old domains was observed.

Domains that are five years old and above accounted for 57% of the total number of subdomains. About 30% were more than 10 years old, while only 6% were less than a year old.

Threat actors could exploit old domains by adding malicious subdomains or taking over unused ones. Subdomain protection should, therefore, be part of the overall cybersecurity strategy of enterprises.
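The age breakdown above comes from WHOIS creation dates. The script below is an added example, not the post's or WhoisXML API's own code: it takes a constructed set of root domains with made-up creation dates, buckets them into the age bands the post reports (under a year, 1 to 5, 5 to 10, over 10 years), and lists the newly registered ones that a blocklist or alert rule would look at first. The reference date and the 90-day NRD window are assumptions chosen for reproducibility.

```python
from collections import Counter
from datetime import date

# Fixed reference date so the numbers are reproducible (an assumption);
# swap in date.today() for live use.
REFERENCE_DATE = date(2020, 11, 20)

# Constructed WHOIS creation dates keyed by root domain; not real records.
SAMPLE_CREATED = {
    "example-one.com": date(2005, 3, 14),
    "example-two.org": date(2012, 7, 1),
    "example-three.net": date(2016, 11, 30),
    "example-four.info": date(2020, 9, 2),
    "example-five.co": date(2019, 11, 19),
}

# Age bands matching the post's reporting.
BUCKETS = ("under_1y", "1_to_5y", "5_to_10y", "over_10y")


def age_in_years(created, today=REFERENCE_DATE):
    """Fractional age in years, averaging out leap years."""
    return (today - created).days / 365.25


def age_bucket(years):
    if years < 1:
        return "under_1y"
    if years < 5:
        return "1_to_5y"
    if years < 10:
        return "5_to_10y"
    return "over_10y"


def age_distribution(created_by_domain, today=REFERENCE_DATE):
    """Percent of domains falling in each age bucket."""
    counts = Counter(age_bucket(age_in_years(c, today))
                     for c in created_by_domain.values())
    total = len(created_by_domain)
    return {b: round(100 * counts[b] / total) for b in BUCKETS}


def share_at_least(created_by_domain, years, today=REFERENCE_DATE):
    """Percent of domains at least `years` old (the post's 'five years and above')."""
    n = sum(age_in_years(c, today) >= years for c in created_by_domain.values())
    return round(100 * n / len(created_by_domain))


def newly_registered(created_by_domain, max_age_days=90, today=REFERENCE_DATE):
    """Domains created inside the NRD window (assumed 90 days); these are the
    ones detection rules usually score highest."""
    return sorted(d for d, c in created_by_domain.items()
                  if (today - c).days <= max_age_days)


if __name__ == "__main__":
    print("distribution:", age_distribution(SAMPLE_CREATED))
    print("5y and older:", share_at_least(SAMPLE_CREATED, 5), "%")
    print("NRDs:", newly_registered(SAMPLE_CREATED))
```

A domain that is old is not automatically safe: the same table of creation dates is what you would join against a list of subdomains to spot a fresh, attacker-added label sitting under a long-established root.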

Top 10 TLDs

The chart below shows the top 10 TLDs used by the election- and government-related subdomains.

The subdomains search revealed that the .com TLD was most frequently used. Six of the top 10 TLDs were country-code TLDs (ccTLDs) pointing to origins from other countries:

  • .br (Brazil)
  • .ms (Montserrat)
  • .cn (China)
  • .co (Colombia)
  • .au (Australia)
  • .ma (Morocco)

Subdomains that use these ccTLDs are quite suspicious since they are related to the U.S. elections and governmental entities.

Subdomain Location

Registrant Countries

The majority of the root domains were registered in the U.S. (44%) and France (18%). Panama and the Czech Republic account for 3%, while Canada has 2% of the root domains. A total of 70% can be attributed to the top five registrant countries, while the remaining 30% were distributed across 41 other registrant countries.

Those root domains registered in other countries require special attention. But for the utmost security of organizations and end-users, even domains registered in the U.S. should be treated with caution.

IP Geolocation

Bulk IP Geolocation GUI allowed us to look up the subdomains' IP geolocation details. The IP intelligence source revealed that most of the IP addresses the subdomains resolved to were U.S.-based (43%), coinciding with the top registrant country.

Around 35% of the IP addresses were located in Canada, 12% in Japan, 3% in Germany, and 2% in Russia. The remaining 6% were spread across 36 other countries.

Frequently Used Text Strings

Only 12 subdomains used the .gov TLD, but "gov" is the most common text string that appeared alongside the related terms. In fact, the word "gov" tops the list, as it was used by about 31% of the subdomains. Some examples are:

  • cia[.]gov[.]hotsited[.]com
  • ociagov[.]proboards[.]com
  • socialgov[.]posterous[.]com
  • rqqirs[.]gov[.]hg3342[.]com

The string "com" also appeared, making it the second most common word among the subdomains. Below are a few examples of subdomains that contain the string:

  • com[.]governmentsocialmedia[.]qirina[.]com
  • huntersandanglersforbiden-com[.]mail[.]protection[.]outlook[.]com

Some random-looking text strings also repeatedly appeared in the subdomains. The long string "2v8wa6govgwlkmtpcu43237ymvpacmrfibnuhvld," for example, was used in 365 subdomains, making it the fifth most common text string. The string "ig3rdenz," on the other hand, appeared 165 times, making it seventh on the list. These random-looking strings could be automatically generated.

Meanwhile, words like "socialsecurity," "admin," and "irs" could make subdomains appear trustworthy in the eyes of potential cybercrime victims.
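The TLD breakdown and the text-string counts above are both simple passes over the list of subdomain names. The script below is an added example, not the post's or WhoisXML API's tooling: it refangs a constructed sample written in the same "[.]" notation the post uses (the first six names are the post's examples, the last three are made up), counts TLDs and flags the ccTLDs, counts how many subdomains each dot- or hyphen-separated piece appears in, reports the post's looser "string appears anywhere" share, and finally lists names outside .gov whose labels borrow government-looking strings, which is the lure pattern the post warns about. The lure-token list is assumed, and the root-domain helper is deliberately naive (last two labels); real tooling should consult the Public Suffix List, for example via tldextract.

```python
from collections import Counter

# Constructed sample in defanged "[.]" notation; the first six entries are the
# post's own examples, the last three are made up for the demonstration.
SAMPLE_SUBDOMAINS = [
    "cia[.]gov[.]hotsited[.]com",
    "ociagov[.]proboards[.]com",
    "socialgov[.]posterous[.]com",
    "rqqirs[.]gov[.]hg3342[.]com",
    "com[.]governmentsocialmedia[.]qirina[.]com",
    "huntersandanglersforbiden-com[.]mail[.]protection[.]outlook[.]com",
    "vote[.]example-election[.]br",        # constructed
    "irs-login[.]example-refund[.]cn",     # constructed
    "www[.]vote[.]gov",                    # constructed, a genuine .gov name
]

# The ccTLDs the post singles out, used to label the breakdown.
CCTLD_NAMES = {"br": "Brazil", "ms": "Montserrat", "cn": "China",
               "co": "Colombia", "au": "Australia", "ma": "Morocco"}

# Government-looking strings a lure might borrow (assumed list, not the post's).
LURE_TOKENS = {"gov", "irs", "socialsecurity", "admin", "fbi", "cia", "vote", "election"}


def refang(name):
    """Turn defanged 'a[.]b' back into a lowercase hostname."""
    return name.replace("[.]", ".").strip(".").lower()


def labels(name):
    return refang(name).split(".")


def tld_of(name):
    return labels(name)[-1]


def root_domain(name):
    """Naive registrable domain: the last two labels. Use the Public Suffix
    List (e.g. tldextract) in real tooling so multi-label suffixes such as
    co.uk are not cut short."""
    return ".".join(labels(name)[-2:])


def is_cctld(tld):
    return len(tld) == 2


def tld_distribution(names):
    return Counter(tld_of(n) for n in names)


def cctld_breakdown(names):
    """ccTLD -> (country label, count), the 'origins from other countries' view."""
    return {tld: (CCTLD_NAMES.get(tld, "unknown"), n)
            for tld, n in tld_distribution(names).items() if is_cctld(tld)}


def pieces(name):
    """Hyphen-split pieces of every label except the TLD, so that
    'forbiden-com' yields 'com' the way the post counts it."""
    out = []
    for label in labels(name)[:-1]:
        out.extend(p for p in label.split("-") if p)
    return out


def token_frequency(names):
    """Number of subdomains each piece appears in (counted once per subdomain)."""
    freq = Counter()
    for n in names:
        freq.update(set(pieces(n)))
    return freq


def substring_share(names, needle):
    """Percent of subdomains containing `needle` anywhere in the name: the
    post's looser notion of a text string, which catches 'gov' inside 'ociagov'."""
    hits = sum(needle in refang(n) for n in names)
    return round(100 * hits / len(names), 1)


def _looks_like(piece, token):
    # Exact match or the token glued to the start/end of a label ('ociagov').
    return piece == token or piece.startswith(token) or piece.endswith(token)


def lure_hits(names):
    """Names outside .gov whose labels carry government-looking strings.
    Returns (subdomain, naive root domain, matched tokens)."""
    hits = []
    for n in names:
        if tld_of(n) == "gov":
            continue  # a real .gov name is not borrowing the string
        found = sorted(t for t in LURE_TOKENS
                       if any(_looks_like(p, t) for p in pieces(n)))
        if found:
            hits.append((refang(n), root_domain(n), found))
    return hits


if __name__ == "__main__":
    print("TLDs:", tld_distribution(SAMPLE_SUBDOMAINS).most_common())
    print("ccTLDs:", cctld_breakdown(SAMPLE_SUBDOMAINS))
    print("pieces:", token_frequency(SAMPLE_SUBDOMAINS).most_common(5))
    print("share containing 'gov':", substring_share(SAMPLE_SUBDOMAINS, "gov"), "%")
    for sub, root, toks in lure_hits(SAMPLE_SUBDOMAINS):
        print(f"{sub:60} root={root:22} lure={toks}")
```

The two counting styles give different answers on purpose: piece-level counting is what you want for a frequency table, while substring matching is what surfaces "gov" buried in "socialgov" but also produces noise (the "cia" inside "social", for instance), so a detection rule should prefer the label-boundary check in `lure_hits` over a raw substring search.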


The U.S. elections may be over, but these election- and government-related subdomains could still be active. While some of them may be used legitimately, several could figure in malicious activities, such as phishing and smear and disinformation campaigns.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider. Whois API, Inc. (whoisxmlapi) is a big data and API company that provides domain research and monitoring, Whois, DNS, IP, and threat intelligence APIs, data, and tools to a variety of industries.
