Skip to content

Trending tags

How To Locate Domains Spoofing Campaigns (Using Google Dorks) #Midterms2018

Noora Hyvärinen

30.07.18 2 min. read

The government accounts of US Senator Claire McCaskill (and her staff) were targeted in 2017 by APT28 A.K.A. “Fancy Bear” according to an article published by The Daily Beast on July 26th. Senator McCaskill has since confirmed the details.

And many of the subsequent (non-technical) articles that have been published has focused almost exclusively on the fact that McCaskill is running for re-election in 2018. But, is it really conclusive that this hacking attempt was about the 2018 midterms? After all, Senator McCaskill is the top-ranking Democrat on the Homeland Security & Governmental Affairs Committee and also sits on the Armed Services Committee. Perhaps she and her staffers were instead targeted for insights into on-going Senate investigations?

Senator Claire McCaskill's Committee Assignments

Because if you want to target an election campaign, you should target the candidate’s campaign server, not their government accounts. (Elected officials cannot use government accounts/resources for their personal campaigns.) In the case of Senator McCaskill, the campaign server is: clairemccaskill.com.

Which appears to be a WordPress site.

clairemccaskill.com/robots.txt

Running on an Apache server.

clairemccaskill.com Apache error log

And it has various e-mail addresses associated with it.

clairemccaskill.com email addresses

That looks interesting, right? So… let’s do some Google dorking!

Searching for “clairemccaskill.com” in URLs while discarding the actual site yielded a few pages of results.

Google dork: inurl:clairemccaskill.com -site:clairemccaskill.com

And on page two of those results, this…

clairemccaskill.com.de

Definitely suspicious.

Whats is com.de? It’s a domain on the .de TLD (not a TLD itself).

.com.de

Okay, so… what other interesting domains associated with com.de are there to discover?

How about additional US Senators up for re-election such as Florida Senator Bill Nelson? Yep.

nelsonforsenate.com.de

Senator Bob Casey? Yep.

bobcasey.com.de

And Senator Sheldon Whitehouse? Yep.

whitehouseforsenate.com.de

But that’s not all. Democrats aren’t the only ones being spoofed.

Iowa Senate Republicans.

iowasenaterepublicans.com.de

And “Senate Conservatives“.

senateconservatives.com.de

Hmm. Well, while being no more closer to knowing whether or not Senator McCaskill’s government accounts were actually targeted because of the midterm elections – the domains shown above are definitely shady AF. And enough to give cause for concern that the 2018 midterms are indeed being targeted, by somebody.

(Our research continues.)

Meanwhile, the FBI might want to get in touch with the owners of com.de.

Noora Hyvärinen

30.07.18 2 min. read

Categories

Related posts

Close

Newsletter modal

Thank you for your interest towards F-Secure newsletter. You will shortly get an email to confirm the subscription.

Gated Content modal

Congratulations – You can now access the content by clicking the button below.