SecurityTrails Blog

Recon Safari number 2: Looking at the OSINT Behind Fake US Census Bureau Domains


Note: The audio version doesn't include data from the tables. Those parts of the post can be seen in the text version.
Just recently, we came across a flash alert released by the FBI concerning 63 domains that were impersonating the US Census Bureau. We were intrigued and wanted to investigate further, so for our second Recon Safari we're going to look at what OSINT data we can uncover from these spoofed domains.
We'll be primarily using SurfaceBrowser, our browser-based, all-in-one passive intelligence tool.
Some of the data we'll look at includes:
Whois, including history.
DNS, current and historical.
Subdomains with their associated hosts, ports and more.
SSL certificates.
We will also apply some logical deduction to spot any obvious trends. Let's dig in!
The list of suspicious domains
The list appears to indicate 63 domains, but a closer look shows the actual number is only 57. The number of actual domains is lower still, because some of the entries are subdomains rather than registered domains. Examples include bendus.ensus.org and calforniac.ensus.org.
The second noticeable trend is the pairing of hyphenated and unhyphenated variants of the same name. Examples include:
uscensusbureau.co, us-census-bureau.co
censuscareers.com, census-careers.com
uscensusbureau.net, us-census-bureau.net
Common keywords across these spoofed domains are:
bureau (a word that is easy to misspell, which makes it a natural target for misspelled lookalike domains).
careers.
jobs.
form.
survey.
The 4 main TLDs of the spoofed domains are **.com, .net, .org** and **.us**.
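As an added example, not code from the post or from SecurityTrails, the Python script below applies the same checks the post makes by hand (subdomain versus registered domain, hyphen/no-hyphen twins, keyword hits, TLD distribution) to a constructed sample list made up of domains named in this post; the alert's full list is not reproduced here, and the registrable-domain split assumes single-label TLDs.

```python
# Added triage example (not the post's own code). The sample list is
# constructed from domains quoted in the post, not the full FBI alert list.
from collections import Counter, defaultdict

SAMPLE = [
    "bendus.ensus.org", "calforniac.ensus.org",
    "uscensusbureau.co", "us-census-bureau.co",
    "censuscareers.com", "census-careers.com",
    "uscensusbureau.net", "us-census-bureau.net",
    "arrecensust.cf", "censuspeer.cf", "census2020.net", "2020census.us",
    "uscensus.us", "fill-out-census-online.net",
]

# Keywords the post highlights as common across the spoofed domains.
KEYWORDS = ("bureau", "careers", "jobs", "form", "survey")


def registrable(name):
    """Return (registrable_domain, is_subdomain).

    Assumption: single-label TLDs, which holds for .com/.net/.org/.us/.co/.cf.
    A public-suffix list would be needed for two-label suffixes like .co.uk."""
    labels = name.lower().strip(".").split(".")
    return ".".join(labels[-2:]), len(labels) > 2


def triage(domains):
    """Summarise the patterns the post calls out for a list of lookalikes."""
    regs, subs = set(), []
    for d in domains:
        r, is_sub = registrable(d)
        regs.add(r)
        if is_sub:
            subs.append(d)
    # Twins: identical once '-' is stripped (same TLD), e.g. us-census-bureau.co
    # and uscensusbureau.co.
    groups = defaultdict(list)
    for r in regs:
        groups[r.replace("-", "")].append(r)
    twins = sorted(sorted(g) for g in groups.values() if len(g) > 1)
    keyword_hits = {k: sorted(r for r in regs if k in r) for k in KEYWORDS}
    tlds = Counter(r.rsplit(".", 1)[1] for r in regs)
    return {"registrable": sorted(regs), "subdomains": sorted(subs),
            "hyphen_twins": twins, "keyword_hits": keyword_hits, "tlds": tlds}


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, value)
```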
Exploring the Data
The spreadsheet below introduces the OSINT data we found on the 57 domains. The data contains: registrar, current Whois, registration date, historical Whois, subdomains with their hosts and open ports, the certificate authority and relevant notes.
You can find the full spreadsheet at the following link.
For some of the domains (arrecensust.cf, censuspeer.cf) we found no available data.
The bulk of the spoofed domains, over 30 of them, are currently registered with Network Solutions.
You can find all domains registered on 08-09-2018 in the spreadsheet above, categorized under the orange label. We could assume that the Whois data being used here is inaccurate.
In a couple of these orange-labelled domains, we were able to find historical Whois data pointing to a @census.gov email. Our powerful "Associated Domains" engine was able to uncover at least 35 domains through various associations:
Many of the domains above were initially registered 6 years ago, all on the same date: 2014-03-19.
Of the few registered on different dates (census2020.net), we uncovered an association to an organization named NALEO Educational Fund.
Another important domain is 2020census.us. The current Whois for this domain points to a Doug Gardner of Reingold (marked under the blue label). This Whois data should look familiar, since we found Whois data for the same person and organization on 7 of the spoofed domains identified above. The www subdomain points to a "Confluence Networks" IP: 208.91.197.27.
The same 208.91.197.27 IP is also present on www.uscensus.us.
Doing a lookup on the 208.91.197.27 IP uncovered over 1 million associated domains, but by filtering in SurfaceBrowser we narrowed them down to 314 "census"-related domains. We tested a number of these domains and many of them redirect.
It redirects to "link in the document".
A sample of this redirect situation is on uscensusbureau-gov.u.
The Whois, including historical data, for searchacross.com is guarded by Whois protection, so we're unable to extract any data from that angle.
The same issue exists for another of these redirect domains: wellnesszap.com.
We thought we were in luck because the third redirect domain had historical Whois data pointing to a person with no Whois privacy: fill-out-census-online.net (which has the same Whois as on figure 1), s...