SecurityTrails Blog · Nov 02 · by Sara Jelen

Recon Safari #2: Looking at the OSINT Behind Fake US Census Bureau Domains

Just recently, we came across a flash alert released by the FBI concerning 63 domains that were impersonating the US Census Bureau. We were intrigued and wanted to investigate further, so for our second Recon Safari we’re going to look at what OSINT data we can uncover from these spoofed domains.

We’ll be primarily using SurfaceBrowser™, our browser-based, all-in-one passive intelligence tool.

Some of the data we’ll look at includes:

  • WHOIS - including history
  • DNS - current and historical
  • Subdomains with their associated hosts, ports and more
  • SSL certificates

We will also apply some logical deduction to spot any obvious trends. Let’s dig in!

The list of suspicious domains


The alert refers to 63 domains, but a closer count of the list yields only 57 entries. The number of distinct domains is lower still, because some of the entries are actually subdomains; examples include bendus.ensus.org and californiac.ensus.org.

The second trend we picked up on is the use of ‘-’ to produce hyphenated and unhyphenated variants of the exact same spelling. Examples include:

  • uscensusbureau.co | us-census-bureau.co
  • censuscareers.com | census-careers.com
  • uscensusbureau.net | us-census-bureau.net

Common keywords among these spoofed domains:

  • bureau (a difficult word to spell and easily exploitable via misspelled domains)
  • careers
  • jobs
  • form
  • survey

The 4 main TLDs of the spoofed domains are .com, .net, .org and .us.
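To make the pattern-spotting above repeatable, here is an added Python example (not part of the original post, and not SurfaceBrowser™ code) that takes a constructed subset of the FBI list, collapses subdomain entries to their registrable domains, groups hyphenated and unhyphenated spellings of the same name, counts the keywords and TLDs, and flags one-letter misspellings of "bureau" such as "burea". It assumes single-label public suffixes, which holds for every TLD on the list.

```python
from collections import Counter
FBI_SAMPLE = [  # constructed subset of the FBI list discussed above, not all 57
    "bendus.ensus.org", "californiac.ensus.org", "censusburea.com",
    "census-bureau.com", "censuscareers.com", "census-careers.com",
    "uscensusbureau.co", "us-census-bureau.co", "uscensusbureau.net",
    "us-census-bureau.net", "server.censusarchive.com", "censusarchive.org",
    "online-census-form.net", "onlinecensussurvey.com", "lists.us-census.org",
    "us-census.org", "us-census-jobs.com",
]
KEYWORDS = ("bureau", "careers", "jobs", "form", "survey")

def registrable(name: str) -> str:
    # Assumes single-label public suffixes (true for all TLDs on the FBI list).
    return ".".join(name.strip().lower().split(".")[-2:])

def edit_distance(a: str, b: str) -> int:
    # Plain Levenshtein distance; fine for comparing against a six-letter word.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def near_miss(domain: str, word: str = "bureau") -> bool:
    # True when the first label contains a one-edit misspelling of `word`
    # (e.g. "burea" in censusburea.com) but not the correctly spelled word.
    label = domain.split(".")[0].replace("-", "")
    return word not in label and any(
        edit_distance(label[i:i + n], word) == 1
        for n in (len(word) - 1, len(word), len(word) + 1)
        for i in range(len(label) - n + 1))

def analyze(entries: list) -> dict:
    entries = [e.strip().lower() for e in entries if e.strip()]
    domains = sorted({registrable(e) for e in entries})
    groups = {}
    for d in domains:  # hyphenated and unhyphenated spellings of one name
        groups.setdefault(d.replace("-", ""), []).append(d)
    return {
        "entries": len(entries),
        "domains": len(domains),
        "subdomains": [e for e in entries if e != registrable(e)],
        "hyphen_pairs": [g for g in groups.values() if len(g) > 1],
        "keywords": Counter(k for d in domains for k in KEYWORDS if k in d),
        "tlds": Counter(d.rsplit(".", 1)[1] for d in domains),
        "near_misses": [d for d in domains if near_miss(d)],
    }
```

Running `analyze(FBI_SAMPLE)` on the 17 sample entries yields 15 distinct domains, 4 subdomain entries and the same three hyphen pairs the post lists.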

Exploring the Data

The spreadsheet below introduces the OSINT data we found on the 57 domains. The data contains: registrar, current WHOIS, registration date, historical WHOIS, subdomains with their hosts and open ports, the certificate authority and relevant notes.

You can find the full spreadsheet at the following link.

For some of the domains (arrecensust.cf, censuspeer.cf) we found no available data.

The bulk of the spoofed domains, over 30 of them, are currently registered with Network Solutions.

Figure 1.

You can find all domains registered on 08-09-2018 in the spreadsheet above, categorized under the orange label. We could assume that the WHOIS data being used here is inaccurate.

In a couple of these orange-labelled domains, we were able to find historical WHOIS data pointing to a @census.gov email. Our powerful “Associated Domains” engine was able to uncover at least 35 domains through various associations:


Many of the domains above were initially registered 6 years ago, all on the same date: 2014-03-19.

Of the few registered on different dates (census2020.net among them), we uncovered an association with an organization named Naleo Educational Fund.

Another important domain is: 2020census.us. The current WHOIS for this domain points to a Doug Gardner of Reingold (marked under the blue label). This WHOIS data should look familiar because we found WHOIS data associated with this person/organization in 7 of the spoofed domains identified above. The www subdomain points to a “Confluence Networks” IP: 208.91.197.27.

The same 208.91.197.27 IP is also present on www.uscensus.us.

A lookup on the 208.91.197.27 IP uncovered over 1 million associated domains, but by filtering in SurfaceBrowser™ we narrowed these down to 314 “census”-related domains. We tested a number of them and many redirect elsewhere.

One example is uscensusbureau-gov.us, which redirects to “http://searchacross.com/?pid=9POI520ZA&dn=uscensusbureau-gov.us&url=https://usc”.

The WHOIS for searchacross.com, including its historical data, is guarded by WHOIS protection, so we’re unable to extract anything from that angle.

The same issue exists for another of these redirect domains: wellnesszap.com.

We thought we were in luck because the third redirect domain had historical WHOIS data pointing to a person with no WHOIS privacy: fill-out-census-online.net (which has the same WHOIS as in Figure 1) -> steersearch.com.

It is likely that this third domain originally expired while registered with GoDaddy and was then re-registered with the same registrar as the other two domains, searchacross.com and wellnesszap.com: PublicDomainRegistry.

wellnesszap.com and steersearch.com sit behind Cloudflare DNS, but searchacross.com exposes its Confluence Networks IP, 208.91.196.4, which hosts 224 domains that all appear to be forwarding and/or malware domains.

Another interesting domain was uscensusbureau.us.

Figure 4.

With the power of our “Associated Domains” engine, we discovered 400+ associated domains. What caught our eye was the number of US/state government-looking domains, such as:

  • newjerseystatepolice.com
  • newmexicostatepolice.com
  • statepolice.us
  • unitedstatesgovernment.us

Many of these domains are really old and were registered in the early 2000s, so this might be a domain squatter, but we did not investigate for redirects/malware.

The last observation we found interesting was the domain census-gov.us.

Through the two current DNS IPs (DigitalOcean) we were able to uncover a further 17 and 20 census-related domains, respectively. One of these IPs exposed the domain metavertex.com, which left a breadcrumb to the owner’s WHOIS:

Figure 5.

Another two domains, censusonline.us and census-gov.us, point to a Seymour Benjamin of “Census Data Research Online”. Its PO Box 4522 happens to be the same PO Box as that of Thadeus Johnson (above). A shared PO Box could indicate a number of things, such as both companies being owned or managed by the same person or group. Another theory is that “Census Data Research Online” is a customer of “ThetaHost Solutions LLC” and is using ThetaHost’s PO Box in its WHOIS.

Figure 6.

Summary

Our Recon Safari turned into a really fun rabbit hole. We uncovered a lot more than the 57 domains we started with; the connections we found point to at least 300+ census-related domains. Not all of them may be malicious, but a simple exercise using the OSINT data above, combined with some additional redirect/malware analysis, can clarify that.

All of this was achieved with the power of SurfaceBrowser™, but you can go even further by combining it with SQL Explorer, and even our SecurityTrails API™.

We hope you’ve enjoyed the second instalment of SecurityTrails Recon Safari. More research is incoming, and in the meantime you can check out the first Recon Safari, which focused on the Friendemic data breach. Stay tuned!

SARA JELEN

Sara believes the human element is often at the core of all cybersecurity issues. It’s this perspective that brings a refreshing voice to the SecurityTrails team. Her ability to bridge cognitive/social motivators and how they impact the cybersecurity industry is always enlightening.