Recon Safari #2: Looking at the OSINT Behind Fake US Census Bureau Domains
Reading time: 14 minutes
Just recently, we came across a flash alert released by the FBI concerning 63 domains that were impersonating the US Census Bureau. We were intrigued and wanted to investigate further, so for our second Recon Safari we're going to look at what OSINT data we can uncover from these spoofed domains.
We'll be primarily using SurfaceBrowser™, our browser-based, all-in-one passive intelligence tool.
Some of the data we'll look at includes:
- WHOIS - including history
- DNS - current and historical
- Subdomains with their associated hosts, ports and more
- SSL certificates
We will also apply some logical deduction to spot any obvious trends. Let's dig in!
The list of suspicious domains
- arrecensust.cf
- online-census-form.net
- bendus.ensus.org
- onlinecensussurvey.com
- cacensusfactsheets.online
- online-census-survey.com
- californiac.ensus.org
- onlinecensussurvey.net
- censusarchive.org
- online-census-survey.net
- censusburea.com
- rnicensus.com
- census-bureau.com
- server.censusarchive.com
- census-bureau.us
- startcensusonline.com
- censusbureaudata.com
- start-census-online.com
- census-bureau-gov.us
- startcensusonline.net
- censuscareers.com
- uscensus.net
- census-careers.com
- us-census.net
- census-gov.us
- us-census.org
- census-info.us
- uscensus.us
- census-jobs.com
- uscensusbureau.co
- censusnj.org
- us-census-bureau.co
- censusofsurvey.com
- us-census-bureau.com
- censusonline.us
- uscensusbureau.net
- censuspeer.cf
- us-census-bureau.net
- gf.ensus.org
- uscensusbureau.org
- lists.us-census.org
- us-census-bureau.org
- mycensus.io
- uscensusbureau.us
- njcensus.com
- us-census-bureau.us
- nycensus.com
- uscensusbureau-gov.us
- ocensus.cn
- us-census-bureau-gov.us
- onlinecensusform.com
- uscensuscareers.com
- online-census-form.com
- us-census-careers.com
- onlinecensusform.net
- uscensus-gov.us
- us-census-jobs.com
The list appears to indicate 63 domains, but if you look more closely, the actual number is only 57. The number of distinct registrable domains is smaller still, because some of the entries are actually subdomains; examples include bendus.ensus.org and californiac.ensus.org.
The second noticeable trend we picked up on is the use of hyphens ('-') to create variants of domains with otherwise identical spelling. Examples of these include:
- uscensusbureau.co | us-census-bureau.co
- censuscareers.com | census-careers.com
- uscensusbureau.net | us-census-bureau.net
Here are common keywords with these spoofed domains:
- bureau (a difficult word to spell and easily exploitable via misspelled domains)
- careers
- jobs
- form
- survey
The 4 main TLDs of the spoofed domains are .com, .net, .org and .us.
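The pattern-spotting above (collapsing subdomains to registrable domains, pairing hyphenated and unhyphenated spellings, counting keywords and TLDs) can be done mechanically, which matters when the next alert carries hundreds of names instead of 57. The script below is an added example, not code from the original post or from SurfaceBrowser™. It embeds the 57 names quoted above, and it goes one step beyond the text by flagging near-misspellings of a keyword with an edit-distance check, which is how a name like censusburea.com surfaces. Its registrable-domain logic assumes single-label public suffixes, which holds for this list but would need the Public Suffix List for suffixes such as .co.uk.

```python
"""Pattern analysis over the FBI list of Census Bureau lookalike domains.

Added example: the list below is the 57 names quoted in the post; the
registrable-domain logic assumes single-label public suffixes (true here).
"""
from collections import Counter, defaultdict

FBI_LIST = """
arrecensust.cf online-census-form.net bendus.ensus.org onlinecensussurvey.com
cacensusfactsheets.online online-census-survey.com californiac.ensus.org
onlinecensussurvey.net censusarchive.org online-census-survey.net censusburea.com
rnicensus.com census-bureau.com server.censusarchive.com census-bureau.us
startcensusonline.com censusbureaudata.com start-census-online.com
census-bureau-gov.us startcensusonline.net censuscareers.com uscensus.net
census-careers.com us-census.net census-gov.us us-census.org census-info.us
uscensus.us census-jobs.com uscensusbureau.co censusnj.org us-census-bureau.co
censusofsurvey.com us-census-bureau.com censusonline.us uscensusbureau.net
censuspeer.cf us-census-bureau.net gf.ensus.org uscensusbureau.org
lists.us-census.org us-census-bureau.org mycensus.io uscensusbureau.us
njcensus.com us-census-bureau.us nycensus.com uscensusbureau-gov.us ocensus.cn
us-census-bureau-gov.us onlinecensusform.com uscensuscareers.com
online-census-form.com us-census-careers.com onlinecensusform.net
uscensus-gov.us us-census-jobs.com
""".split()

KEYWORDS = ("bureau", "careers", "jobs", "form", "survey")


def registrable(name):
    """Collapse a hostname to its registrable domain (last two labels).

    Assumption for this list only; real tooling should consult the Public Suffix List.
    """
    return ".".join(name.lower().split(".")[-2:])


def hyphen_variant_groups(domains):
    """Group names that are identical once hyphens are removed (uscensus.net / us-census.net)."""
    groups = defaultdict(set)
    for d in domains:
        groups[d.replace("-", "")].add(d)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


def keyword_counts(domains, keywords=KEYWORDS):
    """How many names contain each keyword (hyphens ignored, so census-jobs counts for jobs)."""
    return {kw: sum(kw in d.replace("-", "") for d in domains) for kw in keywords}


def tld_counts(domains):
    """Counter of top-level domains, most common first via .most_common()."""
    return Counter(d.rsplit(".", 1)[1] for d in domains)


def edit_distance(a, b):
    """Plain Levenshtein distance; inputs are short, so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def near_misses(domains, word, max_dist=1):
    """Names containing a misspelling of `word` within `max_dist` edits, but not `word` itself.

    Every window of length len(word)-1 .. len(word)+1 is compared, so dropped,
    substituted and inserted letters are all caught.
    """
    hits = set()
    for d in domains:
        text = d.replace("-", "").replace(".", "")
        if word in text:
            continue
        for width in (len(word) - 1, len(word), len(word) + 1):
            for i in range(len(text) - width + 1):
                if edit_distance(text[i:i + width], word) <= max_dist:
                    hits.add(d)
    return sorted(hits)


def summarize(domains=FBI_LIST):
    """One dictionary with every observation the post makes by hand."""
    return {
        "entries": len(domains),
        "registrable": len({registrable(d) for d in domains}),
        "hyphen_pairs": hyphen_variant_groups(domains),
        "keywords": keyword_counts(domains),
        "tlds": tld_counts(domains).most_common(),
        "near_misses_bureau": near_misses(domains, "bureau"),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(key, "->", value)
```

Running it reproduces the observations above: 57 entries collapse to 54 registrable domains, 13 hyphen-variant pairs exist, .com/.us/.net/.org are the four most common TLDs, and censusburea.com is the one name that misspells "bureau" by a single edit. Swapping FBI_LIST for a feed of newly registered domains turns the same functions into a brand-monitoring check.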
Exploring the Data
The spreadsheet below introduces the OSINT data we found on the 57 domains. The data contains: registrar, current WHOIS, registration date, historical WHOIS, subdomains with their hosts and open ports, the certificate authority and relevant notes.
You can find the full spreadsheet at the following link.
For some of the domains (arrecensust.cf, censuspeer.cf) we found no available data.
The bulk of the spoofed domains, over 30 of them, are currently registered with Network Solutions.

You can find all domains registered on 08-09-2018 in the spreadsheet above, categorized under the orange label. We could assume that the WHOIS data being used here is inaccurate.
In a couple of these orange-labelled domains, we were able to find historical WHOIS data pointing to a @census.gov email. Our powerful "Associated Domains" engine was able to uncover at least 35 domains through various associations:
Many of the domains above were initially registered 6 years ago, all on the same date: 2014-03-19.
Of the few registered on different dates (census2020.net), we uncovered an association to an organization named Naleo Educational Fund.
Another important domain is: 2020census.us. The current WHOIS for this domain points to a Doug Gardner of Reingold (marked under the blue label). This WHOIS data should look familiar because we found WHOIS data associated with this person/organization in 7 of the spoofed domains identified above. The www subdomain points to a "Confluence Networks" IP: 208.91.197.27.
The same 208.91.197.27 IP is also present on www.uscensus.us.
Doing a lookup on the 208.91.197.27 IP uncovered over 1 million associated domains, but by using SurfaceBrowser™ we were able to filter them down to 314 "census"-related domains. We tested a number of these domains and a lot of them have redirects.
A sample of this redirect situation is uscensusbureau-gov.us, which redirects to "http://searchacross.com/?pid=9POI520ZA&dn=uscensusbureau-gov.us&url=https://usc".
The WHOIS, including historical data for searchacross.com is guarded by WHOIS protection, so we're unable to extract any data from that angle.
The same issue exists for another of these redirect domains: wellnesszap.com.
We thought we were in luck because the third redirect domain had historical WHOIS data pointing to a person with no WHOIS privacy: fill-out-census-online.net (which has the same WHOIS as on Figure 1) -> steersearch.com.
It is likely that this third domain originally expired, with the original registrar being GoDaddy, and was then re-registered with the same registrar as the other 2 domains, searchacross.com and wellnesszap.com, on PublicDomainRegistry.
Domains wellnesszap and steersearch are protected behind Cloudflare DNS, but searchacross.com exposed its Confluence Networks IP, 208.91.196.4 — which shows 224 domains all appearing to be forwarding and/or malware domains.
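The redirect testing described above, where a spoofed domain forwards to searchacross.com with the source name carried in a dn= parameter, is easiest to reproduce with a probe that walks each hop itself rather than letting an HTTP library follow silently, so every intermediate Location header is kept as evidence. The following is an added example, not code from the post or from SurfaceBrowser™. To run offline it starts a local stand-in server with a constructed three-hop chain and a constructed redirect loop; the pid/dn/url values are placeholders, not the ones observed on uscensusbureau-gov.us.

```python
"""Walk an HTTP redirect chain hop by hop and keep every Location as evidence.

Added example. The stand-in server below is a constructed forwarding domain so the
probe runs offline; the pid/dn/url values are placeholders.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import parse_qs, urljoin, urlsplit

REDIRECT_CODES = (301, 302, 303, 307, 308)


def fetch_once(url, timeout=5):
    """One GET without following redirects; returns (status, Location header or None)."""
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("GET", path, headers={"Host": parts.netloc, "User-Agent": "redirect-probe/0.1"})
        resp = conn.getresponse()
        resp.read()  # drain the body so the connection closes cleanly
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def follow_redirects(url, max_hops=10):
    """Return {'chain': [urls visited], 'status': last status, 'exhausted': hop budget hit}.

    Following manually (instead of letting urllib do it) records each intermediate
    hop, and the hop budget keeps a looping forwarder from hanging the probe.
    """
    chain = [url]
    status = None
    for _ in range(max_hops):
        status, location = fetch_once(chain[-1])
        if status not in REDIRECT_CODES or not location:
            return {"chain": chain, "status": status, "exhausted": False}
        chain.append(urljoin(chain[-1], location))  # Location may be relative
    return {"chain": chain, "status": status, "exhausted": True}


def forwarding_params(url):
    """Query parameters on a landing URL; forwarding services often carry the source domain (dn=)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


class _ForwardingStandIn(BaseHTTPRequestHandler):
    """Constructed stand-in for a parked domain: two hops to a landing page, plus a loop."""

    ROUTES = {
        "/start": (302, "/hop2"),
        "/hop2": (301, "/landing?pid=PLACEHOLDER&dn=spoofed-domain.test&url=https://real-site.test/"),
        "/loop": (302, "/loop"),
    }

    def do_GET(self):
        route = self.ROUTES.get(self.path.split("?", 1)[0])
        if route:
            self.send_response(route[0])
            self.send_header("Location", route[1])
            self.end_headers()
            return
        body = b"parked landing page"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_stand_in():
    """Bind the stand-in on a free loopback port; returns (server, base_url)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), _ForwardingStandIn)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


if __name__ == "__main__":
    server, base = start_stand_in()
    try:
        result = follow_redirects(base + "/start")
        print(" -> ".join(result["chain"]), "status", result["status"])
        print("landing params:", forwarding_params(result["chain"][-1]))
        print("loop probe:", follow_redirects(base + "/loop", max_hops=4))
    finally:
        server.shutdown()
        server.server_close()
```

The hop budget is the important design choice: a forwarder that loops, or bounces between two parked domains, would otherwise keep the probe busy indefinitely, and the returned `exhausted` flag makes that case visible in the results rather than silently truncating. Comparing the first and last hostnames in `chain` tells you whether a domain merely parks or forwards off-site, and `forwarding_params` recovers the dn= value that identifies which spoofed name sent the visitor.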
Another interesting domain was uscensusbureau.us.

With the power of our "Associated Domains" engine, we discovered 400+ associated domains. What caught our eye was the number of US/state government-looking domains, such as:
- newjerseystatepolice.com
- newmexicostatepolice.com
- statepolice.us
- unitedstatesgovernment.us
Many of these domains are really old and were registered in the early 2000s, so this might be a domain squatter, but we did not investigate for redirects/malware.
The last observation we found interesting was the domain census-gov.us.
Through the two current DNS IPs (Digital Ocean) we were able to uncover a further 17 and 20 census-related domains respectively. One of these IPs exposed the domain metavertex.com, which left a breadcrumb to the owner WHOIS:

Another 2 domains, namely censusonline.us and census-gov.us, point to a Seymour Benjamin of "Census Data Research Online". The PO Box 4522 happens to be the same as the PO Box of Thadeus Johnson (shown above). A shared PO Box could indicate a number of things, such as both companies being owned/managed by the same person or group. Another theory might be that "Census Data Research Online" is a customer of "ThetaHost Solutions LLC" and the customer is using the PO Box of "ThetaHost Solutions LLC" for its WHOIS.

Summary
Our Recon Safari turned into a really fun rabbit hole for us. We uncovered a lot more than just 57 domains and the connections we found indicated at least 300+ census-related domains. Not all of them may be malicious, but a simple exercise using the OSINT data we provided above with some additional redirect/malware analysis can clarify that.
All of this was achieved with the power of SurfaceBrowser™, but you can go even further by combining it with SQL Explorer, and even our SecurityTrails API™.
We hope you’ve enjoyed the second instalment of SecurityTrails Recon Safari. More research is incoming, and in the meantime you can check out the first Recon Safari, which focused on the Friendemic data breach. Stay tuned!
