As political events go, the Conservative Party’s summer leadership contest was a largely restrained one, with relatively little mudslinging. But despite this outward appearance, there were domain squatting tactics at play behind the scenes that could have come straight from an influence operations handbook.
Domain squatting (also known as cybersquatting) is the pre-emptive purchase of website domains, conducted to prevent another interested party from controlling a domain name that is likely to be important to them. It can also be conducted as part of a wider effort to influence third-party searchers by intercepting their attempts to reach a website and redirecting them towards an alternative domain. Instances of domain squatting are recorded by the World Intellectual Property Organization (WIPO), whose statistics show a steady increase in the number of reported cases almost every year since the early 2000s.
Domain squatting techniques and objectives
Although domain squatting can take a multitude of forms, three primary techniques prevail, each with a slightly different intended target and objective.
First (and most effective) is the act of pre-emptively purchasing a name under the main top-level domains, such as example.com or example.org, before the target organisation has managed to secure them. These domain registrations are often followed by attempts to extort the organisation with an interest in the domain into paying for the rights to it.
The second method is substitution-squatting, where a domain is registered with characters that substitute a known company domain’s letters with something visually similar, for example tw1tter.com spelled with a “1” instead of an “i”. This technique is often used to trick users into accepting the site as the legitimate website of a known organisation, and is often employed as part of an effort to harvest user credentials.
Finally, there is typo-squatting, which attempts to intercept users who have misspelled the domain of the website they are trying to visit, for example twqitter.com or faceboook.com. This method is often used by hackers in an attempt to install malware onto users’ devices.
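For a team monitoring newly registered names against the domains it wants to protect, the three techniques above can be told apart mechanically. The sketch below is an added example, not part of the original article; the look-alike table, the label names and the naive split at the first dot are assumptions made for illustration.

```python
# Constructed look-alike table (assumption, not exhaustive): character -> letters it imitates.
LOOKALIKES = {"1": "il", "0": "o", "3": "e", "5": "s", "4": "a", "l": "i", "i": "l"}
# Example domains quoted in the article, plus one constructed unrelated name.
SAMPLE = ["tw1tter.com", "twqitter.com", "faceboook.com", "example.org", "unrelated-site.org"]


def split_domain(domain):
    """Naive split into (name, suffix) at the first dot; no public suffix list is used."""
    name, _, suffix = domain.lower().strip(".").partition(".")
    return name, suffix


def is_substitution(name, target):
    """Same length, and every differing character is a visual stand-in for the original."""
    if len(name) != len(target) or name == target:
        return False
    return all(a == b or b in LOOKALIKES.get(a, "") for a, b in zip(name, target))


def is_typo(name, target):
    """One insertion, deletion, replacement or adjacent swap away from the target."""
    if name == target or abs(len(name) - len(target)) > 1:
        return False
    if len(name) == len(target):
        d = [i for i, (a, b) in enumerate(zip(name, target)) if a != b]
        swapped = (len(d) == 2 and d[1] == d[0] + 1
                   and name[d[0]] == target[d[1]] and name[d[1]] == target[d[0]])
        return len(d) == 1 or swapped
    longer, shorter = (name, target) if len(name) > len(target) else (target, name)
    return any(longer[:i] + longer[i + 1:] == shorter for i in range(len(longer)))


def classify(observed, protected):
    """Label an observed domain relative to one protected domain, or return None."""
    name, suffix = split_domain(observed)
    target, target_suffix = split_domain(protected)
    if name == target:
        return "exact" if suffix == target_suffix else "other-suffix"
    if is_substitution(name, target):
        return "substitution"
    if is_typo(name, target):
        return "typo"
    return None


def scan(observed, protected):
    """Return (observed, protected, label) for every non-exact hit."""
    pairs = ((o, p, classify(o, p)) for o in observed for p in protected)
    return [hit for hit in pairs if hit[2] not in (None, "exact")]
```

Substitution is checked before the typo rule, so a single look-alike character such as the "1" in tw1tter.com is reported as substitution rather than as a one-character typo.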
How domain squatting featured in the Conservative leadership contest
So what activity did we see in the 2022 Conservative leadership contest? Penny Mordaunt, Nadhim Zahawi, Rishi Sunak, and Liz Truss’s campaigns all featured some form of domain squatting, although there has been no acceptance of responsibility for this from any of the candidates’ camps.
According to viewdns.info, Rishi Sunak’s formal leadership campaign website domain ready4rishi.com was registered via GoDaddy on 6 July 2022, two days after he resigned as Chancellor. However, speculation has arisen as to how long Sunak’s camp was preparing for a leadership bid, after it was discovered that a similar website, readyforrishi.com, was registered on 23 December 2021 – at the height of Boris Johnson’s partygate scandal and more than six months before Johnson announced his resignation as Prime Minister.
When analysing complex financial situations for evidence of disinformation operations, Digitalis searches for ‘ghost architecture’, the sites and domains registered ahead of contentious situations that lie dormant, ready to be engaged to influence stakeholders when the time comes. Speculation regarding Liz Truss’s leadership ambitions was reported on in January this year, after journalists identified two websites of interest. Both inlizwetruss.com and inlizwetruss.co.uk were registered on 29 December 2021, again during former Prime Minister Boris Johnson’s tumultuous period. While Liz Truss’s formal campaign website was registered as lizforleader.co.uk on 8 June 2022, the activity follows the pattern of a classic domain squatting attempt to pre-emptively control potentially useful domains.
A far more brazen domain squatting activity occurred in relation to Nadhim Zahawi and Penny Mordaunt’s campaigns. Early on in Zahawi’s leadership bid, before he had created an official domain, he had tweeted using the hashtag #NZ4PM (Nadhim Zahawi for Prime Minister). Incredibly, when entering the URL NZ4PM.com, users were shown a holding page endorsing Penny Mordaunt for leader before being automatically redirected to her official website. A note on the page (see below) stated that the domain redirection was set up by “an anonymous Penny Mordaunt supporter”.
Digitalis continues to track the spread of state-sponsored influence operation techniques, and it is likely that examples of soft-influence methodologies will remain a feature of future leadership campaigns and elections. For those outside of politics, developing an understanding of the domain landscape well ahead of planned transactions is of paramount importance. Securing domains before malicious actors can use them to conduct influence operations is vital, and understanding the techniques employed by domain squatters will enable you to take steps to protect your business against such activity.