I. Trust but Verify: The U.S. Census Domain
Like many people, I recently received my U.S. Census request in the mail. Some probably opened it and did just as the form asked without question.
Based on my experience investigating phishing, however, I was initially apprehensive about following the instructions in the letter.
Sidebar:
This was a perfect moment to use advice from the “Stop. Think. Connect.” guidelines to avoid being duped by phishing or identity theft scams. The U.S. Census is a once-in-10-year opportunity to be defrauded similar to the annual tax season scams that are all too common. It’s worthwhile to visit the guidelines at stopthinkconnect.org for a refresher. Some of us might take for granted the protections afforded us by our office IT staff. Now that many of us are social distancing at home, the ever-pervasive cybercrime industry will be looking to take advantage of us.
Instead of asking me to visit a well-known web presence for their organization, like www.census.gov, the letter asked that I visit a single-purpose domain name, my2020census.gov. A unique response code was printed on my letter. Is it possible that someone put questionable content into my physical mailbox? Maybe I am just being paranoid.
Before responding, I wanted to verify if the response domain my2020census.gov was legitimate. I visited a website I already knew, https://www.census.gov, and looked for a reference to the domain in the mailing. Alternatively, one might search or browse for “is my2020census.gov legitimate?” for helpful answers, but the results might not be 100% trustworthy. Malicious information could come from a malicious advertising placement.
Looking at the census.gov web page I saw:
Nowhere on the page did I see “my2020census.gov”. When I clicked the “Respond” link on their homepage, it took me to “2020census.gov”. When I used the “Search” field to look for “my2020census”, I got only one search result leading to a press kit. While I find it odd that the domain name in their mailing was so minimally referenced, the domain does check out. The my2020census.gov domain appears legitimate. I filled out my form and the questions with my unique identifier sent in the mail.
In the coming days or weeks, people are likely to receive emails or even physical letters from shady characters as a premise to “phish” sensitive information from people who think that it is from the Census. They will assume that the government has a right to ask sensitive questions. If there is one takeaway from this blog post, it’s the following advice from their website: https://2020census.gov/en/avoiding-fraud.html:
My Census form asked me how many people live in my residence, home type, names, relationships, phone numbers, gender, birthdays, and race.
I then called a regional U.S. Census office to ask whether there were alternate Census forms asking for sensitive information. A representative told me that a small fraction of the population in the U.S. will get a more comprehensive “American Community Survey”. The rules are the same as the generic Census form though — they don’t ask anything related to blatant identity theft. [Note: For more information about the standard form and the ACS form, visit https://www.census.gov/programs-surveys/acs/about/acs-and-census.html]
II. Analyzing the my2020census hosting infrastructure
I asked myself some questions about how the domain and website was hosted beyond just “trusting the padlock.”
Q: Does the domain have a DNSSEC signature?
A: Yes, the main website is DNSSEC-signed dnsviz so stealing the domain would be more difficult than normal. Excellent.
Q: Does the domain have a SSL (Secure Sockets Layer) certificate?
A: The SSL certificate used by the server gets most web browsers to display an American flag to click on:
I don’t like the above statements because:
- The .GOV registry provides more municipal domain names (for example “www.ca.gov” or “sanmanuel-nsn.gov”) than U.S. Federal government domain names. Regardless, at least .GOV has a vetting process unlike other top-level domains.
- The “https://” really means that at least one of the certificate authorities used by your browser has signed the web server certificate – and that process is not invulnerable to hijacking. Still, at least the path between your browser and the target website is encrypted, so it’s harder for an entity in the middle to intercept the information you type in.
If I click on the padlock and actually look at the certificate details, it appears to be signed by GeoTrust/DigiCert, a U.S. company that has been a leader in the industry. The certificate authority is not in a foreign country or without a significant presence. The certificate details even match those of www.census.gov. As much as we appreciate Let’s Encrypt or cheap SSL certificates available for our domain registrars, I would expect major brands, including the U.S. Government, to spend some money every year to have an extended validation certificate for their mass-market web presence.
Q: Where are the nameservers for the domain?
A: The nameservers for the domain are at Akamai (*.akam.net) as well as the IP address.
$ dig +short my2020census.gov ns a1-22.akam.net. a16-67.akam.net. a3-65.akam.net. a28-64.akam.net. a10-65.akam.net. a11-66.akam.net. $ whois 104.106.41.65 | grep Organization Organization: Akamai Technologies, Inc. (AKAMAI)
This is all normal for a high-profile website and seems to be a precaution against DDoS or network attacks or overwhelming demand. Again, excellent.
III. What other my2020census domains are out there?
A: If someone were to try look-a-like or typosquatting domains, they’d use a similar name under a different registry or subdomain. Here’s a quick query to try in Farsight DNSDB (request a free trial here):
$ dnsdbq -r my2020census.\*/NS
Most of the results (my2020census.{co,net,site,info,news,…etc…}) appear to be domain parking search pages run by Network Solutions. The motive behind the registration and parking of these domains seems suspicious.
A couple of the names (“my2020census.com”, “my2020census.net”) are registered as placeholder websites with nameserver entries under census.gov. The website they direct people to has some simple legitimate retro content:
That seems like a more trustworthy to approach than domain parking.
Performing a linear search through some Farsight DNSDB data, I found:
my2020censusgov.com wwwmy2020census.com
The registrar for those two domains is Dynadot with some hidden administrative contact information:
Registrant Email: [email protected]
Looking for off-by-one names in Farsight’s real-time passive DNS data streams, I found:
mt2020census.com (Dynadot/privacy) my2020cencus.com (Dynadot/privacy) my2020censusweb.com (NetSol parking) my2020cnsus.com (Dynadot/privacy) mymy2020census.com (NetSol parking) my2020censusgov.com (Dynadot/privacy)
It looks to me like only domain parkers and typoquatters are at work on this domain so far.
Here’s an interesting domain I saw in Farsight’s real-time passive DNS data streams:
ma2020census.org
It appears Massachusetts is actively branding their own census collection under their own sec.state.ma.us infrastructure. It’s confusing, though, and almost seems like a phishing campaign utilizing content or links that belong to the Census Bureau campaign.
IV. What’s Next
Any branding online can be abused – including the U.S. Census domain. My main concern is that an unsuspecting user may fall for a phishing attack thanks to a look-a-like or even a homoglyph domain.
While we ingrain “my2020census” into our collective memories, imagine what site people might instinctively try in 2030. Someone already has since my2030census.com has already been registered (again Dynadot). That bad faith domain looks like a good case for the Census Bureau to utilize ICANN UDRP.
[ Update: While writing this article, I found that Brian Krebs had a similar observation about the American flag and text seen in some browsers. ]
Eric Ziegast is a Distinguished Engineer with Farsight Security®, Inc.
