
Sometimes Disinformation Campaigns Are All Bloom and Gloom

The US presidential election has dominated the news cycle in 2020, playing second fiddle only to the coronavirus pandemic. So naturally, we wanted to ask questions and get answers by taking a closer look at our data during the run-up to election day. In true DomainTools fashion, we decided to ask a particularly hard question that has no readily apparent answer. Specifically, “Is there a way to look at our data in order to reliably detect and characterize election-related disinformation campaigns, viral misinformation, or fraud?” A repeatable answer to this question undoubtedly involves many pieces, probably a large number of moving parts, and perhaps a bit of luck.

We know that one moving piece of the disinformation puzzle is related to the orchestrated creation of infrastructure built up around a central narrative. This infrastructure may materialize as an army of Twitter bots, a gang of Disqus trolls, or a cluster of newly registered domains all sharing a specific theme. Unfortunately, identifying the latter can be like looking for a needle in a field of haystacks. One nascent DomainTools project seeks to make this process easier by identifying outliers in domain registration patterns.

What are Domain Blooms?

Specifically, Domain Blooms looks for spikes in the number of domains registered that center around a common theme. Some themes are benign and indicate things like SEO campaigns or domain squatting. But some themes, especially those that center around an ongoing contentious topic, can be used to identify infrastructure that points to a broader component of the disinformation puzzle.

These domain “blooms” can be short-lived, burning out in just a day. Or they may last much longer, perhaps a month or more depending on the topic, dominant narrative, and news cycle. If one were to graph these blooms, they would appear as a spike that coincides with a specific day or dates powered by a spate of theme-based registrations.
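One way to surface the kind of spike described above, as an added example that is not DomainTools' method or code: count daily registrations containing a term, flag days far above a trailing median baseline, and merge adjacent flagged days into one bloom. The feed, the term `topicword`, and the thresholds (`window`, `k`, `min_count`) are constructed assumptions.

```python
from collections import Counter
from datetime import date, timedelta
from statistics import median

def daily_counts(registrations, term, start, end):
    """Per-day count of registered names containing `term` (case-insensitive)."""
    hits = Counter(day for day, name in registrations if term in name.lower())
    span = (end - start).days + 1
    return [(start + timedelta(d), hits[start + timedelta(d)]) for d in range(span)]

def find_blooms(series, window=14, k=6.0, min_count=5):
    """Return (first_day, last_day, total) for each run of anomalous days.

    A day is anomalous when its count is at least `min_count` and exceeds
    median + k * max(MAD, 1) of the last `window` non-anomalous days.
    """
    baseline, blooms = [], []
    for day, count in series:
        recent = baseline[-window:]
        if len(recent) == window:
            med = median(recent)
            mad = median(abs(c - med) for c in recent)
            if count >= min_count and count > med + k * max(mad, 1):
                if blooms and (day - blooms[-1][1]).days == 1:
                    first, _, total = blooms[-1]  # extend a multi-day bloom
                    blooms[-1] = (first, day, total + count)
                else:
                    blooms.append((day, day, count))
                continue  # keep bloom days out of the baseline
        baseline.append(count)
    return blooms

def sample_feed():
    """Constructed feed: 1-3 matching names a day, plus a two-day burst."""
    start, feed = date(2020, 1, 1), []
    for d in range(30):
        day = start + timedelta(d)
        n = {20: 40, 21: 25}.get(d, 1 + d % 3)
        feed += [(day, f"topicword-{d}-{i}.example") for i in range(n)]
        feed.append((day, f"unrelated-{d}.example"))
    return feed

if __name__ == "__main__":
    series = daily_counts(sample_feed(), "topicword", date(2020, 1, 1), date(2020, 1, 30))
    for first, last, total in find_blooms(series):
        print(f"bloom {first} to {last}: {total} registrations")
```

Because flagged days are excluded from the baseline, a bloom that lasts for weeks stays flagged instead of becoming the new normal.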

COVID-19 Related Domain Blooms

COVID-19 is the quintessential example of a domain bloom. The chart below shows that in early February there was a large spike in COVID-19 related domains being registered, followed a few weeks later by an unprecedented, massive spike in domain registrations that was sustained throughout the month of March.



Reopen Domain Blooms

As the COVID-19 bloom was dying down in early April 2020, another domain bloom started to take off, this one centered around the “reopen” theme in response to a movement to end social distancing.



Domain Blooms Associated with the 2020 National Election

And so, while searching for Domain Blooms related to the upcoming election, we could not help but notice something that, for someone in the community, might be an “easy answer”: domain blooms were regularly emerging in response to current events. If a social media influencer mentioned a key phrase, we would see a spike in domain registrations following that phrase. It is said that a picture is worth a thousand words, so the following graphs will hopefully speak for themselves.



These two spikes represent domain blooms, specifically with the term “Biden.” On August 11th, Democratic presidential candidate Joe Biden nominated Senator Kamala Harris to be his running mate for vice president. Immediately, we see a spike in domain registrations containing the term “Biden.” A cursory look at these domains shows them to be Biden-Harris related, and unsurprisingly both for and against that ticket. But what happened in late October? If you remember, October 22nd was the date of the final presidential debate. At around the 20-minute mark, Joe Biden mentioned a novel term that had not really been heard before in this election cycle. That term was “Bidencare.” Within a day, we saw almost 200 domains being registered that referenced Bidencare in both supportive and disapproving ways.

Taking a look at terms related to President Trump also reveals intense interest in what he says, as well as what he does not say. During the first presidential debate on September 29th, debate moderator Chris Wallace asked the president if he would condemn white supremacy, with Vice President Biden prodding the president to condemn a group called “The Proud Boys.” The Proud Boys have pledged allegiance to President Trump, and some of their members have been arrested on charges of violence. Mr. Wallace asked the president if he would order the Proud Boys to “stand down,” and President Trump responded by saying, “Proud Boys, stand back and stand by.”

It would be an understatement to say that this heated exchange generated a flurry of domain registrations the following day containing the terms “proud”, “stand back” and “standby”. Some of these domains combine all three terms, others just use one or two of these terms. Interestingly, a few domains incorporate the phrase “stand down,” a term that the president was urged to say but never actually said. Hopefully, these charts show the intense interest around this exchange.





Further Domain Bloom Research

So, what does this all mean? Do these domain blooms represent the start of a disinformation campaign that will be controlled by a shadowy foreign government or domestic special interest group? Perhaps these registrations are being driven by those who wish to squat on the domain for political or financial reasons. Or it may simply be that a large number of people support their preferred group, candidate, or cause, and the spike in registrations is a reflection of that. As of now, the answers to these questions remain unclear, but DomainTools Research is diving deep into this quagmire of blooms to piece this puzzle together. We plan on following up on this post over the next few months with a series of deep dives into how Domain Blooms are identified, as well as an exploration into some of the more interesting blooms.