Trump-Related Domains and Subdomains Tracking Results
The January 6, 2021 US Capitol Riot was an unexpected event following the 2020 US election. The incident also made headlines around the world, prompting us to follow the trend of domain and subdomain registrations. linked to Trump. We also looked at two areas for Trump’s e-commerce stores that Shopify closed.
Closing of Trump’s online stores
Some entities have planned to withdraw their trade relations with Trump’s organizations. For example, Shopify announced on January 7, 2021 that it was shutting down two e-commerce sites owned by Trump Organization — trumpstore[.]com and shop[.]donaldjtrump[.]com. Indeed, visit the shop[.]donaldjtrump[.]com on Jan 19, 2021 still results in an invalid request error.
However, the Trumpstore domain[.]com is already operational since January 18, 2021. It was down from January 7 to 14, 2021 but was redirected to Trump[.]com / trump-store, according to photos taken by the Wayback Machine.
The website’s recovery occurred after its WHOIS records were changed on January 17, 2021, as revealed by the WHOIS history search. Specifically, the reporter’s contact organization has changed from The Trump Organization to DTTM Operations LLC. The change was also detected the next day by the Domain Research Suite (DRS) Registrant Monitor when we started monitoring DTTM Operations LLC.
The Trump-Linked Domain Name Trend
We have observed the trend of domain registrations related to Donald Trump over the past two weeks. Specifically, here are the types of domains included in the study:
- Typosquatting of domain names: We downloaded the weekly typosquatting data feed from January 4-10 and January 11-17, 2021. Next, we counted the number of domain names that contained the string “trump”.
- Subdomains: We have also retrieved all subdomains containing the string “trump” that were added to the Domain Name System (DNS) on January 6, 2021.
Typosquatting of domains
The domains retrieved by the Typosquatting data feed include those registered in bulk as well as other domains of similar appearance. Mass domain registrations of domain names containing the string “trump” began to decline a week or two after the US election on November 3, 2020..
None of the Trump-related domains registered in the weeks ending January 10 and 17, 2021, have been publicly registered under the Trump Organization or DTTM Operations LLC. Here are some examples of domains:
- bring back the trump[.]organization
- bring back the trump[.]store
- bring back the trump[.]shop
- donaldtrump[.]to win
- trumpinsurrection[.]X Y Z
The subdomain search returned 247 subdomains containing the string “trump” which made their way into the DNS as of January 6, 2021. These subdomains were linked to 74 domain names, all of which could not be attributed to Trump Organization or DTTM Operations LLC based on Bulk WHOIS Lookup Results. About 62% of domains, in fact, had WHOIS records drafted or protected by confidentiality.
Trump-related subdomains include these examples:
- trumpwon[.]make disappear[.]com
- only asset[.]I’m bleeding[.]report
- the trumpet[.]trumpsden[.]com
- trumpybot2[.]to replace[.]co
- American assets[.]land and air[.]video
- cpcontacts[.]asset2[.]torweb[.]to place
Based on the above analysis, it is possible that changes to the Trumpstore WHOIS record[.]com shows the organization’s response to the Shopify shutdown. It also wouldn’t be surprising if more areas of the Trump Organization ended up being transferred to DTTM Operations LLC. Additionally, the increase in the number of Trump-related typosquatting domains and subdomains that cannot be traced to Trump’s organizations could also suggest that domainers or even threat actors are profiting from the media tide.