“Any basic security audit would show the existence of these subdomains, and what servers they’re leading to. This is sloppy at best, and potentially criminally negligent at worst, depending on the traffic that is being run through these servers.”
In fact, the IP addresses associated with the fake subdomains are linked to an IP address for at least one domain previously used by hackers to deploy an “exploit kit,” a toolkit that exploits browser and plug-in vulnerabilities on a visitor’s computer to install malware, which can allow an attacker to steal a user’s passwords and logins or to take over the computer and gain access to the files on it.
Four years ago, the Trump Organization experienced a major cyber breach that could have allowed the perpetrator (or perpetrators) to mount malware attacks from the company’s web domains and may have enabled the intruders to gain access to the company’s computer network. Up until this week, this penetration had gone undetected by President Donald Trump’s company, according to several internet security researchers.
In 2013, a hacker (or hackers) apparently obtained access to the Trump Organization’s domain registration account and created at least 250 website subdomains that cybersecurity experts refer to as “shadow” subdomains. Each one of these shadow Trump subdomains pointed to a Russian IP address, meaning that anyone visiting one of them would be served by a machine at that Russian address. (Every website domain is associated with one or more IP addresses. These addresses allow the internet to find the server that hosts the website. Authentic Trump Organization domains point to IP addresses that are hosted in the United States or in countries where the company operates.)
The creation of these shadow subdomains within the Trump Organization network was visible in the publicly available records of the company’s domains.
Here is a list of the Trump Organization shadow subdomains: https://archive.is/3K42s
Two weeks ago, a computer security expert, who wishes to remain unidentified, contacted Mother Jones and provided the list of the shadow Trump Organization subdomains. He explained what he believed had happened. Some hacker—or group—had gained access to the Trump Organization’s GoDaddy domain registration account. Like many companies, the Trump Organization has registered a long list of domain names, many of which it has never put to use. Some examples: barrontrump.com, donaldtrump.org, chicagotrumptower.com, celebritypokerdealer.com, and donaldtrumppyramidscheme.com.
For each of over a hundred of these Trump domains, the intruder created two shadow subdomains, with the names of these subdomains generally following a pattern: three to seven seemingly random letters placed before the real domain name. Here are examples from the list: bfdh.barrontrump.com and dhfb.barrontrump.com; bfch.donaldtrump.org and bxdc.donaldtrump.org; cesf.chicagotrumptower.com and vsrv.chicagotrumptower.com; dxgrg.celebritypokerdealer.com and vsrfg.celebritypokerdealer.com; and bdth.donaldtrumppyramidscheme.com and drhg.donaldtrumppyramidscheme.com.
The available historical data for these shadow subdomains indicate most of them were created in August 2013. When they first were set up, the shadow subdomains were aimed at one of 17 IP addresses on a network that was based in St. Petersburg, Russia, and they were hosted on servers owned by a company called the Petersburg Internet Network, a server provider with a reputation for hosting nefarious actors.
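The “basic security audit” the expert refers to comes down to comparing every record in your own DNS zone against the netblocks your organization actually hosts on, and looking at what is left over. The script below is an added example, not code from the article or from anyone quoted in it. It parses a constructed zone export (the domain names and the RFC 5737 documentation addresses in it are made up for illustration; the real Trump Organization names and the Russian IP addresses are not reproduced here), flags every subdomain whose A record points outside an assumed allowlist of netblocks, and marks the three-to-seven-letter label pattern the article describes. The netblock check is the primary signal; the label pattern alone is weak, since many legitimate hostnames are also short lowercase words.

```python
"""Audit a DNS zone export for 'shadow' subdomains: A records that point
outside the netblocks the organization is known to host on.

Added example with constructed data. Names and addresses are hypothetical;
the addresses are RFC 5737 documentation ranges, not the ones in the article.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed zone export in "name TTL class type rdata" form.
ZONE_EXPORT = """\
www.example-org.com.        3600 IN A 192.0.2.10
mail.example-org.com.       3600 IN A 192.0.2.25
bfdh.example-org.com.       3600 IN A 203.0.113.7
dhfb.example-org.com.       3600 IN A 203.0.113.9
www.example-hotel.com.      3600 IN A 198.51.100.4
cesf.example-hotel.com.     3600 IN A 203.0.113.7
vsrv.example-hotel.com.     3600 IN A 203.0.113.12
shop.example-hotel.com.     3600 IN A 198.51.100.40
"""

# Hypothetical netblocks the organization hosts on. Anything else is suspect.
EXPECTED_NETBLOCKS = [ipaddress.ip_network("192.0.2.0/24"),
                      ipaddress.ip_network("198.51.100.0/24")]

# Hypothetical registrable domains the organization owns.
OWNED_DOMAINS = {"example-org.com", "example-hotel.com"}

# Three to seven lowercase letters: the label shape the article reports.
RANDOM_PREFIX = re.compile(r"^[a-z]{3,7}$")
# Common labels that match the shape but are not suspicious by themselves.
COMMON_LABELS = {"www", "mail", "ftp", "smtp", "shop", "blog", "cdn", "api"}


def parse_zone(text):
    """Return (fqdn, ip) for each A record; other record types are ignored."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[2] == "IN" and parts[3] == "A":
            fqdn = parts[0].rstrip(".").lower()
            records.append((fqdn, ipaddress.ip_address(parts[4])))
    return records


def split_owned(fqdn):
    """Return (label, parent) if fqdn sits under an owned domain, else None."""
    for dom in OWNED_DOMAINS:
        if fqdn.endswith("." + dom):
            return fqdn[: -len(dom) - 1], dom
    return None


def is_expected(ip):
    """True when ip lies in one of the organization's own netblocks."""
    return any(ip in net for net in EXPECTED_NETBLOCKS)


def find_shadow_subdomains(zone_text):
    """Group records pointing outside expected netblocks by parent domain,
    marking those whose label looks like a random short prefix."""
    findings = defaultdict(list)
    for fqdn, ip in parse_zone(zone_text):
        split = split_owned(fqdn)
        if split is None or is_expected(ip):
            continue
        label, parent = split
        findings[parent].append({
            "name": fqdn,
            "ip": str(ip),
            "random_prefix": bool(RANDOM_PREFIX.match(label))
            and label not in COMMON_LABELS,
        })
    return dict(findings)


def offending_ips(findings):
    """Distinct foreign IPs in numeric order, for a threat-intel lookup."""
    ips = {ipaddress.ip_address(f["ip"]) for fs in findings.values() for f in fs}
    return [str(ip) for ip in sorted(ips)]


if __name__ == "__main__":
    result = find_shadow_subdomains(ZONE_EXPORT)
    for parent, fs in sorted(result.items()):
        print(parent)
        for f in fs:
            tag = " (random-prefix label)" if f["random_prefix"] else ""
            print(f"  {f['name']} -> {f['ip']}{tag}")
    print("distinct foreign IPs:", offending_ips(result))
```

Run against a real zone, the list of distinct foreign IPs is the piece to check against hosting-provider reputation and passive-DNS history, which is how the article’s source tied the shadow subdomains to the St. Petersburg network and to a domain previously used for an exploit kit.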