From The Election Polls to Holiday Deals: Cybercriminals are Preying on Seasonal Trends For Their Own Gain

In July I published a blog on the DNSFilter website where I looked closely at our passive DNS data, highlighting early election trends in relation to threat domains.

Now that the election is in the rearview mirror, I thought it would be a good time to focus on the seasonal threats that have impacted Autumn 2024. The recent election brought a surge in online activity, with voters searching for reliable sources of information, donation sites, and real-time polling data. At the same time, with the holidays coming up quickly, we’re seeing heavy traffic to domains that indicate scammers are taking advantage of shopping trends—right on time, every year.

Here, we’ll take a look at those seasonal trends.

Election Traffic

DNSFilter’s first-party data analysis of election-related threat domains (including terms related to voting, ballot, polling, election, and politic) was concentrated in the following categories: New Domains, Phishing & Deception, and Malware categories. New Domains alone accounted for a significant percentage of requests, indicating new domain registration was directly meant to capitalize on the election. 

One particular domain with “vote” in the domain name was registered on June 4 and just three days later received the highest amount of traffic compared to any other domain analyzed in our data set. The peak was 27x above the daily average of domains with “vote” in the domain name over the last year. This domain was linked to by low-authority backlinks and is now parked—a suspicious profile often associated with deceptive practices. Another spike in traffic to this term occurred on September 18, which was 13x the daily average, with sustained traffic between September 17 and September 29 showing steady interest in voting-related domains in the lead up to the election.

When looking at domains with “polling” in the domain name, blocked request data reveals a pattern of heightened activity around late August 2024, with spikes reaching nearly 2,000% over the average of daily requests. 

On June 16, 2024, the Ballot category experienced an extraordinary peak, with requests surging 74x over the daily average. This dramatic increase stands out compared to other categories, suggesting a particularly intense interest or targeted activity around ballot-related domains. The June 2024 spike in ballot-related requests could align with a documented increase in phishing scams targeting voters. According to Fortinet's FortiGuard Labs, over 1,000 new election-themed, potentially malicious domains were registered in 2024, many of which aimed to deceive voters and donors through phishing schemes impersonating political campaigns and fundraising platforms. These efforts included darknet listings of phishing kits designed to harvest sensitive data from individuals interested in election-related content, a trend that coincides with the significant increase in ballot-related domain traffic observed on June 16​. Election cybersecurity threats were widespread over the last year, but it wasn’t just the broad strokes.

Candidate and Party Comparison Traffic

During major political events, we see a recurring pattern of malicious activity centered around high-profile names and terms. Our network data reveals significant spikes in traffic to malicious sites following key dates, particularly around the Democratic and Republican National Conventions. For instance, on August 26, just days after the Democratic National Convention, there was a major spike in activity targeting the term “Walz.” Interestingly, much of this traffic directed users to a deceptive site that appeared to be anti-Walz but was actually launched by democrats and was not in fact anti-Walz in nature.

Similarly, searches involving “Kamala” surged twice—once on August 22, the final day of the DNC, and again on September 6, indicating persistent interest in leveraging her name for malicious purposes. Activity around “Trump” showed a substantial spike on July 17, right in the middle of the Republican National Convention, with the most trafficked domains being newly registered in June and July of 2024. This trend underscores how threat actors continue to exploit politically charged moments, registering new domains in anticipation of increased attention and vulnerability among audiences. The recurrence of these patterns during election cycles highlights the need for vigilant cybersecurity strategies around major political events.

When emotions run high, and time is of the essence, humans make “forced” decisions, and this is what all the cyber threats prey on.I’ve seen people so focused on buying something online that they ignore all the security warnings. Elections are like that, people are so focused on their candidates winning that they will do what it takes to support them.

Which brings me to my last topic…

Seasonal Shopping and Holiday Scam Domains

As the holiday season draws near, we observe a predictable surge in shopping-related cyber threats related to holiday scam sites, particularly tied to domains leveraging the TLDs (top level domains) “.deals” and “.shop.” Cyber Monday scam domains and Black Friday cybersecurity threats are a high risk to shoppers in the upcoming weeks.

Of the malicious domains that leverage the “.shop” TLD, almost 50% of them are flagged as phishing attempts and another 35% categorized as new domains on our network. These threats began rising as early as August, reaching a significant peak in September, and intensify as we approach key shopping days like Black Friday and Cyber Monday.

Historical data underscores the intensity of these threats. For example, in 2023, we saw a 34-fold spike in traffic to a phishing domain with “cybermonday” embedded in its name on Cyber Monday, preceded by a 15-fold increase on Black Friday. This spike highlights the enduring risk these domains pose, with some remaining active well beyond the holiday season, continually targeting unsuspecting shoppers. As threat actors repeat these tactics annually, it’s critical to maintain robust awareness and security measures to navigate this high-risk period safely. Keep an eye out for fake online stores during this time of year, and rely on trusted sites.

Final Thoughts

When it comes to staying secure online, it goes beyond the election and the holiday season. You want to be safe all year. Organizations should practice the fundamentals for their end users, and individuals should be more cyber aware in every interaction. Take those steps and you won’t have to stay hyper-vigilant during high-risk periods, you’ll already be set up for success.

As you can see from some of the data we have published here, we can see a lot of these threat actors and their tactics well before you may or may not click on these links. At DNSFilter, we're actively identifying and blocking these threats before users even encounter them. Our technology intercepts harmful connections at the DNS level, stopping users from accessing known malicious sites. With real-time insights into evolving tactics, we’re committed to staying a step ahead, safeguarding users from threats tied to social and political events. By continuously educating and protecting users, we can help foster a safer online environment during election seasons and beyond.