Wednesday, 23 April 2025

Brand Monitoring Data-Niblet #4: DOGE/MAGA

The latest in the long line of high-profile entities finding themselves subject to impersonation for the purposes of fraud is (perhaps predictably) the US 'Department of Government Efficiency' (DOGE), often referenced in conjunction with Trump's MAGA ('Make America Great Again') tagline. 

One recent report[1,2] concerns an SMS (text-message) scam that purports to offer government payouts but is actually intended to collect user credentials and/or donations (Figure 1). 

Figure 1: An SMS-based DOGE impersonation scam

In this case, the homepage of the 'MAGA'-specific domain name used in the scam resolves to a page stating that the site has been configured as a URL-shortening service. This has three consequences: the scam-specific content, buried on a specific URL, is potentially harder to detect; the same site can potentially be used to launch multiple scams; and the content can be hosted, via a re-direct (as used in this case), on an arbitrary separate site.

Screenshots of the destination page of the link in the SMS message are shown in Figure 2.

Figure 2: Screenshots of the destination page of the link in the SMS message shown in Figure 1

Unsurprisingly, this is far from an isolated case. There are over 38,000 gTLD domains with names beginning with 'doge' or 'maga'. With a view to identifying those most likely to be associated with the above types of scams, it is instructive first to remove any obvious false positives: domains containing 'magasin*', 'magazin*', 'magazijn' or 'magazzin*', and any with names containing 'coin', which are more likely to pertain to crypto-related content (or to scams specifically associated with this)[3]. This still leaves over 28,000 domains - a testament to the high profile of DOGE and MAGA and the range of ways in which they are referenced online. Accordingly, it is helpful to employ an 'inclusional' filtering approach, and consider only those domains with names that also explicitly contain 'gov', 'usa', 'maga(-)us' as an explicit string, 'fund', 'pay' or 'check' - leaving a dataset of 378 examples.
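The two-stage filter described above can be expressed as a short script. This is an added example, not the author's own tooling; it assumes the filters are applied to the second-level label of each name, and the `.example` entries in the sample list are constructed for illustration.

```python
import re

PREFIXES = ("doge", "maga")  # names "beginning with" these strings
# Exclusion stage: shop/magazine/warehouse words and crypto 'coin' names.
EXCLUDE = re.compile(r"magasin|magazin|magazijn|magazzin|coin")
# Inclusion stage: 'maga(-)us' is read as 'magaus' or 'maga-us'.
INCLUDE = re.compile(r"gov|usa|maga-?us|fund|pay|check")

def name_label(domain):
    """Second-level label of a (possibly defanged) domain.
    Assumption: the TLD is a single label, as for the gTLDs in the article."""
    host = domain.replace("[.]", ".").strip().lower().rstrip(".")
    return host.rsplit(".", 1)[0].split(".")[-1]

def classify(domain):
    name = name_label(domain)
    if not name.startswith(PREFIXES):
        return "out_of_scope"
    if EXCLUDE.search(name):   # exclusions are applied first, as in the article
        return "excluded"
    if INCLUDE.search(name):
        return "candidate"
    return "remainder"         # on-brand prefix but no scam-related keyword

def triage(domains):
    """Group domains by classification for review."""
    buckets = {}
    for d in domains:
        buckets.setdefault(classify(d), []).append(d)
    return buckets

SAMPLE = [
    "dogegrantfunding[.]com",   # from the article
    "dogeusataxes[.]com",       # from the article
    "maga-us[.]com",            # from the article
    "magaus[.]org",             # from the article
    "magasin-paris.example",    # constructed: 'magasin*' false positive
    "dogecoinpay.example",      # constructed: 'coin' exclusion wins over 'pay'
    "dogelover.example",        # constructed: prefix only, no keyword
    "notrelated.example",       # constructed: wrong prefix
]

if __name__ == "__main__":
    for bucket, names in triage(SAMPLE).items():
        print(f"{bucket}: {', '.join(names)}")
```

Names in the "candidate" bucket correspond to the reduced dataset that is then checked for live content and MX records.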

Of these, 259 resolve to live website content (though noting that the others may also be in active use for phishing, etc. in cases where active MX records are present) and 101 have 'non-zero' webpage titles for their homepage.

Amongst these live sites, there are a number of examples of potential concern, in addition to a range of examples that are currently low-threat (e.g. placeholder pages) but which have the potential to be activated in the future. 

The content of the sites covers a range of different categories, including e-commerce sites for DOGE/MAGA-themed merchandise (dogegovapparel[.]com, dogegov[.]store, magamanusa[.]net), informational sites (dogegovmap[.]com, dogetaxpayersavings[.]org, doge-gov[.]com, dogegov[.]com, dogegovapp[.]com, dogegovlive[.]com), instances of false affiliation or misdirection to other types of content (dogecasinousa[.]casino, dogepayments[.]tech), and yet more crypto-related material (dogegovtrx[.]vip, dogegov[.]xyz, dogegovprogram[.]com, dogeusa[.]pro, dogeusa[.]com). However, other apparent scam sites similar to the example reported at the outset were also identified (Figure 3), in addition to another, potentially real site (magalegaldefensefund[.]com), re-directing to a GoFundMe page soliciting donations to fund the cases being brought by Trump against various legal entities! Furthermore, in addition to magaus[.]net, three further domains (magaus[.]org, magaus[.]info and maga-us[.]com) were found to have been configured to serve as URL-shorteners and may have further active scams associated with them.

Figure 3: Other live examples of apparent DOGE-related scam websites - dogegrantfunding[.]com, dogeusataxes[.]com

References

[1] https://www.linkedin.com/posts/activity-7320163174064803840-QCeO

[2] https://www.linkedin.com/posts/ayelet-biger-levin_scamprevention-ugcPost-7320165631750770691-I0oJ

[3] https://www.iamstobbs.com/opinion/january-scams-surrounding-the-fall-and-rise-of-tiktok-and-trump

This article was first published on 23 April 2025 at:

https://www.linkedin.com/pulse/brand-monitoring-data-niblet-4-dogemaga-david-barnett-czlke/