In a practice referred to as "typo squatting," people not connected to campaigns can buy rights to Internet addresses with candidates’ names misspelled and use them to malign, mock or steal from contenders.
"You can guarantee that more of these will become common in future elections," Oliver Friedrichs, director of emerging technologies at Symantec’s security response unit, said while detailing such attacks at a premier Black Hat conference in Las Vegas.
"More than likely the people who do this are the extremists or people who are in it for a profit. Campaigns need to become more aware of these kinds of attacks."
For example, a Symantec check in February revealed that 47 out of 160 variations on "www.barackobama.com" were being "typo-squatted."
Ironically, one squatter’s web page featured a legitimate Obama ad.
"Obama is paying for advertisements, through Google, on a site that is a typo-squatter on a domain name the Obama campaign should own in the first place," Friedrichs said.
"Campaigns are spending a lot on online advertising and some of this money is really being misspent and going to typo-squatters."
Some typo-squatters use the web pages to mock or deride candidates. A "hillaryclingon.com" website poked fun at her and other candidates by depicting them as characters from "Star Trek" films and television shows.
"Typoed" web pages can be used to spread false announcements, such as a candidate withdrawing from a race, or tell stories of scandals that don’t exist.
A candidate who has dropped out of the US presidential race was accused of being an animal killer on a typo-squatted website.
Malicious software secretly planted in computers of people who visit squatted websites could reveal where they go online or even take control of machines.
"If I want to attack supporters of a particular campaign I can easily put malware on my site," Friedrichs said of typo-squatters.
"You can target candidates, cause confusion, pop-up ads, or re-direct computers when they try to log on to a candidate’s website."
Typo-squatters can create realistic-looking campaign websites and take donations, keeping the cash and using credit card information for further fraud.
Online donations intended for one candidate could be routed to an opponent without donors knowing.
Once someone owns a website based on a typo, they can also intercept and redirect similarly misaddressed emails.
Campaign emails containing speech drafts, contributions, or strategy notes could be intercepted due to errant keystrokes while typing addresses, according to Friedrichs.
"This is a serious problem that spans not only campaigns but every company with email," Friedrichs said.
"Even more scary, we went and looked at defense contractors and found a typoed domain routed to India and another routed to China."