When some people think of cybersecurity, they envision dimly-lit rooms filled with glowing monitors staffed by FBI agents sleuthing scam artists and offshore bank accounts. While this may be the sharp end of the stick for cyber criminals, a significant, albeit less visible role is played by brand owners pursuing domain name enforcement efforts such as filing complaints under the UDRP or URS.

Over the years, I’ve had the opportunity to file a number of such cases where an infringing domain was used to try and perpetrate some sort of online scam. The variety and scope of these is quite wide and they are often quite instructional on how to best avoid becoming a victim.

The Free Gift Card Scam

One of the more common online scams involves using an infringing domain name to host a website that claims to offer a free gift card to a famous retail store.

In one case, this offer was made in exchange for users filling out a “survey” about the Twitter social media platform. The website, at <tiwtter.com>, alternated between attempting to deliver malware, hosting pay-per-click links, and redirecting to survey websites. These surveys are really just a pretext because, at their completion, users are asked to input their email addresses, names, postal addresses, phone numbers, and other personal information in order to receive their prize. The surveys are often rather long and, as a result, many users feel particularly motivated to complete the informational form with the hope of getting their hard-earned gift card. Unfortunately, there is no gift card and the gathered information is then sold to spammers, credit card thieves, and others perpetrating various forms of identity theft. In this case, Twitter obtained an order that the domain be transferred and it recovered an important typosquatted defensive domain name in the process.

The “Whaling” Technique

Another growing form of cyber fraud is what has become known as “whaling.” This is similar to “phishing” except that, instead of seeking to steal from an individual internet user, the perpetrator is out for a big score from a major corporation or its senior officers.

The famous French-based retail chain Carrefour got hit by one of these scams. About 240 of the Complainant’s employees received  emails from an address using the domain <webmail-carrefour.com> requesting that they go to a fraudulent website that was imitating Complainant’s official website and enter their login and password. A UDRP case was filed and the Panel found that these actions demonstrate identity theft (which meant that the Respondent did not establish rights or legitimate interests in the disputed domain name) and that the name had been registered primarily for the purpose of defrauding the Complainant’s consumers and employees into revealing personal and financial information (which clearly showed registration in bad faith).

The Use of a “Clone Firm”

Finally, there is a type of fraud known as “cloned firms”, in which the identity of an existing person or company is copied in order to give the appearance of trustworthiness or legitimacy, and thereby used to trick customers, business partners, and even investors. One recent case involved the famous currency market Forex Capital Markets, which owns the trademark FXCM.

A website at the domain <fxcmanagement.com> was created by a company using the name FXCManagement. This “clone” site featured the phrase “FXCM money management discover your potential” but was, in reality, set up by an unauthorized investment firm. The unauthorized firm approached customers posing as a foreign subsidiary of Complainant’s business. An email address at the same domain was used to further support its story. Citing these facts, the Panel in this UDRP decision found in favor of the Complainant on all three elements of the UDRP Policy and the domain was ordered to be transferred, thus shutting down the scheme.

Given the time it takes to go through the UDRP process, this may not be a weapon of first defense against online fraud; however, it can be quite useful to ensure that the domain is transferred to the brand owner and never used in connection with cybercrime again. Some companies have even used a combination of the much faster URS to get the domain shut down (sometimes within a week or two) followed by a UDRP complaint to get the domain transferred. In any case, these are tools which are currently being used to good effect and can form a part of a brand owner’s cybersecurity arsenal.

Steve Levy
Domain Disputes as a Cybersecurity Tool

Leave a Reply

Your email address will not be published. Required fields are marked *