The rise of cybersquatting and trademark infringement in the digital space
How to detect, prevent and combat malicious cybersquatting, typosquatting and trademark infringement.
Cybersquatting, also known as URL hijacking, usually leads to a form of corporate extortion. A domain name that is potentially valuable to a target company is purchased and offered to the target at a highly inflated price.
A typical recent example followed the 30 September 2017 registration of cybfx.co.uk by a cybersquatter named Eric Cheng, living in Beijing. Cheng registered the domain after the Scottish Clydesdale Bank introduced an online cyber foreign exchange service (CYBFX) with the same name. The bank trademarked the name but omitted to register the domain. The squatter immediately registered cybfx.co.uk and offered it to the bank for £95,000.
The extortion element occurs because the owner of the domain name can redirect traffic anywhere he or she chooses. In this case it was being redirected to other financial services websites. It could equally be used for delivering malware to visitors or as a phishing site, victimizing the visitors and damaging the Clydesdale brand.
In this instance, the relevant domain registrar (Nominet) ruled in its dispute resolution service (DRS) that this was an ‘abusive registration’, and transferred control of the domain name to Clydesdale Bank on 14 February 2018.
Typosquatting is different, and potentially more dangerous to a far greater number of internet users. It is the deliberate registration of look-alike domain names that can be misread in phishing emails or mistyped in general surfing. They are impostor domains.
These impostor domains can serve two purposes. First, they gain the traffic of anyone making a small error when attempting to visit a legitimate website – this is a drive-by attack. This can allow the squatter to bombard visitors with monetized advertisements, socially engineer personal information, or attempt to deliver malware to their system.
Second, the squatted domains can be part of an email phishing attack where the attacker attempts to link potential victims to a bad domain. When clicking a link to the fake website, an inattentive user might not notice the small errors in the URL they're expecting to visit.
Typosquatting and phishing often go hand-in-hand, as attackers need a convincing website to trick victims into divulging personal data, or as a vector for drive-by malware downloads.
Consider, for example, a hypothetical financial site named BestNewCashCow.com. A typosquatter could register an alternative BestNevvCashCow.com. The latter is easily mistaken for the former; and people looking for an online loan – and expecting to provide personal financial details – might find themselves handing that data to a criminal.
The second category of typosquatting relies on genuine misspellings in the browser’s URL bar. Goggle.com takes you (at the time of writing) to https://www.your-surveys.com/routing. Gooogle.com, however, is controlled by Google and redirects you to Google.com. This shows both the problem and potential solution for typosquats – big companies need to get control of their most common typos.
[Image: Real-time monitoring for all newly registered TLDs in all zones by ImmuniWeb® Trademark Monitor]
Malicious Domains in the Real World
HMRC (the UK’s tax office) filed a cybersquatting case against the Panama-based Whois Foundation (which has no relation to any WHOIS domain lookup tool) in November 2017. Whois Foundation had registered four domains; hdmrc.co.uk, hmrc-onlines.co.uk, hmrcsubmitareturn.co.uk and hmrc-tx.co.uk. These were ruled abusive registrations and ordered to be transferred to HMRC in January 2018 – but Whois Foundation has had four more cases filed against it in the Nominet DRS since then.
HMRC is one of the most scammed and phished brand names on the internet, with scammers constantly trying to persuade gullible Brits to send their financial details to cybersquatting criminal websites. The same principle will apply to every national tax office around the world.
Neutralizing a cybersquatter requires positive action by the trademark holder. If a company isn't aware that they're being targeted by a squatter, there's nothing to protect against the malicious domains.
A user named Hacktask published several similarly-named packages, which served to send data back to his own servers when users downloaded the malicious packages by mistake.
It is impossible to quantify the full extent of the typosquatting problem – suffice it to say that it is almost certainly far more widespread than you think.
According to research by security company Webroot, 2017 saw approximately 1.5 million new phishing sites being created every month. Not all are typosquatting sites. Webroot states, “Phishing sites… hide behind benign domains [typosquatting included] and obfuscate true URLs, carrying more malignant payloads, and fooling users with realistic impersonated websites.”
Financial institutions and technology companies were the most frequently impersonated, with Google alone accounting for 35% of all impersonated websites.
Traditional typosquatting with visible but easily misread domain names thrives in the top-level domain realm. The dot-cm (Cameroon) suffix is a good example. AnyName.com can be, and is, easily mistyped as AnyName.cm.
Research from Brian Krebs suggests that in the first quarter of 2018, typosquatting dot-cm websites were visited by 12 million users, “or almost 50 million hits per year,” he wrote.
The problem isn’t limited to dot-cm. In June 2017, the security researcher using the handle ‘x0rz’ examined the use of typosquatting for delivering waterhole attacks (that is, leaving a malicious or compromised website to simply wait for casual or careless visitors).
To dot-cm he adds dot-co (Colombia), dot-om (Oman), dot-ne (Niger, for dot-net domains), and dot-et (Ethiopia) as potential subject matter. For his experiment he used dot-co. He acquired 8 dot-co sites with the same primary name as popular sites.
Over a period of 40 days, he writes, “I got 1,765 page requests counting 916 unique IP addresses (approximately 23/day) landing on the watering hole server. Looking at the User-Agents, those were actual browsers – people manually typing the URL on the address bar and got the domain wrong, it works!”
It’s not just country-code top-level domains: generic TLDs (gTLDs) with no national specification (such as dot-biz and dot-info) are also abused for both typosquatting and cybersquatting. The World Intellectual Property Organization, WIPO, had a record-breaking quantity of cybersquatting cases in 2017. Of these, over 12% were related to new gTLDs, especially dot-store, dot-site and dot-online. WIPO handled a total of 3,074 cases from trademark owners in 2017, covering 6,370 disputed domains.
“The biggest concern,” comments Ilia Kolochenko, CEO of High-Tech Bridge, “is that relatively harmless techniques such as typosquatting and cybersquatting are now being aggressively used in pair with phishing and drive-by-download attacks.”
[Image: Global brands most targeted by cybersquatters and cybercriminals]
Recourse against cybersquatting and typosquatting
The primary recourse for victims of cybersquatting is to use the domain registrar's dispute resolution service (DRS). For gTLDs operated under license to ICANN, this would be ICANN's Uniform Domain Name Dispute Resolution Policy (UDRP). For national domain names, this would be the primary domain registrar's own DRS (such as Nominet in the UK, and Verisign for .com domains).
This does not preclude the possibility of legal action in the courts, but is likely to be quicker and cheaper.
The registrar will use an independent adjudicator to examine whether the disputed site is an 'abusive registration'. This includes registration for the primary purpose of selling on at an inflated price (typical cybersquatting), disruption to the complainant's business (typical typosquatting) and so on. If the complaint is undisputed (as in the Clydesdale Bank example), the adjudicator can make a summary decision. If disputed, the adjudicator will examine the arguments before coming to a binding decision. In the UK, the former will cost the complainant £200, while the latter will cost £750.
If the complainant wins the argument, the registrar is able to transfer ownership of the domain name to the complainant.
There may also be legal action possible through the courts - for example the Anticybersquatting Consumer Protection Act (ACPA) in the U.S. and national trademark laws. Legal advice will be necessary if this direction is taken.
Clydesdale Bank won a successful DRS claim against Eric Cheng. DRS does not offer the financial remedy that can be sought in a court of law. Legal action can be time-consuming, complex and costly, and does not guarantee success - each case is decided on its own merits. WIPO refused to allow rockstar Sting to gain control over Sting.com because the word is too generic. Bruce Springsteen failed to gain BruceSpringsteen.com because the defendant showed it to be a fan club that did no harm to the singer.
In one very famous case, Microsoft was forced by public opinion to abandon its attempts to wrest MikeRowesoft.com from its owner, teenager Mike Rowe. Nevertheless, successful lawsuits can result in high financial awards. In one current case, cyclist Greg Lemond is claiming $6.6 million – and has already won a preliminary injunction.
Under ACPA, plaintiffs may seek between $1000 and $100,000 per domain name. Greg Lemond has a complaint against 66 different domains that he claims are cybersquatting.
For general users, cybersquatting and typosquatting are rarely a huge concern. Using bookmarks and search engines rather than directly navigating via typing the URL into the browser will prevent accidental visits to typosquatted domains, and standard self-protection advice for phishing applies.
For trademark owners being made the victim of a squatter, however, the problem becomes more complex. It can be difficult to know when a domain is being targeted, and manual checking of any typosquattable domains is time-consuming and relies heavily on guesswork.
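The look-alike, mistyped-name and mistyped-suffix patterns described in this article can be checked mechanically against a feed of newly registered domains. The following Python is an added example, not code from the article or from any product it mentions; the function names, the sample feed and the look-alike pairs other than vv/w are assumptions, and inputs are assumed to be registrable domains without subdomains.

```python
# Added example. Suffix pairs are the article's (.com -> .cm/.co/.om, .net -> .ne/.et).
TLD_TYPOS = {"com": {"cm", "co", "om"}, "net": {"ne", "et"}}
# "vv" for "w" is the article's example; the other pairs are assumed additions.
LOOKALIKES = [("vv", "w"), ("rn", "m"), ("0", "o"), ("1", "l")]

def split_domain(domain):
    """Split 'name.suffix' at the first dot, so 'co.uk' stays one suffix."""
    name, _, suffix = domain.lower().strip(".").partition(".")
    return name, suffix

def normalize(name):
    # Collapse look-alike sequences to the character they imitate.
    for fake, real in LOOKALIKES:
        name = name.replace(fake, real)
    return name

def one_edit_apart(a, b):
    """True for one inserted, dropped, substituted or adjacent-swapped character."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1                                  # skip the common prefix
    if len(a) < len(b):
        return a[i:] == b[i + 1:]               # b has one extra character
    swapped = a[i:i + 2] == b[i:i + 2][::-1] and a[i + 2:] == b[i + 2:]
    return a[i + 1:] == b[i + 1:] or swapped    # substitution or adjacent swap

def classify(candidate, protected):
    """Return the techniques that relate candidate to protected ([] if none)."""
    (c_name, c_tld), (p_name, p_tld) = split_domain(candidate), split_domain(protected)
    findings = []
    if c_name != p_name:
        if normalize(c_name) == normalize(p_name):
            findings.append("lookalike")
        elif one_edit_apart(c_name, p_name):
            findings.append("one-char-typo")
    if c_tld in TLD_TYPOS.get(p_tld, ()) and (findings or c_name == p_name):
        findings.append("tld-typo")
    return findings

# Constructed sample feed of newly registered domains (not real observations).
FEED = ["bestnevvcashcow.com", "bestnewcashcow.cm", "bestnewcahscow.com",
        "bestnewcashcow.com", "unrelated-shop.net"]

def scan(feed, protected):
    """Map each suspicious domain in feed to its findings."""
    return {d: f for d in feed if (f := classify(d, protected))}
```

Calling `scan(FEED, "BestNewCashCow.com")` returns only the three imitating domains, each labelled with the pattern that matched, which gives a trademark owner a short list to review or take to a DRS.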
To help legitimate domain-holders, High-Tech Bridge has created the free ImmuniWeb® Trademark Monitor. The monitor provides instant, intelligent scanning of any domain to discover cybersquatting, typosquatting and phishing issues, or any form of domain misuse. Radar has already analyzed over 1 billion domains since its launch in 2016, and provides real-time reports on domains and subdomains being targeted.
“At High-Tech Bridge,” says Kolochenko, “as a part of our continuous effort to make the Web safer, we have created ImmuniWeb Trademark Monitor to enable anyone to track illicit activities against a brand or a domain name.”