Brand Protection in the domain name space.

On the interplay of defensive registrations, active monitoring and offensive enforcement to protect your brand online.

Managing your reputation online is a complex undertaking for any popular brand. There are dozens of variables that determine what the best brand protection approach is for your specific setup. For B2C, choosing the right tone of enforcement letters is paramount, for highly regulated environments such as pharmaceuticals, knowledge of national legislation in advertising and distribution is a must, for the financial sector security is of higher priority and so on.

In this article, we look at the benefits and drawbacks of defensive registrations, active monitoring and offensive enforcement, so you, as a brand protection professional, can deliberate on how much of each tactic you want to apply for your brands optimal protection in the domain name space.

A) Defensive Registrations

Defensive domain registrations are domains under your management that were registered with the intent of proactively blocking 3rd parties from registering those domain names.

If you register a domain with the intent of actively using the domain now or in the future, we would not categorize that registration as defensive.

Considerations on the size of your defensive portfolio contain reflections on 

1. a) Competitor-Factor: how much would it bother you, if a competitor e.g. with the same trademark name in a different class, would register the domain.
2. b) Likelihood of confusion: How likely is the domain to confuse your audience, when registered by a third party, in particular in regards to use in phishing email.
3. c) Enforceability: How difficult will it be to attack the registration in case a third party would decide to register the domain in bad faith.
4. d) Cost of domain extension. The obvious.

In regards to your competition, we advise ambitious global brands to register your brand name in all geographies where you intend to be active or expect to be known in .ccTLD early on. Once your brand has global recognition it is too late as cybersquatters or your competition have already registered the brand name. Further, it can be hard to prove bad faith without a consistent trademark portfolio and the more famous your brand, the higher the asking price of a professionally squatted domain will become. We have seen cybersquatters going all the length, by even registering companies named yourbrand Inc. in different countries, before registering the yourbrand.ccTLD, just so they could legitimize their squatting. 

In terms of confusion, we want to focus on the use in email for impersonation. Unfortunately, Email wasn’t designed with inbuilt verification mechanisms and identities in the email protocol are easy to spoof. Luckily, additional mechanisms are available to improve your defense. For domains in your portfolio, you can place SPF, DKIM and DMARC records, text records in the domains DNS, that help the receiver of emails verifying whether the indicated sender is authenticated to send emails in the name of your organization. Besides alerting the recipient of spam and phishing emails, a DMARC record can also alert you, if a domain in your portfolio is spoofed. This is why you want to register those domains that are most likely to be used in spam and phishing. Besides your actual domain used for corporate communication and the previously mentioned brand.ccTLD, there is another candidate here: Typos of your main domain usually under .com. For example’s sake, let’s use Jaguar.com, for whom we would advise to also register jaquar.com (with a q) and jaguan.com (with an n).

In short: Register domains likely to be used for phishing so that a) they can’t be used to send emails and b) if those domains get spoofed, you and the recipient will be alerted of such spoofing (conditional to DMARC records on those domains).

A third consideration goes towards enforceability. Some ccTLD extensions, such as .VN are notorious for the lack of IP protection mechanisms. Internet intermediaries may only suspend or turn over domains after the decision of a costly and uncertain litigation procedure. If your brand is known in a country with a big potential market and low IP protection, we advise you to be a bit more flexible with your budget and cast the net wider. On the other end of the spectrum, free domains under the Freenom regime (.ml, .cf, .ga, .gq ,.tk) are quick to be enforced with a C&D letter to the registrar, which also functions as a proxy-registrant and based in the Netherlands wants to avoid partial liability of damages and therefore responds to legitimate complaints appropriately.

Probably the one factor your stakeholders are most concerned with is the cost of your domain portfolio. Luckily, cost is also a concern to your opponents and more expensive domains are less likely to be abused. Looking at the 10 most compromised domain extensions (relation of registered domains vs. abused domains) we find that 5/10 are new gTLDs (.men, .work, .click, .site etc.), often sold with huge discounts in the hopes they will get renewed at a higher price in consecutive years. The other group of domains with a notorious high “bad” percentage are the previously mentioned free domain names by Freenom (Source).

While this abuse is measured in terms of malware distribution and botnets, we would advise brand owners to register their main brands in at least the thematically closely related gTLDs where the likelihood of having to battle abuse and the cost of keeping a few dozen extra domains in the portfolio pose a reasonable trade-off.

On the other hand, we advise to be quite critical with your portfolio and cut down where you are not sure whether the trade-off between cost and value is justified. The first domains to be removed are all those long forgotten product taglines, company events and marketing campaigns: Cut them loose, let them float, sail light. Not only can you avoid renewal fees, you also avoid maturing domains. Domain age is perceived as a positive SEO factor, the longer you keep domains registered, the more likely it becomes that automated dropcatchers pick up your domains in order to resell them, which means your monitoring effort will increase, as you will want to make sure the domains won’t be used for infringing purposes.

Blocking Services

There is an alternative to registering domains available in the gTLD space called blocking services. Most noteworthy, the largest registry operator Donuts Inc. has a product allowing marks registered in the trademark clearinghouse to be blocked from all their 243 newTLD extensions. An additional 43 extensions can be blocked via the TREx mechanism and recently the registry for adult extensions started offering a blocking service for its 4 extensions.

While it only costs a fraction to block domains compared to registering them individually, corporates often decide to only block the main company names, as registering and blocking your brand in gTLDs is also financial support for the registries who attract cybercriminals with their policies in the first place adding an additional layer of complexity to the domain portfolio strategy.

B) Mitigation of brand risk through domain monitoring

In a previous article we discussed how the detection of newly registered domains containing your brand works and shed some light on what results you can expect from a domain monitoring tool.

In this section, we give our view on how and when monitoring of already detected problematic domains can help you save cost, by reducing the need for an extensive defensive domain portfolio and unnecessary enforcement actions.

Both processes may be referred to as domain monitoring, even though the processes behind are very different. When we monitor an identified potentially problematic domain, we observe three things: The website visuals, how the content is changing over time, also called screenshot monitoring. Second, the underlying infrastructure in particular registrar, registrant, DNS records incl. MX record and if applicable the hosting provider. Thirdly we monitor the HTTP response code of the domain root to detect whether we can expect a forward, content or no content.

Monitoring changes in those areas reduces the need to take proactive enforcement action. A large number of cybersquatted domains are never used for malicious purposes and simply remain parked in the hopes of getting acquired by the brand owner, a competitor or a cybercriminal. If the parked page is displaying ads related to keywords appearing in the domain – which they usually do – it’s worth requesting from the parked page provider to stop the ads as removal of the ads disincentivizes the squatter from renewing the domain and the domain may eventually be dropped without any further enforcement.

If a domain appears well-suited for the sale of unauthorized goods or another kind of trademark infringement, visual monitoring enables your team to take action only if this threat actually materializes.

Investigating DNS records can often reveal whether a domain was registered by an affiliated provider, a subsidiary or a marketing agency that acted proactively (maybe too proactively) and therefore taking the content down might be a too big hammer for the issue and a friendly transfer demand letter more appropriate.

Missing MX-records ensure you that the domain is in fact (currently) not used to send emails.

If a suspicious change is detected, an analyst can investigate deeper, for example by searching the infrastructure providers for similar domain registrations, analyze other domains pointing to the same servers and interpret, whether the infrastructure is most likely used by nefarious actors. Such investigations can lead to cost savings in the form of bulk actions, as recently displayed by a UDRP where our colleague enforced the transfer of 49 domains, belonging to 7 brands, in only one UDRP.

These are some scenarios that demonstrate how monitoring of domain infrastructure can save your team from spending time and resources, where it’s not required.

Test your brand protection investigation expertise!

What do you see in this image?

Correct answer:

Here, an agency registered a domain without observing your internal policies via a registrar often used by cybercriminals. The pre-release website is asking for employee login credentials, where the SSL hasn’t been setup yet. – This is a fly, not a wasp, enjoy your coffee before it gets cold.

What do you see in the next image?

Correct Answer: 

A professional phisher, disguised as part of the surrounding infrastructure, similar design and color patterns, harmless look and feel but highly dangerous to your organism mixing venom with painkillers to obfuscate the attack. – Cone snails hunt mainly fish, but are reported to kill around 30 human divers every year.

Experienced zoologists and Brand Protection Specialists can assist you differentiate the annoying from the dangerous.

C) Active Enforcement.

Taking decisive actions against high priority risks is the third pillar of a brand protection strategy in the domain space.

Before starting costly procedures, we recommend exhausting your repertoire of out-of-court enforcement mechanisms. Hereby, we suggest to separate issues into different categories and create standard workflows for each category taking into account the tone or voice of the letters and the available attack vectors (intermediaries). These standard workflows decrease the marginal cost of each action and make it worthwhile to send out multiple letters, even if chances of success for each individual letter are often low.

Registrar

One way to classify cases is by whether the issue is likely to get resolved by a registrar (phishing, malware, fraud; sometimes rogue pharmacies, counterfeiting) or not. ICANN-accredited registrars are obliged to investigate and respond to reports of alleged criminal activity, but do not have to assess civil intellectual property issues.

In other words, if you are in possession of evidence that a domain was registered with criminal intent such as phishing, malware or fraud, submission of such evidence to the registrar will often lead to the suspension of the domain.

For other content related issues, most registrars will reject taking actions, unless it’s a widespread, easily recognizable case of rogue pharmacies or sales of counterfeits (conditional on registrar).

Hosting Provider

For content related matters, hosting providers in most jurisdictions react to notifications of alleged infringement with a response falling somewhere in between forwarding the complaint to the client and intermediate suspension of the content until a resolution was found.

Search Engines

An often neglected attack vector is a DMCA addressing search engines. If the website content includes a copyright infringement, your team may be able to delist URLs from the search engine results page. As a result, the infringement may still be retrievable online, but cannot be found via keyword searches in search engines.

Registrant

Yes, registrant data is more difficult to retrieve than it used to be. Still there are several options that may lead to establishing contact with the registrant. Some registries and domain privacy services reveal registrant data if the domain contains your trademark (proof of legitimate interest) and you file a request (i.a. .uk, .de). Further, the website may reveal a contact email or phone number. Also, privacy protection services enable you to contact the registrant via forms or anonymized email addresses.

So, why would anyone try to contact the registrant, they won’t respond either way?!

There are a number of reasons:

First, from our experience, around 5% of cybersquatted domains are dropped after C&D letters.

Second, the letter could reveal a subsidiary or contracted party behind the domain.

Third, you might discover that the registrant contact data is false, which can open another attack vector, A WHOIS inaccuracy complaint which is available in one or another form by most registries.

Fourth, the cybersquatter could attempt to sell you the domain, which helps you prove bad faith in case of a UDRP, and you can separate the domain from cases with criminal intent. In other words, the domain was registered for resell and is most likely not going to be used for criminal purposes.

UDRP

Yes, UDRPs aren’t cheap. Therefore we advise that you investigate the environment of a domain carefully before launching a UDRP against a single domain. You just might discover several other domains under common control which is one condition for successfully filing a bulk UDRP. Registration date, website trackers and web servers are promising ways to identify common control.

The art of brand protection is to enable fact-based prioritisation and to apply the least-costly feasible mechanism to resolve an online intellectual property issue.

Optimizing the interplay of defensive, active and offensive measures – A Quick Summary.

Defensive Registrations

Register brand names in your markets.

Register domains suitable for impersonating your company and email communication.

Delete outdated domains quickly – already agree on a lifespan upon registration.

Active Monitoring

Monitor new domain registrations and detect suspicious domains.

Investigate the environment of suspicious domains.

Differentiate the dangerous from the annoying.

Offensive Enforcement

Use workflows to decrease time spent on letters.

Incl. evidence of criminal intent when reporting to registrars.

Bulk UDRPs.

---

Hey reader! thanks for visiting, we hope you got something out of this essay. If you have any input to the article, would like us to deliberate on one aspect more in depth or want to discuss your own issues the Thomsen Trampedach team is happy to start a dialogue.