Abusive and Malicious Registrations of Domain Names

When ICANN implemented the Uniform Domain Name Dispute Resolution Policy (UDRP) in 1999, it explained its purpose as combating “abusive registrations” of domain names, which it defined as registrations “made with bad-faith intent to profit commercially from others’ trademarks (e.g., cybersquatting and cyberpiracy).” (The full statement can be found in the Second Staff Report on Implementation Documents for the Uniform Dispute Resolution Policy, Paragraph 4.1(c).) Bad actors employ a palette of stratagems, such as combining marks with generic qualifiers, truncating or varying marks, or removing, reversing, and rearranging letters within the second level domain (typosquatting). These registrations are costly to police, and the forfeited domain names are likely even more costly to maintain, but for all the pain they inflict they are essentially plain vanilla irritants.

While these kinds of disputes essentially dominate the UDRP docket, there has been an increase in the number of disputes involving malicious registrations. The first instances of “phishing” and “spoofing” appear in a 2005 case, CareerBuilder, LLC v. Stephen Baker, D2005-0251 (WIPO May 6, 2005), in which the Panel found that the “disputed domain name is being used as part of a phishing attack (i.e., using ‘spoofed’ e-mails and a fraudulent website designed to fool recipients into divulging personal financial data such as credit card numbers, account usernames and passwords, social security numbers, etc.).”

The quainter forms of abuse are registrants looking to pluck lower hanging fruit. They are so obviously opportunistic that respondents don’t even bother to appear (they also don’t appear in the malicious cases, but for another reason: to avoid being identified). The plain vanilla type is represented by such cases as Guess? IP Holder L.P. and Guess? Inc. v. Domain Admin: Damon Nelson—Manager, Quantec LLC, Novo Point LLC, D2017-1350 (WIPO August 24, 2017) (<guess accessories.com>), in which Complainant’s product line includes “accessories.” In these types of cases, respondents are essentially looking for visitors.

In contrast, malicious registrations are of the kind described, for example, in Google Inc. v. 1&1 Internet Limited, FA1708001742725 (Forum August 31, 2017) (<web-account-google.com> in which

respondent used the complainant’s mark and logo on a resolving website containing offers for technical support and password recovery services, and soliciting Internet users’ personal information). . . . Complainant’s exhibit 11 displays a malware message displayed on the webpage, which Complainant claims indicates fraudulent conduct.

Malicious registrations are a step up in that they introduce a new, more disturbing, and even criminal element into the cyber marketplace. Respondents are not just looking for visitors; they are targeting brands for victims. Their bad faith goes beyond “profit[ing] commercially from others’ trademarks” to operating websites (or using e-mails) as trojan horses. This aligns registrations actionable under the UDRP with conduct policed and prosecuted by governments.

The UDRP, then, is not just a “rights protection mechanism.” The term “abusive registration” has enlarged in meaning (and, thus, in jurisdiction) to include malicious conduct generally. Total security is a pipe dream. ICANN has working groups devoted to mapping the problem, and there are analytical studies assessing its extent in legacy and new TLDs. Some idea of the magnitude is seen in “Statistical Analysis of DNS Abuse in gTLDs Final Report,” commissioned by an ICANN-mandated review team, the Competition, Consumer Trust and Consumer Choice Review Team (CCTRT). Incidents of abusive and malicious activity online, radiating out to affect the public offline, represent the universe of cyber crime and uncivil behavior, within which UDRP disputes play a minor, although important, role in policing the Internet. In initiating complaints, mark owners are on the front line not only in protecting the integrity of their marks but also in protecting visitors landing on fake websites by shutting down infectious domain names.

It is interesting to learn that disputes filed with UDRP providers are the tip of the iceberg. There are a number of organizations devoted to collecting, analyzing, correlating, and reporting incidents of abusive and malicious activity on the Internet. Stopbadware.org, for example, reports that 3,918,603 domain names are currently blacklisted; Securedomain.org compiles “badness” indices of TLDs, registrars, spammers, and bot ISPs; Antiphishing.org and Arwg.org warn us to be vigilant against malware-infected domain names and e-mails. Not surprisingly, cyberspace is a microcosm of the social world—calm on the surface; turbulence below.

Malicious registrations are reserved for more outrageous conduct (a step above abusive), not only threatening mark owners but also consumers. It is a kind of misconduct that has (I believe) become more common, even to the point of including miscreant complainants who have no actionable claims for cybersquatting but file complaints anyway (not without a spice of malice) for the cost of incurring a minor penalty. Somewhere on the timeline between the implementation of the UDRP and now there has been a marked increase in the number of these kinds of registrations. “Phishing” (“spoofing” is a less used term and appears to have become folded into phishing) became more common after 2008, and increasingly so in 2011 and 2012. Already in September 2017 there have been 8 decisions, and over 20 in August, involving spoofing, phishing, and distribution of malware. This upward trajectory has been an evolutionary process in the direction of criminal conduct.

Consider some examples of the various forms of malicious conduct. In CommScope, Inc. of North Carolina v. Chris Lowe / comm-scope / Chris Lowe / comm-scopes / Chris Lowa / commmscope, FA1707001742149 (Forum September 7, 2017), Respondent “used the domain names as an email suffix and has solicited third parties to submit personally identifiable information.” In Novartis AG v. CHRIS TAITAGUE, FA1708001744264 (Forum September 11, 2017) (<sandozcareers.com>), Respondent targets job seekers. In Goodwin Procter LLP v. GAYLE FANDETTI, FA1706001738231 (), Respondent targeted a law firm “to misdirect funds in an e-mail for an illegal and fraudulent purpose.”

The target is not necessarily the mark owner but consumers drawn to the website because of what the domain name implies. In the case of Yahoo Holdings, Inc. v. Registration Private, Domains By Proxy, LLC / Technonics Solutions, D2017-1336 (WIPO August 11, 2017) (<yahoodomainsupport.com>), the website offers “support”:

The evidence supports the inference that Respondent sought to use the disputed domain name to create a false association with Complainant to perpetuate a phishing scam. Although Respondent has no affiliation with Complainant, the website associated with the disputed domain name purports to offer technical support for Yahoo-branded services and urges customers seeking assistance to call a provided phone number.

Also, Hill-Rom Inc. v. Jyoti Bansal, FA1703001724573 (Forum May 3, 2017) (<himlrom.org>), in which Respondent was using the e-mail to send messages

to Complainant’s distributors, fraudulently attempting to create the impression that the emails originate from Complainant and requesting payment from the recipients, in what Complainant describes as a “phishing attack.”

Similarly in The Travelers Indemnity Company v. jack Halua / Google Inc., FA1707001739643 (Forum August 21, 2017) (<travelerschampionshipgolf.org>); Home Depot Product Authority, LLC v. Jim Brainard, FA1707001739571 (Forum August 8, 2017) (<homedepotmemphis.com>), and The Travelers Indemnity Company.

Good examples of spoofing (not always called as such, but that’s the term for payment instruction fraud) are found in Arla Foods Amba v. ESMM EMPIRE staincollins, CAC 101578 (ADR.eu August 14, 2017) and optionsXpress Holdings, Inc. v. David A., FA1701001711999 (Forum February 15, 2017) (<optionexpress.net>). In Arla Foods, Respondent was both spoofing the mark owners and phishing for personal information. The general complaint is that Respondent was engaged in a “fraudulent scheme to deceive Internet users into providing their credit card and personal information.” Respondent was using the domain name to “send emails in the name of Complainant’s employees, in an attempt to commit fraud and deceptively steal sensitive information by “impersonat[ing] the Complainant and fraudulently attempt[ing] to obtain payments and sensitive personal information” or by “solicit[ing] payment of fraudulent invoices by the Complainant’s actual or prospective customers.”

At bottom, respondents are engaged in a hunt to syphon funds from mark owners and anyone who deals with them, such as distributors and customers. In Shotgun Software Inc. v. Domain Admin / Hulmiho Ukolen, Poste restante, D2017-1273 (WIPO August 23, 2017) (<shotgunstudios.com>), Respondent added another layer of deceit by diverting visitors to “sponsored links” for the purpose of distributing malware:

The disputed domain name resolves to different successive websites after repeated access, named by the Complainant as a “Scam Page”, a “Disable Tracking Page”, “Malware Pages”, and sponsored links. The “Scam Page” is designed to trick the visitor into taking action, through a specified telephone number, to eliminate a virus but is an attempt to phish for confidential information. The “Disable Tracking Page” is designed to trick visitors into supposedly disabling their Internet search history but leads to a phishing attempt. The “Malware Pages” may attempt to download malware on to the visitor’s computer. The sponsored links pages lead to advertisements including those of the Complainant’s competitors.

What brands are now experiencing with domain names can be seen as similar to the mischievous and criminal hacking of corporate aggregators of sensitive personal data. The business model employed by these registrants (if it can be dignified as such) is using domain names to commit fraud and larceny by testing how much they can get away with before they are shut down, only to reappear with other fraudulent and larcenous schemes. Cyber security is not just a matter of data protection; it extends to protection of reputation and of the general public on the Internet.

By Gerald M. Levine, Intellectual Property, Arbitrator/Mediator at Levine Samuel LLP

Information about the firm can be found on the Firm’s website at iplegalcorner.com. Mr. Levine has a litigation and counseling practice representing clients in Intellectual Property rights and management, Internet and Cyberspace issues, domain names and cybersquatting, as well as a diverse range of legal and business matters, from working with clients to resolve commercial disputes to copyright and trademark counseling and registrations. He is the author of a treatise on Trademarks, Domain Names, and Cybersquatting, Domain Name Arbitration: A Practical Guide to Asserting and Defending Claims of Cybersquatting Under the Uniform Domain Name Dispute Resolution Policy. A Second Edition of the treatise was published July 2019 and is available from Amazon or from the publisher, Legal Corner Press (LCP).
