Could phishing attacks be prevented by brand holders adopting a more proactive domain name strategy?


In their half-yearly review of activity on the internet, the Anti-Phishing Working Group (APWG) reported that phishing is simply not going away. Nearly 125,000 attacks were reported in the six-month period from July to December 2014, the highest six-month figure for over six years. However, the number of targets for phishers fell significantly from the first half of 2014, although over 500 institutions is still a scary number for brand holders.

Phishers are relatively unusual among the criminal fraternity. They don’t just target brands but also consumers – a real double-whammy. Some of these brands are hit up to 1,000 times per month, with cyber-criminals knowing they only need one victim to give them a return on their investment. Their key weapon is the domain name, and the launch of over 350 new gTLDs in the past eighteen months has given them a whole host of new opportunities to commit their crime.

Whilst the Top Level Domains used in phishing attacks are still dominated by those that can be obtained free of charge (dotTK, dotML and dotGA), the rise in the use of the new gTLDs cannot be ignored. As of the end of 2014, 295 new gTLDs had been launched and were publicly available, of which 56 had seen some phishing activity, with a total of 454 domain names used. The vast majority of these (nearly 66%) were in dotXYZ. This in itself is not too surprising given the number of actual registrations in that TLD compared to the other new gTLDs – you would expect the most domains used to come from the most popular TLDs, which is why dotCom is still the weapon of choice for cyber-criminals. Chinese registrars offered heavily discounted registrations in cheap new gTLDs, not just in dotXYZ but in others too, which makes them attractive to phishers.

Alas, there is only so much a brand holder can do. Defensive registrations of domain names are all well and good, but only 1.9% of phishing attacks in the second half of 2014 actually featured a brand name or a variant of one. Our minds are programmed to read what we think we need to read rather than what is actually presented to us. So when a victim sees an ‘o’ or an ‘I’ they could really be reading a ‘0’ or a ‘1’.

Whilst prevention is better than the cure, could brand holders be doing more to reduce phishing? The 1.9% of domain names registered with brand names, or variants thereof, is a relatively low number. Could even that have been avoided with a brand protection strategy? It is impractical for all brand holders to register every variant of their brands and trademarks in all of the new gTLDs, but there are solutions available that would alert them to infringing third-party registrations. Once they have the knowledge they can then decide to act.
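The kind of alerting described above can be sketched as a check that runs over a feed of newly registered domain names and flags those resembling a protected brand, including the ‘0’/‘o’ and ‘1’/‘I’ look-alikes. This is an added example, not part of the original article; the brand `orbitpay`, the feed and the confusable-character map are constructed for illustration, and the feed is assumed to contain second-level registrations only.

```python
# Added example: flag newly registered domains that resemble a protected brand.
# Brand, feed and confusable map are constructed, not taken from any real data.

# Characters readers commonly mistake for one another, folded to a single form.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "i": "l", "5": "s", "3": "e"})

def skeleton(label):
    """Lower-case, drop hyphens and fold look-alike characters together."""
    return label.lower().replace("-", "").translate(CONFUSABLES)

def edit_distance(a, b):
    """Levenshtein distance between two strings (row-by-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain, brand):
    """Return why a domain resembles the brand, or None if it does not."""
    label = domain.lower().rstrip(".").split(".")[-2]  # label left of the TLD
    if label == brand:
        return "exact"
    sk, bsk = skeleton(label), skeleton(brand)
    if sk == bsk:
        return "homoglyph"   # e.g. 0 for o, 1 for I
    if bsk in sk:
        return "contains"    # brand plus extra words
    if edit_distance(sk, bsk) <= 1:
        return "typo"        # one character added, dropped or changed
    return None

def monitor(feed, brand):
    """Return (domain, reason) pairs for every feed entry worth reviewing."""
    hits = [(d, classify(d, brand)) for d in feed]
    return [(d, reason) for d, reason in hits if reason]

# Constructed sample feed of new registrations.
FEED = ["orbitpay.xyz", "0rb1tpay.xyz", "orbitpay-login.club",
        "orbtpay.top", "gardening-tips.xyz", "secure-update.tk"]

if __name__ == "__main__":
    for domain, reason in monitor(FEED, "orbitpay"):
        print(f"{reason:10} {domain}")
```

The last feed entry is not flagged: a name with no brand string in it is invisible to this kind of monitoring, which matches the article's point that such registrations make up only a small share of phishing domains.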

The new gTLD programme has introduced a number of Rights Protection Mechanisms that offer brand holders tools that have never existed before. The Trademark Clearinghouse provides a warning system to any potential infringers in the first few months of a new Top Level Domain’s life which, according to statistics provided by Deloitte, who run the TMCH, is around 90% effective where a warning is served to a potential registrant and intellectual property infringer. The Domains Protected Marks List (DPML) offers a cost-effective way to block trademark terms, and variants of them, across nearly 50% of the total open generic TLDs.

Domain name and intellectual property law has never really worked on the side of the rights holder. It has been far too easy for a bad actor to register a domain name that includes the intellectual property of a brand holder. IP law means that a number of tests have to be proved before a brand holder can look to reclaim their property through the correct channels. The new gTLD programme saw the introduction of a more lightweight, cost-effective and, above all, fast process that allowed brand holders to take action quickly against any infringers.

The Uniform Rapid Suspension (URS) process was actually first used for a dotPW domain name but has since been used in 109 other Top Level Domains by over 130 global brands including the likes of 3M, Audi, Facebook, IBM and Yves Saint Laurent. Some brands seem to think that URS is an extension of their brand protection strategy. Lufthansa, for instance, has filed 28 cases to date whilst Nissan Motor Company and Virgin Enterprises have filed 17 apiece. Whilst the costs of filing a URS are low and the chances of success are high due to the burden of proof, the infringed domain names are only suspended. A brand holder will still need to register them once the initial registration period has ended. They will still incur the same costs as they would have if they had registered the names in the first place.

With the number of Top Level Domains increasing on a monthly basis, it is doubtful that the number of phishing attacks or Uniform Rapid Suspension cases will drop when the APWG publish their next report in six months’ time, looking at the activity in the first half of 2015. Whilst the vast majority of phishing attacks are carried out using domain names that do not feature exact brand names or variants of them, organisations should take steps to review their brand protection strategy to ensure they mitigate these avoidable risks, not only to their brand reputation but also to innocent consumers who are tricked by phishing attacks.