It Is There for a Reason, So Why Not Use It?

February 17, 2010 – 11:35 am by Elisa Cooper

It seems like every week brings news of yet another high-profile domain hijacking. Whether it’s stolen credentials, SQL injection attacks, or even the work of disgruntled employees, the number of incidents has been on the rise.

At the beginning of last year, MarkMonitor participated in VeriSign’s beta program to test server-level protections which were designed to mitigate the potential for unintended domain name changes, deletions and transfers. When VeriSign finally released their Registry Locking Program to all registrars, I expected to see the owners of highly trafficked sites flocking to this new offering. 

However, after a review of the top 300 most highly trafficked sites, I was shocked to uncover that less than 10% of these valuable domains were protected using these newly available security measures. 

So why aren’t more companies protecting themselves? 

Given the value of these highly trafficked domains, I cannot imagine that the additional fees associated with employing this level of service are the deterrent. 

I can only imagine that either the offering hasn’t been made widely available, or that confusion as to whether a domain is locked is to blame.

When it comes to domain locking, there is often quite a bit of confusion as to how to determine whether a domain is 1) “locked” within a portal, or 2) “locked” at the Registrar, or 3) “locked” at the Registry. 

Only domains that have the following statuses are considered to be “locked” at the Registry, and cannot be modified using standard protocols. 

  • client delete prohibited
  • client transfer prohibited
  • client update prohibited
  • server delete prohibited
  • server transfer prohibited
  • server update prohibited 
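As an added example (not code from the post or from MarkMonitor), the following Python audit reads the status lines from a WHOIS-style record and reports which of the three meanings of “locked” above actually applies. The sample records and the function names are constructed for this illustration; the six status codes are the EPP codes that WHOIS prints in camelCase for the statuses listed above.

```python
import re

# The six statuses listed in the post, in the camelCase form WHOIS prints.
# client* statuses are set (and can be lifted) by the registrar;
# server* statuses are set only by the registry, i.e. the Registry Lock level.
CLIENT_LOCKS = {"clientDeleteProhibited", "clientTransferProhibited", "clientUpdateProhibited"}
SERVER_LOCKS = {"serverDeleteProhibited", "serverTransferProhibited", "serverUpdateProhibited"}
ALL_LOCKS = CLIENT_LOCKS | SERVER_LOCKS

# Matches "Domain Status: clientTransferProhibited https://icann.org/epp#..."
# as well as the spaced, lower-case form used in the post ("client transfer prohibited").
_STATUS_RE = re.compile(r"(?im)^\s*(?:domain\s+)?status:\s*([a-z ]+?)\s*(?:https?://\S+)?\s*$")


def normalise(status: str) -> str:
    """'client transfer prohibited' -> 'clientTransferProhibited'; camelCase passes through."""
    words = status.strip().split()
    if len(words) == 1:
        return words[0]
    return words[0].lower() + "".join(w.capitalize() for w in words[1:])


def parse_statuses(whois_text: str) -> set:
    """Collect every status value found in a WHOIS-style record."""
    return {normalise(m.group(1)) for m in _STATUS_RE.finditer(whois_text)}


def lock_level(statuses: set) -> str:
    """Which of the post's three 'locked' meanings the statuses support."""
    if SERVER_LOCKS <= statuses:
        return "registry-locked"      # not modifiable through standard EPP commands
    if CLIENT_LOCKS <= statuses:
        return "registrar-locked"     # a portal may show 'locked', but the registrar can lift it
    if statuses & ALL_LOCKS:
        return "partially-locked"
    return "unlocked"


def audit(whois_text: str) -> dict:
    """Summarise the lock level and list the statuses still missing for a full registry lock."""
    statuses = parse_statuses(whois_text)
    return {"level": lock_level(statuses), "missing": sorted(ALL_LOCKS - statuses)}


# Constructed WHOIS excerpt (not real output): registrar and registry locks both applied.
SAMPLE_REGISTRY_LOCKED = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
"""

# Constructed excerpt: a domain a registrar portal would show as "locked",
# which here means only the three client* statuses.
SAMPLE_REGISTRAR_ONLY = """\
Domain Name: EXAMPLE.NET
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
"""

if __name__ == "__main__":
    for sample in (SAMPLE_REGISTRY_LOCKED, SAMPLE_REGISTRAR_ONLY):
        print(audit(sample))
```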

For the owners of highly trafficked domains, I would strongly recommend adding this level of security to protect valuable domains. It is there for a reason, so why not use it?


Smart Phishing for Smartphones

February 4, 2010 – 6:31 pm by Fred Felman

A common security prediction for 2010 is the continued rise of malware and phishing attacks on mobile phones. The MarkMonitor SOC recently detected an interesting twist on this theme involving a popular smartphone and the latest smart technologies used by cybercriminals. In this case, instead of compromising a smartphone to steal its information, cybercriminals used phishing techniques to clone smartphones.

Here’s how it works. Emails offering a free one-year warranty extension for a popular smartphone link to a company-branded web page. That web page asks for an email address and then the smartphone’s serial number, IMEI number, type of phone, and capacity of phone. See below for examples of the phishing web page.

Cybercriminals use the information requested on the web page to clone the smartphone for various uses, including stealing long-distance service from the subscriber or simply using a deniable, disposable smartphone for other criminal activities. In effect, the cybercriminals used phishing techniques to clone smartphones.

This recent attack also stands out because it utilizes some advanced technologies and suggests possible directions of future cybercriminal activity. First, the attack uses server-side logic that hides the phishing site unless it is accessed through the browser produced by the smartphone company. Second, the attack uses additional protective technology in the form of a fast-flux network, which hides the phishing site behind a dynamic network of ever-changing proxies. These two smart technologies demonstrate how cybercriminals continue to focus their efforts on making their attacks targeted, stealthy, and resilient.


Avalanche Fast-flux and Blended Attacks

December 23, 2009 – 11:04 am by Fred Felman

Phishing attacks have become more sophisticated with the use of fast-flux botnets as resilient attack platforms. The fast-fluxing among hundreds of compromised computers which serve as proxies for phishing sites means that detection and shutdown become more difficult.

One particular fast-flux botnet called Avalanche has received much attention in recent months as a major platform for hosting phishing sites. What has not been discussed as much is how the distinction between phishing and malware has ceased to exist.

Avalanche offers a prime example of how blended attacks are launched from a fast-flux botnet platform. Arbor Networks reported earlier this month that the cybercriminal gangs behind the Avalanche botnet and the Zeus/Zbot malware have entered a partnership whereby the Zeus malware gang is using the Avalanche fast-flux botnet to launch its attacks. “We appear to be seeing one of the groups, Avalanche, promoting Zeus malware,” observed botnet security researcher Jose Nazario. “They don’t compete, and they both have good market positions, so they can grow each other.”

Recent blended attacks hosted on Avalanche reported this month targeted a major credit card company and a large Spanish bank operating in Latin America. Cybercriminals have teamed up their best-of-breed fast-flux and malware capabilities. MarkMonitor AntiFraud anticipated these developments with its unique preventive capabilities for preemptively detecting and shutting down fast-flux-based phishing and malware attacks.

More details about recent blended attacks hosted on the Avalanche platform:

December 11: http://news.zdnet.co.uk/security/0,1000000189,39933618,00.htm
December 12: http://garwarner.blogspot.com/2009/12/ongoing-visa-scam-drop-zeus-zbot.html
December 22: http://garwarner.blogspot.com/2009/12/donde-se-va-avalanche-bbva-y-united.html


Expressions of Interest a Requirement for New gTLDs?

December 18, 2009 – 5:29 pm by Elisa Cooper

Today ICANN published a draft model for soliciting Expressions of Interest for new generic top-level domains. According to the model, parties interested in submitting applications to acquire new gTLDs will be required to provide basic information about the application and a deposit of $55,000 which can be used as a credit against the full application fee of $185,000.

 The model is a direct result of community recommendations and is available for public comments until January 27th, 2010. Public comments can be submitted at http://www.icann.org/en/public-comment/public-comment-201001.htm#draft-eoi.

Based on public comments, the ICANN Board will convene to review feedback and determine possible next steps in the first quarter of 2010.

Highlights of the proposed plan include:

  • Participation in the EOI is mandatory for eligibility to submit a gTLD application in the first round. Subsequent application rounds will be open to any eligible applicants.
  • A deposit of US$55,000 is required for the EOI, and will be used as a credit against the US$185,000 evaluation fee.
  • The deposit is refundable if the New gTLD Program does not launch within a specific time period. Details will be outlined in the final EOI model.
  • Participants are notified that there may be subsequent amendments to the Draft Applicant Guidebook. It is the intention to conclude many current open issues prior to initiation of the EOI process.
  • A fully executed communications campaign, intended to ensure global awareness about the EOI, will precede the opening of the process.
  • Participants will be required to provide specific information concerning the participating entity and the requested string.
  • The participant and string information will be made public.
  • The EOI launch is conditional on the conclusion of many of the outstanding issues, for example, issues concerning vertical separation and the IDN three-character string requirements. Solutions for these and other issues are expected to be included in the Draft Applicant Guidebook, version 4.

The plan as outlined by ICANN raises a number of concerns. MarkMonitor intends to submit its own comments and encourages its clients to do the same.


Paid Search Ads Can Lead to Fake Goods

December 15, 2009 – 10:30 am by Mary Roach

MarkMonitor recently investigated to what extent popular product searches led to websites offering counterfeit and pirated goods via paid search ads. The research examined 20 of the top 1,000 product-related searches in 2008 and focused on paid search ads across the three major search engines – Google, Yahoo! and Bing. In total, 583 unique websites (to which the ads pointed) were analyzed.

So, what did we find? Roughly 17% of the paid search ads for popular consumer products – such as designer handbags and shoes, music, movies, and hi-tech gadgets – led to sites likely offering counterfeit or pirated goods. This number gets even higher for certain categories, such as “designer handbags,” where an eye-opening 32% of the paid search ads led to sites appearing to sell fake handbags.

Another way to stir up more ads for counterfeit or pirated goods is by adding terms like “cheap,” “discount” or “wholesale” to a product name or category. Across all 20 product searches, for example, the share of paid search ads linking to sites selling counterfeits increased from 17% to 19% when these terms were added. In the designer handbag example, the share of paid search ads linking to suspect counterfeit sites jumped from 32% to 49%.

From these results, it is evident that counterfeiters have mastered the art of targeting buyers looking for unbelievable deals. As such, consumers need to be that much more vigilant if they’re seeking authentic products at good prices. Brand owners also need to be cognizant of the strategies employed by fraudsters and monitor not only for the use of their trademarks or product categories as keywords, but also in conjunction with terms signaling counterfeit or pirated products.


Open Phishing Season

December 3, 2009 – 12:14 pm by Fred Felman

For retailers and consumers, Cyber Monday marked the beginning of the online holiday shopping season. For cybercriminals, however, it marked the opening of their winter phishing season.

Here at MarkMonitor, we are currently seeing an uptick in cybercriminal activity targeting online retailers’ brands. Linked here is an example of a phish attack involving a well-known national retailer.

Clearly, brand-based phish and malware attacks such as this one possess great potential to harm consumers. They also pose a great risk to customer trust and loyalty in your brand. As a result, the range of advice which you can give to your customers to promote safe online holiday shopping is extensive. Customers should:

  • confirm emails from retailers which request their action through links and attachments
  • confirm retailers who are highly ranked in search engine results, but are obscure or little known
  • be wary of website download files
  • ensure an https connection when entering financial credentials into a website
  • use temporary credit card numbers
  • use up-to-date anti-virus/malware software
  • check their financial statements regularly

These are all useful recommendations. Unfortunately, the consumer attitude toward security, and the preventive actions they are willing to take, depends on the convenience of those actions. Consumers choose to shop online, after all, because they value convenience over other considerations, including concern about using their credit cards online.

When brand-based attacks harm consumers, they damage retailers’ brands, customer relationships, and the trust which customers have in Internet channels. As a result, these attacks present a very real business problem.

We recommend that online retailers adopt a proactive security stance toward phish and malware. This approach should include adopting preventive measures against brand hijackings and attacks in the planning stages, quickly detecting attacks which are underway, immediately responding with layered security, and analyzing attack data to refine security strategy and tactics. By educating customers and putting in place a proactive security strategy against phish and malware attacks, retailers can ensure a more enjoyable holiday season for customers and retailers alike.


Open Enrollment = Open Season for Scammers

December 1, 2009 – 3:20 pm by Mary Roach

You have to give scammers credit, as they are a creative bunch.  While most of us think of the annual open enrollment period for employee benefits as a non-event, scammers see it as an opportunity.  

Just last month we’ve seen suspicious sites targeting employees of some of the largest corporations.  In one particular example, a cybersquatter registered a domain name that closely mimicked the open enrollment benefits page of a Fortune 500 company. To illustrate using a generic company name, the squatted domain was ‘enrollcorporation.com,’ whereas the real company benefits page resided on the subdomain ‘enroll.corporation.com.’  The cybersquatter obviously was anticipating that employees would forget to type the period in the subdomain and land on its fake site. 

The squatted site contained numerous links to benefits-related pay-per-click sites (see screenshot). While it may have been the intention of the scammer to generate incremental revenue from employees who clicked through on the links, it is also very possible that the scammer was planning on changing the content to something more malicious – such as a phishing site.  We often see scammers employ this tactic to avoid any immediate takedown action and to maximize their ploys.

Fortunately, the Fortune 500 company in this case was actively monitoring for potential attacks on its brand and caught and remedied the situation quickly.  (The squatted domain was recovered and now redirects to the company’s real benefits page.)  If the site had gone undetected, you can just imagine the havoc this would have created if the site morphed into a phishing site and even a minute percentage of the company’s tens of thousands of employees had unknowingly landed on the site and disclosed their personal credentials.  

So, what’s the takeaway from this? While most brand owners know to monitor for online scams associated with new product launches or announcements, they also need to be extra vigilant around recurring company events – such as open enrollment periods, sales events, community events, etc. If an event is predictable, it’s very easy for scammers to devise a socially engineered scam that preys on customers’ and employees’ anticipation of the event.


2009 Domain Name Year In Review

December 1, 2009 – 2:34 pm by Elisa Cooper

To say that it’s been quite a year in the world of domain names would be an understatement. From compromised ccTLD registries, to the delay of new gTLDs, some of the events of the past year have been surprising, while others could easily have been predicted.
 
Regardless of whether you could have seen these coming, please find below my list of 2009’s most important domain name events…at least, as I see them. 

  • 10 – Toys.com is sold for a staggering $5.1 million dollars.
  • 9 – With 115 million current gTLDs, registration growth slows from 11% in 2008 down to 6% in 2009.
  • 8 – Oversee.net and SnapNames.com admit that a company executive acted as a shill bidder in the auctions of thousands of domains over a four-year period.
  • 7 – UDRP marks its 10-year anniversary with more than 16,000 disputes and more than 10,000 domain name transfers.
  • 6 – Germany (.DE) and .BIZ announce the release of one- and two-character domain name registrations.
  • 5 – Mexico (.MX), Tunisia (.TN) and Cameroon (.CM) announce the release of second-level domain registrations, and the European Union (.EU), Bulgaria (.BG), Singapore (.SG) and .NAME announce the release of Internationalized Domain Names (IDNs).
  • 4 – Corporate registration trends move away from the practice of registering large numbers of defensive domains as more companies adopt aggressive monitoring and policing policies.
  • 3 – Both registries and registrars are exploited by hackers as SQL vulnerabilities are uncovered.
  • 2 – ICANN’s IDN Fast Track process is approved and applications for Top-Level Internationalized Country Codes are accepted.
  • 1 – The launch of ICANN’s new gTLD program is delayed as commitments to addressing and resolving overarching issues related to trademark protection, stability and security, malicious conduct and economic demand are made.

So what can we expect in 2010?
 
While I don’t have a crystal ball, I expect to see the launch of a number of the Top-Level Internationalized Country Code extensions in the first half of next year. Corporations should begin planning now by identifying non-Latin trademark portfolios so that they are prepared as Sunrise periods begin.
 
I also anticipate that we will see a final version of the new gTLD Guidebook by the end of next year. I would encourage companies to actively participate with ICANN in relation to the new gTLD process and in particular with the development of rights protection mechanisms. Again, although there is a delay in the process, companies should continue to move down a path of due diligence to determine the right approach – whether it’s to focus solely on defensive measures or to apply for a custom TLD.

We’ll continue to see liberalizations of ccTLDs. However, we may also start seeing the introduction of new, more stringent requirements on ccTLDs which were once unrestricted or minimally restricted in an effort to reduce criminal activity.
 
Although I am hopeful that we’ve seen the last of these registry and registrar security breaches, I am sure that we’ll continue to see the efforts of hackers rearing their ugly heads.
 
While 2009 was certainly a year to remember, I think that 2010 will bring even bigger changes and bigger challenges.


A Sigh of Relief for Brand Owners…Not So .Fast

October 28, 2009 – 12:14 pm by Elisa Cooper

All indications from the ICANN meetings in Seoul are that significant delays for the release of new gTLDs (Generic Top Level Domains) are expected.

According to Rod Beckstrom, ICANN’s CEO, new gTLDs will be made available when, “we’ve adequately addressed the important issues that are on the table.” These important issues include efforts to address malicious conduct, root scaling, economic analysis, trademark protections, and vertical separation as related to the new gTLDs.

Consequently, no timelines for the launch of new gTLDs have been released. ICANN had most recently stated that the application period would begin in the second half of 2010.

While companies who have been building business plans around the launch of new gTLDs are up in arms, brand owners should take comfort in knowing that additional work will be completed to ensure that adequate rights protection mechanisms are implemented prior to the launch of new gTLDs.

However, while it looks like the gTLD Express is slowing down a bit so that adequate protections can be incorporated into the process, the IDN ccTLD Train (Internationalized Country Code Top Level Domain Names) is full steam ahead and nearing its destination. After years of research, development and market demand, starting on November 16th, ccTLD registry managers will be allowed to submit applications to operate TLDs in native character sets representing their respective country or territory names. To date, 25 countries including China, Japan and the Russian Federation have expressed interest in participating.

Although brand owners may not have to worry about the launch of new gTLDs next year, understanding how, where, and what to register in these new ccTLD IDNs will present a host of new issues – many of which have been overshadowed until now by the anticipated launch of the new gTLDs.

As with similar types of launches in the past, many of these ccTLD registries may allow for special “Sunrise” and “Grandfather” periods so that owners of trademarks and existing IDNs are given priority over others to register exact matches in the new offerings. While registration periods for these new IDN ccTLDs will likely not occur before the second half of next year, brand owners should consider preparing now by reviewing international trademark portfolio holdings and identifying important brands that should be promoted and protected.


Ten Years of UDRP

October 16, 2009 – 11:10 am by Elisa Cooper

In 1999, the Internet Corporation for Assigned Names and Numbers (“ICANN”) developed a policy to resolve disputes between trademark owners and registrants of domain names. This policy, the UDRP, set out procedures, rules and guidelines that govern the process whereby an aggrieved trademark owner could petition an appointed arbitrator or group of arbitrators to cancel the domain name registration or transfer the domain name back to the trademark owner, based on the trademark owner’s superior rights to the domain name and on the domain name registrant’s bad faith.
 
UDRP was made available for disputes concerning an alleged abusive registration of a domain name. Abusive registrations were those that met the following criteria:  

  • The domain name registered by the domain name registrant is identical or confusingly similar to a trademark or service mark in which the complainant (the person or entity bringing the complaint) has rights.
  • The domain name registrant had no rights or legitimate interests in respect of the domain name in question.
  • The domain name had been registered and was being used in bad faith. 

In the past 10 years alone, more than 16,000 disputes have been filed resulting in more than 10,000 domain name transfers. While the transfer of 10,000 domains to their rightful owners over the past ten years is impressive, it is worthwhile to note that the top 30 Interbrand-ranked brands suffer more domain name abuse than this in a single day.

To mark this 10 year anniversary, WIPO (World Intellectual Property Organization) held a conference on October 12th which drew more than 200 attendees including intellectual property counsel, UDRP and DNS stakeholders, and WIPO domain name panelists.
 
The conference provided attendees with the opportunity to discuss potential enhancements including electronic filings, and the possibility for respondents to express early consent to transfer or to participate in the UDRP proceedings through the filing of a response. Discussions related to the launch of ICANN’s new gTLDs also generated significant interest.
