Month: January 2009

A little-known wave of massive-scale online infringement called affiliate fraud is gathering steam on the Internet. Affiliate fraud earns cybersquatters 50-100 times the fee per action of pay-per-click (PPC) sites and targets brand owners–all undetected.

Some brands offer affiliate programs, which allow Web site owners to post links and banners to that brand’s product or service on their site; in return, the owner of the site that is hosting the link receives a commission for every click-through that results in a purchase. These affiliate programs are meant to be mutually beneficial; brands get traffic funneled to their sites and their affiliates can earn a profit by providing that service.

Most Internet affiliate programs prohibit enrollees from using trademark-infringing domain names, yet many are doing just that.

Rather than using their unique affiliate identifiers to post links, cybersquatters are registering domains that contain a famous trademark or a typographical variation of one and redirect visitors to the very Web site that they expect to find. They then collect a commission once a sale is completed or once a visitor requests information. Some banks, for example, will pay Internet affiliates a commission as high as $30 each time a referred visitor submits a credit card application.

The best way to understand the practice of affiliate fraud is to actually see how it works.

One example is a typo of the large US cable operator “Comcast”—COMCASFT.COM—which redirects to a Comcast authorized retailer who pays commissions for referrals. When you enter COMCASFT.COM, you will see it eventually resolves tohttp://www.comcastadvantage.com/index.html?PID=cj:1735985. “cj: 1735985” identifies who should get paid the commission and—you guessed it—that person is the owner of COMCASFT.COM.

According to Comcast’s affiliate program terms, leads like this are worth as much as $35, which is many times more than the 50 cents or less that cybersquatters typically receive per click on the PPC sites that we’re all familiar with.

Unlike redirecting infringing domains to a PPC site loaded with ads, this scam delivers a more fluid online experience and a completely expected result to the end user; end users are less likely to recognize this as an infringement and many will simply assume that the legitimate company has done the redirecting. In-house counsel and brand protection companies of all kinds also typically fail to detect this use. As a result, this practice often flies under the radar of enforcement. That, along with the fact that it is a particularly lucrative endeavor, makes this practice extremely appealing to cybercriminals.

Bloomberg News recently reported that Verizon won $33.2 million in a lawsuit against OnlineNIC, an Internet services company, that it claimed had registered hundreds of domain names with Verizon trademarks. Evidently, Verizon’s brands weren’t the only ones targeted. Nearly a million cybersquatted domains were identified, and they included many of the best-known brand names.

It’s great that OnlineNIC took a hit for their cybersquatting practices, but there really are so few of these large-scale cybersquatters out there. The majority of infringements are held by “small time” cybersquatters, hobbyists who only own a few names. The ACPA’s current statutory damage range per domain name is rather low—this requires brand owners to identify cybersquatters with large numbers of infringements in order for the award to offset the cost of filing the complaint. As a result, the vast majority of cybersquatters seldom fall into an ACPA complaint and the sort of large damage award seen in the Verizon case is a rarity.

As I told SC Magazine, cybersquatting is really about death by a thousand cuts. Take for example the 239 typo variations that are just one character off of “facebook” in the dot-COM, dot-NET, dot-ORG, dot-BIZ and dot-INFO extensions. These domain names are registered under 163 different registrants. That is just 1.46 domains per registrant. We treated each privacy-protected registration as a unique registrant to make this calculation.

I find that large-scale cybersquatters tend to have some of the least attractive infringements. They hold vast quantities of marginally attractive infringements that receive meaningful traffic only when you add up the traffic from each. Interestingly, I often find that hobbyists own the best infringements—the ones that get the most traffic—because they were first to the feast and gobbled up a potent set of the most intuitive combinations and common typos ahead of the large-scale operators.

There needs to be an adequate deterrent to prevent cybersquatting in all its forms—cybersquatting even one domain name should be a risk that no one would want to take.