Gimme Shelter: Can New gTLDs Protect Your Business from Cyber Attacks?

Most of us are pretty familiar with the concept of a hacker attacking a website – and, in fact, downloadable tools to help hackers break into a site and steal information are readily available.  But what happens when a top-level domain registry is hacked, as appears to have been the case for Google’s Palestinian domain earlier this week?

From what TechCrunch reported as of Monday morning, “…it seems that Google’s Palestinian domain was hijacked and redirected to another server altogether. How that was done, exactly, is unclear. One current theory is that Google’s top-level domain provider for the region was compromised, allowing hackers to point the domain somewhere else.”

The Trouble with some ccTLDs

Tuesday The Washington Post’s tech blog, The Switch, posted Google’s response: “Some users visiting google.ps have been getting redirected to a different website; Google services for the google.ps domain were not hacked. We’re in contact with the organization responsible for managing this domain name so we can help resolve the problem.”

So how do companies like Google ensure that they have a back-up in case of malicious attacks on the domain registry in a particular region or country?

Phil Lodico, Managing Partner at FairWinds, explained that “some ccTLDs present a greater risk for being hacked than others. For example, when the root servers for a ccTLD are located at an institution without top-tier security, perhaps a university, for example, the likelihood that the server will be compromised is higher.”

Owning a .BRAND Can Help Protect Your Business from Cyber Attacks

Lodico went on to explain that new top level domains, specifically .BRANDs, not only present an infinite number of opportunities for their owners and customers, but also offer a new level of security for brand owners and their customers. “By running a .BRAND – or moving from BRAND.country to country.BRAND (after making the appropriate arrangements per the New gTLD Applicant Guidebook) – companies can build their sites on a more robust infrastructure and ultimately a more secure platform.”

Because Google applied for and is likely to win .GOOGLE, the Internet giant could (and we would guess is likely to) redirect or relocate  geographic or regional content related to a country within the .GOOGLE space – and avoid redirects like the one experienced by google.ps earlier this week.

 

What About Baidu?

Google’s been up to a lot lately: It recently signed on to an intellectual property best practices document aimed at cutting off ad revenue to cybersquatters. Its investment in new generic top-level domains (gTLDs) will (or won’t) come to bear soon. It announced the launch of Chromecast. And it continues to generate privacy issue buzz with Google Glass.

So what’s Baidu, China’s answer to Google, up to these days?

As Bloomberg reported at the end of July, Baidu is doing very well financially. “The Bloomberg China-US Equity Index of the most-traded Chinese stocks in the U.S. rose 3.3 percent last week to 92.88. Baidu, which reported second-quarter profits after buying a mobile application store earlier this month, jumped 15 percent in each of the past two weeks, beating forecasts. NQ Mobile Inc. (NQ) posted a record 11-day winning streak as it formed a partnership with Baidu. Online fashion retailer Vipshop Holdings Ltd. (VIPS) surged 13 percent after an analyst said it may be acquired.”

As far as new gTLDs, Baidu applied for .BAIDU. Like the monsters in this summer’s blockbuster “Pacific Rim”, is this an indication that the Chinese search giant is planning to cross the ocean and battle Google on its own turf? Possibly, though the Chinese company could also be securing the space defensively, atleast initially, in order to try to prevent it from falling into the wrong hands. Last month, in its latest communiqué, the Governmental Advisory Committee (GAC) recommended that the Internet Corporation for Assigned Names and Numbers (ICANN) delay processing applications for certain new gTLDs such as .GUANGZHOU, .SHENZHEN, .SPA and .YUN  “until the agreements between the relevant parties are reached.”

While the relevant parties (the applicants hoping to run one of these new gTLDs in the future) duke it out, Baidu has taken it upon itself to release an “Anti-Fraud Guide for Eight High Risk Areas on the Internet.” According to a recent post on danwei.com, a site that tracks Chinese media outlets, the Beijing Evening News devoted serious real-estate to breaking down the information in the guide, informing readers that websites involving “financial management, value recharge, pharmaceuticals, online shopping, ticket bookings, after-sales services, express delivery, and prize draws” are the top eight types of websites to be wary of when navigating the Internet.

China

The guide goes on to cite data from the Anti-Phishing Alliance of China, including the disturbing finding that 30 percent of all online shoppers have been victims of scams AND that over “60 million netizens had already lost money to online fraudsters.” This is particularly relevant to note because of the possible connection between the new, large, swaths of Internet real estate – new gTLDs – and cybersquatting, which can be connected to other cybercrimes like phishing.

The introduction of new gTLDs, particularly those that involve brand names, could represent a significant development in the fight against this type of online scamming and abuse. For example, the applicant behind the new gTLD .PHARMACY is likely to only allow licensed pharmacies and other trusted entities in the industry to register .PHARMACY second-level domain names, thereby creating a safe and trusted space for consumers. Similarly, the applicant behind the new gTLD for .BANK is likely to only allow legitimate financial institutions to register .BANK domain names.

Even new “branded” gTLDs like .NIKE could help consumers in China and around the world know, for sure, that they’re buying genuine goods and not counterfeit items – no matter which search engine they use to find those goods.

What a Difference a Dot Makes: Don’t Overlook The Last Two Letters

Our own Josh Bourne recently published a piece on the Blackberry Z10 and the surprising fact that Blackberry did not own www.Z10.com.

Last week, as phablet fans in the United States awaited the arrival of Samsung’s Mega this Friday (it was first released in South Korea, Europe and Russia), an intrepid analyst here recently discovered that samsu.ng is not owned by the tech manufacturer. Instead, according to the WHOIS database, samsu.ng (which takes advantage of the ccTLD .ng of Nigeria) is registered to Howard Ku and resolves to a pay-per-click site that showcases links to the “latest Samsung phone,” and to “Samsung Galaxy apps”.  Could be worse – the site could show links to Apple smartphones, right?

So do all brands overlook the last two letters of their name when capturing key Internet locations?

Of the top 100 brands we researched, only three companies have used ccTLDs to create clever and intuitive domain names: pep.si points to the Pepsi Pulse page, ninten.do points to the Country locator for Nintendo,
and phili.ps points to the official Philips homepage.

After analyzing the WHOIS data for each domain, we confirmed that the target company owned each domain name. Other major companies do own domain names containing ccTLDs such as swat.ch and vi.sa, which match their brand names; however, the given domain names do not point to relevant official content.

We did find instances of domain names that contain both a brand name and, thanks to the dot placement, a ccTLD, that are used by either a different company or a third party who may be attempting to capitalize on the brand’s image. Here are some examples:

  • The m.tv site features a pay-per-click site with links to cellular providers and deals. This could be costly to MTV in the future, particularly if it hopes to build a stronger online presence. A WHOIS lookup confirms that the registrant is Tien Chau, not MTV.
  • The domain name b.mw points to a hosting site, which indicates that the given domain name is for sale for US $1,250,000.
  • Pampe.rs points to a blank page, which alerts the viewer that he or she is  “Executing in an invalid environment for the supplied user,” and the registrant information is privacy protected on DomainTools.

And finally, the domain names of other brands in the Fortune 100 with ccTLD ‘endings’ are already registered by the corresponding Fortune 100 brand but do not resolve. It’s possible that the owners may not know the intrinsic value of these domain names – like cocaco.la, adid.as, and hyund.ai.

If these companies simply redirected the page to an existing homepage – an action that requires minimal resources – additional (even if minimal) traffic to these sites could be captured.

TRADEMARK REGISTRATION FOR YOUR NEW gTLD? MAYBE…

The United States Patent and Trademark Office (USPTO.gov) has proposed that certain new dot-brand gTLDs could be eligible for registration as trademarks – if the gTLDs meet certain criteria.  These criteria include owning a prior registration for the exact mark of the TLD, proving that the mark is famous, and showing that “legitimate services for the benefit of others” are provided under the gTLD.  As expected, dot-generic gTLDs are excluded since they don’t function as trademarks.

While this may seem novel, some of this is really just old wine in new bottles. It has always been the rule that use of a brand solely for a company’s own marketing initiatives does not function as a trademark and is not eligible for registration. Why? Because marketing and promotion are technically not “services” provided to customers. However, in the context of new gTLDs, this may mean that a closed registry – one in which only the brand owner may register domains – might be excluded under the USPTO’s rules if its only purpose is to promote the company’s products. On the other hand, if the gTLD is opened up for use by the company’s distributors, partners, customers, etc., or if the company uses the gTLD to actually make online sales or provide support services, then its use may be “for the benefit of others” and registration will be considered.

The next question is why the owner of a prior trademark registration for the identical mark would care about getting a new registration – which only adds the dot (the one that appears before the gTLD). This may be a tougher question to answer and will depend on whether the brand owner wishes to protect its mark for some new service which is being offered under the gTLD (ex. domain-name registration or registry services, vanity email addresses, etc.).  However, if the goods or services provided under the new gTLD are exactly the same as those covered by prior trademark registrations, a brand owner could choose to forego the new gTLD mark and save some money.

Since the USPTO proposal is currently open for public comment, the final version may change from what’s been proposed. This should be an interesting process to watch even though, in the end, it will only affect a very small number of trademark applicants.

Dive, Dive, Dive!

A recent UDRP case handled by the National Arbitration Forum (NAF) should serve as a lesson to other potential complainants that the UDRP is not the place to air one’s dirty corporate laundry. The complaint, which was filed by MSubs Limited against Marlin Submarines/Paul Moorhouse over the domain names marlinsubs.com and msubsltd.com, was ultimately denied, but featured heated arguments and serious accusations from both sides.

MSubs (Complainant) operates a business in the manufacturing and sale of specialized submersible vessels. In its filing, the Complainant states that:

  • It was given the rights to the MSUBS and MARLIN SUBMARINES marks in the UK and the US by the Respondent after incorporation.
  • The Respondent was a former director for the Complainant, responsible for all intellectual property for the company.
  • The Respondent registered the domain names on November 1, 2012 but was removed from his position on November 30, 2012.
  • The Respondent then went on to create a competing business, making use of the domain names and copying text from the Complainant’s websites.
  • The Respondent is trying to pass itself off as the Complainant, after leaving the company on bad terms.

In response, Marlin Submarines/Paul Moorhouse (Repondent) stated that:

  • The Complainant has no rights to the use of the MSUBS and MARLIN SUBMARINES marks, which still belong to him.
  • He has run a business using the MARLIN SUBS mark since 1979 and has designed submarines since 1983.
  • He has the right to carry on as a submarine builder just as he had done for decades prior to the Complainant’s creation.
  • The Complainant is owned by Submergence Group LLC and operates using that name, not by either of the aforementioned marks.

In its decision, the NAF Panel had to consider the preliminary issue of whether this was a business dispute beyond the scope of the UDRP. It ultimately came to the conclusion that, given the fact that the UDRP arguments play a secondary role to the main ongoing business issue, the case falls outside the scope of the UDRP. The purpose of the UDRP is to combat abusive domain name registrations – it is not meant to be used to resolve complex trademark disputes or questions of contractual interpretation or corporate ownership.

As a result, the Panel had no choice but to deny the complaint and to order that the domain names remain with the Respondent. Given the nature of business, it’s not uncommon to see relationships sour, for allegations to be made, and for things to get messy.  However, this case should serve as a reminder that the UDRP is not the place to try to resolve such issues.

New gTLDs Security Study Released – Delays Up Ahead

The results of a new study on the security risks of proposed new generic top-level domain (new gTLDs) names likely will lead to delays of many new gTLD applications by at least four months. The majority of new gTLDs are “low risk” and got the green light to proceed, although these “low risk” applicants must still wait 120 days after signing their contracts before they can activate any domain names in their gTLDs. Higher risk applications could be delayed longer.

It is common practice among enterprises to use extensions that look like gTLDs when creating and naming networks, and so the Internet Corporation for Assigned Names and Numbers (ICANN) commissioned this security study to look into instances where conflicts occur. In some cases, such a conflict could cause users to be redirected to different locations if networks are not properly secured, but in more extreme cases, these conflicts could result in increased opportunities for hackers to penetrate corporate networks.

Based on the number of conflicts found, categorized each as “low risk” or “high risk” for confusion. The study was unable to find enough information on certain gTLDs, which were labeled as “uncalculated risk”. ICANN’s recommendations for each category is as follows:

  • gTLDs categorized as “low risk” can proceed to delegation, though applicants must wait 120 days after signing the Registry Agreement before they can activate any domain names in their gTLD.
    • This applies to 80 percent of the total applied-for strings.
    • Because all applicants must also complete pre-delegation testing and request delegation from IANA after signing the Registry Agreement before they can delegate and begin actively using their gTLD, the 120-day delay is unlikely to substantially delay the delegation of these gTLDs.
    • After the gTLD is delegated, applicants must wait an additional 30 days before activating domain names. During this time, if any conflicts mentioned above occur, the applicant (now the gTLD Registry Operator) is responsible for notifying the points of contact of the IP addresses that make conflicting requests.
  • gTLDs categorized as “uncalculated risk” will not proceed to delegation until they have been further studied; ICANN expects these additional studies to take an 3-6 months to complete.
    • This applies to 20 percent of the total applied-for strings.
    • These gTLDs are likely to experience delays longer than the aforementioned 3-6 months, since it’s likely that they’ll have to implement additional mitigation measures as well.
  • The two “high risk” gTLDs will be delayed indefinitely until something can be done to place them in the “low risk” category.
    • This applies to .HOME and .CORP

This is a good topic to bring up with your IT department. ICANN’s recommendations are currently up for public comment on ICANN’s site.

Ghosts of Past Complaints

Microsoft Corporation recently experienced success after filing a UDRP complaint with the National Arbitration Forum disputing 13 domain names containing a number of its trademarks. The respondent, simply listed as “Admin” from the Republic of Korea, failed to submit a response, but this was not why the NAF Panel ruled in favor of Microsoft. Even with no reply from a respondent, a complainant must still prove the three elements of the UDRP:

  1. the domain name registered by Respondent is identical or confusingly similar to a trademark or service mark in which Complainant has rights; and
  2. Respondent has no rights or legitimate interests in respect of the domain name; and
  3. the domain name has been registered and is being used in bad faith.

In considering all of the domain names included in this complaint, the Panel found them to be confusingly similar to marks owned by Microsoft, specifically WINDOWS, WINDOWS XP, WINDOWS AZURE, and MICROSOFT. Neither the fact that the respondent resides in Korea, the subtraction of the letter “s”, or the addition of a generic word or number made a difference to the Panel and it cited an unusually large number of previous UDRP cases in explaining its decision.

  • See W.W. Grainger, Inc. v. Above.com Domain Privacy, FA 1334458 (Nat. Arb. Forum Aug. 24, 2010)
    • “the Panel finds that USPTO registration is sufficient to establish these [Policy ¶ 4(a)(i)] rights even when Respondent lives or operates in a different country.”
  • See Am. Int’l Group, Inc. v. Domain Admin. Ltd., FA 1106369 (Nat. Arb. Forum Dec. 31, 2007)
    • “spaces are impermissible and a generic top-level domain, such as ‘.com,’ ‘.net,’ ‘.biz,’ or ‘.org,’ is required in domain names.  Therefore, the panel finds that the disputed domain name [<americangenerallifeinsurance.com>] is confusingly similar to the complainant’s [AMERICAN GENERAL] mark.”
  • See Royal Bank of Scotland Grp. plc et al. v. Demand Domains, FA 714952 (Nat. Arb. Forum Aug. 2, 2006)
    • “The Panel finds that merely by misspelling Complainants’ mark, Respondent has not sufficiently differentiated the <privelage.com> domain name from the PRIVILEGE mark under Policy ¶ 4(a)(i).”
  • See Gillette Co. v. RFK Assocs., FA 492867 (Nat. Arb. Forum July 28, 2005)
    • finding that the additions of the term “batteries,” which described the complainant’s products, and the generic top-level domain “.com” were insufficient to distinguish the respondent’s <duracellbatteries.com> from the complainant’s DURACELL mark
  • See Am. Express Co. v. MustNeed.com, FA 257901 (Nat. Arb. Forum June 7, 2004)
    • finding the respondent’s <amextravel.com> domain name confusingly similar to Complainant’s AMEX mark because the “mere addition of a generic or descriptive word to a registered mark does not negate” a finding of confusing similarity under Policy ¶ 4(a)(i)
  • See also Warner Bros. Entm’t Inc. v. Sadler, FA 250236 (Nat. Arb. Forum May 19, 2004)
    • finding the addition of generic terms to Complainant’s HARRY POTTER mark in the respondent’s <shop4harrypotter.com> and <shopforharrypotter.com> domain names failed to alleviate the confusing similarity between the mark and the domain names
  • See Dell Inc. v. Nelson laptopshoppe, FA 1469084 (Nat. Arb. Forum Dec. 5, 2012)
    • “Complainant contends that Respondent’s <delllaptopstore.com> domain name is . . . incorporates the DELL mark and adds the descriptive terms “laptop” and “store.” The Panel finds that the addition of descriptive terms does not distinguish Respondent’s disputed domain name from Complainant’s DELL mark.”

It’s a great victory for Microsoft to have recovered so many domain names in one UDRP complaint. It was also interesting, though, to see a Panel refer to so many previous UDRP complaints. It goes to show both how well established the UDRP is and how many precedents have been set by past cases and panelists. It is also a great learning opportunity for potential UDRP complainants to get some insight into how their cases might be viewed based on similar cases from the past.