Cybersquatting: When the Battle for Domains Turns Ugly
Luxury brands are popular targets for cybercriminals; one is just as likely to encounter a trunk-full of phony name brand products online as on the streets of New York City. Not only can online fraud tarnish the brand equity of any luxury retailer, it comes with a hefty price tag. According to the International Trademark Association, over $460 billion of counterfeit goods were bought and sold last year, mostly online. And the problem doesn’t end with phony goods–sometimes luxury names are used as lures for other kinds of crime, such as credit card theft, with or without delivery of faux items.
One way cybercriminals commit this type of fraud is by luring unsuspecting consumers to impostor websites to purchase counterfeit goods. They do this by abusing the Domain Name System (DNS), a critical part of the underlying infrastructure of the Internet that connects fully qualified domain names (e.g. www.ralphlauren.com) to the numeric IP addresses associated with the site. Just like regular company trademarks, domain names are considered authentic online brand ambassadors by both corporations and their customers, and as a result, they are increasingly targeted by cybercriminals.
DomainTools teamed up with Farsight Security to take a closer look at four major international luxury brands (Burberry, Cartier, Gucci, and Prada) and learned the extent of potential abuse of their brand by counterfeiting and other malicious activities.
Below, we outline the findings of our report, “Luxury Brands, Cheap Domains: Why Retailers Are Losing The Fight Against Online Counterfeiting”.
The Problem: How Do “Bad Guys” Abuse DNS to Commit Fraud?
While every major brand owns its “flagship” domains (e.g. cartier.com, prada.com, burberry.com, gucci.com), there are many other top-level domains (TLDs) and brand variations that non-brand owners use to register impostor domains. Cybercriminals often register a domain name that is close to a targeted brand such as “cheapcartier.com” or “prada-handbags.cn”. They are confident that consumers will overlook their intentionally misspelled or otherwise slightly modified variation, and trust that the site is legitimate. Due to the availability of inexpensive domains, criminals will often register, use, and abandon new domains within minutes.
Findings: Burberry, Cartier, Gucci, and Prada
After a deep dive into potential fraudulent domains that are targeting Burberry, Cartier, Gucci, and Prada (e.g. any website with the term “Burberry”, “Prada”, etc.), we discovered each brand had its name included in thousands of domain names. Some of the names had more “incidental” occurrences than others—for example, “Prada” is a string of letters that can sometimes occur as part of entirely unrelated words. But, even controlling for domains owned by the brand-holder and domains that are incidental “by-catch,” there are thousands of domains containing each brand that do not have any connection to that company. Here are some troubling stats from our research:
- Gucci: More than 3,100 domains with “Gucci” are not registered by the company
- Prada: More than 4,366 domains with “Prada” are not registered by Prada
- Burberry: More than 1,100 domains with “Burberry” are not registered by the company. Incidentally, 537 of the domains are one year old or younger
- Cartier: More than 1,800 domains with “Cartier” are not registered by the company. Many are registered with privacy services both legitimate and improvised (such as the 17 domains registered to “Ano Nymous”)
Guidelines for Retailers
- Don’t immediately pursue a takedown. Takedowns can be tricky for several reasons. Some locales or jurisdictions may not be especially cooperative with enforcement activities, so you could spend a lot of time and effort on an ultimately frustrating mission. If you do wish to take action, a logical first stop is with the abuse contact from the domain’s registrar (found in the Whois record). Procedures such as the Uniform Domain-name Dispute Resolution Policy (UDRP) can bring relief but can be complex and time-consuming to carry out.
- Don’t try to purchase all domains containing your brand By adding any of the possible word combinations to the brand that are related to the process of commerce (e.g. “shoe”, “outlet”, “sales”), a given brand could easily have 100,000 or more possible domain names each. There are too many possible domains to purchase, and that won’t stop fraud from occurring. However,
- Do be strategic about which combinations of name and TLD are most valuable, and protect those. You may wish to use services that measure web traffic to determine which impostor domains are receiving high levels of traffic.
- Do keep track, and litigate if necessary Gucci America, Inc. recently won judgments worth more than $9 million against a group of nearly 100 web sites selling knock-off merchandise. Sites that used “Gucci” in their domain names were ordered to pay additional damages totaling $110,000.