Protecting Your Organization from Cybersquatting

No, this blog post is not about virtual yoga or Pilates! Cybersquatting (also known as domain squatting) is the practice of registering, trafficking in or using an internet domain name with a bad faith intent to profit from the goodwill of a trademark belonging to someone else. Cybersquatting raises cybersecurity concerns because hackers commonly register domain names that are confusingly similar to an organization’s domain name in an effort to trick employees or customers of the organization into clicking malicious links or providing credentials or other sensitive information. 

A hacker, for example, could register a confusingly similar domain to “discover-motors.com” such as “isaca.com” or “isaco.org.” Then a hacker wanting access to ISACA could send a phishing email from “isaca.com/password verification” to employees requesting that they verify their password by entering their username and password on a lookalike site. 

An extremely tricky version of cybersquatting, sometimes referred to as “script spoofing” or a “homograph attack,” involves registering domain names with special “Unicode” characters (e.g., Cyrillic, Greek, or Latin characters) that look almost identical to the standard English alphabet. For example, the English character “a” looks almost identical to the Cyrillic character “а,” but if “discover-motors.com” domain was registered with one Cyrillic “a,” it would be an entirely different domain name that is almost indistinguishable from ISACA’s.

Here are a few tips for organizations to help reduce the impact of cybersquatting and related techniques:

1. Register and trademark your domain: First, secure domain names relevant to your brand or business. Consider registering domains for longer periods to deter cybersquatters and set an electronic alert to remind you when you will need to extend your domain registration. Also, consider registering any trademarks related to the domain in order to establish legal rights to your brand.

2. Consider registering common misspellings of your domain: It is generally not feasible to buy every possible domain name that is similar to your organization’s domain name, but your organization should consider purchasing the most common misspellings before someone else does. Several websites purport to help you identify the most common misspellings of a domain name, like Domain Name Misspellings and Free Online Tools to Find Common Domain Misspellings. Other tools purport to help determine the degree to which a domain name can be spoofed.

3. Monitor for cybersquatting: Organizations should monitor for registrations of confusingly similar domain names both to protect their trademark and reduce cyber risk. There are many organizations that offer cybersquatting monitoring services, including MarkMonitor and BrandVerity.

4. Enable DMARC: Enable Domain-Based Message Authentication, Reporting and Conformance (DMARC) along with Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to help your organization protect its domain from email spoofing and phishing attempts by allowing it to specify how email authentication should be handled and providing insights into the email traffic using your domain. DMARC, SPF and DKIM enhance email security and help recipients verify the legitimacy of incoming email.

5. Train employees: Train employees to report cybersquatting and spoofed domains. Also reduce the impact of phishing through regular phishing exercises and email security solutions.

6. Respond to cybersquatting: If you identify cybersquatting, consult ICANN’s Uniform Domain-Name Dispute-Resolution Policy (UDRP). Ultimately, you may have to bring litigation against the improperly registered domain names themselves, seeking to have the court order that the domains be transferred to you. One option is to file a claim with the World Intellectual Property Organization (WIPO). Here is a good example of one such lawsuit filed in US federal court. In many instances, nobody will show up to defend these lawsuits and the court will enter a default judgment in your favor. But be prepared for the rare defendant that actually wants to litigate. 

Like other aspects of cyber and intellectual property crime, there is no silver bullet to preventing cybersquatting, but these techniques can significantly impact an organization’s risk. If you have questions or need additional information, please feel free to reach out on LinkedIn.