Copycat domains pose security risk

With the Internet having planted itself firmly in the middle of today’s business arena, protecting your organization’s reputation now means going beyond the physical world and into the digital realm.

In the virtual world, a company’s domain name is the gateway to its Internet presence, and protecting that name is becoming more apparent as phishers continue to trick users by using domains that closely resemble popular corporate domain names.

Many of these copycats are up for sale on some domain name reseller sites such as and, according to Mikko Hypponen, chief research officer at Helsinki-based Internet security firm F-Secure Corp. These sites often act as a middleman for people who have registered these domains, only to put them up for sale to the highest bidder.

“There is nothing wrong in reselling cool domains like, or to anyone who wants to buy them,” wrote Hypponen on his F-Secure blog. “But how about reselling domains that obviously belong to banks or other financial institutions?”

Domain names like, and were some of the domains being resold at

The more obvious purpose for buying such domains, said Hypponen, is to conduct phishing trips that trick users into believing that these are legitimate sites of their financial institutions.

This practice is easy to carry out, since the domain registration process doesn’t usually include stringent background checks.

Whether the person or entity registering a domain can pay for it is frequently the only criteria involved, explained the F-Secure executive in an interview with ComputerWorld Canada.

The process is different with top-level domains such as .gov or .mil, however, which usually involves background checking and verification of legitimacy before any such domain extension can be granted, said Hypponen.

Firms such as and of Pampano, Fla., operate in an industry that brings in an estimated US$1 billion in registration fees annually. The registration price is usually US$10 but some names can easily resell for over six figures, such as which Moniker sold for US$1.69 million recently.

While the potential for fraud exists, it is not the job of domain resellers to go after phishing operators, according to Monte Cahn, president and CEO of The firm handles some 1.5 million domain names. “It’s not our job to police the industry,” he said.

The domain reseller, however, said they have policies in place to ensure that complaints against spam and fraud are investigated. “If we receive a complaint we investigate, and if evidence warrants, point out the site to authorities.”

F-Secure’s Hypponen suggests that organizations, especially financial institutions that have an online presence, should remain vigilant on the Web.

“One way to safeguard (your company) is to try to monitor the list of newly registered domains or domains that are being resold (on the Web), for example, searching your own company name at a site like And if you see these things being sold, buy them,” said Hypponen.

This may not be the most ideal solution, but it can be a short-term remediation to the problem, he added. The price for second-hand domains sold on reseller sites range from $100 to several thousand dollars.

As always, user education is vital to maintaining your business’s online integrity and the more informed your customers are about the risks of phishing attacks, the smarter they will be about their Internet transactions.

“Make sure that [your users] know the right URL and…not to follow links from e-mails,” said Hypponen, noting that banks today are “doing a pretty good job” in educating their customers.

There are also some legal remedies that Canadian organizations can resort to if they believe their name is illegitimately being used for unscrupulous deeds on the Internet, according to Toronto lawyer Jason Young, an associate at Deeth Williams Wall LLP.

The dispute resolution process of the Canadian Internet Registration Authority can be an avenue for companies to file complaints against individuals or entities trying to imitate their names on the Web, Young said.

Firms bringing the complaint must be able to prove three things: that the domain in question is “confusingly similar to the complainant’s mark;” that the registrant in question was acting in bad faith at the time of registration, such as whether he or she registered the domain with the purpose of selling it; and that the registrant has no rights in Canada.

“If the registrant has a legitimate reason for registering that domain name, they still may, in the end, be successful in keeping it,” Young explained. For instance, by using a company’s acronyms in its domain name, such as CIBC for the Canadian Imperial Bank of Commerce and BMO for Bank of Montreal, there’s a good chance these firms will have a similar domain name as another legitimate organization with the same acronym.

Many of the complaints in Canada, however, end up getting settled before they go into the formal dispute resolution process to save both parties time and money, said Young.

QuickLink 069163

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now