Domain squatting is a versatile and highly prevalent cyber threat tactic used by digital adversaries to impersonate your brand, divert traffic away from your website, and defraud your users, fans, and customers.
In this week’s blog post, we’re taking a deep dive into the world of domain squatting. You’ll learn what domain squatting is, how it works, and how you can protect your company and brands from cyber criminals with the bad faith intention to abuse your trademarks, defraud your community, and damage your reputation.
What is Domain Squatting?
Domain squatting, also known as cybersquatting, takes place when a cyber adversary either:
- Registers an Internet domain name containing your name, company name, or trademark with the bad faith intent of selling it back to you at an inflated price, or
- Registers an Internet domain name that resembles your personal or business domain with the bad faith intent to divert traffic away from your domain and/or defraud your employees and customers.
How Does Domain Squatting Work?
Domain squatters can generally be separated into two categories: opportunistic and malicious.
For opportunistic domain squatters, the goal is to register new domains that include the names of rich companies or celebrities, then sell the domains back to the targeted entities at inflated prices.
Opportunistic domain squatters do things like:
- Monitor listings of soon-expiring domain names to identify squatting opportunities,
- Register domains that include the names of upcoming celebrities and early-stage companies, and
- Monitor listings of recently registered corporations and attempt to register domains in their names.
For a malicious domain squatter, the goal is to register a domain that allows the squatter to impersonate the targeted organization, divert its web traffic, and launch cyber attacks against its employees and customers.
Malicious domain squatters use techniques like:
- Typosquatting – The squatter registers a variation of the target domain name that contains a slight typographical error.
- Homograph Squatting – The squatter abuses the Internationalized Domain Name (IDN) registration process, registering a variation of the target domain where one or more characters are replaced with visually similar characters in another language.
- Homophone Squatting – The squatter registers a variation of the target domain name, replacing a word or sound in the target domain name with a similar-sounding word. Homophone squatting is becoming increasingly prevalent as text-to-speech search platforms like Amazon Alexa and Google Assistant grow in popularity.
- TLD Squatting – The squatter registers a domain with an identical or similar name to yours, but on a different top-level domain (TLD).
- Combo Squatting – The squatter registers a variation of the target domain name where a word like “payment”, “verification”, “support” or “rewards” appears in the URL. For example, a squatter wanting to impersonate ACME Bank’s customer support department might attempt to register a domain like “ACME-support[.]com”.
- Level Squatting – The squatter registers a domain that includes the target’s domain name as a subdomain. Mobile users are especially vulnerable to level squatting attacks, as the address bar on a mobile browser may not be wide enough to display the entire URL.
While opportunistic cybersquatters attempt to sell domains back to companies for an inflated price, malicious domain squatters use the domains they create to launch cyber attacks. Malicious domains have been used to support phishing campaigns, distribute malware, execute command-and-control (C2) attacks, capture sensitive data, and fraudulently generate advertising revenue.
Is Domain Squatting Illegal?
Domain squatting is illegal in the United States under the Anticybersquatting Consumer Protection Act (ACPA), 15 U.S.C. § 1125(d), passed in 1999.
The ACPA allows the owner of a distinctive trademark to take legal action against a domain name registrant who registers a domain name that is either identical or “confusingly similar” to a distinctive trademark, and who has a bad faith intent to profit from the mark.
An ACPA claim often succeeds if:
- There is a distinctive trademark,
- The defendant’s registered domain name is confusing similar to the trademark, and
- The defendant registered the domain name with bad faith intent to profit from the trademark.
Winning an ACPA claim can be a lengthy and expensive process. ACPA claims can also be complicated by extenuating circumstances, such as when the domain registrant lives outside of the United States, or when the defendant successfully argues “fair use” of the trademark.
Domain Squatting Examples You Should Know
Kevin Spacey (1996-2002)
Actor Kevin Spacey was born in 1959 and had already won his first Academy Award when his namesake domain “kevinspacey.com” was registered by a Canadian company called “Alberta Hot Rods” in 1996.
Following the introduction of the ACPA act in 1999, Spacey attempted to reclaim his namesake domain by suing Alberta Hot Rods under the ACPA. The company was using the domain to operate an unauthorized fan club that ultimately directed traffic to the company’s primary website, “celebrity1000.com”.
Spacey’s ACPA lawsuit was eventually dismissed due to the lack of jurisdiction over an American company. Still seeking a resolution, Spacey brought his claim to the National Arbitration Forum (NAF) which eventually decided in his favor.
Key Lesson: In this case of domain squatting, the NAF found that Alberta Hot Rods had no permission or rights to use the name “Kevin Spacey”, and that using the name to misleadingly divert users to their own website constitutes “bad faith intent”. The ACPA works best when the defendant lives in the United States.
.CM/.OM Typosquatting (2018)
A clever and creative typosquatting threat was documented in 2018 that utilized country code top-level domains (ccTLDs) to target users who misspell the world’s most popular dot-com domain names.
The country-code top-level domain extensions “.cm” (Cameroon) and “.om” (Oman) are both typos of “.com”. Domain squatters have registered domains like “espn.cm” and “itunes.cm” to divert and defraud users who misspell these common domain names when typing them into the URL address bar of their browser.
Journalist Brian Krebs reported that dot-cm typosquatting websites were visited more than 12 million times in 2018.
Key Lesson: More than 200 ccTLDs have been added over the past decade, massively increasing the number of available domain names and expanding the attack surface for domain squatting attacks.
How to Protect Against Domain Squatting
Register the Domains You Need (Even Before You Need Them)
The first and most important way to protect yourself against a domain squatting attack is by registering the domains you absolutely need for your business or personal brand. Even if you’re not planning to build a website right away, simply owning the domain name prevents anyone else from hijacking it.
It’s also important to list yourself as the owner of record to ensure that nobody else can hold your domain name hostage against your will.
If you’re registering an LLC before you own the corresponding domain name, there’s a good chance it will be snapped up by an opportunistic squatter who may try to sell it back to you at an exorbitant cost.
Register Similar Domain Names
Once you’ve grabbed the domain name(s) you want, another step you can take is registering any domain names that are similar to yours. This will make it more difficult for cyber adversaries to successfully impersonate you or divert traffic away from your website.
As you work to register domain names similar to yours, you may wish to include:
- Domain names that are typographical errors of your domain name,
- Domain names that look similar to your domain name, with just one or two character differences,
- Similar or identical domain names under other top-level domains (e.g. dot-info, dot-co, dot-biz, etc.
Register Your Brand with the Trademark Clearinghouse (TMCH)
The Trademark Clearinghouse (TMCH) is a centralized database of verified trademarks maintained by the Internet Corporation for Assigned Names and Numbers (ICANN).
Registering your trademark data with the TMCH gives you first priority to register your trademark domain on newly released TLDs. It also gives you standing to respond to any domain squatting attacks you detect by launching a Uniform Rapid Suspension (URS) with the National Arbitration Forum under the Uniform Domain-Name Dispute-Resolution Policy (UDRP).
Monitor the Public Attack Surface
Cyber adversaries often host malicious domains in the deep web where they remain hidden from search engines but can still be accessed using conventional browsers. This allows cyber adversaries to hide their domain squatting infrastructure from cybersecurity professionals while they use it to carry out phishing attacks or deliver malware.
Modern threat intelligence platforms like ZeroFox leverage artificial intelligence to detect and identify domain squatting threats across the public attack surface, including the indexed, deep, and dark web.
How to Disrupt a Domain Squatting Attack
What do you do when your security team discovers a domain squatting attack against your business?
When you see a cyber adversary using a fraudulent domain to impersonate your brand and defraud your customers, it’s time to take action. Here are four steps you can take to disrupt the attack and protect the reputation of your business.
Contact the Domain Squatter
As a first step, you can try to contact the domain squatter. You can ask them to stop what they’re doing, try to purchase the fraudulent domain from them, or send them a cease-and-desist letter that asserts your intellectual property rights and directs them to stop impersonating your brand.
If the cyber attacker is determined to cause trouble, simple communication probably won’t solve the problem. In that case, it’s time to move on to the next step.
Contact the Domain Registrar and Hosting Company
A domain registrar is a company that handles the registration of Internet domain names, while hosting companies provide the servers that cyber adversaries use to host malicious domains.
Domain registrars have the power to remove or deactivate domains they’ve created, and they’ll usually do so if it’s clear that the domain is being used for nefarious purposes. As for hosting companies, malicious domains violate their terms-of-service and they’re usually happy to remove domain squatting infrastructure from their servers.
File a Complaint under UDRP
If you have registered your brand with the trademark clearinghouse (TMCH), you may invoke the UDRP by filing a complaint in court against the domain-name holder or submitting a complaint to an ICANN-approved dispute-resolution service provider.
Under the UDRP, disputes that arise from abusive registration of domain names (e.g. domain squatting abuses) can be resolved through an accelerated administrative process initiated by the trademark holder. This allows trademark holders to fight back against domain squatters without the time, cost, and complexity of taking legal action or winning in arbitration.
Sue the Domain Squatter Under the ACPA
As an alternative, or in addition to filing a UDRP complaint, you may choose to sue a domain squatter under the ACPA. Here’s the difference:
When you succeed in a UDRP complaint, the domain registrar may be compelled to cancel, suspend, or transfer the domain name – but that’s the extent of the remedy that you can receive. If you wish to claim statutory damages and hold domain squatters truly accountable, you’ll need to seek a legal remedy under the ACPA.
Plaintiffs suing domain squatters in the United States can seek statutory damages of between $1,000 and $100,000 for each domain name registered in bad faith by the defendant.
Leverage ZeroFox Adversary Disruption and Takedown-as-a-Service
The ZeroFox platform provides access to adversary disruption and automated takedown services that take action on your behalf to address the root cause of a digital threat.
Once a domain squatting attack has been identified and validated by our global analyst team, ZeroFox acts on your behalf to disrupt and dismantle the fraudulent infrastructure before it can be used to harm your business, employees, or customers.
Detect and Disrupt Domain Squatting Attacks with ZeroFox
ZeroFox provides enterprises digital risk protection, threat intelligence, and adversary disruption services to dismantle external threats across the public attack surface, in one comprehensive platform.
Ready to learn more?
Request a Demo and see how ZeroFox helps you fight back against external cyber threats.
Or, watch our free on-demand webinar ATT&CK or Be Attacked: Using Threat Intelligence to Disrupt Targeted Threats to Your Brand’s Perimeter to learn more about the tactics used by cyber adversaries and how you can discover, disrupt, and dismantle threats to your brand.