Dealing with cybersquatting: the wisdom of thinking ahead


David Weslow and Ari Meltzer


As the ways to misuse domain names continue to evolve, trademark owners should consider modernising their anti-cybersquatting practices to adapt to these changes, say David Weslow and Ari Meltzer of Wiley Rein.

The introduction of new generic top-level domain names (gTLDs) has resulted in the creation of innovative and sometimes more secure uses for domain names. It has also coincided with new and, in certain cases, increasingly dangerous ways to use domain names for deviant purposes.

In the not-too-distant past, a trademark owner’s primary concern was that someone would register a similar domain name to trade upon the value of the trademark by displaying pay-per-click advertisements or a generic ‘for sale’ landing page. Today, the most problematic domain name misuses include spam, phishing, distribution of malware and bloatware, and other types of scams and cyberattacks.

1) The changing nature of domain name misuse

The elaborate ways persons with ill intent are using domain names to further their schemes continue to evolve. According to recent studies by information security firms, in certain new gTLD extensions, more than 95% of the issued domain names are being used for spam, phishing, distribution of malware and bloatware, and other types of scams.

The studies attribute this to the increased availability of domain names at low cost and the lax registration and anti-abuse policies of certain registries. Due to these factors, spam alone now accounts for up to 70% of the domains in certain new gTLDs, according to one study. But spam is far from the only problem.

Cybersquatted domain names have been used in furtherance of a number of recent high profile cybersecurity breaches. For example, in early 2015 Chinese hackers gained access to the names, social security numbers, and birth dates of more than 78 million customers of health insurance company Anthem. To facilitate the attack, the hackers reportedly registered the domain name, which looked like WellPoint, Anthem’s former name, and used an email address from that domain to entice an employee to click a link in an email designed to look like an internal message.

Later last year, a breach at the US government’s Office of Personnel Management exposed the social security numbers of more than 20 million applicants for federal positions along with usernames and passwords used to complete background information forms, the findings of some background interviews, and fingerprints. That breach apparently was facilitated through the use of the domain names and, which replicated legitimate government sites such as

In another recent incident, Twitter’s stock price shot up by more than 8% after a news article posted to a site displayed at the domain name claimed that “Twitter is working closely with bankers after receiving an offer to be bought out for $31 billion.”

The site, which was made to look like the real Bloomberg news site, was quickly taken down through the commendable action of the registry operator, but the impact the fake news article had on Twitter’s stock price may serve as an eye-opener.

Distribution of malware through domain name misuse is a particular focus of certain cybersquatters and criminal syndicates. Earlier this year, malefactors registered the expired domain names of internet advertising companies and reportedly used them to serve malicious software through third party advertisements displayed on the websites for The New York Times, Newsweek, BBC, and AOL, among others.

Once systems are infiltrated by malware, the threat to the domain name system (DNS) is far from over. A 2016 report by network equipment provider Cisco estimates that 91.3% of malware uses the DNS to gain command and control, exfiltrate data, or redirect traffic.

2) Yesterday’s advice for internet trademark protection is no longer appropriate

Just a few years ago, the conventional wisdom was that trademark owners could protect their trademarks online simply by defensively registering their marks across the most popular TLD extensions and engaging in aggressive monitoring and letter campaigns to target copycat domains.

With up to 1,400 gTLDs launched or launching, and increased use of country-code domains, third-level domains, and social media platforms, those strategies are no longer practical. The cost of registering a single mark defensively across all new gTLDs would run into the tens of thousands of dollars alone, not accounting for typos, which would push the costs into six figures or beyond.


Overzealous demand letter campaigns likewise can no longer be justified. Pursuing marginally problematic sites with a low likelihood of consumer or brand harm merely increases costs and is not necessary to protect the brand. For example, it may not be necessary to pursue a domain with an extension unrelated to the brand’s products/services and that is merely being used to display generic pay-per-click content, given the low risk of consumer confusion or brand harm.

Another popular defensive strategy from years past—sending automated or rote cease-and-desist letters—is similarly inappropriate and can raise issues of laches and acquiescence in subsequent enforcement efforts that are truly important to protect consumers and the goodwill that a company has established in its mark.

3) Best practices for modern times

Rather than rely on outdated tactics that can be ineffective and, in some instances, counterproductive, trademark owners should adjust their online enforcement strategies for the fast-changing online ecosphere.

As an initial step, trademark owners should register their marks with the Trademark Clearinghouse (TMCH). Registration carries a number of benefits. The owner of a mark registered at the TMCH has the opportunity to register the mark during the sunrise period for new gTLDs. Although it almost certainly will not make sense to register the mark in every new gTLD, the ability to register a domain name during the sunrise period can help avoid subsequent disputes.

The TMCH also provides a notification service, for a limited time following the launch of new gTLDs, to would-be registrants and to trademark owners, notifying the latter when a domain name corresponding to the trademark has been registered.

Trademark owners should be prepared to file complaints under the Uniform Rapid Suspension (URS) procedure, where appropriate, and a TMCH-validated mark can satisfy the trademark owner’s burden of establishing the validity of the trademark under the URS.

Trademark owners should also develop a strategy for very limited defensive registrations, focusing on the TLDs that are most likely to cause consumer confusion or harm to their brand.

For example, a hospital operator may want to register domain names corresponding to its trademarks in the .healthcare gTLD, but may not need to defensively register domain names in unrelated domains including .coffee or .dating. To complement limited defensive registration efforts, trademark owners should consider the various brand protection and domain name registration monitoring options.

Finally, and most important, trademark owners should develop in advance a protocol for prioritisation of the inevitable internet-related incidents that will arise. An effective protocol should include a procedure for identifying which domain name registrations merit action and for dealing with those names in the appropriate forum.

Based on the severity of the potential for harm, escalation options may include engagement with the registrar, registry, or other service provider, or pursuit of a URS, Uniform Domain-Name Dispute-Resolution Policy (UDRP), or judicial action. The protocol should also provide for consolidating actions for efficiency.

We have had success on behalf of a number of clients in the last year bringing consolidated court cases under the US Anticybersquatting Consumer Protection Act (ACPA) against dozens, or even hundreds, of domain names, in a single action. In other cases, where only one or two domain names are at stake, it may be more appropriate to bring an action under the UDRP and, in some cases, it may be appropriate to refrain from taking action.

Development of a protocol for prioritisation of domain name and internet issues will provide a clear roadmap of options, and will facilitate the avoidance of ad hoc decisions and unnecessary or overly aggressive enforcement actions.

Prioritisation protocols also facilitate the creation of internal records as to why certain domain names or sites were not pursued, reducing the potential for negative consequences in future enforcement efforts arising from prior inaction or partial action (such as sending a cease-and-desist letter but not pursuing the matter).

Although internet infringements and misuses of domain names are likely to continue, such incidents can be more readily and efficiently addressed by pre-event modernisation of online trademark enforcement protocols.

David Weslow is a partner at Wiley Rein. He can be contacted at:

Ari Meltzer is an associate at Wiley Rein. He can be contacted at:


Trademarks and Brands Online