Domain name cybersquatting: the rise of fast flux DNS


Steven Levy, president of the Accent Law Group, takes a look at new threats facing internet users and brand owners seeking to protect their rights.

Cybersquatting has moved from being a risk primarily to one’s brand reputation and has entered a phase where it poses a cybersecurity threat.

In the olden days of cybersquatting (about two years ago) the worst thing you had to worry about was inputting a typo of your favourite brand and winding up at a pay-per-click website—a bunch of monetised links to third-party businesses. 

This takes advantage of users by confusing them into thinking they’ve arrived at some sort of sponsored directory site with helpful suggestions on where to go next.

New threat on the block?

Recently, a more sinister exploit called fast flux DNS (FFDNS) has been gaining ground among cybersquatters. 

Through this technique, users who type in the wrong domain name will find themselves quickly and automatically redirected through a series of other URLs and will ultimately land on a page that could be a legitimate business but could also be one that attempts to deposit malware onto their computer.

In the first scenario, the domain owner is likely seeking to gain affiliate revenue by forwarding users to the commercial site. 

In the second one, it may be getting paid to feed a criminal network that seeks to commit identity theft by infecting a user’s computer with a virus that can read sensitive information.

You've always wanted to visit new places!

Another feature of this FFDNS technique is that it rarely leads a user to the same final website twice. 

In an attempt to avoid detection by law enforcement, investigators, and brand owners, the initial cybersquatted domain often leads to a different series of redirects and final websites each time it is used. 

When it detects repeated visits from the same computer, it may eventually, and from then on consistently, redirect to something innocuous such as a search engine page showing results relating to the affected trademark.

When someone discovers a squatted domain name using FFDNS to redirect to a malware site, the next time they try going to that domain they won’t be able to get a screenshot to support a legal complaint.

While this problem is not completely new, it has spiked over the past six months and many cybersquatters (or their registrars) are shifting to FFDNS from pay-per-click pages.

One UDRP case, while not using the term FFDNS, referred to this as “a rotating number of websites”, some of which are “designed for phishing or distribution of malware”.

The panel held that using a domain name in this manner is not a bona fide service or offering of goods under the policy and does not provide any rights or legitimate interests to the domain owner.

It went on to find that the “respondent acted in bad faith by attempting to trade on the goodwill and reputation of the complainant’s trademark by operating websites that redirect visitors to competitor websites or to websites distributing malicious code”.

It's clearly bad faith but is it targeting your brand?

One issue that I expect will present itself in upcoming UDRP decisions is how to gauge bad faith when the domain comprises a generic term that also functions as someone’s trademark (for example, Apple or Dove).

With pay-per-click websites it's often quite clear that the domain is leveraging the value of the brand based on the nature of the links that appear on the page. However, with FFDNS it may be less clear when the user is redirected to a malware page that makes no reference to the brand.

This particular issue is not really new, though, and UDRP participants have had to deal with it in all manner of cases where the website that results from the disputed domain name doesn’t specifically mention the affected trademark (such as registrar parking pages, non-resolving websites, and other arguably neutral website content).

But, as in these established case scenarios, complainants may need to rely on other evidence to show that the brand was actually targeted by the domain owner.

Extra vigilance

How can brand owners best address this increase in FFDNS activity? 

A first step is to be vigilant and consider this a cybersecurity matter rather than simply one of brand protection.

Infected customers may not only be unhappy with your brand, they may also be at risk of all the dangers presented by malware such as identity theft and loss of data.

If a virus infects company machines through a domain-name-related FFDNS exploit, it could become a gateway for hackers by spreading to other parts of the network and compromising data security, including customer accounts, employee information, and confidential information about vendors and other business partners.

Finally, since you may not see the same website result twice, it has become very important to get a screenshot the first time you visit a cybersquatted domain name in order to preserve evidence for a possible future UDRP complaint or other enforcement effort.

An even better option is to use a video capture app so that you can see and reproduce the fast redirects step by step.

This helps prove that the disputed domain name does, in fact, redirect to the final website and also avoids the risk that a panellist, dispute provider staffer, or others might be exposed to malware from reviewing the FFDNS process first-hand.
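As an added example (not from the article or from Accent Law Group), the following Python records the redirect chain a suspect domain produces on each visit and flags the domain when the final landing host keeps changing, the FFDNS behaviour described above, while keeping every hop as a timestamped evidence log. The domain names, the per-visit response tables and the `fetch` stub are constructed placeholders so it runs offline; in practice `fetch` would issue HEAD requests from an isolated machine and follow Location headers without fetching page bodies.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit

REDIRECTS = (301, 302, 303, 307, 308)

def follow_chain(start_url, fetch, max_hops=10):
    """Follow Location headers only and return the ordered list of URLs.
    fetch(url) returns (status, location_or_None); bodies are never fetched."""
    chain, seen = [start_url], {start_url}
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECTS or not location:
            break
        chain.append(location)
        if location in seen:  # redirect loop: record it once, then stop
            break
        seen.add(location)
    return chain

def analyze_visits(domain, visits):
    """visits: list of (timestamp, chain). Flags the domain when its final
    landing host differs across visits and returns a hop-by-hop evidence log."""
    distinct = sorted({urlsplit(chain[-1]).hostname for _, chain in visits})
    evidence = [f"{ts.isoformat()} {domain}: " + " -> ".join(chain)
                for ts, chain in visits]
    return {"domain": domain, "visits": len(visits),
            "distinct_final_hosts": distinct,
            "fast_flux_suspect": len(distinct) > 1, "evidence": evidence}

# Constructed sample: one typo domain (placeholder name) fetched on three
# separate visits; each table stands in for that visit's HTTP responses.
VISIT_TABLES = [
    {"http://exampel-brand.test/": (302, "http://track1.example/r"),
     "http://track1.example/r": (302, "http://affiliate-shop.example/")},
    {"http://exampel-brand.test/": (302, "http://track2.example/r"),
     "http://track2.example/r": (302, "http://malware-drop.example/")},
    {"http://exampel-brand.test/": (302, "http://search.example/?q=brand")},
]

def sample_report():
    """Replay the three constructed visits and analyse them."""
    visits = []
    for i, table in enumerate(VISIT_TABLES):
        fetch = lambda url, t=table: t.get(url, (200, None))
        ts = datetime(2024, 1, 1, 12, i, tzinfo=timezone.utc)  # constructed
        visits.append((ts, follow_chain("http://exampel-brand.test/", fetch)))
    return analyze_visits("exampel-brand.test", visits)
```

The evidence lines can be saved alongside a screenshot or video capture; the hop list shows the complainant's panel each intermediate URL without anyone having to visit the final site.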

Efforts are underway to have these video files accepted as evidence by the major UDRP dispute providers, since some of them list technical requirements for submitted pleadings in their supplemental rules.

This is an area that is likely to evolve over the next year but, for now, the best approach is continued vigilance and recognising FFDNS, in policy and budget discussions, for the cyberthreat that it is.

Steven Levy is the president of Accent Law Group and works with clients of FairWinds Partners, a domain name advisory company based in Washington, DC. He can be contacted at:  


Trademarks and Brands Online