Article on Combo-squatting study conducted by Georgia Institute of Technology and Stony Brook University affecting our discussion of Trademark + Industry Terms in the TMCH, Sunrise and Claims (among other RPMs that it may also implicate)
http://www.worldtrademarkreview.com/Blog/detail.aspx?g=cf4bc6c3-272f-4ccd-85...

A few quotes from the article for those with less time:

· “Combosquatting is a type of domain name squatting in which website addresses confusingly similar to well-known brands are deliberately registered, often with a view to committing fraudulent activity. Specifically, it involves the registration of a popular trademark combined with another phrase – for example, ‘brand-shop.com’.”

· “Among the striking findings is that there were over 2.7 million combosquatting domains targeting the 268 most popular US trademarks – a prevalence over 100 times greater than typosquatting domains.”

· “The problem seems to be getting worse with the number of queries to these domains growing year-on-year, also in contrast with typosquatting sites.”

· “This potential to more effectively dupe consumers has serious consequences for both internet users and brand owners. To date, combosquatting domains have been used for phishing, spamming, hacking, and affiliate abuse.”

Here is a link to the Full Study: http://iisp.gatech.edu/sites/default/files/images/hiding_in_plain_sight-_a_l...

Here is the Conclusion Section (I’ve taken the liberty of highlighting a few phrases):

“In this paper, we study a type of domain squatting termed “combosquatting,” which has yet to be extensively studied by the security community. By registering domains that include popular trademarks (e.g., paypal-members[.]com), attackers are able to capitalize on a trademark’s recognition to perform social engineering, phishing, affiliate abuse, trademark abuse, and even targeted attacks. We performed the first large-scale, empirical study of combosquatting using 468 billion DNS records from both active and passive DNS datasets, which were collected over an almost six year time period.

Lexical analysis of combosquatting domains revealed that, while there is an almost infinite pool of potential combosquatting domains, most instances add only a single token to the original combosquatted domain. Furthermore, the chosen tokens were often specifically targeted to a particular business category. These results can help brands limit the potential search space for combosquatting domains. Additionally, our results show that most combosquatting domains were not remediated for extended periods of times—up to 1,000 days in many cases. Furthermore, many instances of combosquatting abuse were seen active significantly before they were discovered by public blacklists or malware feeds. Consequently, our findings suggests that current protections do not do a good job at addressing the threat of combosquatting. This is particularly concerning because our results also show that combosquatting is becoming more prevalent year over year. Lastly, we found numerous instances of combosquatting abuse in the real world by crawling 1.3 million combosquatting domains and manually analyzing the results. Based on our findings we discuss the role of different parties in the domain name ecosystem and how each party can help tackle the overall combosquatting problem. Ultimately, our results suggest that combosquatting is a real and growing threat, and the security community needs to develop better protections to defend against it.”

I’m asking Staff to enter this study into the record of this WG.

Actual, growing problem identified and verified by external research: Let’s get down to business solving it by enhancing the RPMs to address it in order to protect end users of the Internet. I don’t think we need to wait for the rest of the studies to come back to get underway. It is laid out pretty plainly in the Georgia Tech Study.

Best,
Paul

________________________________
The contents of this message may be privileged and confidential.
If this message has been received in error, please delete it without reading it. Your receipt of this message is not intended to waive any applicable privilege. Please do not disseminate this message without the permission of the author. Any tax advice contained in this email was not intended to be used, and cannot be used, by you (or any other taxpayer) to avoid penalties under applicable tax laws and regulations.
FWIW, while I’ve actually never before heard the phrase “combosquatting,” WIPO’s newest “Overview” of the UDRP (updated earlier this year) makes clear that such domain names fall within the UDRP’s “confusingly similar” test. The Overview says:

“While each case is judged on its own merits, in cases where a domain name incorporates the entirety of a trademark, or where at least a dominant feature of the relevant mark is recognizable in the domain name, the domain name will normally be considered confusingly similar to that mark for purposes of UDRP standing.”

That is, inclusion of another word in a domain name that contains a trademark normally means that the domain name is confusingly similar to the trademark (and, therefore, satisfies the first of the UDRP’s three tests).

This has been going on for so long that I would not have thought it was getting worse, but I look forward to reading the study.

Douglas M. Isenberg
Attorney at Law
Phone: 1-404-348-0368
Email: Doug@Giga.Law
Website: https://giga.law/
The numbers appear overstated. After a first pass, I don't see the complete list of all 268 of the marks they studied (maybe I missed it), but several (Amazon, Adobe, Delta, Yahoo) still appear to be dictionary words where it would be false to claim that Mark+Dictionary word is automatically "bad." Indeed, when you look at table 7 at the top right of page 11, they classify 86.6% of the so-called "combosquatting pages" as "Unknown", and only 13.39% as "Malicious". And of those alleged "malicious" ones, 69.9% were an ambiguous "trademark abuse" (not phishing, social engineering, or "affiliate abuse"), which seems likely to yield even more false positives.

Their attempt at detecting "false positives" leaves much to be desired, i.e. whitelisting only the top 10,000 Alexa domains (see page 4, Alexa list). My company's math.com domain name wouldn't get white-listed by that standard (and it gets millions of visitors/year). Neither would school.com. Alexa Top 10,000 sites get enormous traffic --- many legitimate but lower traffic sites wouldn't be whitelisted by their methodology.

Importantly, they didn't seem to use WHOIS or Zone Files in their data sets (see page 4, section 3.2). i.e. they trumpet the "468 billion DNS records" (many DNS requests and website visits are generated by bots, not human beings, these days), but there are perhaps roughly 150 million gTLD domain names for which ICANN makes policy.

And it would seem, by their methodology, that they might even count defensive registrations by brand owners themselves as "combo squatting". e.g. if Microsoft owns MicrosoftOffice.com, does that get accounted for properly? 2.7 million domains divided by 268 marks equals 10,074 domains/mark, which sounds like a lot, but Microsoft already owns tens of thousands of domains, according to DomainTools:

https://whois.domaintools.com/microsoft.com

as do many of the other markholders like Google, Yahoo, etc. I hope those weren't counted improperly.

I think seeing the results by TLD would also be useful (e.g. .TK domains are free, and openly abused), as well as what effect the "promos" from new gTLDs has had (e.g. domains under $1/yr), and whether historic domain tasting might have also accounted for some of the measurements.

Not saying the problem doesn't exist, as there are lots of bad actors. But, if it was a "growing threat" as claimed, the evidence would be directly observable via increased lawsuits, increased UDRP filings, etc. More important would be to discern whether there is an increase in the number of bad actors, rather than just measuring things by domains. e.g. 2.7 million bad actors registering one domain name each is a lot different than 10 bad actors registering 270,000 bad domains each. I think the latter situation is to be preferred, from a policy perspective (i.e. better to have tools to handle the industrial-cybersquatter, where the incidence of false positives and collateral damage from policymaking will be lower). Others might correct me, but it's my sense from media reports that more of the bad actors have shifted their focus to social media and apps abuse, rather than domain abuse, to generate traffic (e.g. Facebook, Android apps, etc.). Due to tools like Chrome "Safe Browsing" blacklists, rarely do I ever actually encounter abusive domains these days.

Sincerely,

George Kirikos
416-588-0269
http://www.leap.com/
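An added example, not code from the study or from anyone posting in this thread: a lexical check for the "trademark plus token" pattern the paper's conclusion describes, with the two false-positive sources raised in the message above handled as separate verdicts (dictionary-word marks and names held by the mark owner). The mark list, the owner portfolio, the suffix set and the `.example` names are constructed assumptions.

```python
import re
from collections import Counter

# Constructed inputs for illustration; none of these lists come from the study.
MARKS = ("paypal", "microsoft", "delta")
DICTIONARY_MARKS = {"delta"}               # marks that are also ordinary words
OWNER_PORTFOLIO = {"microsoftoffice.com"}  # hypothetical list supplied by the mark holder
TWO_LABEL_SUFFIXES = {"co.uk", "com.au"}   # stand-in for the full Public Suffix List


def split_domain(domain):
    """Return (registrable label, public suffix) for a possibly defanged name."""
    name = domain.strip().lower().replace("[.]", ".").rstrip(".")
    labels = name.split(".")
    width = 2 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 1
    if len(labels) <= width:          # bare suffix or single label: nothing to inspect
        return "", name
    return labels[-width - 1], ".".join(labels[-width:])


def classify(domain):
    """Classify one domain name against the mark list.

    Verdicts:
      no-mark                 label contains none of the marks
      exact-mark              label is the mark itself (not a combination)
      owner-registered        mark + token, but held by the mark owner
      review-dictionary-word  mark + token, mark is an ordinary word
      candidate               mark + token, needs content or ownership review
    Substring matching is deliberately naive, so a mark embedded in a longer
    unrelated word is still reported; that is why no verdict says "malicious".
    """
    label, suffix = split_domain(domain)
    for mark in MARKS:
        if mark not in label:
            continue
        if label == mark:
            return {"mark": mark, "tokens": [], "verdict": "exact-mark"}
        # Whatever is left after removing the mark, split on hyphens and
        # letter/digit boundaries, is the set of added tokens.
        tokens = re.findall(r"[a-z]+|[0-9]+", label.replace(mark, " "))
        if f"{label}.{suffix}" in OWNER_PORTFOLIO:
            verdict = "owner-registered"
        elif mark in DICTIONARY_MARKS:
            verdict = "review-dictionary-word"
        else:
            verdict = "candidate"
        return {"mark": mark, "tokens": tokens, "verdict": verdict}
    return {"mark": None, "tokens": [], "verdict": "no-mark"}


# Names taken from the thread plus constructed .example names.
SAMPLE = [
    "paypal-members[.]com",             # example quoted from the paper
    "MicrosoftOffice.com",              # defensive registration raised in the thread
    "delta-plumbing.example",           # constructed: dictionary-word mark
    "math.com",                         # named in the thread, contains no mark
    "paypal.com",                       # the mark itself
    "paypal-secure-login2017.example",  # constructed: several added tokens
]


def summarise(domains):
    """Return (verdict counts, number of candidates that add exactly one token)."""
    results = [classify(d) for d in domains]
    verdicts = Counter(r["verdict"] for r in results)
    single = sum(1 for r in results
                 if r["verdict"] == "candidate" and len(r["tokens"]) == 1)
    return dict(verdicts), single


if __name__ == "__main__":
    for d in SAMPLE:
        print(d, classify(d))
    print(summarise(SAMPLE))
```

Only the `candidate` bucket is a lead for further checking; the other buckets show how many lexical matches drop out once ownership data and dictionary-word marks are taken into account.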
P.S. Where the math really starts to break down is if one attempts to extrapolate this to the larger population of all markholders and marks worldwide. Remember, this was just 268 *US* ones. Even "Lego" wouldn't have been on the list (famous for their voluminous UDRP filings), since their Alexa rank is around 2647 worldwide, 1,785 in the USA (see https://www.alexa.com/siteinfo/lego.com ), and thus not in the top 500. Many of those pharma brands that are famous and see a lot of cybersquatting aren't in the Alexa top 500 either (I won't name them, lest they trigger spam warnings).

What % of worldwide marks is 268? Far below 1%. But, let's suppose that they represent 1% of cybersquatting. Would it be argued that 2.7 million "bad" domains for that subset of 268 marks means that the number of "bad" domains classified as "combosquatting" must be 100 times 2.7 million, or 270 million? Depending on how one extrapolates, one might even generate a claimed total abuse (just from combosquatting, not even counting all the other types of typosquatting, etc.) that exceeds the actual total number of domain name registrations quite easily (which is absurd).

Sincerely,

George Kirikos
416-588-0269
http://www.leap.com/
Hi George,

You raise a fair point. With just 268 US based marks examined, the abuse is beyond rampant. If we are to extrapolate to other well-known marks, for example the excellent examples you mention - pharma, children's toys, the abuse moves from beyond rampant to just plain old staggering, even without assuming (as you did in your note) of a 1 to 1 ratio of abuse between the 268 noted examples and the remaining marks in the world.

Unfortunately for the abusers in the domain name industry, it will not be possible to un-shine the light that the Georgia Tech study has shown on them. It is up to all of us to deal with the head on. Glad to see you joining in that effort!!

Best,
Paul

gnso-rpm-wg mailing list gnso-rpm-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rpm-wg
Paul,

I am not sure what your basis of jurisprudence is but where I come from the law is intended to protect the rights of those presumed innocent. I have never seen any credible system of jurisprudence that elevates efficiency over such rights. Nor have I seen one that is built around a presumption of badness. I for one will not support a system with known problems simply because the majority of cases brought concern abuse or clearly offensive conduct.

Thus, the report is of little significance other than to confirm that there is a problem. The issue of what system is used to address the problem or what rules are used remains to be seen.

Paul

Sent from my iPad
Hi Paul,
I’m not sure that it is of little significance other than to confirm there is a problem, but the important point is that it does confirm there is a problem and I am happy to see you confirming too. The report might be helpful in assisting us in fashioning fixes, but it is up to this group to come up with something that is appropriate for the ICANN ecosystem, so we can lean on the report, but not to the exclusion of all the other good ideas we come up with. Thanks for taking the time to respond to my initial post!
As far as the basis for jurisprudence, I guess mine is multi-faceted with some of the components being the protection of the rights of those presumed innocent and also protection of the innocent from known harms. In other words, we can presume the innocence at the start of the trial for the person who got the ticket for allegedly running the stop sign, but that doesn’t prohibit us from putting up the stop signs in the first place.
Thanks for taking the time to respond to my initial post! I’m looking forward to working with you and others toward a constructive way to address the problem identified in the Georgia Tech study.
Best, Paul
From: Paul Keating [mailto:paul@law.es]
Sent: Friday, November 17, 2017 7:56 AM
To: icannlists <icannlists@winston.com>
Cc: George Kirikos <icann@leap.com>; gnso-rpm-wg <gnso-rpm-wg@icann.org>
Subject: Re: [gnso-rpm-wg] Article on Combo-squatting study conducted by Georgia Instutute of Technology and Stony Brook University affecting our discussion of Trademark + Industry Terms in the TMCH, Sunrise and Claims (among other RPMs that it may also implicate)
Paul
I am not sure what your basis of jurisprudence is but where I come from the law is intended to protect the rights of those presumed innocent. I have never seen any credible system of jurisprudence that elevates efficiency over such rights. Nor have I seen one that is built around a presumption of badness.
I for one will not support a system with known problems simply because the majority of cases brought concern abuse or clearly offensive conduct. Thus, the report is of little significance other than to confirm that there is a problem. The issue of what system is used to address the problem or what rules are used remains to be seen.
Paul
Sent from my iPad
On 17 Nov 2017, at 14:30, icannlists <icannlists@winston.com> wrote:
Hi George,
You raise a fair point. With just 268 US based marks examined, the abuse is beyond rampant. If we are to extrapolate to other well-known marks, for example the excellent examples you mention - pharma, children's toys, the abuse moves from beyond rampant to just plain old staggering, even without assuming (as you did in your note) of a 1 to 1 ratio of abuse between the 268 noted examples and the remaining marks in the world.
Unfortunately for the abusers in the domain name industry, it will not be possible to un-shine the light that the Georgia Tech study has shown on them. It is up to all of us to deal with this head on. Glad to see you joining in that effort!!
Best, Paul
-----Original Message-----
From: gnso-rpm-wg [mailto:gnso-rpm-wg-bounces@icann.org] On Behalf Of George Kirikos
Sent: Thursday, November 16, 2017 5:49 PM
To: gnso-rpm-wg <gnso-rpm-wg@icann.org>
Subject: Re: [gnso-rpm-wg] Article on Combo-squatting study conducted by Georgia Instutute of Technology and Stony Brook University affecting our discussion of Trademark + Industry Terms in the TMCH, Sunrise and Claims (among other RPMs that it may also implicate)
P.S. Where the math really starts to break down is if one attempts to extrapolate this to the larger population of all markholders and marks worldwide. Remember, this was just 268 *US* ones. Even "Lego" wouldn't have been on the list (famous for their voluminous UDRP filings), since their Alexa rank is around 2647 worldwide, 1,785 in the USA (see https://www.alexa.com/siteinfo/lego.com ), and thus not in the top 500. Many of those pharma brands that are famous and see a lot of cybersquatting aren't in the Alexa top 500 either (I won't name them, lest they trigger spam warnings).
What % of worldwide marks is 268? Far below 1%. But, let's suppose that they represent 1% of cybersquatting. Would it be argued that 2.7 million "bad" domains for that subset of 268 marks means that the number of "bad" domains classified as "combosquatting" must be 100 times 2.7 million, or 270 million? Depending on how one extrapolates, one might even generate a claimed total abuse (just from combosquatting, not even counting all the other types of typosquatting, etc.) that exceeds the actual total number of domain name registrations quite easily (which is absurd).
Sincerely,
George Kirikos 416-588-0269 http://www.leap.com/
On Thu, Nov 16, 2017 at 5:23 PM, George Kirikos <icann@leap.com> wrote:
The numbers appear overstated. After a first pass, I don't see the complete list of all 268 of the marks they studied (maybe I missed it), but several (Amazon, Adobe, Delta, Yahoo) still appear to be dictionary words where it would be false to claim that Mark+Dictionary word is automatically "bad." Indeed, when you look at table 7 at the top right of page 11, they classify 86.6% of the so-called "combosquatting pages" as "Unknown", and only 13.39% as "Malicious". And of those alleged "malicious" ones, 69.9% were an ambiguous "trademark abuse" (not phishing, social engineering, or "affiliate abuse"), which seems likely to yield even more false positives.
Their attempt at detecting "false positives" leaves much to be desired, i.e. whitelisting only the top 10,000 Alexa domains (see page 4, Alexa list). My company's math.com domain name wouldn't get white-listed by that standard (and it gets millions of visitors/year). Neither would school.com. Alexa Top 10,000 sites get enormous traffic --- many legitimate but lower traffic sites wouldn't be whitelisted by their methodology.
Importantly, they didn't seem to use WHOIS or Zone Files in their data sets (see page 4, section 3.2). i.e. they trumpet the "468 billion DNS records" (many DNS requests and website visits are generated by bots, not human beings, these days), but there are perhaps roughly 150 million gTLD domain names for which ICANN makes policy.
And it would seem, by their methodology, that they might even count defensive registrations by brand owners themselves as "combo squatting". e.g. if Microsoft owns MicrosoftOffice.com, does that get accounted for properly? 2.7 million domains divided by 268 marks equals 10,074 domains/mark, which sounds like a lot, but Microsoft already owns tens of thousands of domains, according to DomainTools:
https://whois.domaintools.com/microsoft.com
as do many of the other markholders like Google, Yahoo, etc. I hope those weren't counted improperly.
I think seeing the results by TLD would also be useful (e.g. .TK domains are free, and openly abused), as well as what effect the "promos" from new gTLDs has had (e.g. domains under $1/yr), and whether historic domain tasting might have also accounted for some of the measurements.
Not saying the problem doesn't exist, as there are lots of bad actors. But, if it was a "growing threat" as claimed, the evidence would be directly observable via increased lawsuits, increased UDRP filings, etc. More important would be to discern whether there is an increase in the number of bad actors, rather than just measuring things by domains. e.g. 2.7 million bad actors registering one domain name each is a lot different than 10 bad actors registering 270,000 bad domains each. I think the latter situation is to be preferred, from a policy perspective (i.e. better to have tools to handle the industrial-cybersquatter, where the incidence of false positives and collateral damage from policymaking will be lower). Others might correct me, but it's my sense from media reports that more of the bad actors have shifted their focus to social media and apps abuse, rather than domain abuse, to generate traffic (e.g. Facebook, Android apps, etc.). Due to tools like Chrome "Safebrowsing" blacklists, rarely do I ever actually encounter abusive domains these days.
Sincerely,
George Kirikos 416-588-0269 http://www.leap.com/
Hi Paul,
I'm not sure if that was a parody post, or whether the point I was making was missed. If one reasonably extrapolates and gets to a point where one has to claim that more than 100% of all domains are abusive, that implies something is wrong with one's starting point (i.e. the claimed abuse for the small sample was likely overstated; or as Zhou Heng noted earlier, was unrepresentative, just like the poorly done INTA study).
To get a sense of scale, 268 marks is less than 1% of just the TMCH-listed marks. And the set of TMCH-listed marks (what was it, 40K or 50K total?) are a small subset of all TMs.
Another data point was the number from Nominet released earlier this week:
https://www.nominet.uk/collaboration-keeps-uk-safe-record-16000-domains-susp...
"The criminality report shows that the number of .UK domains suspended between 1 November 2016 and 31 October 2017 has once again doubled year on year to 16,632, which represents around 0.14% of the more than 12 million .UK domains currently registered."
I think that's perhaps a more realistic metric of the incidence of criminality (0.14%), and those suspensions *include* IP-related crime.
Sincerely,
George Kirikos 416-588-0269 http://www.leap.com/
On Fri, Nov 17, 2017 at 8:29 AM, icannlists <icannlists@winston.com> wrote:
Hi George,
You raise a fair point. With just 268 US based marks examined, the abuse is beyond rampant. If we are to extrapolate to other well-known marks, for example the excellent examples you mention - pharma, children's toys, the abuse moves from beyond rampant to just plain old staggering, even without assuming (as you did in your note) of a 1 to 1 ratio of abuse between the 268 noted examples and the remaining marks in the world.
Unfortunately for the abusers in the domain name industry, it will not be possible to un-shine the light that the Georgia Tech study has shown on them. It is up to all of us to deal with this head on. Glad to see you joining in that effort!!
Best, Paul
-----Original Message-----
From: gnso-rpm-wg [mailto:gnso-rpm-wg-bounces@icann.org] On Behalf Of George Kirikos
Sent: Thursday, November 16, 2017 5:49 PM
To: gnso-rpm-wg <gnso-rpm-wg@icann.org>
Subject: Re: [gnso-rpm-wg] Article on Combo-squatting study conducted by Georgia Instutute of Technology and Stony Brook University affecting our discussion of Trademark + Industry Terms in the TMCH, Sunrise and Claims (among other RPMs that it may also implicate)
P.S. Where the math really starts to break down is if one attempts to extrapolate this to the larger population of all markholders and marks worldwide. Remember, this was just 268 *US* ones. Even "Lego" wouldn't have been on the list (famous for their voluminous UDRP filings), since their Alexa rank is around 2647 worldwide, 1,785 in the USA (see https://www.alexa.com/siteinfo/lego.com ), and thus not in the top 500. Many of those pharma brands that are famous and see a lot of cybersquatting aren't in the Alexa top 500 either (I won't name them, lest they trigger spam warnings).
What % of worldwide marks is 268? Far below 1%. But, let's suppose that they represent 1% of cybersquatting. Would it be argued that 2.7 million "bad" domains for that subset of 268 marks means that the number of "bad" domains classified as "combosquatting" must be 100 times 2.7 million, or 270 million? Depending on how one extrapolates, one might even generate a claimed total abuse (just from combosquatting, not even counting all the other types of typosquatting, etc.) that exceeds the actual total number of domain name registrations quite easily (which is absurd).
Sincerely,
George Kirikos 416-588-0269 http://www.leap.com/
On Thu, Nov 16, 2017 at 5:23 PM, George Kirikos <icann@leap.com> wrote:
The numbers appear overstated. After a first pass, I don't see the complete list of all 268 of the marks they studied (maybe I missed it), but several (Amazon, Adobe, Delta, Yahoo) still appear to be dictionary words where it would be false to claim that Mark+Dictionary word is automatically "bad." Indeed, when you look at table 7 at the top right of page 11, they classify 86.6% of the so-called "combosquatting pages" as "Unknown", and only 13.39% as "Malicious". And of those alleged "malicious" ones, 69.9% were an ambiguous "trademark abuse" (not phishing, social engineering, or "affiliate abuse"), which seems likely to yield even more false positives.
Their attempt at detecting "false positives" leaves much to be desired, i.e. whitelisting only the top 10,000 Alexa domains (see page 4, Alexa list). My company's math.com domain name wouldn't get white-listed by that standard (and it gets millions of visitors/year). Neither would school.com. Alexa Top 10,000 sites get enormous traffic --- many legitimate but lower traffic sites wouldn't be whitelisted by their methodology.
Importantly, they didn't seem to use WHOIS or Zone Files in their data sets (see page 4, section 3.2). i.e. they trumpet the "468 billion DNS records" (many DNS requests and website visits are generated by bots, not human beings, these days), but there are perhaps roughly 150 million gTLD domain names for which ICANN makes policy.
And it would seem, by their methodology, that they might even count defensive registrations by brand owners themselves as "combo squatting". e.g. if Microsoft owns MicrosoftOffice.com, does that get accounted for properly? 2.7 million domains divided by 268 marks equals 10,074 domains/mark, which sounds like a lot, but Microsoft already owns tens of thousands of domains, according to DomainTools:
https://whois.domaintools.com/microsoft.com
as do many of the other markholders like Google, Yahoo, etc. I hope those weren't counted improperly.
I think seeing the results by TLD would also be useful (e.g. .TK domains are free, and openly abused), as well as what effect the "promos" from new gTLDs has had (e.g. domains under $1/yr), and whether historic domain tasting might have also accounted for some of the measurements.
Not saying the problem doesn't exist, as there are lots of bad actors. But, if it was a "growing threat" as claimed, the evidence would be directly observable via increased lawsuits, increased UDRP filings, etc. More important would be to discern whether there is an increase in the number of bad actors, rather than just measuring things by domains. e.g. 2.7 million bad actors registering one domain name each is a lot different than 10 bad actors registering 270,000 bad domains each. I think the latter situation is to be preferred, from a policy perspective (i.e. better to have tools to handle the industrial-cybersquatter, where the incidence of false positives and collateral damage from policymaking will be lower). Others might correct me, but it's my sense from media reports that more of the bad actors have shifted their focus to social media and apps abuse, rather than domain abuse, to generate traffic (e.g. Facebook, Android apps, etc.). Due to tools like Chrome "Safebrowsing" blacklists, rarely do I ever actually encounter abusive domains these days.
Sincerely,
George Kirikos 416-588-0269 http://www.leap.com/
George, just one quick observation: You comment that "if it was a 'growing threat' as claimed, the evidence would be directly observable via increased lawsuits, increased UDRP filings, etc." While it is tempting to draw such a connection, this overlooks important factors such as brand owners' defensive (and sometimes quite large) portfolios taking infringing names out of circulation, the fact that brand owners more often purchase names directly before going to the UDRP or court (these are both often referred to as an enforcement option of last resort), related preventative programs such as Sunrises or the DPML, and most importantly the reality that brand owners cannot possibly go after all infringements but must increasingly take a more targeted approach. Best regards, Brian
+1
Brian J. Winterfeldt
Principal
Winterfeldt IP Group
1200 17th St NW, Ste 501
Washington, DC 20036
brian@winterfeldt.law
+1 202 903 4422
On Nov 17, 2017, at 7:21 AM, BECKHAM, Brian <brian.beckham@wipo.int> wrote:
George, just one quick observation: You comment that "if it was a 'growing threat' as claimed, the evidence would be directly observable via increased lawsuits, increased UDRP filings, etc." While it is tempting to draw such a connection, this overlooks important factors such as brand owners' defensive (and sometimes quite large) portfolios taking infringing names out of circulation, the fact that brand owners more often purchase names directly before going to the UDRP or court (these are both often referred to as an enforcement option of last resort), related preventative programs such as Sunrises or the DPML, and most importantly the reality that brand owners cannot possibly go after all infringements but must increasingly take a more targeted approach. Best regards, Brian
Dear WG members,
My name is Zhouheng, a Ph.D. candidate at Renmin University of China (RUC), majoring in Intellectual Property Law. Before my research career at RUC, I used to be a policy analyst at the China Organizational Name Administration Center (CONAC), a domain name registry for the ".政务" TLD.
For this article, I do agree with George Kirikos that the number in the article lacks representativeness; it's hard to say that the 268 marks are enough to evaluate the whole situation.
However, I hope to remind you guys that, for some small enterprises, even the 300 dollar URS fee or 150 dollar TMCH fee is too high. They lack tools to detect potential registrations. For me, it's pretty hard to find the right TMCH website; trademarkclearinghouse.com doesn't belong to Deloitte or ICANN. So the number of "bad" domains classified as "combosquatting" may not be 270 million, but it will also cause some serious confusion.
As I am a new member of this WG, and this is my first email in an ICANN WG, if there are any inappropriate words in my email, please feel free to inform me.
--
Zhou Heng
Ph.D. Candidate
Renmin University of China
On 2017-11-16 23:28:59, icannlists <icannlists@winston.com> wrote:
http://www.worldtrademarkreview.com/Blog/detail.aspx?g=cf4bc6c3-272f-4ccd-85...
A few quotes from the article for those with less time:
· “Combosquatting is a type of domain name squatting in which website addresses confusingly similar to well-known brands are deliberately registered, often with a view to committing fraudulent activity. Specifically, it involves the registration of a popular trademark combined with another phrase – for example, ‘brand-shop.com’.”
· “Among the striking findings is that there were over 2.7 million combosquatting domains targeting the 268 most popular US trademarks – a prevalence over 100 times greater than typosquatting domains.”
· “The problem seems to be getting worse with the number of queries to these domains growing year-on-year, also in contrast with typosquatting sites.”
· “This potential to more effectively dupe consumers has serious consequences for both internet users and brand owners. To date, combosquatting domains have been used for phishing, spamming, hacking, and affiliate abuse.”
Here is a link to the Full Study: http://iisp.gatech.edu/sites/default/files/images/hiding_in_plain_sight-_a_l...
Here is the Conclusion Section (I’ve taken the liberty of highlighting a few phrases):
“In this paper, we study a type of domain squatting termed “combosquatting,” which has yet to be extensively studied by the security community. By registering domains that include popular trademarks (e.g., paypal-members[.]com), attackers are able to capitalize on a trademark’s recognition to perform social engineering, phishing, affiliate abuse, trademark abuse, and even targeted attacks. We performed the first large-scale, empirical study of combosquatting using 468 billion DNS records from both active and passive DNS datasets, which were collected over an almost six year time period.
Lexical analysis of combosquatting domains revealed that, while there is an almost infinite pool of potential combosquatting domains, most instances add only a single token to the original combosquatted domain. Furthermore, the chosen tokens were often specifically targeted to a particular business category. These results can help brands limit the potential search space for combosquatting domains.
Additionally, our results show that most combosquatting domains were not remediated for extended periods of times—up to 1,000 days in many cases. Furthermore, many instances of combosquatting abuse were seen active significantly before they were discovered by public blacklists or malware feeds. Consequently, our findings suggests that current protections do not do a good job at addressing the threat of combosquatting. This is particularly concerning because our results also show that combosquatting is becoming more prevalent year over year.
Lastly, we found numerous instances of combosquatting abuse in the real world by crawling 1.3 million combosquatting domains and manually analyzing the results. Based on our findings we discuss the role of different parties in the domain name ecosystem and how each party can help tackle the overall combosquatting problem. Ultimately, our results suggest that combosquatting is a real and growing threat, and the security community needs to develop better protections to defend against it.”
I’m asking Staff to enter this study into the record of this WG
Actual, growing problem identified and verified by external research: Let’s get down to business solving it by enhancing the RPMs to address it in order to protect end users of the Internet. I don’t think we need to wait for the rest of the studies to come back to get underway. It is laid out pretty plainly in the Georgia Tech Study.
Best, Paul
participants (7)
- BECKHAM, Brian
- Brian Winterfeldt
- Doug Isenberg
- George Kirikos
- icannlists
- Paul Keating
- socata