Creating a cost-effective domain name watching programme

This is an Insight article, written by a selected partner as part of WTR's co-published content.

Introduction

The management and monitoring of domain names are central components of the business administration and brand protection activities of any organisation with an online presence. Companies typically maintain a portfolio of official domains, which include:

  • core domains used in the day-to-day execution of their business, such as those used to host the official company websites and email infrastructure; and
  • a wider group of tactical domains, including defensive registrations (ie, those held to avoid them being used by third parties) and others intended for potential future use, such as those relating to planned brand or product launches.

Careful management of these official domains – ideally using an enterprise-class service provider – is key to keeping them secure, maintaining business continuity and closing off the threat vectors that can lead to phishing and to domain name system (DNS) or distributed denial of service attacks, among other things. A range of industry solutions can provide protection, including registry lock; domain name system security extensions (DNSSEC); enterprise-grade DNS hosting; and domain-based message authentication, reporting and conformance (DMARC).

However, no organisation can defensively register domains that contain every possible permutation of its brand name and associated keywords that could potentially be used by an infringer; it is neither sustainable nor cost-effective to do so. Accordingly, a brand protection programme – incorporating domain name monitoring – that tracks third-party activity outside the firewall (ie, on the open internet) is essential for any organisation looking to defend its brand online.

Third-party brand-related activity can comprise several threat types:

  • lower threat brand abuse categories, such as negative comments or non-compliance with brand guidelines;
  • instances of brand infringement, comprising contravention of IP protection; and
  • actively criminal brand fraud activity, such as phishing or counterfeit sales.

A brand protection programme identifies these threats via internet monitoring and, where possible or appropriate, takes down infringements using a toolkit of enforcement approaches. This not only directly defends revenue and reputation but also makes the brand less attractive for potential infringers to target.

All brand threats can occur across a range of online channels, although arguably the most significant are those occurring on websites hosted on brand-specific domain names. This is true for several reasons:

  • branded domains typically rank higher in search engines, creating greater visibility to potential customers; and
  • branded domains comprise more explicit abuse of IP rights, although this means more enforcement options are available.

Consequently, a domain monitoring component is vital to any comprehensive brand protection solution. There is a wide universe of domain names to consider. Verisign's Domain Name Industry Brief reported that, as of the end of Q3 2021, there were a total of 364.6 million registered domains.

Domain monitoring and brand protection

Domain name monitoring identifies the registration of third-party domains containing a brand name of interest (or variations) in as close to real time as possible. This allows content to be analysed and tracked and, where it is found to be infringing, allows enforcement actions (such as website or content takedowns, or domain disputes) to be launched to minimise brand damage and revenue loss.

Domain detection can be key even when the domain has no active website content. In some cases, domains are registered purely for their email functionality. This allows bad actors to construct email addresses that appear confusingly similar to that of the official organisation being targeted.

The presence of an active mail exchanger (MX) record indicates that the domain is configured to send and/or receive emails. This can be an early indicator that the domain is intended for use in phishing or business email compromise scams. In other cases, pay-per-click links may be included on a domain parking page, which can be a source of revenue for the domain owner – hijacking web traffic that is arguably intended for the brand owner's organisation.

Domains containing a range of brand variants or keyword variations are often registered for short periods to determine which attract the greatest number of visitors, either through search engine queries or mistyped browser requests.

Methodology

A primary data source for domain name monitoring is the set of zone files, published by registry organisations on a regular, often daily, basis. These include lists of all registered domains across a particular domain name extension, or top-level domain (TLD). A wildcard search will identify all domains containing a brand term of interest. Comparing each version of a zone file with that from the previous day makes it possible to identify both new registrations and lapsed domains.
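The snapshot comparison described above, as an added example (not code from the article or from any provider). The zone-file text, the reserved .test TLD and the brand "examplebrand" are constructed, and the function names are assumptions.

```python
def registered_labels(zone_text, tld):
    """Second-level labels that have an NS delegation in one zone-file snapshot."""
    tld = tld.strip(".").lower()
    origin, owner, labels = tld + ".", None, set()
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()        # drop comments
        fields = line.split()
        if not fields:
            continue
        if fields[0].upper() == "$ORIGIN":
            origin = fields[1].lower()
            continue
        if fields[0].startswith("$"):               # $TTL and other directives
            continue
        if not line[0].isspace():                   # owner name starts in column 0;
            owner = fields.pop(0).lower()           # indented lines reuse the last one
        if owner is None or "NS" not in [f.upper() for f in fields[:3]]:
            continue                                # glue, SOA, DS etc. are not delegations
        fqdn = origin if owner == "@" else owner if owner.endswith(".") else f"{owner}.{origin}"
        parts = fqdn.rstrip(".").split(".")
        if len(parts) >= 2 and parts[-1] == tld:
            labels.add(parts[-2])
    return labels

def brand_changes(previous, current, tld, brand):
    """Brand-containing domains that appeared or disappeared between two snapshots."""
    old = {l for l in registered_labels(previous, tld) if brand in l}
    new = {l for l in registered_labels(current, tld) if brand in l}
    return {"new": sorted(f"{l}.{tld}" for l in new - old),
            "lapsed": sorted(f"{l}.{tld}" for l in old - new)}

# Constructed snapshots for the reserved .test TLD; "examplebrand" is a made-up brand.
DAY_1 = """$ORIGIN test.
@ 86400 IN NS a.nic.test.
examplebrand 3600 IN NS ns1.example.net.
             3600 IN NS ns2.example.net.
examplebrand-shop IN NS ns1.example.net.
"""
DAY_2 = """$ORIGIN test.
@ 86400 IN NS a.nic.test.
examplebrand 3600 IN NS ns1.example.net.
my-examplebrand-login.test. 3600 in ns ns1.example.org.  ; absolute owner name
EXAMPLEBRAND-SUPPORT NS ns1.example.org.
unrelated NS ns1.example.org.
ns1.unrelated A 192.0.2.10  ; glue record, ignored
"""

if __name__ == "__main__":
    print(brand_changes(DAY_1, DAY_2, "test", "examplebrand"))
```

Only NS delegations are counted, so glue and other records under an existing name do not show up as new registrations.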

Zone files are typically available across a range of TLDs, particularly global or generic TLDs (gTLDs), such as .com and .net, and the range of new gTLDs launched since 2012. They are less readily available, and may be less comprehensive, across other extensions such as country-specific TLDs.

For this reason, an effective domain monitoring solution usually requires additional data sources to identify as many relevant domains as possible; however, completely comprehensive coverage is never possible. The additional techniques include:

  • Parallel look-ups – this method involves performing queries based on the domains identified via zone file analysis to determine whether equivalently named domains (ie, those with the same second-level domain name (the part of the domain name before the TLD)) exist across other extensions.
  • Exact-match/direct queries – this approach is used when one or more search strings of high relevance exist (eg, the brand name in isolation). It involves querying every possible domain name comprising just the string itself and any TLD to check whether the domain is registered.
  • Internet meta-searching – this is the same method used to find general internet content in a basic brand monitoring service. It involves submitting brand-related queries to search engines and, optionally, further crawling of relevant links on the pages identified.

A recent study by CSC highlighted that, following the launch of a new TLD, the registration of new domains by potential infringers is usually extremely rapid. This highlights the importance of having a brand monitoring programme that can cover new extensions as soon as they launch.

Furthermore, the most effective domain monitoring services cover not just the brand name itself but variations, such as misspellings. Infringers use domain names incorporating brand variants in numerous ways. These include constructing web addresses (URLs) or email addresses that appear deceptively similar to those used by the genuine brand and the misdirection of web traffic through mistyped addresses or corrupted DNS requests (eg, bit-squatted domains). The domain name variants typically covered by a sophisticated monitoring programme might include:

  • instances where any character in the monitored string (ie, the brand name) is missing or has been replaced by another;
  • instances where an additional character has been inserted; and
  • other types of fuzzy match, such as Soundex (homophonic or metaphonic) variations.

The most effective monitoring solutions also cover domains featuring non-Latin characters (internationalised domain names), which might include the use of homoglyphs (a non-Latin character visually similar to a Latin one). These can be highly convincing in creating a deceptive domain name.

Similarly, the replacement of one standard Latin or other ASCII character with another (or a combination thereof) is frequently used to construct lookalike domain names.

The table below shows the most common character substitutions observed in phishing domains, as identified by CSC's 2021 Domain Security Report:

i → l      m → rn     i → 1      s → 5
o → 0      e → 3      l → 1      l → i
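One way to match observed labels against the variant types listed above (missing, replaced or inserted character, the tabulated substitutions and IDN homoglyphs), as an added example that is not CSC's implementation. The brand "examplebrand", the rule names and the short homoglyph map are assumptions.

```python
# Folds from the substitution table above; i, l and 1 share one class as the table pairs them.
ASCII_FOLDS = [("rn", "m"), ("0", "o"), ("3", "e"), ("5", "s"), ("1", "l"), ("i", "l")]
# Illustrative Cyrillic look-alikes only (assumption); not an exhaustive homoglyph list.
HOMOGLYPHS = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c"}

def to_unicode(label):
    """Decode an IDN A-label (xn--...) to Unicode; return other labels lower-cased."""
    label = label.lower()
    if label.startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            pass                                   # malformed A-label: treat as plain text
    return label

def skeleton(text):
    """Map look-alike characters to one canonical form so variants compare equal."""
    text = "".join(HOMOGLYPHS.get(ch, ch) for ch in text)
    for seen, canonical in ASCII_FOLDS:
        text = text.replace(seen, canonical)
    return text

def one_edit(brand, label):
    """Name the single-character edit that turns brand into label, else None."""
    if brand == label or abs(len(brand) - len(label)) > 1:
        return None
    i = 0
    while i < min(len(brand), len(label)) and brand[i] == label[i]:
        i += 1
    if len(label) == len(brand):
        return "replaced-character" if brand[i + 1:] == label[i + 1:] else None
    if len(label) < len(brand):
        return "missing-character" if brand[i + 1:] == label[i:] else None
    return "inserted-character" if brand[i:] == label[i + 1:] else None

def classify(label, brand):
    """Return the first variant rule an observed label matches, or None."""
    text = to_unicode(label)
    if text == brand:
        return "exact"
    if skeleton(text) == skeleton(brand):
        return "idn-homoglyph" if text != label.lower() else "character-substitution"
    return one_edit(brand, text) or ("contains-brand" if brand in text else None)

# Constructed IDN sample: Cyrillic "а" (U+0430) in place of the first Latin "a".
IDN_SAMPLE = "xn--" + "ex\u0430mplebrand".encode("punycode").decode("ascii")

if __name__ == "__main__":
    for seen in ("exarnplebrand", "exmplebrand", "examplebrands", IDN_SAMPLE):
        print(seen, "->", classify(seen, "examplebrand"))
```

Folding i, l and 1 into one class trades some false positives for coverage, so matches are candidates for analyst review rather than confirmed infringements.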

The use of homoglyphs by infringers is a well-established and widely used technique. CSC's 2021 study found that 70% of homoglyph variants of official corporate domain names are owned by third parties, with 43% having active MX records and 6% actively resolving to impersonation sites or sites distributing malicious content.

Even covering all the above approaches, there may still be instances of threatening domains that cannot be detected easily. Examples might include phishing sites hosted on TLDs without zone file coverage, or with obscure or no brand variants in the domain name, and where most of the traffic is driven to the site via associated spam emails.

For this reason, it may be appropriate to augment the domain monitoring techniques discussed thus far with additional data sources specifically designed to detect fraudulent activity. This includes the use of spam traps and honeypots, as well as information derived from the brand owner's web server logs to detect instances of phishing sites drawing content from, or redirecting to, official corporate websites.

Creating a cost-effective solution

Detecting potentially infringing domain names is only part of the process of creating an effective brand protection solution. An enforcement programme for infringing domain names is also necessary to defend the brand and protect revenue.

Some enforcement approaches, particularly those involving domain disputes or acquisitions, can be time consuming and costly. They may also only be appropriate when the organisation or brand owner wishes to reclaim the domain for its own use.

It is therefore important to have a toolkit of enforcement approaches, including cease-and-desist notices, host-level content removal, registrar- or registry-level suspensions, etc, that allows the most effective approach to be selected in any given case while reserving other options for escalation.

The use of appropriate technology can help to automate the analysis and enforcement processes, making them more efficient. Technology-based analysis of site content, as offered by several brand protection service providers, can be an important element of the brand protection process for the following reasons:

  • Detailed content analysis and automated categorisation of results by infringement type and severity can help identify the findings that require prioritised follow-up action. This is particularly important for brands where large numbers of results have been identified.
  • A domain name of potential concern may not feature any significant content at the point of detection but have the potential for more egregious use in the future. In those cases, the enforcement options are limited, except where there is proof of fraudulent use. It may therefore be more appropriate to monitor the site on an ongoing basis, with a view to detecting the potential appearance of infringing content. Sophisticated brand monitoring tools include 're-visitor' technology to determine and quantify the extent of the change to the site content between successive visits. It can also monitor explicitly for the appearance of specific content types.

Clustering technology and artificial intelligence (AI) can establish links between otherwise apparently unrelated infringements, based on shared characteristics such as registrant contact details and hosting information. This can help build compelling cases of bad faith (eg, where a domain owner can be determined to be a serial infringer) and can also provide the potential for bulk takedown actions, where several linked infringements can be taken down via a single action, increasing the efficiency of the enforcement process.
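A minimal, deterministic version of the linking step described above, as an added example rather than any provider's clustering or AI product. The record fields, the sample values and the redaction text are constructed assumptions.

```python
from collections import defaultdict

# Values that must never link two records (constructed examples of redaction text).
IGNORED_VALUES = {"", "redacted for privacy"}

def cluster_domains(records, keys=("registrant_email", "name_server", "hosting_ip")):
    """Group records that share, directly or transitively, a value for any key."""
    parent = {r["domain"]: r["domain"] for r in records}

    def find(domain):                              # union-find root lookup
        while parent[domain] != domain:
            parent[domain] = parent[parent[domain]]
            domain = parent[domain]
        return domain

    first_seen = {}                                # (key, value) -> first domain with it
    for record in records:
        for key in keys:
            value = (record.get(key) or "").strip().lower()
            if value in IGNORED_VALUES:
                continue                           # redacted fields are not evidence
            other = first_seen.setdefault((key, value), record["domain"])
            parent[find(record["domain"])] = find(other)
    clusters = defaultdict(list)
    for domain in parent:
        clusters[find(domain)].append(domain)
    return sorted((sorted(c) for c in clusters.values()), key=lambda c: (-len(c), c))

# Constructed records; field names are assumptions, not a real WHOIS or provider schema.
RECORDS = [
    {"domain": "examplebrand-shop.test", "registrant_email": "a@example.org",
     "hosting_ip": "192.0.2.10"},
    {"domain": "examplebrand-sale.test", "registrant_email": "REDACTED FOR PRIVACY",
     "hosting_ip": "192.0.2.10"},
    {"domain": "examp1ebrand.test", "registrant_email": "A@example.org",
     "hosting_ip": "198.51.100.7"},
    {"domain": "examplebrand-fans.test", "registrant_email": "REDACTED FOR PRIVACY",
     "hosting_ip": "203.0.113.5"},
]

if __name__ == "__main__":
    for cluster in cluster_domains(RECORDS):
        print(cluster)
```

Shared hosting addresses and parking name servers can join unrelated registrants, so such values belong in the ignore set before a cluster is used as evidence of bad faith.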

Quantifying the value of a brand protection programme that comprises both monitoring and enforcement can be the final part of the picture. There are a range of ways to calculate return on investment, which may incorporate some or all of the following ideas:

  • Calculating the value of a domain that has been reclaimed by an organisation or brand owner into its official portfolio via a dispute process. This is determined using the amount of web traffic (number of visitors) to the site and is based on the principle that any traffic from the reclaimed site can be redirected to the organisation or brand owner's main corporate transactional website.
  • Calculating the value of goods sold through an infringing site featuring e-commerce content and determining the proportion of the revenue that is reclaimable. This calculation assumes that, following enforcement, a certain proportion of the users who would have bought an infringing item will instead buy a legitimate item from an approved source.
  • Determining the amount of reclaimable revenue following the removal of infringing content that previously resulted in traffic misdirection. This calculation is based on factors such as the traffic received by the infringing site and the mix of different brands or content types featured on the site.

It may also be appropriate to consider other less defined concepts, such as the impact of pre-existing infringements on brand equity and value.

Conclusion

Consideration of domain names should be a core activity for any brand owner. As part of their business-as-usual activities, organisations typically own and operate a portfolio of domains that should be protected by a range of security products and services, defending them against threat vectors and protecting business operations and corporate revenue and reputation.

However, third-party branded domain names can be associated with a range of brand infringements and other threats. A domain name monitoring programme – generally as part of a wider brand protection initiative – is key to detecting infringements outside the firewall and enabling enforcement actions to take down damaging content.

For this programme to be efficient, comprehensive and cost-effective, the following points are relevant:

  • Using an automated monitoring technology product yields numerous benefits:
    • it encompasses a range of data sources and monitoring techniques to allow the monitoring coverage, across both brand name variants and TLDs, to be as comprehensive as possible;
    • it can enable automatic analysis and prioritisation of concerning domains according to site content, resulting in more efficient and timely identification of the most threatening examples for enforcement action;
    • a product incorporating AI and clustering technology can establish links between infringements, resulting in the determination of bad-faith activity by serial infringers and the ability for bulk takedowns; and
    • re-visitor technology can be used to monitor domains that do not currently feature significant live content to identify infringing content in the future.
  • Infringements should be tackled with a timely enforcement process. This should incorporate a toolkit of possible approaches so that the most appropriate methodology can be selected for each individual case. This helps to avoid the unnecessary use of highly complex, costly techniques while retaining options for escalation if an initial enforcement action is unsuccessful.
  • Automated technology should be complemented by a team of expert analysts, who can both prioritise the raw data, identifying the key targets for follow-up action, and establish and implement the most appropriate takedown routes.

The above ideas highlight the importance of organisations partnering with an enterprise-class service provider that can provide both the necessary products and services and the analyst insight to ensure the smooth running of domain management and brand protection services. Enterprise-class providers can also work with the brand owner to establish the most appropriate methodologies for quantifying the return on investment of these programmes and carry out the associated analysis.
