Industry View | Battling Brandjackers

MarkMonitor's CSO Ihab Shraim offers strategies against domain kiting, pay-per-click abuses and other attacks on your brand

The Internet has changed the world in astonishing ways—both good and bad—and all in the last 10 to 15 years. We marvel at the good: immediate access to even the most obscure information, free and secure worldwide person-to-person communication, and the ability to access almost any product or service with just the click of a mouse.

But its mass appeal and reach combined with anonymity and complex, constantly evolving technologies also make the digital world an unsafe place. Criminals and hackers are wreaking havoc on increasing numbers of well-known brands for their own profit. These 'brandjackers' have fine-tuned the techniques of online marketing and are exploiting them to their advantage and at the expense of true brand owners. As a result, organizations face serious online threats to their reputations, customer relationships, and ultimately, their revenues.

Just as the CSO role was created to combat heightened IT security threats in the '90s, increasingly sophisticated Internet schemes have made it necessary for CSOs to take up arms in defense of their company brands. As Brian Burke, program director of security products at IDC, has noted, "Protecting brand reputations, customer relationships and revenues from online abuses is becoming as important to enterprises as securing their networks, data and systems from Internet-borne threats."

In order to shed light on the "brandjacking" phenomenon, MarkMonitor, an enterprise brand protection firm, created the Brandjacking Index, a quarterly report that measures the effect of online threats to the world's strongest brands. The latest edition of the Brandjacking Index tracked millions of emails and billions of Web pages over a full year to examine how brandjacking tactics have evolved, including cybersquatting (the registration of domain names containing a trademark to which the registrant has no right), pay-per-click (PPC) fraud, domain kiting (the process whereby domains are registered and dropped within the five-day ICANN grace period, then registered again for another five days), offensive content, unauthorized sales channels, and phishing.

Among our most striking findings were continued declines in domain kiting and pay-per-click abuses. We believe these declines can be attributed to increased litigation efforts by brandholders and ICANN scrutiny. What this tells us is that targets of attacks have proven they can fight back successfully. This should encourage CSOs, working alongside their colleagues in the C-suite and the General Counsel's office, to be vigilant about protecting their brands and their customers against evolving threats.

Summary Findings and 2007 in Review

While overall brand abuse continues to increase, the distribution of attacks has evolved over the past year. Cybersquatting continues to be the most common method observed, with more than 380,000 exploits in the last quarter of 2007. This represents a 33 percent increase for the year. Using brand names as part of a domain name is an easy way to drive traffic through search engines, and since most common dictionary words are already used for domains, fraudsters and criminals continue to turn to brand names and trademarks when they register domains. We continue to observe sites that abuse popular children's brands and place offensive and adult content on the squatted domains.
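The two definitions the article relies on, a domain that carries someone else's trademark (cybersquatting) and a domain that is registered, dropped inside the five-day ICANN grace period and registered again (domain kiting), are easy to turn into checks a brand owner's security team can run over its own registration-monitoring data. The script below is an added example, not MarkMonitor's code or anything from the Brandjacking Index: the brand names, the domains and the registration events are all constructed, and the lookalike normalization (treating 0, 1 and 3 as o, l and e) is a small generalization of the article's "domain names containing a trademark" beyond plain substring matching.

```python
"""Flag cybersquatting candidates and domain-kiting patterns in registration data.

Added example, not from the original article. Brand names, domains and
registration events below are constructed for illustration only.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical brands the team protects (constructed, not real trademarks).
BRANDS = ["examplebank", "acmecola"]

# Digit-for-letter substitutions commonly used to dodge exact-match filters.
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e"})


def normalize_label(domain: str) -> str:
    """Return the registrable label of a domain, lowercased, without hyphens,
    with simple digit lookalikes folded back to letters.

    Simplification: the label is taken as the part before the last dot, so
    multi-part public suffixes such as .co.uk are not handled here."""
    parts = domain.lower().strip(".").split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    return label.replace("-", "").translate(LOOKALIKES)


def find_squats(domains, brands=BRANDS):
    """Return (domain, brand) pairs where the normalized label contains a brand."""
    hits = []
    for domain in domains:
        label = normalize_label(domain)
        for brand in brands:
            if brand in label:
                hits.append((domain, brand))
                break  # one report per domain is enough
    return hits


def find_kiting(events, grace_days=5):
    """Return {domain: cycles} for domains re-registered after being dropped
    within the grace period. A 'cycle' is one drop-inside-grace followed by a
    new registration; a single drop that is never re-registered is ignored."""
    by_domain = defaultdict(list)
    for domain, action, date in events:
        by_domain[domain].append((datetime.strptime(date, "%Y-%m-%d"), action))

    kited = {}
    for domain, evs in by_domain.items():
        evs.sort()  # same-day "delete" sorts before "register", matching a drop-then-re-add
        cycles = 0
        registered_at = None
        dropped_in_grace = False
        for when, action in evs:
            if action == "register":
                if dropped_in_grace:
                    cycles += 1
                registered_at = when
                dropped_in_grace = False
            elif action == "delete" and registered_at is not None:
                dropped_in_grace = (when - registered_at) <= timedelta(days=grace_days)
                registered_at = None
        if cycles:
            kited[domain] = cycles
    return kited


# Constructed registration feed: (domain, action, date).
EVENTS = [
    ("examplebank-login.com", "register", "2007-10-01"),
    ("examplebank-login.com", "delete", "2007-10-05"),    # dropped after 4 days
    ("examplebank-login.com", "register", "2007-10-05"),  # re-added the same day
    ("examplebank-login.com", "delete", "2007-10-10"),    # dropped after 5 days
    ("examplebank-login.com", "register", "2007-10-10"),
    ("acmecola-free.net", "register", "2007-11-02"),      # squat, but held normally
    ("news-site.org", "register", "2007-09-15"),
    ("news-site.org", "delete", "2007-09-16"),            # one drop, never re-added
    ("acme-c0la.info", "register", "2007-12-01"),         # digit lookalike squat
]


def report(events=EVENTS, brands=BRANDS):
    """Combine both checks into one summary for the registration feed."""
    domains = sorted({d for d, _, _ in events})
    return {"squats": find_squats(domains, brands), "kiting": find_kiting(events)}


if __name__ == "__main__":
    for kind, hits in report().items():
        print(kind, hits)
```

Run against a real feed, the squat list is a triage queue for the legal and brand teams the article mentions, while the kiting list identifies registrars and domains worth raising with ICANN or the registrar's abuse desk.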

While brand abusers and criminals can be located anywhere, the geographic distribution of sites hosting brand abuse demonstrates a consistent trend throughout 2007: The U.S., Germany and the U.K. lead all countries with 68 percent, 9 percent and 4 percent of domains hosting abuse, respectively.

Brandjackers have begun to target more mainstream packaged goods including food and beverages, automotive products, and consumer goods. In fact, the biggest growth in brandjacking abuse during 2007 was in mainstream product categories, such as automotive with an 83 percent increase and food and beverage products with a 67 percent increase. Overall abuse continued to rise by 31 percent. We have begun to observe "blended abuse" whereby pay-per-click and fraudulent phishing pop-up ads have been combined to lure unsuspecting prey.

The good news is that domain kiting and PPC activity have dropped off. Kiting threats actually dropped in the last quarter, and were below levels observed at the beginning of 2007. The same was observed for pay-per-click attacks.

There are several reasons for these decreases. First, a number of highly publicized lawsuits and large damages sought by Microsoft, Dell and Verizon to protect their brands may have had an effect on the most abusive and permissive domain registrars. By using both cybersquatting and counterfeiting laws against domain abusers, these leading brands have 'upped the ante,' making the practice far less attractive from a financial point of view. Next, the more desirable keywords for paid searches are getting more expensive, and both Yahoo and Microsoft MSN are making these kinds of abuses more difficult. Finally, ICANN has increased its scrutiny of these practices, bringing greater industry attention to these abuses. With the recent announcement by Google that it will turn off AdSense revenue for domains that are younger than six days, kiters should see a further significant drop in their revenue streams.

Still, kiting has been profitable: Industry sources mention that one kiter received more than $3 million in pay-per-click revenues, and this for sites that never had to pay for their domain names!

The recent proposal by ICANN to institute a 'restocking fee' for domain name registrations may cut into kiters' profits, further decreasing the practice. However, as long as there is money to be made, we can be sure to see the practice continue.

Phishing Trends

The recent news on phishing continues to be worrisome. Phishers are carefully picking the most desirable targets. During the last quarter of 2007, there was profound growth in the number of new organizations targeted by phishers, with 122 companies observed for the first time as the subjects of an attack. This is the biggest increase in any quarter of the year, showing that the phishers are widening their focus. We also saw seasonal shifts in the types of target industries, and continued increasing sophistication in the types of exploits used by phishers to obtain individual user account information.

As an example of this last trend, exploit researchers at FaceTime Security Labs have uncovered a hacking site that is a complete do-it-yourself phishing construction kit. The site can be used to generate phishing emails that steal login information from popular social networking sites.

Overall, 412 different organizations were targets of phishing attacks last year, which represents an increase of 37 percent over the number observed in 2006. November was a record month for phishing targets, with 275 targeted organizations.

We saw a 44 percent increase in auction site abuse from the third to fourth quarters. The largest percentage increase in attacks was in the retail service sector, which went from 1 percent of attacks in the first quarter to 5 percent in the last quarter.

The U.S. continues to host the majority of phishing attack sites, with a 21 percent share during the last quarter of 2007. However, we observed a shift in the most popular foreign hosting sources in the fourth quarter, with Ecuador moving into the number two spot with 9 percent of attacks and Japan, Thailand, and Canada leaving the list of top five sources. The Republic of Korea still accounts for 7 percent of phishing attacks.

The bottom line? While brandjackers are becoming ever more sophisticated in their techniques and diversifying their targets, active brand defense strategies deliver positive returns. A well-defended brand is the most effective means of deterring brandjacking and the negative consequences it brings.

A strong defense begins with education. Internal education programs are key to making sure your employees don't fall for social engineering schemes that could hurt your brand. Set clear, understandable policies for behavior and share information and techniques for avoiding the latest dangers. Strongly consider creating an intranet site or wiki to foster information sharing, and ensure employees have an easy mechanism for reporting suspicious activities so that IT can investigate.

Help your customers to stay informed. Work with the marketing organization to create an area on your Web site where you post information about your direct mail policies and standards so customers know how to evaluate e-mails that use your brand. Give customers an easy reporting mechanism, too, so they can let you know about suspicious emails or suspicious sites taking advantage of your brand.

As CSO, take the lead in your organization and include a brand protection component in your overall Internet security strategy, and work with your peers in the C-suite and the general counsel's office to extend that brand protection strategy to every part of your company.

Ihab Shraim is the chief security officer for MarkMonitor. To download a copy of the complete Brandjacking Index, please visit

Copyright © 2008 IDG Communications, Inc.