October 14, 2014

Last Updated on October 14, 2014

ISO 27001 works great—assuming that you are great at risk assessment. If you miss a risk, you may be exposed to it, and some risks are routinely under-considered. One such risk is domain name ransom, better known as cybersquatting.
This topic is on my mind because I had an interesting call today with a potential client who reached out to us because his organization was being held "ransom" over a look-alike domain name. It's one of those risks that too few organizations consider.
For illustrative purposes, say we're talking about a professional services firm named "Platt & Verry" with the domain plattverry.com. The squatter registered a company "Verry & Platt" with the domain name verryplatt.com and set up a highly similar site that advertised the same services. This was not only causing marketplace confusion; it had also resulted in clients and potential clients disclosing sensitive information through the look-alike site's client portal and Contact Us pages, as well as to its general email addresses. Interestingly, even after consultation with their counsel, they were told there was no legal recourse. They were still debating how to handle the $50K "request" to purchase the domain name.
They had two questions for us:

  • Did we agree with their counsel that there was no legal recourse?
  • How could they prevent this from happening again?

For advice on the former question, we referred them to a law firm that specializes in cases of this nature.
On the latter, we discussed including the risk of cybersquatting in their information security risk assessments. There are various tools that an organization can use to rapidly enumerate the look-alike variants of its domain name (reordered words, hyphenated and "and" forms, common misspellings and homoglyphs, other TLDs) and determine which of them it already owns. Your SEO department can also be a valuable source of related information. With this information in hand you can decide whether registering these domains is a worthwhile risk mitigation strategy. Since no organization can register every conceivable variant, defensive registration works best when paired with periodic re-checks of the list, so that a newly registered look-alike is noticed before a client stumbles onto it.
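The following is an added example, not code from the original post or from any tool it refers to, showing the kind of variant enumeration described above. The brand is supplied as its component words (here the hypothetical "Platt" and "Verry"), and the substitution tables and TLD list are illustrative assumptions, not a complete catalogue of squatting tricks. The DNS check at the end is deliberately labelled as rough: a name can be registered without resolving, so only a WHOIS/RDAP lookup tells you whether a variant is actually available.

```python
"""Enumerate look-alike variants of a brand domain for a squatting check.

Added example for this article, not from the original post. The word list,
homoglyph and keyboard tables and TLD list are illustrative assumptions.
"""
import itertools
import socket
import sys

# TLDs worth checking in addition to the organisation's own (assumed list).
TLDS = ("com", "net", "org", "co", "biz", "info", "us")
# Visually confusable substitutions seen in squatted names (not exhaustive).
HOMOGLYPHS = {"o": "0", "l": "1", "i": "l", "m": "rn", "w": "vv", "e": "3"}
# Adjacent QWERTY keys for the most common fat-finger typos (partial table).
QWERTY = {"a": "qs", "e": "wr", "i": "uo", "o": "ip", "r": "et",
          "t": "ry", "y": "tu", "p": "o", "l": "k", "n": "bm", "v": "cb"}


def label_variants(label):
    """Single-edit typo variants of one DNS label: omission, doubling,
    adjacent transposition, neighbouring-key substitution and homoglyphs."""
    out = set()
    for i, ch in enumerate(label):
        out.add(label[:i] + label[i + 1:])               # omission
        out.add(label[:i] + ch + ch + label[i + 1:])     # doubled letter
        if i + 1 < len(label):                           # swap with next
            out.add(label[:i] + label[i + 1] + ch + label[i + 2:])
        for neighbour in QWERTY.get(ch, ""):             # fat-finger
            out.add(label[:i] + neighbour + label[i + 1:])
        if ch in HOMOGLYPHS:                             # look-alike glyph
            out.add(label[:i] + HOMOGLYPHS[ch] + label[i + 1:])
    out.discard(label)
    return out


def brand_variants(words, tld="com"):
    """All look-alike domains for a multi-word brand: every word order,
    hyphenated and 'and' forms, typo variants of the joined name, and each
    of those under every TLD in TLDS. The organisation's own domain is
    excluded so the result is exactly the list to check."""
    words = [w.lower() for w in words]
    labels = set()
    for order in itertools.permutations(words):
        joined = "".join(order)
        labels.add(joined)
        labels.add("-".join(order))
        if len(order) > 1:
            labels.add("and".join(order))   # "plattandverry"
        labels.update(label_variants(joined))
    original = "".join(words) + "." + tld
    domains = {f"{label}.{t}" for label in labels for t in set(TLDS) | {tld}}
    domains.discard(original)
    return sorted(domains)


def resolves(domain):
    """Rough liveness check: does the name have an address record? A squatter
    who has registered but not yet used a name will show as False here, so
    confirm availability with WHOIS/RDAP before concluding a name is free."""
    try:
        socket.gethostbyname(domain)
        return True
    except (socket.gaierror, OSError):
        return False


if __name__ == "__main__":
    brand = sys.argv[1:] or ["Platt", "Verry"]   # hypothetical firm from the post
    candidates = brand_variants(brand)
    print(f"{len(candidates)} variants to review for {' '.join(brand)}")
    for name in candidates:
        if resolves(name):
            print("LIVE   ", name)
```

Run with the firm's name split into words (`python variants.py Platt Verry`); the names printed as LIVE are the ones someone is already serving content from and deserve a look first, while the rest still need a registrar check before you decide which to register defensively.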
This issue has been around for a long time and doesn’t show any signs of going away. A “classic” example: Back in 2000, before Bell Atlantic and GTE announced the name Verizon, they proactively registered hundreds of variations on the name, including verizonsucks.com. Remarkably, shortly after they announced the name someone registered the name verizonreallysucks.com.
And here’s another example, this one squatting on the newborn Prince of Cambridge.
You can’t make this stuff up…