The Domainjacking Primer

Avoid problems from improper domain and social media account management. Avoid domainjacking, a risk that can be particularly detrimental to brands.

Best Practices in Domain Management

Having produced scores of integrated interactive campaigns, I have seen unexpected problems arise from improper domain and social media account management.

I want to share my experience and offer advice on domainjacking, a risk that can be particularly detrimental to brands.

What is Domainjacking?

Domainjacking* is a bold type of brandjacking where domainjackers co-opt a brand’s identity and goodwill in bad faith at the point of domain registration. Domainjackers aim to steal traffic for personal profit or to smear a brand. They use search engine marketing and organic search results to generate profit in the form of PPC ad revenue and/or sales of similar products and services.

Unlike phishing scams that prey on victims through broadcast spam email, domainjackers build websites using branded domain names. Using SEM/SEO, brandjacked social media profiles, and conceivably through phishing, they drive traffic to their illicit sites.

Consequently, search engines are constantly adjusting their algorithms to avoid driving traffic to illegitimate domains. Social media platforms will need to implement Dispute Resolution Policies as brandjacking becomes more prevalent and as social media becomes more important to brands.

Types of Domainjacking

Here are a few examples of domainjacking, either by malicious parties or through brand stewardship incompetence. Some tactics are illegal; some may not have a legal precedent.

  • Alternate TLD Registrations
    Many interactive campaigns only register the most popular top level domains like .com, .org and .net. A domainjacker often sweeps in to buy other TLDs like .info, .biz as well as country code TLDs like .us and .uk.
  • Similar Names
    Domainjackers may register domain misspellings, similar spellings or phrases with the brand name embedded.
  • Domain Disputes
    Small business marketing services companies like web developers, graphic designers and former employees have been known to hijack a domain they registered on behalf of their brand client for nonpayment of services.
  • “BrandSucks.com” Gripe Sites
    Vindictive and aggrieved customers may register a brandsucks site in order to voice their complaint or publicly trash a brand. In these cases, brand managers have to file official UDRP complaints with ICANN in order to effect site termination or transfer.
     
    Internet strategy consulting firm Fairwinds Partners maintains a list of UDRP brandsucks complaints, their outcomes and ICANN’s decision. Note many complaints did not rule in favor of the brand complainant. (Hat tip to IPKat’s Law Blog for links and opinions in this area.)
  • Outright Domain Theft
    Domainjackers may use a variety of methods to acquire access to a brand’s registrar account. With this information, a domainjacker could transfer ownership or temporarily redirect traffic to an alternate web server.

What Domainjacking Is Not

When trying to define what something is, it’s helpful to define what it is not.

  • Domaining
    Domaining is a multifaceted multibillion dollar industry involving domain sales, management, brokering, auctions and link generation. One can find successful “domainers” in the “domainersphere” who’ve profited from legitimate domain trading.
  • Legitimate Domain Ownership
    Domainjacking is not the legitimate transfer of domain ownership, nor is it the legitimate acquisition of a domain following its term expiration. “Domain squatters” utilize software to grab domains when they expire, and brand managers may be forced to bid on those domains in the open marketplace if they cannot demonstrate bad faith on behalf of the new registrant.
  • Lost Registrar Passwords
    In order to prevent domainjacking, registrars have numerous checks in place to verify domain administrators are who they say they are.
  • Registrar Parking
    Registrars can park domains on their own servers for nonpayment.
  • Phishing
    Phishing is a malicious type of brandjacking that preys on customers of a brand. This tactic is usually executed via spam email that asks the recipient to click on a bogus link to enter personal account information. The fake landing page often has branded subdomains and a similar visual identity intended to confuse and deceive.

How to Defend Against Domainjacking

To the extent a team can anticipate threats, domainjacking is largely avoidable.

  • Don’t be cheap
    Domain registration is a nominal cost of a campaign, but it can be a significant line item. Be prepared to explain the cost of not properly managing domain registrations in terms of harm to the brand, lost revenues, lost engagement opportunities, legal fees, misplaced resources, etc.
  • Mark Your Brand
    Where appropriate, get a trade or service mark on your brand. This won’t prevent DNS registration, but it will help support registrar domain disputes and help convince hosting companies to comply with cease and desist requests.
  • Perform a Simple Risk Analysis
    Start a list of domains ranked by high, moderate and low risk threats of domainjacking. This list would be considerate of the project’s domaining budget, media plan and forecasted impact. Popular brands should register all TLDs appropriate for a campaign. Read my Domain Checklist For Interactive Campaigns when planning & registering domains.
  • Avoid Social Media Brandjacking
    Invest time to register brands with popular social media & micromedia account profiles. Jeremy offers an excellent list of Brands that got Punk’d by Social Media. Follow my Social Media Checklist For Interactive Campaigns as a minimal social media strategy.
  • Register with a Generic DNS Admin
    When registering a domain, use a generic email account like [email protected]. Not only does this help control privacy of domain ownership, but you also remove your dependency on individual staff. When the producer or DNS manager leaves your company, you don’t need to go searching for passwords or log into your registrars to change all the contacts. You can simply auto-forward the generic DNS admin accounts to a new account. Take care not to jeopardize security in this handoff.
  • Manage Domain Passwords
    This duty usually falls into the realm of the Interactive Producer, however, online brand stewards should take care to safeguard this content from the risk of threat. Resource managers may also consider assigning all domaining duties to a single Brand Domainer.
  • Long Registration Periods and Auto-renewals
    All registrars allow domain managers to register domains for extended periods of time. This can actually help SEO because search engines trust long-term domains more than those nearing expiration. Set accounts to auto-renew domains to prevent unintended expiration. Be sure to keep credit card info up to date with the registrar.
  • Lock Registrar Accounts
    Most registrars now allow account managers to lock the domain accounts to prevent accidental account changes.
  • Register Your Own Brandsucks Gripe Site
    “Sucks” and “stinks” are two common pejoratives in brand bashing. BrandChannel distributes a whitepaper on managing the destructive potential of brandsucks: The Power of Internet Gripe Sites. One notable example is the film theater chain Loews. They registered LoewsSucks.com and use the site as a customer feedback channel with its Guest Satisfaction Survey. Fairwinds Partners maintains a list of 100s of brands that have registered their own brandsucks domain name.
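
An added example, not part of the original article, of checking a domain portfolio against the auto-renewal and registrar-lock advice above: it parses saved WHOIS records for the expiry date and the EPP transfer-lock status. The domain names, sample records and 90-day threshold are constructed assumptions, and the field names follow the ICANN-style WHOIS layout, which varies by registry.

```python
import re
from datetime import datetime, timezone

# Constructed sample WHOIS records (not real lookups). Field names follow
# the ICANN-style layout; other registries may label them differently.
SAMPLE_WHOIS = {
    "brand.example": """\
Domain Name: BRAND.EXAMPLE
Registry Expiry Date: 2031-05-14T04:00:00Z
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
""",
    "brand-campaign.example": """\
Domain Name: BRAND-CAMPAIGN.EXAMPLE
Registry Expiry Date: 2025-02-01T04:00:00Z
Domain Status: ok https://icann.org/epp#ok
""",
}

FIELD = re.compile(r"^\s*([^:\n]+):[ \t]*(.*)$", re.MULTILINE)

def parse_whois(text):
    """Collect 'Key: value' lines; repeated keys (Domain Status) accumulate."""
    record = {}
    for key, value in FIELD.findall(text):
        record.setdefault(key.strip().lower(), []).append(value.strip())
    return record

def audit(text, now, warn_days=90):
    """Return a list of findings for one WHOIS record (empty list = healthy)."""
    rec = parse_whois(text)
    findings = []
    expiry = rec.get("registry expiry date", [None])[0]
    if expiry is None:
        findings.append("no expiry date found; check the registrar directly")
    else:
        expires = datetime.strptime(expiry, "%Y-%m-%dT%H:%M:%SZ")
        days_left = (expires.replace(tzinfo=timezone.utc) - now).days
        if days_left < warn_days:
            findings.append(f"{days_left} days to expiry; renew or enable auto-renew")
    # Each status value is "<EPP code> <URL>"; keep only the code.
    statuses = {s.split()[0] for s in rec.get("domain status", []) if s}
    if "clientTransferProhibited" not in statuses:
        findings.append("transfer lock not set (clientTransferProhibited missing)")
    return findings

if __name__ == "__main__":
    now = datetime(2025, 1, 2, tzinfo=timezone.utc)  # fixed date for repeatable output
    for domain, text in SAMPLE_WHOIS.items():
        print(domain, audit(text, now) or "OK")
```

A domain that reports only `ok` has no registrar lock applied, which is the state the "Lock Registrar Accounts" item is meant to eliminate.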

How to Respond to a Domainjacking

If you’ve been domainjacked, you need to mobilize your team and respond swiftly to limit damage to your brand. Here is a list of actions.

  • Know Your Enemy
    Perform a Whois search to determine who registered the domain and where it is hosted. Note, the domainjacker may have made this info private to thwart your effort, but you will be able to determine their registrar and the IP address of the host server.
  • File a UDRP with the ICANN Registrar
    ICANN publishes their Uniform Domain-Name Dispute-Resolution Policy, or UDRP, which is followed by all registrars. Here are considerations that help complainants win a favorable ruling.
     
    Trademark and Service Mark
    Demonstrate use of, or demonstrable preparations to use, the domain name in connection with a bona fide offering of goods or services. Note, weak and nonexistent trademark claims, aka reverse domainjacking, can harm a brand.
     
    Commonly Known
    Demonstrate being commonly known by the domain name, even if you never acquired trademark or service mark rights.
     
    Noncommercial Fair Use
    Demonstrate how the domainjacking either a) intends to mislead or divert customers, b) tarnishes the trademark or service mark or c) is not a noncommercial or fair use of the domain name.
     
    Even with an airtight claim and amid a customer service crisis, Panix, the oldest ISP in New York, faced crippling battles with MelbourneIT and Verisign when their email traffic got domainjacked.
  • Lawyerup and Counterpunch
    Attorney jokes are to Americans as Aggie jokes are to Longhorns, but this is the time you want aggressive legal counsel in the area of Intellectual Property rights and domain management.
  • Attack on Multiple Fronts Simultaneously
    Send Cease and Desist letters to the registrant and to the hosting company. The sites are commonly self-hosted in a foreign country, so be sure to follow the ICANN domain dispute process and contact the hosting company directly.

In my next article, I will share my own experiences on domainjacking.

Footnotes
* I love the English language because we can easily meld words to form new phrases without disrupting transmission. I prefer “domainjacking” over “domain jacking” or “domain-jacking” because a precedent has been set with “carjacking.” (OT: I once got carjacked in Oak Cliff near Dallas; ask me about it sometime.)

And for you SEO and domaining ninjas, I hope you appreciate my not-so-subtle effort to capture some alternative spelling traffic! In case you’re wondering, and so that I might mention the keyword just one more time, here are some domainjack conjugates (and their current Google results). I’ll spare you the H1 tag wraps 🙂

Domainjack (40)
Domainjacks (24)
Domainjacking (588)
Domainjacker (4)
Domainjackers (4)
Domainjacked (382)
Domainjackgate (1 result YES! I WIN!)
I’m claiming this one before the media constructs a scandalous ‘gate’ suffix!

6 replies on “The Domainjacking Primer”

Great info! Thank you, Shannon, for writing this. It’s helpful more than you know. Nice blog too 🙂
