Domain Dispute - don’t lose that great looking C2 domain

Matt “Rudy”
Maveris Labs
May 18, 2020 (9 min read)

TL;DR: I purchased a cheap domain that was very similar to a company’s domain. If the domain had been used during a Red Team operation as a C2 domain, it would have blended in with the noise. However, before I could use it, I was in an administrative proceeding due to a Domain Dispute. The dispute was based on an ICANN policy that was created to protect trademarks from people purchasing domains in “bad faith”. I chose the option to settle and transfer the domain to the company at no additional cost. As a Red Teamer, in the future if I plan to purchase a domain that is similar to a company’s for any reason, I plan to search the WIPO site to see if there are other proceedings filed by that company. Additionally, don’t let your registrar park your purchased domains by default; that can be used against you in a complaint.

As a Red Teamer I buy many domains to use for research or for operations. There are many blogs out there about how to find good quality expired domains or how to categorize your domains to bypass filters. Especially when there are sales (such as on Black Friday), I may buy many domains at a cheap price for possible use in future operations. Earlier this year I had to deal with a Domain Dispute over a purchased domain and learned a lot about the process. After talking to some friends and co-workers, it was suggested I put a blog together on it to help other Red Teamers in case they run into the same situation. Just remember I am not a lawyer; this is my research and the details of how I dealt with the situation.

Background on Domain Disputes:

Domain Disputes were created to enable trademark holders to contest ownership of domains. This helps the trademark owner protect themselves from domains purchased for malicious use to degrade the brand, from financial impacts caused by similar names, or simply to ensure they keep the rights to their brand.

To support trademark holders with these types of issues, the Internet Corporation for Assigned Names and Numbers (ICANN) created a policy to help resolve disputes where multiple parties claim the right to a specific domain. This policy is called the Uniform Domain-Name Dispute Resolution Policy (UDRP). The policy was fully approved on 24 October 1999. It is technically a policy between a registrar and its customers and is included in the registration agreements of all ICANN-accredited registrars. Fun note: the first disputed domain was worldwrestlingfederation.com on 9 December 1999.

With all that said, trademark holders can file a dispute through one of the approved dispute resolution service providers (list can be found here). In my case, the provider used was the World Intellectual Property Organization (WIPO), which was the first ever approved service provider. WIPO is a self-funded agency of the United Nations, with 193 member states.

Once the complainant files a domain dispute with a provider, the complainant must satisfy three requirements under paragraph 4(a) of the policy:

(i) the domain name registered by the respondent is identical or confusingly similar to a trade mark or service mark in which the complainant has rights;

(ii) the respondent has no rights or legitimate interests in respect of the domain name; and

(iii) the domain name has been registered and is being used in bad faith.

Once this is filed, the respondent (the current owner of the domain) will receive a notice through both email and postal mail. The notice will provide the complainant’s evidence that the domain was purchased in bad faith, as described in the requirements above. There is a short deadline to respond before an “Administrative Proceeding” will occur. When this process is started, the registrar is also notified and use of the domain is suspended until proceedings are completed.

The respondent has two options. The respondent can provide counter-evidence, let the proceedings occur and wait for a ruling. The other option is to settle by agreeing to cancel or transfer the domain to the complainant.

Fees: All fees for an Administrative Panel are paid by the complainant, unless the respondent elects to expand the panel from one person to three. In that case, the fees are evenly split.

My Story:

It was around Christmas time and there are deals popping up all the time. A domain registrar gives a deal for new domains at a very low price. One of these deals was for domains under the .online TLD for around a buck. As a Red Teamer, I can go through domains easily, so for a buck why not buy a few more? They can be used for testing, research, operations, etc. It was only a buck, so if not used within the year, not a huge waste.

As a Red Teamer, I want to have some decent looking domains. One domain purchased was similar to a known company, which in this post I will refer to as CompanyX. So for a buck, I purchased companyX.online. The thought was it could be used for research or possibly as a simple C2 domain. If used during a Red Team operation, there was no plan to ever use it as part of a phishing or social engineering attack, but more as a domain for C2. The hope was that the domain would blend into the traffic and become less noticeable to a Defender.

The holidays ended, I got busy with other stuff, the COVID-19 pandemic happened, and the domain was not touched until I discovered some unread emails, which were a few weeks old. The emails were from Domain.Disputes@wipo.int about how a complaint had been filed regarding the purchase and use of the domain companyX.online. My initial reaction was that this was some interesting phishing campaign. However, after research and subsequent emails, I discovered this was a legitimate Domain Dispute complaint.

Notification of Domain Dispute: Commencement of Administrative Proceeding

The emails contained attachments explaining the rules of the forthcoming proceedings, the complaint with its “evidence” that the domain had been purchased in bad faith, and a WIPO standard settlement form.

From the administrative proceedings information, a few interesting things of note:

  • 20 calendar days to provide a response (4 additional days can be requested)
  • notification that I may consent to the remedy by agreeing to transfer or cancel the disputed domain name
  • the single panelist will be selected by WIPO from its list of panelists (list)
  • the fees for the administrative proceeding will be paid in their entirety by the Complainant
  • I can request a three-member administrative panel, but the cost to me would be 2,000 USD
  • the documents and information are also sent to the domain registrar

And from the complaint documents, a few interesting things:

  • the complaint was not filed by the named company but by a law firm that provides this as a paid service
  • information providing all the proof that CompanyX uses the name for business and has trademarks, including a social media presence with the name, etc.
  • a claim that the domain currently hosted a Pay-Per-Click (PPC) advertising page and that some of the links pointed to the websites of its competitors
  • an additional claim that I was generating monetary revenue by misleadingly diverting online users to the domain

So after some investigation, I discovered that my registrar automatically parks purchased domains by default. On some domains, the parked domain site may include search engine links to things similar to the domain name category (hence the PPC allegation). There is information on the WIPO website explaining how panels have viewed this situation in the past (you can find this situation as well as others here). So I was not making any monetary gain as alleged, and if anyone was, it was my registrar. In my future domain purchases I have made it part of my procedures to ensure the domain is unparked if I am not immediately using it.

So with the allegations and the research I had performed, I had a few options. I could just not respond, the proceedings would go forward and I would lose the domain. I could respond like @0xF4B0 did when he had to deal with one and hope it goes away. Or I could settle, be done with it and move on.

A Twitter response I received when asking if other Red Teamers have dealt with a Domain Dispute

With all my options, one of the big keys for me was that there was no additional cost to me. In the Domain Dispute process, as I explained in the background, the Complainant covers all the fees. However, I did discover that if you do not respond and the administrative proceedings occur, you will most likely lose the domain, and the results of the proceedings are published on the WIPO site. So if you are representing a company or do not want your information tied to one of these proceedings on the Internet, consider settling.

As much as I have a tendency to fight back, especially regarding allegations that I was making revenue off this domain, I chose to settle. With everything else going on in the world and the domain costing only a buck, I just wanted to end this situation and move on.

To settle, you just have to fill out the standard settlement form that WIPO provides, sign the document, get the complainant to agree and send it to WIPO. The complainant will actually receive back some of the money they paid for the dispute if it does not go through the full proceedings requiring a panel member to review it. In my case, I tried to just cancel the domain, but the complainant would not agree unless I requested to have the domain transferred.

So that was my story of how I was introduced to Domain Disputes. I had no idea this policy existed; I had always heard stories of someone making thousands of dollars cybersquatting a domain before selling it to a company. The funny thing was, I only paid about a buck for the domain and would have easily given it up for a Chick-fil-A Spicy Chicken sandwich. However, CompanyX pays whatever the cost of the service is, and the administrative panel initially costs 1,500 USD; when I settled, WIPO kept a 500 USD fee (WIPO fees can be found here).

As I have looked more into the different domain dispute proceeding results on the WIPO website, I have come up with a few thoughts. A large company trying to protect itself and its brand not just from trademark infringement but from social engineering attacks enabled by typosquatting may want to consider this protection. For example, a law firm filed a UDRP complaint to stop a domain being used in fraudulent emails that solicited money while purporting to represent the firm (https://giga.law/blog/2019/1/30/law-firms-udrp-mcguirewoods).

In conclusion, Red Teamers, be careful with those great domain names. You could lose them to a Domain Dispute (hopefully not in the middle of an operation). I recommend searching WIPO for the company whose domain name you may be mimicking to see if they regularly file complaints.

Searching WIPO for any proceedings for CompanyX
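The first UDRP requirement above, “identical or confusingly similar”, is the one a pre-purchase check can screen for automatically. The following is an added example, not code from the original post or from Maveris: it takes a candidate domain, strips the TLD down to the registrable label (so companyX.online and companyX.co.uk both reduce to companyx), and rates it against a constructed brand list using exact match, substring containment and an edit distance that counts adjacent-character swaps. The brand names, the small public-suffix set and the distance threshold of 2 are all assumptions for the example; a real team would load the marks of the organisations it is authorised to emulate and would still run the WIPO search the post recommends, since this check only covers requirement (i).

```python
"""Pre-purchase screen of a candidate domain against a list of brand names.

Flags domains that a brand owner could plausibly contest under UDRP 4(a)(i)
("identical or confusingly similar") so the decision is made before buying.
Brand list, suffix set and threshold are constructed for this example.
"""

# Constructed brand list for the example (lower-case, no TLD).
BRANDS = ["companyx", "maveris", "examplebank"]

# A few multi-label public suffixes; enough for the example, not a full
# Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "org.uk"}


def registrable_label(domain: str) -> str:
    """Return the label just left of the public suffix, lower-cased.

    'CompanyX.online' -> 'companyx'; 'shop.companyx.co.uk' -> 'companyx'.
    """
    parts = domain.strip().lower().rstrip(".").split(".")
    if len(parts) < 2:
        return parts[0]
    if len(parts) >= 3 and ".".join(parts[-2:]) in MULTI_LABEL_SUFFIXES:
        return parts[-3]
    return parts[-2]


def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: insert, delete, substitute, or
    swap two adjacent characters each cost 1 (catches 'compnayx')."""
    prev2, prev1 = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev1[j] + 1, cur[j - 1] + 1, prev1[j - 1] + cost)
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)  # adjacent transposition
        prev2, prev1 = prev1, cur
    return prev1[-1]


# Ordering of findings from least to most contestable.
LEVELS = {"clear": 0, "near": 1, "contains": 2, "identical": 3}


def assess(domain: str, brands=BRANDS, near_threshold: int = 2) -> dict:
    """Rate a candidate domain and return the strongest finding.

    'identical': label equals a brand; 'contains': a brand is a substring of
    the label; 'near': edit distance <= near_threshold; 'clear': none apply.
    """
    label = registrable_label(domain)
    best = {"domain": domain, "label": label, "brand": None,
            "level": "clear", "distance": None}
    for brand in brands:
        b = brand.lower()
        dist = edit_distance(label, b)
        if label == b:
            level = "identical"
        elif b in label:
            level = "contains"
        elif dist <= near_threshold:
            level = "near"
        else:
            level = "clear"
        if LEVELS[level] > LEVELS[best["level"]]:
            best.update(brand=brand, level=level, distance=dist)
    return best


if __name__ == "__main__":
    # Constructed candidates: the post's own purchase plus three variants.
    for candidate in ["CompanyX.online", "companyx-login.co.uk",
                      "compnayx.com", "weatherdata.net"]:
        r = assess(candidate)
        print(f"{candidate:24} -> {r['level']:9} brand={r['brand']}")
```

Anything rated identical, contains or near is a candidate to drop or to research further in the WIPO case database before spending even a buck on it; the short threshold keeps the check strict, and a team may lower it for very short brand names where two edits can reach unrelated words.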

Website: www.maveris.com

Email: info@maveris.com

Maveris exists to help your organization reach its fullest potential by providing thought leadership in IT and cyber so you can connect fearlessly. To learn more visit us at: www.maveris.com
