An Initial Call for a More Enhanced UDRP

Since its launch on December 1, 1999, the Uniform Domain-Name Dispute-Resolution Policy (“UDRP”) has been an effective tool to quickly remove domain names which infringe upon the trademark rights of others on the Internet. The Internet has changed dramatically since 1999, but the UDRP has remained the same and has not adapted to address the significant dangers associated with malware, phishing and spear attacks perpetrated by cybersquatters.

In the near future, a working group within Internet Corporation for Assigned Names and Numbers (“ICANN”) will conduct the first ever review of the UDRP and will be tasked to provide new policy recommendations regarding the UDRP*. It is my contention there needs to be an enhancement to the UDRP which will allow for the quick disabling of websites that are used by cybersquatters to engage in phishing and malware attacks (“Phishing Attack”) against Internet users.

UDRPs and Phishing Attacks

As it currently stands, a UDRP complaint that accuses a registrant of engaging in a Phishing Attack is not treated any differently than a complaint which alleges the registrant is trying to divert traffic or make money through pay-per-click advertising. This is a serious problem as it leads to a situation in which a Phishing Attack website can continue to operate and target individuals and companies for up to 2 months until the domain name is transferred. Frustratingly for trademark owners and internet users, by the time the domain is ordered transferred the cybersquatters have moved on to another attack without any real harm to their operation. Further, there has been an uptick in Phishing Attack websites in recent years as shown by the following representative decisions:

Teva Pharmaceutical Industries Ltd. v. Amy Kinjo, (2016-02-29 WIPO Case No. 101161) “Further, the Panel is satisfied that the Complainant showed that the disputed domain name was registered for purposes of carrying out phishing attacks spoofing the Complainant’s identity for its own financial gain....The Panel is also satisfied that the Respondent used disputed domain name as the use for carrying out phishing attacks spoofing the Complainant’s identity for its own financial gain...” (Ordering the transfer of <tevapharmaceuticalslimited.com>) http://udrp.adr.eu/adr/decisions/decision.php?dispute_id=100921

Electronic Frontier Foundation v. Shawanda Kirlin (WIPO Case No. D2015-1628) “[T]he Respondent has used the disputed domain name in connection with a website surreptitiously installing malicious software on the computers of unsuspecting visitors, and redirecting infected visitors to the Complainant’s official website.” (Ordering the transfer of <electronicfrontierfoundation.org>) http://www.wipo.int/amc/en/domains/search/text.jsp?case=D2015-1628

LinkedIn Corporation v. Daphne Reynolds (WIPO Case No. D2015-1679) “According to the Complainant, the Respondent uses the Domain Name as part of an employment/phishing scam, in which the Respondent, impersonating the Complainant, sends fraudulent offers of employment via email using the Domain Name as the return address. In these emails, recipients are asked to submit ‘Interview Security Fees’ prior to a job interview.” (Ordering the transfer of <linkedinjobs.com>) http://www.wipo.int/amc/en/domains/search/text.jsp?case=D2015-1679

FlexReceipts, Inc. v. Domain Administrator, PrivacyGuardian.org / Anthony Palmer (WIPO Case No. D2017-0536) “The Respondent appears to have acquired the Domain Name primarily for the purpose of targeting the Complainant’s mark in furtherance of a phishing scheme, which creates consumer confusion as to the source, sponsorship, affiliation, or endorsement of the Domain Name, and to target the Complainant’s trademark and customers, and diverting its users into a phishing scheme.” (Ordering the transfer of <flexreceipts.net>) http://www.wipo.int/amc/en/domains/decisions/text/2017/d2017-0536.html

AB Electrolux v. Piotr Pardo (WIPO Case No. D2017-0368) “Respondent clearly registered and is using the disputed domain name in bad faith. Long after Complainant established its rights in its well-known trademark, Respondent acquired the disputed domain name and then engaged in creating fraudulent email addresses to use in a “phishing” scheme against Complainant even going so far as to impersonate the CFO and send a wire transfer request to an employee of Complainant.” (Ordering the transfer of <electrolvx.com>) http://www.wipo.int/amc/en/domains/decisions/text/2017/d2017-0368.html

Syngenta Participations AG v. Jon Hanna, Aljt (WIPO Case No. D2017-0616) “The Panel has already found the disputed domain name to be confusingly similar to the Complainant’s trade mark. Recipients of the bogus emails are Internet users and the address from which those emails were sent and to which replies were requested was an on-line location. The email requested an acknowledgement which would have disclosed or confirmed the recipient’s email address. The email did not actually mention the name or address of a payee or the amount of a payment (though that might have come later) but the mere disclosure or confirmation of the recipient’s email address would have been enough for the sender of that email to derive commercial gain as he could have used the disclosed or confirmed email address for spamming or sold it to a spammer. Under the circumstances it appears obvious that the intent of the Respondent was to obtain some commercial benefit.” (Ordering the transfer of <syngentaqroup.com>) http://www.wipo.int/amc/en/domains/decisions/text/2017/d2017-0616.html

Uniglobe Travel International Limited Partnership v. Gerhard W Lenzen, Greenberg Traurig Germany (WIPO Case No. D2017-0466) “Given that Respondent has used the disputed domain name to send what appear to be fraudulent emails and forms to job seekers that feature the UNIGLOBE name and mark, and has used the disputed domain for a website that features the name and mark UNIGLOBE TRAVEL, there can be no doubt that Respondent was aware of Complainant and its UNIGLOBE mark when Respondent registered the disputed domain name. Needless to say, given that the uncontested evidence shows that Respondent has used the disputed domain name to send apparently fraudulent emails to consumers to elicit personal information and to scam individuals into making alleged processing payments, it is clear that Respondent specifically targeted Complainant and its UNIGLOBE mark, and has done so opportunistically and in bad faith. Respondent’s bad faith is further established by the fact Respondent has sought to conceal its identity by registering the disputed domain name by using false contact information and by falsely claiming to be associated with the Greenberg Traurig Germany LLP law firm. Such actions by Respondent, when coupled with the sending of false and fraudulent emails to job seekers for alleged visa and work permit services, underscores Respondent’s overall bad faith registration and use of the disputed domain name.” (Ordering the transfer of <uniglobetravel.agency>) http://www.wipo.int/amc/en/domains/search/text.jsp?case=D2017-0466

MasterCard International Incorporated v. Siegfried Waizenegger (WIPO Case No. D2012-0662) “Accordingly the Panel accepts the Respondent’s evidence that the Domain Name has been used in connection with activity which is intended to obtain data which can then in all probability be used in further fraudulent activity directed against the Complainant or its customers.” (Ordering the transfer of <sicherheit-mastercard.com>) http://www.wipo.int/amc/en/domains/search/text.jsp?case=D2012-0662

MasterCard International Incorporated v. Kelvin Mackole (WIPO Case No. D2008-0702) “In the present case, as proved by the Complainant, the Respondent has not used the domain name at issue to resolve it to an active website, but only in connection with an e-mail address used to lure individuals to participate in a scam lottery. It is clear that the Respondent attempted to lure, for unlawful commercial gain, Internet users to the Respondent’s fraudulent scheme by creating a likelihood of confusion with the worldwide renown Complainant’s mark as to the source and affiliation of the emails (see Dow Jones & Company Inc. v. Julia Soroki, WIPO Case No. D2008-0027 and the The Coca-Cola Company v. Tony Williams, WIPO Case No. D2007-0479 mentioned by the Complainant. Under these circumstances, the Panel believes that Respondent registered and used the domain name in bad faith.” (Ordering the transfer of <mastercardmegajackpot.com>) http://www.wipo.int/amc/en/domains/decisions/html/2008/d2008-0702.html

Proposal to Address Phishing Attack

The increase in the number Phishing Attack websites exploiting trademarks is not something that was contemplated when the UDRP was created in 1999. Thus, there needs to be a new mechanism to address domain names which are used to engage in Phishing Attacks. My initial proposal is that if a Complainant believes the registrant is engaged in a Phishing Attack then there should be a mechanism to disable the website associated with the infringing domain name the same day a UDRP complaint is filed with a provider. The mechanism would be as follows:

1. The Complainant must affirmatively state that the infringing domain name is associated with a Phishing Attack

2. That the infringing domain name unless disabled immediately will present a risk to the public;

3. The Complainant must affirmatively state that the request to disable the website is not an attempt to harm a business competitor;

4. The Complainant must submit an additional $500 which will be given to the registrar as a processing fee; and

5. Once registrar receives the request it will disable the website and put up a page which states the infringing domain is subject to a Phishing Attack claim. The website will remain disabled pending the outcome of the pending UDRP action.

In addition to these steps there will be a need to modify the UDRP policy so that registrars will not be held liable from the domain name registrant if the Complainant in the UDRP action is not successful.

Conclusion

Phishing Attack websites are an ever increasing issue for both trademark owners and consumers. This is now the time to begin discussion on how best to ensure the public maintains its trust in the domain name system.

 

*The author is a member of the Review of all Rights Protection Mechanisms (RPMs) in all gTLDs PDP Working Group whose charter can be found here:  https://community.icann.org/display/RARPMRIAGPWG/WG+Charter?preview=/58729944/58730036/Charter%20for%20RPM%20PDP_final.pdf