Registrars can now block people from registering tens of thousands of domain names that look like, are spelling variations of, or otherwise infringe on brand names.
GlobalBlock, a solution already in use by leading registrars like GoDaddy Corporate Domains, 101domain, and MarkMonitor, lets businesses pay a subscription fee to reserve a part of the domain space as a means of protecting their trademark. But is there more to this than meets the eye?
Blocks similar domains, even homoglyphs
Traditionally, companies and brands have had to manually register multiple domain names with different extensions (TLDs) or variations of their spellings to both protect their trademark and prevent malicious usage.
As an example, owners of apple.com would be (and are) wise to also reserve apple.co.uk, apple.in, among others to prevent another business from using the name, or worse, having a threat actor misuse some 'apple' domains for running phishing and scam operations.
Furthermore, domain typosquatting attacks where threat actors set up domains that are slightly misspelled variations of legitimate services to direct visitors to their malicious websites aren't unheard of. For example, should a user intending to visit Google mistakenly type gooogle.com in their address bar, they could potentially fall victim to a typosquatting attack. Thankfully, Google has already reserved this particular example.
But where does it stop?
A domain name can consist of letters, digits, and hyphens drawn from varying character sets, which further opens the door to homograph attacks, as we have previously seen.
Homograph attacks consist of attackers registering lookalike domains with homoglyphs: characters that look the same to the naked eye but are, in reality, distinct, due to different character sets and encoding.
For example, the Cyrillic letter 'а' looks exactly like the Latin letter 'a', but the two are vastly different. Copying and pasting аbc.com into your browser (try it) would not lead you to the real abc.com; the Cyrillic text is first converted to its ASCII-equivalent (punycode) form, sending you to a different domain.
Even by simply using the Latin alphabet, threat actors can and have crafted phishing emails directing readers to illicit domains with confusingly similar characters, such as Iimited.com (starting with an 'i') as opposed to limited.com, or e1onmusk.website ('1' instead of an 'l').
This existing set of problems is what GlobalBlock aims to address.
GlobalBlock, an initiative of Brand Safety Alliance (a GoDaddy subsidiary), allows brands to pay a subscription fee to their registrar, and select "labels" or terms they would want to block others from registering.
A user intending to register a new domain matching one or more labels, or their permutations, will not be able to proceed with the registration, because the registrar has GlobalBlock in use.
An FAQ on the website explains what kinds of "labels" are available and what each of these means.
BleepingComputer understands that by tomorrow, February 29th, GlobalBlock will be "generally available" across leading registrars.
Domains we could block: '70,094'
While the basic plan lets subscribers block specific domain names that read like their trademark across some 563 extensions (TLDs), the "plus" version takes a huge leap forward.
The extensive GlobalBlock+ plan can potentially restrict tens of thousands of domain names from being registered, including those with confusable homoglyph characters, and a 'main label', that is, any domain containing a particular term itself or its variations.
For example, in a test we used the service's "brand protection calculator" to see how many domains containing a variation of "Bleeping Computer" we could prevent others from squatting, and the result was an alarming 70,094, should we subscribe to GlobalBlock+.
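As an added example (not GlobalBlock's own code; the page does not describe its matching rules), the Python below shows how a registrar-side check could treat a requested domain the way the homograph and GlobalBlock+ passages above describe: decode any punycode label, fold confusable characters to the Latin letters they resemble, then compare the second-level label against a protected list for exact, containing (main-label) and one-keystroke-typo matches. The confusable table, the brand list and the tier names are assumptions constructed here.

```python
import unicodedata
from typing import Optional, Set, Tuple

# Constructed confusable table (illustrative; a real check would use the full
# Unicode confusables data): sequences that render like a Latin letter.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic а е о р
    "\u0441": "c", "\u0445": "x", "\u0456": "i", "\u0455": "s",  # Cyrillic с х і ѕ
    "I": "l", "1": "l", "|": "l", "0": "o", "rn": "m", "vv": "w",
}

def to_punycode(domain: str) -> str:
    """Unicode domain -> the ASCII (xn--) form the browser actually resolves."""
    return domain.encode("idna").decode("ascii")

def skeleton(domain: str) -> str:
    """Reduce a domain to what the eye sees: decode any punycode label,
    NFKC-fold, replace confusables (longest sequences first), lowercase."""
    if domain.isascii() and "xn--" in domain.lower():
        domain = domain.encode("ascii").decode("idna")
    s = unicodedata.normalize("NFKC", domain)
    for seq, repl in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        s = s.replace(seq, repl)
    return s.lower()

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one-keystroke typos such as gooogle."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain: str, protected: Set[str]) -> Optional[Tuple[str, str]]:
    """Return (rule, brand) when the second-level label of `domain` collides
    with a protected label, else None. Rule names are assumed tiers mirroring
    the article: 'exact', 'contains' (main-label block) and 'typo'."""
    label = skeleton(domain).split(".")[0]
    for brand in sorted(protected):
        b = skeleton(brand)
        if label == b:
            return ("exact", brand)
        if b in label:
            return ("contains", brand)
        if edit_distance(label, b) == 1:
            return ("typo", brand)
    return None
```

Calling `lookalike_of("walmartsucks.com", {"walmart"})` returns a 'contains' hit, which is exactly the kind of match the free-speech discussion later in the article worries about; a deployed check would need a review path for such cases.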
At this time, the service protects both unregistered and registered trademarks, including geographical indicators, marks protected by statute or treaty, company or organization names, and celebrity names.
Furthermore, the service offers a priority "AutoCatch" feature, akin to drop-catching a domain, which means as soon as a previously registered domain that reads similar to a brand name expires or otherwise becomes available, GlobalBlock will snatch it for their paying customer.
Mind you, the service doesn't come cheap either.
Prices for the solution at registrar 101domain, for example, start at an annual $5,999 fee for a basic plan "to block over 560 extensions." The rigorous, "plus" blocking starts at $8,999 a year.
Perhaps for big corporations, the pricing structure may prove to be much more cost-effective and efficient than manually having to squat hundreds to thousands of domain names, manage them, and pay hefty annual renewal fees for each.
Free speech concerns
No doubt, a solution like GlobalBlock, when implemented by leading registrars, can save brands the hassle of registering every domain that echoes their name. But I couldn't help but wonder if an automated solution this vast could end up giving companies an undue advantage in hoarding the domain space.
Should a company or celebrity reserve their name and use "unlimited blocking of main labels," this would effectively prevent registration of a domain with that term.
In other words, could a famous JohnSmith now block you from registering JohnSmithSucks.com, or your next-door 'iPhone Repair Shop' be compelled to find a domain name that is free from a trademark?
At this time, it isn't clear whether GlobalBlock only restricts domain registrations that exactly contain a brand name (and its spelling variations), or whether its scope will expand to cover domain names containing any part of a brand name along with other terms (e.g. walmart.com vs. walmartsucks.com).
After the publication of this piece, we received the following answer from Tony Kirsch, Commercial Director of the Brand Safety Alliance, who also suggests that brands use the Brand Protection Calculator or get in touch with a GlobalBlock Accredited Agent to better understand the scope of blocks and receive a full report for their brand.
"GlobalBlock is a revolutionary online brand protection service that, in one simple transaction, blocks available domain names that are an ‘exact match’ to the brand in hundreds of web extensions from around the world (567 as at Feb 28, 2024). In doing so, GlobalBlock helps brands protect their intellectual property and prevent unwarranted additions of keywords, plurals or other characters to the brand.
The value-add service, GlobalBlock+, retains this exact match concept but provides protection significantly beyond that of GlobalBlock. This is achieved by potentially blocking thousands of ‘variations’ of the brand, whereby Latin characters are replaced by non-Latin characters that could be visually confusing to end consumers and often used in phishing attacks or other similar impersonation activities."
- Tony Kirsch
More interestingly though, trademark protection generally applies to goods and services in a particular class, and only in specific jurisdictions, which further complicates matters.
It isn't hard to imagine a hypothetical Apple Clothing company, with nothing to do with the tech giant, being interested in purchasing a domain name.
Ironically, GlobalBlock itself acknowledges conflicting cases where it may be possible for a party to block someone else's trademark (in its FAQ, under "Can someone else block my trademark or rights?").
It may be possible "for multiple parties to hold matching verified rights, e.g., two or more identical marks registered by separate trademark owners that cover distinct goods or services, or that are registered in different jurisdictions," states the service.
In such instances, GlobalBlock's current answer states that "any label that is blocked by more than one rights holder cannot be unblocked without the consent of all applicable rights holders."
We also reached out to the Electronic Frontier Foundation (EFF) to explore potential concerns with a solution like GlobalBlock.
"The fundamental problem with services like this is that they suppress far more domains than merely those that would infringe trademark. Domain names are themselves a form of speech that we don't want to see constrained by overzealous attempts at brand enforcement," Kit Walsh, senior staff attorney at EFF told BleepingComputer in a statement.
Walsh, who also serves as EFF's Director of Artificial Intelligence & Access to Knowledge Legal Projects, explained that trademarks based on generic terms, when combined with a tool like this, could interfere with free speech.
"Many trademarks are common words, like 'Apple,' surnames, like 'Ford,' or drawn from preexisting culture, like 'Nike.' Even if a trademark is a unique word, people have a right to talk about brands, products, and aspects of culture."
"To do otherwise silences critical speech, parody, fan works, or even unrelated but similar business names."
Giving varied examples like 'Boycott EFF,' 'Not The EFF,' and 'EFF Plumbers,' Walsh stressed that the creators of such websites should have the right to get and keep their sites if they existed, much like the historical "walmartsucks.com."
Similarly, if a service was able to block any domain with "EFF" in it, says Walsh, it would eliminate a lot of words from the English language, like Effect, Effort, Effervescent, and so on.
The attorney further told BleepingComputer that these problems multiply when we consider that "English is far from the only language used on the internet."
"Common words in our language would impede expression in other languages, and vice versa. Some Ikea furniture names are quite similar to Thai slang for sex acts, for instance, Barf is a well-known Iranian soap brand."
Walsh referred to Ford's marketing fiasco from the seventies, when the company's 'Pinto' car models had to be renamed 'Corcel' in the Brazilian market because the former is slang for certain genitalia.
"'Protecting brands' isn't the end goal of trademark; the goal is preventing consumers from being confused about who's responsible for the goods and services they buy. Blocking speech that wouldn't be confusing anyway is simply a net loss for the public interest."
The expert advises that the Uniform Dispute Resolution Policy (UDRP), which registrars must follow, already gives trademark owners powerful tools to claim domain names that are likely to create confusion.
"Automated systems like these should not circumvent what protections exist for good-faith use of domain names that happen to be similar but have legitimate purposes."
Update, March 1, 2024 06:28 am ET: Added an answer from Brand Safety Alliance received after publication.
Comments
blackhatcat - 8 months ago
won't be very long at all before this is used by businesses and brands to attack other competing businesses and brands with similar names
ZeroYourHero - 8 months ago
Can you name an example of that?
rd0769 - 8 months ago
Apollo.com
Apollo.io
Apollo.ai
Apollo.org
Apollo.pk
Apollotyres.com
ApolloIndia.com
Apollohospitals.com
ApolloGroup.com
Apollopipes.com
Apollofmg.com
PK88 - 8 months ago
There are dozens of restaurants with the word "Zest" as part of their name. There are at least three in the same market of NYC, "Zest Shusi", "Zest Ramen", and "Zest Szechuan". Does the first one that uses Zest in their domain name prevent the other three from using Zest in their domain name?
I think the only criteria should be, is the domain name meant to deceive, e.g. walmartsucks.com is fine, wa1mart.com is not.
There should also be a simple and free way to appeal any automated blocking of domains that does not require both parties to agree. Given a choice, I am sure Walmart would not agree to walmartsucks.com, even though it is certainly not meant to deceive. Also zestramen.com can certainly coexist with zestshusi.com if they decided to use those domain names.
rd0769 - 8 months ago
What a nice example. Seems like you wrote this article for me, as I own bleepingcomputer.io :P
CEO Lawrence Abrams does not accept requests on LinkedIn, no email replies.
I was about to sell it for USD500 to someone but then I stopped, cuz I wanted you guys to get it.
As I am always thankful to him for providing COMBOFIX in my school days, when I used to be the cool guy for a decade with COMBOFIX on my pendrive all the time.
Dominique1 - 8 months ago
Although this is a very lucrative hack for registrars, this is certainly not the solution. Other registrars might disagree, the criminal creativity with names that won't be flagged by GlobalBlock, etc... The solution is having the ability to send a copyright complaint to the registrar and the host provider to have fake domain names neutralised before further damages are caused to the public. ICANN needs to impose new rules in these modern times.