Web.com is taking a $1 million per-quarter hit to its revenue as a result of August’s hacking attack.
It also incurred $400,000 in consulting, legal and credit monitoring fees in the third quarter as a result of the breach, CEO David Brown told analysts last night.
Some 93,000 credit card numbers were stolen during the attack, a small portion of its 3.3 million customers.
A number of customers jumped ship as a result of the attack, moving their domains elsewhere, which increased Web.com’s churn rate.
“Due to the subscription nature of our business, in the fourth and subsequent quarters we expect the breach will have about a $1 million negative impact on revenue per quarter due to the shortfall from Q3,” Brown said.
It added 15,000 customers in the quarter, lower than the 21,000 it added in Q2.
Net income for the quarter was $6.1 million, reversing a $3.4 million loss in the year-ago period, on revenue that was basically flat at $136.8 million, compared to $137.4 million a year ago.
In response to an analyst question, Brown also commented on the success, or lack thereof, of the company’s new gTLD business. He said:
That continues to be positive, but we’re not doing back-flips here. It’s not that positive. We think it’s good for the market, good for consumers and businesses to have more choices. But they’re not flying off the table. .com and .net and the original extensions still are the force in the marketplace. But as we see more gTLDs and as the market understands them and see the opportunity, we continue to believe that this will be a positive trend. But at this point, it’s not moving the needle in our business or likely in anyone’s business.
Web.com owns registrars including Network Solutions and Register.com.
Customers of at least half a dozen large registrars been targeted by an email malware attack that exploits confusion about takedown policies.
The fake suspension notices have been spammed to email addresses culled from Whois and are tailored to the registrar of record and the targeted domain name.
Customers of registrars including eNom, Web.com, Moniker, easyDNS, NameBright, Dynadot and Melbourne IT are among those definitely affected. I suspect it’s much more widespread.
The emails reportedly look like this:
The following domain names have been suspended for violation of the easyDNS Technologies, Inc. Abuse Policy:
Domain Name: DOMAIN.COM
Registrar: easyDNS Technologies, Inc.
Registrant Name: Domain Owner
Multiple warnings were sent by easyDNS Technologies, Inc. Spam and Abuse Department to give you an opportunity to address the complaints we have received.
We did not receive a reply from you to these email warnings so we then attempted to contact you via telephone.
We had no choice but to suspend your domain name when you did not respond to our attempts to contact you.
Click here and download a copy of complaints we have received.
Please contact us by email at mailto:email@example.com for additional information regarding this notification.
easyDNS Technologies, Inc.
Spam and Abuse Department
Abuse Department Hotline: 480-124-0101
The “click here” invitation leads to a downloadable file, presumably containing malware.
Of course, the best way to check whether your domain name has been genuinely suspended or not is to use it — visit its web site, use its email, etc.
As domain suspensions become more regularly occurrences, due to ICANN policies on Whois accuracy for one reason, we can only expect more scams like these.
The number of domain names registered via Go Daddy and pointing to social media profiles measures only in the “tens of thousands”, according to the company.
The market leading registrar put out a press release earlier this week stating that “in the last 18 months, customers pointing a domain name to social media sites increased by 37 percent.”
The company said it “attributes the rise in the redirects to customers wanting to control their online identity.”
While it’s an uptick for sure, the number of domains behaving this is actually still quite low.
A Go Daddy spokesperson told DI: “We’re not releasing exact numbers, but it’s in the tens of thousands.”
That’s a drop in the ocean compared to the over 60 million domains Go Daddy has under management.
The press release promoted the company’s new Personal Domains sales page, which offers buyers a streamlined way to point their domains to their Facebook, Twitter, LinkedIn or Tumblr profiles.
In one of the ongoing battles between registrars and the intellectual property lobby, ICANN’s compliance department seems to have sided with the registrars, for now.
Registrars will not be forced to suspend domain names when people complain about abusive or illegal behavior on the associated web sites, according to chief contract compliance office Allen Grogan.
The decision will please registrars but will come as a blow to the likes of music and movie studios and those who fight to shut down dodgy internet pharmacies.
Grogan yesterday published his interpretation of the 2013 Registrar Accreditation Agreement, specifically the section (3.18) that obliges registrars to “investigate and respond appropriately” abuse reports.
The IP crowd take this to mean that if they submit an abuse report claiming, for example, that a web site sells medicines across borders without an appropriate license, the registrar should check out the site then turn off the domain.
Registrars, on the other hand, claim they’re in no position to make a judgment call about the legality of a site unless presented with a proper court order.
Grogan appears to have taken this view also, though he indicated that his work is not yet done. He wrote:
Sometimes a complaining party takes the position that that there is only one appropriate response to a report of abuse or illegal activity, namely to suspend or terminate the domain name registration. In the same circumstances, a registrar may take the position that it is not qualified to make a determination regarding whether the activity in question is illegal and that the registrar is unwilling to suspend or terminate the domain name registration absent an order from a court of competent jurisdiction. I am continuing to work toward finding ways to bridge these gaps.
It’s a testament to how little agreement there is on this issue that, when we asked Grogan back in June how long it would take to provide clarity, he estimated it would take “a few weeks”. Yet it’s still not fully resolved.
His blog post last night contains a seven-point checklist that abuse reporters must conform to in order to give registrars enough detail to with with.
They must, for example, be specific about who they are, where the allegedly abusive content can be found, whose rights are being infringed, and which laws are being broken in which jurisdiction.
It also contains a six-point checklist for how registrars must respond.
Registrars are only obliged to investigate the URL in question (unless they fear exposure to malware or child abuse material), inform the registrant about the complaint, and inform the reporter what, if anything, they’ve done to remediate the situation.
There’s no obligation to suspend domains, and registrars seem to have great leeway in how they treat the report.
In short, Grogan has interpreted RAA 3.18 in a way that does not seem to place any substantial additional burden on registrars.
He’s convening a roundtable discussion for the forthcoming ICANN meeting in Dublin with a view to getting registrars to agree to some non-binding “voluntary self-regulatory” best practices.
In a landmark decision, a US court has ruled that GoDaddy’s practice of parking unused domains with Google advertising does not count as cybersquatting.
The Academy of Motion Picture Arts and Sciences, which runs the annual Oscars awards, sued the registrar five years ago after seeing that GoDaddy had parked hundreds of names containing its mark.
Under UDRP, registrar parking is controversially often taken as a sign of the registrants bad faith by panelists.
But the California court ruled that GoDaddy’s actions did not amount to trademark infringement due to the unique circumstances of the case.
GoDaddy did not select the advertisements — Google’s algorithms did — nor did it manually review which domains were being parked.
Domain Name Wire has a pretty good breakdown of the key points in the 129-page ruling.
What’s going to be interesting is whether UDRP panelists — which sometimes take their cues from US legal precedent — will start to adjust to view registrar parking in a more benign way when judging registrant bad faith.