Latest news of the domain name industry

Recent Posts

Research finds homograph attacks on big brands rife

Kevin Murphy, January 22, 2018, Domain Tech

Apparent domain name homograph attacks against major brands are a “significant” problem, according to research from Farsight Security.

The company said last week that it scanned for such attacks against 125 well-known brands over the three months to January 10 and found 116,113 domains — almost 1,000 per brand.

Homographs are domains that look like other domains, often indistinguishable from the original. They’re usually used to phish for passwords to bank accounts, retailers, cryptocurrency exchanges, and so on.

They most often use internationalized domain names, mixing together ASCII and non-ASCII characters when displayed in browsers.

To the naked eye, they can look very similar to the original ASCII-only domains, but under the hood they’re actually encoded with Punycode with the xn-- prefix.

Examples highlighted by Farsight include baŋkofamerica.com, amazoṇ.com and fàcebook.com

Displayed as ASCII, those domains are actually xn--bakofamerica-qfc.com, xn--amazo-7l1b.com and xn--fcebook-8va.com.

Farsight gave examples including and excluding the www. subdomain in a blog post last week, but I’m not sure if it double-counted to get to its 116,113-domain total.

As you might imagine, almost all of this abuse is concentrated in .com and other TLDs that were around before 2012, judging by Farsight’s examples. That’s because the big brands are not using new gTLDs for their primary sites yet.

Farsight gave a caveat that it had not generally investigated the ownership of the homograph domains it found. It’s possible some of them are defensive registrations by brands that are already fully aware of the security risk they could present.

Big changes at DomainTools as privacy law looms

Kevin Murphy, January 11, 2018, Domain Services

Regular users of DomainTools should expect significant changes to their service, possibly unwelcome, as the impact of incoming European Union privacy law begins to be felt.

Professional users such as domain investors are most likely to be impacted by the changes.

The company hopes to announce how its services will be rejiggered to comply with the General Data Protection Regulation in the next few weeks, probably in February, but CEO Tim Chen spoke to DI yesterday in general terms about the law’s possible impact.

“There will be changes to the levels of service we offer currently, especially to any users of DomainTools that are not enterprises,” Chen said.

GDPR governs how personal data on EU citizens is captured, shared and processed. It deals with issues such as customer consent, the length of time such data may be stored, and the purposes for which it may be processed.

Given that DomainTools’ entire business model is based on capturing domain registrants’ contact information without their explicit consent, then storing, processing and sharing that data indefinitely, it doesn’t take a genius to work out that the new law represents a possibly existential threat.

But while Chen says he’s “very concerned” about GDPR, he expects the use cases of his enterprise customers to be protected.

DomainTools no longer considers itself a Whois company, Chen said, it’s a security services company now. Only about 20% of its revenue now comes from the $99-a-month customers who pay to access services such as reverse Whois and historical Whois queries.

The rest comes from the 500-odd enterprise customers it has, which use the company’s data for purposes such as tracking down network abuse and intellectual property theft.

DomainTools is very much aligned here with the governments and IP lawyers that are pressing ICANN and European data protection authorities to come up with a way Whois data can still be made available for these “legitimate purposes”.

“We’re very focused on our most-important goal of making sure the cyber security and network security use cases for Whois data are represented in the final discussions on how this legislation is really going to land,” he said.

“There needs to be some level of access that is retained for uses that are very consistent with protecting the very constituents that this legislation is trying to protect from a privacy perspective,” he said.

The two big issues pressing on Chen’s mind from a GDPR perspective are the ability of the company to continue to aggregate Whois records from hundreds of TLDs and thousands of registrars, and its ability to continue to provide historical, archived Whois records — the company’s most-popular product after vanilla Whois..

These are both critical for customers responding to security issues or trying to hunt down serial cybersquatters and copyright infringers, Chen said.

“[Customers are] very concerned, because their ability to use this data as part of their incident response is critical, and the removal of the data from that process really does injure their ability to do their jobs,” he said.

How far these use cases will be protected under GDPR is still an open question, one largely to be determined by European DPAs, and DomainTools, like ICANN the rest of the domain industry, is still largely in discussion mode.

“Part of what we need to help DPAs understand is: how long is long enough?” Chen said. “Answering how long this data can be archived is very important.”

ICANN was recently advised by its lawyers to take its case for maintaining Whois in as recognizable form as possible to the DPAs and other European privacy bodies.

And governments, via the Governmental Advisory Committee, recently urged ICANN to continue to permit Whois access for “legitimate purposes”.

DomainTools is in a different position to most of the rest of the industry. In terms of its core service, it’s not a contracted party with ICANN, so perhaps will have to rely on hoping whatever the registries and registrars work out will also apply to its own offerings.

It’s also different in that it has no direct customer relationship with the registrants whose data it processes, nor does it have a contractual relationship with the companies that do have these customer relationships.

This could make the issue of consent — the right of registrant to have a say in how their data is processed and when it is deleted — tricky.

“We’re not in a position to get consent from domain owners to do what we do,” Chen said. “I think where we need to be more thoughtful is whether DomainTools needs to have a process where people can opt out of having their data processed.”

“When I think about consent, it’s not on the way in, because we just don’t have a way to do that, it’s allowing a way out… a mechanism where people can object to their data being processed,” he said.

How DomainTools’ non-enterprise customers and users will be affected should become clear when the company outlines its plans in the coming weeks.

But Chen suggested that most casual users should not see too much impact.

“The ability of anyone who has an interest in using Whois data, who needs it every now and then, for looking up a Whois record of a domain because they want to buy it as a domain investor for example, that should still be very possible after GDPR,” he said.

“I don’t think GDPR is aimed at individual, one-at-a-time use cases for data, I think it’s aimed at scalable abuse of the data for bad purposes,” he said.

“If you’re running a business in domain names and you need to get Whois at significant scale, and you need to evaluate that many domains for some reason, that’s where the impact may be,” he said.

Disclosure: I share a complimentary DomainTools account with several other domain industry bloggers.

XYZ relaunches .storage with $2,200 price tag

Kevin Murphy, November 8, 2017, Domain Registries

XYZ.com has reopened .storage to registrations with a new, much higher price tag.

A confusingly named “Trademark Holder Landrush” started yesterday and will run for three weeks.

It’s not a sunrise period — .storage already had its ICANN-mandated sunrise under its previous management — and it appears that it’s not actually restricted to trademark holders.

The .storage web site states that “neither registrars nor XYZ will validate trademarks during this period”. The registry says that all strings, including generic words, are available.

It basically appears to be just a way to squeeze a little extra cash out of larger companies and anyone else desperate for a good name.

There are not many registrars carrying the TLD right now, just five brand protection registrars and 101domain.

101domain prices the names at $699.99 with a $1,500 application fee during the trademark landrush.

XYZ says that the regular suggested retail price for .storage will be $79.99 per month which seems to be a roundabout way of saying $948 per year. There’s no option to register for less than a year.

.storage is designed for companies in the data storage and physical storage industries, so adopting a high-price, low-volume business model is probably a smart move by the registry.

It’s a similar model to that XYZ employs in its car-related gTLDs operated in partnership with Uniregistry.

XYZ does not appear to be relying entirely on defensive registrations to make its coin, however.

It’s offering a “complimentary” web site migration service, usually priced at $10,000, that it says can help early registrants switch to .storage in as little as 72 hours with no loss of search engine juice.

.storage was originally owned by Extra Storage Space, a physical storage company, but XYZ acquired the contract for an undisclosed sum in May.

The trademark landrush will be immediately followed by an Early Access Period, during which there will also be a sliding-scale fee (day one will be a whopping $55,000 at 101domain!), before general available starts a month from now.

Former MarkMonitor execs join new brand protection registrar

Kevin Murphy, August 30, 2017, Domain Registrars

Two former MarkMonitor executives have teamed up with a Fairwinds co-founder to launch a new “next generation” brand protection registrar.

The new company is Brandsight. It was set up by CEO Phil Lodico, who left brand consultancy Fairwinds about a year ago, and was accredited by ICANN earlier this month.

The first two hires are Matt Serlin, who until a couple months ago was VP of client services at MarkMonitor, and Elisa Cooper, who joins after being VP of marketing at the intellectual property management company Lecorpio.

Cooper, who also worked for MarkMonitor in the same position until a couple of years ago, will be Brandsight’s head of marketing and policy. Serlin will head up operations and client services.

The two told me yesterday that Brandsight will attempt to differentiate itself from its alma maters through a combination of better technology, expertise and use of data.

Both have many years experience in the domain industry and ICANN and, one imagines, thick contacts books of potential clients.

The Brandsight site, which went live today, will feature improved workflow via a streamlined user interface, they said.

The company also hopes “better leverage big data to help companies make better decisions and streamline processes around domain management”, Cooper said.

“Legacy registrars haven’t been focused on building new technology, some for almost 10 years,” she said.

It looks like it’s going to be a boutique operation at first — I believe Lodico, Serlin and Cooper are the only three employees right now — but Cooper said the plan is to staff up over the remainder of the year in areas such as sales.

The idea is to be a company that is purely focused on corporate domain services as its core competency, as opposed to what they called the “legacy” larger registrars that have domains as just one service among many, Cooper and Serlin said.

Brandsight is based in New York state and funded by private investors.

.storage to have pricey second sunrise

The .storage gTLD is to get a second sunrise period after being acquired and repurposed by XYZ.com.

The registry will operate a “Trademark Landrush Period” for three weeks from November 7 as the first stage of .storage’s reboot as an open-to-all gTLD.

It’s not technically a “sunrise” period under ICANN rules — that phase was already completed under previous owner Extra Space Storage — nor is it restricted to trademark owners.

Basically anyone with the money will be able to buy a .storage domain during the period, but at a price.

One registrar is reporting that registrants will have to pay a $1,500 application fee on top of the soon-to-be-standard higher $699-per-year registration fee.

That’s considerably more than most new gTLDs charge during their regular sunrise phases.

There’s no need to own a matching trademark, so neither the registry, registrars or Trademark Clearinghouse have any trademark verification costs to bear.

But that also means anyone can pick up any generic, dictionary .storage domain they want without the need for paperwork. XYZ has previously said that all domains will be available at the same price, regardless of their previous “premium” status.

I can see some intellectual property interests being uneasy with how this relaunch is handling trademarks.

Under its former management, .storage was set to be tightly restricted to the physical and data storage industries, reducing the chance of cybersquatting, so some brands may have avoided the sunrise period.

After the relaunch — general availability starts December 5 — there will be no such restrictions. However, the high price of standard registrations is likely to deter all but the richest or dumbest cybersquatters.

XYZ.com acquired .storage for an undisclosed sum in May. There are currently about 800 domains in the .storage zone file.