Harmless fun? Why liking that viral meme could be funding organised crime

Anyone who has spent any significant time on social media will have seen postings which appear to serve no purpose other than the collection of likes, comments and shares (Figure 1). Many of these postings utilise a range of techniques - including the use of a range of emotional hooks - to encourage users to engage with them. Whilst some of these can be taken at face value, and others appear nothing more than harmless fun, significant numbers of these postings may well comprise part of an initiative to build popularity for content which is intended for fraudulent use.

Figure 1: Examples of social media postings designed to elicit user interactions (likes (top two), comments (middle two), shares (bottom two))

When users interact with any such post, no "magic" happens other than the apparent popularity of the content being increased. It is unusual that users will remove a 'like' once it has been added - indeed, in many cases, they may additionally post a comment that the content "does not work" - and in doing so, are further fulfilling the objectives of the potential scammers.

As a posting attracts large numbers of user interactions - through the process which is known as 'like-farming'^[1] - it becomes a tradable commodity in its own right. It also provides the owner of the posting with lists of active users who can further be targeted with content. Numerous platforms exist where these popular postings (or the accounts behind them) are bought and sold for advertising purposes (Figure 2). This provides revenue for both the owners of the accounts and the operators of the platforms facilitating this trade - whomever they may be. It can then become a simple matter to edit the content of the posting to advertise whatever content the new owner is wishing to promote, whilst retaining the original user interactions^[2]. At this point, the actual content of any comments is largely irrelevant - the social media platform will, in many cases, simply see the posting as a popular piece of content, and will serve it up to users in feeds of suggested material of interest. A similar principle applies to new postings made from popular accounts. Content can often also have its exposure further boosted as 'promoted' postings through payments to the social-media platform.

Figure 2: Examples of websites offering the trade of social media accounts

At this point, the advertised content can fall into any of the categories of the most dangerous or unsavoury material on the Internet - the sale of counterfeit goods, financial trading scams, adult- or gambling content, malware distribution, amongst others. It is also well established that - apart from the most obvious risks associated with these types of material - much of the most egregious content online is associated with the funding of organised criminal groups^[3]. In many cases, trusted brands will be targeted within such content - perhaps through the sale of infringing versions of their goods, or through false claims of affiliation or endorsement. The process of monitoring text and imagery within social media postings for the inclusion of branded IP is a core element of any holistic brand-protection programme.

These schemes share a number of similarities with the older familiar types of 'clickbait'^[4], which aims to drive revenue through click-through payments and advertising, and are also closely related to the sinister spread of misinformation in the modern Internet world.

And from a user's point of view, perhaps the key take-away is to think again before clicking 'like' or 'share'.

References

[1] https://www.malwarebytes.com/blog/news/2019/04/explained-like-farming

[2] https://www.consumeraffairs.com/news/when-someone-asks-you-to-share-a-facebook-post-dont-its-probably-a-scam-121222.html

[3] https://www.europol.europa.eu/publication-events/main-reports/internet-organised-crime-assessment-iocta-2023

[4] https://davidbarnettbrandprotection.blogspot.com/2017/07/one-weird-trick-to-steal-your-money.html

This article was first published on 27 October 2023 at:

https://www.iamstobbs.com/opinion/harmless-fun-why-liking-that-viral-social-media-post-could-be-funding-organised-crime

The new new-gTLDs

by David Barnett and Richard Ferguson

Introduction

Following the announcement by ICANN (the Internet Corporation for Assigned Names and Numbers) of a proposed new round of new-gTLD (generic top-level domain) applications to launch in Q2 2026^[1], we consider what this second phase may look like, based on comparison with trends and observations from the previous first round^[2].

The original new-gTLD programme launched in 2012, to add a series of new TLDs (domain-name extensions) to the Internet's Root Zone. This is the highest level of DNS (Domain Name System), and the basis for domain infrastructure. The aim of doing so was to "enhance innovation, competition and consumer choice"^[3,4]. As part of this programme, entities were invited to submit applications to act as registries for new TLDs. This would involve being responsible for maintaining the infrastructure, processing applications, and dealing with disputes for new domains across the extension in question. Following the first round of applications in 2012 - during which around 2,000 TLDs were proposed - and a subsequent period of assessment, the first new-gTLDs were delegated (added to the Root Zone) in October 2013. The new registries were categorisable either as open (generally available for domain registrations), restricted (in which particular criteria had to be met for registrations to be permitted), or closed. The TLDs themselves are also grouped into types, with classes including generic, geographic, community, and brand, depending on their intended use. In some cases (in the case of brand TLDs), brand owners have chosen to register their brand name as a domain-name extension and maintain control of the TLD, so as to centralise ownership of their official websites and reduce customer confusion - so-called instances of 'dot-brands'^[5].

Broadly, the intention of the new-gTLD programme was to reduce infringements and build clarity for customers through the use of descriptive TLDs for websites. There were certain restricted extensions including .bank and .insurance^[6]. As part of this initiative, the TMCH (Trademark Clearing House) scheme was introduced. This meant brand owners can submit their trademarks for validation, granting them automatic rights to register the trademark as a new domain name upon the launch of a new TLD, and receive notice of any (exact-match) applications by third parties^[7]. In addition, some new-gTLD registry organisations also offer blocking programmes (such as the Domain Protected Marks List originally offered by Donuts^[8]) which can be employed by brand owners.

However, as with the legacy TLDs, many of the new registrations were associated with abuse, through a range of different types of infringement from cybersquatting and brand impersonation, to phishing and malware distribution. Indeed, many of the new-gTLDs were found to be disproportionately more affected by infringements, despite in many cases having improved enforcement processes in place^[9,10]. This was often a reflection of low-cost registrations with lax requirements.

Even putting nefarious uses to one side, another area of interest for brand owners was the issue of disputes over control of the TLDs. One such example was the case which saw e-tailer Amazon engage in a seven-year legal battle with eight Latin American governments to claim rights to the extension .amazon, which was eventually won by the Amazon corporation^[11]. It will be interesting to see how many such conflicts arise this time around, particularly given the market saturation and crossover of brands in the online world.

The history of phase one

Altogether, a little over 1,200 new-gTLDs^[12] have been delegated since the start of the programme. Just over half of those have passed through the start of their sunrise period^[13,14] (the initial launch phase, prior to General Availability, when brand owners are able to apply for new domains) (Figure 1).

Figure 1: Growth in the cumulative number of new-gTLDs since the start of the programme

For most of the new-gTLDs, the interval between delegation and sunrise was less than a year, although there is a long tail of cases in which this period was significantly greater. Overall, the vast majority of new-gTLDs were delegated within the first three years of the programme, with many of those TLDs to have sunrised most recently therefore having seen extensive periods of time elapse since their initial delegation (Figures 2 and 3). In some cases, these delays may represent prolonged negotiations or discussions over the management or use-cases of the TLDs in question.

Figure 2: Histogram showing the distribution of intervals between delegation and sunrise, for all sunrised new-gTLDs

Figure 3: Scatter plot of sunrise launch date against interval between delegation and sunrise, for all sunrised new-gTLDs

It is also informative to consider the registration pattern over time of currently-registered domains across a specific new-gTLD, from the time of its launch. An example for a typical representative TLD^[15] is shown in Figure 4.

Figure 4: Growth over time in the number of registered domains across the .blackfriday new-gTLD

This pattern is consistent with those noted in previous studies, where an initial spike of activity immediately following the launch of a new TLD is common^[16].

Conclusion

Based on observations from the first phase of the new-gTLD programme, we might expect to see some of the same trends in the second phase, leading up to the application period in 2026 and beyond. This includes the possibility of significant numbers of new applications, in some cases by multiple entities, potentially leading to disputes and negotiation.

Brand owners may consider applying to run their own dot-brand extension, depending on characteristics of their IP portfolio and the new-gTLD application requirements as they evolve. Whilst an expensive and technically-complex prospect - often requiring partnership with an enterprise-level domain registrar - it can bring extensive benefits regarding the ability to control all official websites and distribution channels. In any case, organisations are well-advised to take advantage of programmes such as the TMCH and other blocking schemes, to defend their IP and receive early warning of potential infringements.

The speed with which new registrations can take place after the launch of a new gTLD also highlights the importance for proactive real-time monitoring of new registrations, using an automated solution which is capable of covering new domain extensions as they become live. This monitoring should be accompanied by a comprehensive approach to enforcement against identified infringements, as part of a holistic brand-protection programme.

Web3 should also not be overlooked, with generic extensions and options for dot-brands already available within the blockchain domain ecosystem. Indeed, there is an argument that if a brand owner is intending to move from .com in order to future-proof its online identity, it might make more sense to invest in emerging technologies and media such as blockchain domains.

References

[1] https://www.icann.org/newgtlds-next-round-en

[2] Figures correct based on numbers of new-gTLDs and domains registered as of 02-Aug-2023

[3] https://newgtlds.icann.org/en/about/program

[4] https://icannwiki.org/New_gTLD_Program

[5] 'Brand Protection in the Online World: A Comprehensive Guide' by David N. Barnett - Box 2.4: 'Brand protection and the new-gTLD programme'

[6] https://support.tppwholesale.com.au/hc/en-gb/articles/360008969518-Restricted-New-gTLDs

[7] https://newgtlds.icann.org/en/about/trademark-clearinghouse

[8] https://www.trademark-clearinghouse.com/content/donuts-dpml

[9] https://circleid.com/posts/20230117-the-highest-threat-tlds-part-2

[10] https://op.europa.eu/en/publication-detail/-/publication/7d16c267-7f1f-11ec-8c40-01aa75ed71a1

[11] https://www.ft.com/content/c8f227e6-7b0c-11e9-81d2-f785092ab560

[12] https://newgtlds.icann.org/en/program-status/delegated-strings

[13] https://newgtlds.icann.org/en/program-status/sunrise-claims-periods

[14] https://newgtlds.icann.org/en/program-status/statistics

[15] In this analysis, we consider registrations across the .blackfriday TLD, taken to be a representative example of a typical new-gTLD for a number of reasons:

• It is a small- to medium-sized TLD, having seen around 1,000 registrations since its launch (compared with a median value, across all post-sunrise new-gTLDs, of around 7,700)
• 'blackfriday' is a general term relating to e-commerce, lending it both to legitimate use and abuse by infringers
• It is possible to extract domain registration dates in bulk via automated look-ups

[16] https://circleid.com/posts/20220218-domain-registrations-associated-with-new-tld-launches

This article was first published on 20 October 2023 at:

https://www.iamstobbs.com/opinion/the-new-new-gtlds

The IoTeX case: domain naming collisions and other emerging risks in the blockchain ecosystem

by David Barnett, Tom Ambridge and Richard Ferguson

IoTeX has recently announced the approval of a proposal to create a new domain-name system (IoTeX Domain Name Service, or 'IoTeX Name Service' (INS))^[1]. The company is a provider of technology linking 'Internet-of-Things' (IoT) devices and blockchain infrastructure - through the development of products such as UCam, a blockchain-powered home-security camera^[2]. The new system^[3] is an example of Web3 (blockchain) domains being introduced using a DAO ('decentralised autonomous organisation')^[4], an entity managed by a decentralised computer program handled through a blockchain^[5].

INS will offer blockchain domains with the extension .io. As discussed in a previous article^[6],  blockchain domains are similar to regular (Web2) domains, in that they can be registered by users across specific extensions, but are decentralised and unregulated by any governing body such as ICANN. In general, they can be used for a number of purposes, such as the construction of memorable wallet addresses for sending and receiving cryptocurrency. One additional development in the case of INS is the option to offer 'name wrappers', a type of smart contract^[7] granting the owner the ability to create subdomains of domains under their ownership (such as 'sub.domain.io') and trade them as NFTs in their own right.

Overall, in the blockchain domain arena, the lack of centralisation means that, in theory, the same domain name can exist on multiple different blockchains - an issue known as naming 'collisions'. There is also the risk - as in the INS case - that clashes can arise with regular (Web2) domain name extensions. .io is also a Web2 TLD - technically the country-code TLD for the British Indian Ocean Territory - but one which has been largely adopted for use with technology-related content^[8,9]. This issue is likely to cause confusion as and when the adoption of Web3 technologies grows - particularly if native support of blockchain domains by mainstream web browser develops further. This is likely to necessitate the development of appropriate agreements and technological work-arounds.

The industry has already seen a number of disputes over naming collisions. In October 2022, provider Unstoppable Domains ceased selling .coin blockchain domains. This was apparently to boost its argument - as used in a disagreement with competitor provider Handshake over the .wallet extension - that the first provider to achieve market penetration should receive exclusive rights^[10].

Other cases regarding control of TLDs in the Web2 world also have parallels with the IoTeX / .io case, by virtue of their relevance to business vs geopolitical issues. One example is the lengthy dispute between e-commerce giant Amazon and the South American member states of the Amazon Cooperation Treaty Organization (ACTO), for control of the .amazon extension^[11,12].

As Web3 offerings grow, the prospect of domain name collisions is likely to be a serious concern for brand owners. This is particularly true when considering their defensive domain registration strategies, and when monitoring for third-party infringements and instances of potential brand confusion. However, there is also the possibility that a brand owner may not be aware of a collision until it is too late. The associated technologies also raise a number of other issues around which brands may be wise to be mindful. Two specific examples include:

• Name wrapping - The emergence of tradable blockchain subdomains may transpire to be an area of high risk for companies with multiple brands or family marks. Sports teams may also be susceptible to third parties creating trading-card-style domain names as NFTs (e.g. [player].[football-club].[blockchain-TLD]), or with similar examples surrounding general sporting events, such as the Olympics, World Cup, Tour de France, etc.

• DAOs - This new form of governance may raise questions - such as those concerning the liability of voters - if (for example) they are used by brands for stakeholders to vote on certain company decisions. In one recent case, the US Commodity Futures Trading Commission (CFTC) won a lawsuit against Ooki DAO for offering unregistered commodities and neglecting to observe know-your-consumer laws^[13], contravening the prevailing perception that these types of decentralised operators are immune to legal scrutiny^[14].

Overall, blockchain domains present new opportunities in claiming fresh digital space. However, in addition to the need for active and defensive registrations to safeguard a brand in Web3, the emergence of a new extension competing with an existing popular TLD like .io is a reminder of the interplay between Web2 and Web3 domains. These types of clash show no signs of abating, and proactivity by key stakeholders in this area is likely to remain of key importance.

References

[1] https://iotex.io/blog/iip-22-proposes-to-simplify-iotex-domain-names/

[2] https://iotex.io/ucam

[3] https://snapshot.org/?ref=iotex.io#/iotex.eth/proposal/0xcecfbda1bdb69e70575b917639ae3854d62b9b53ad83456d5d42def0dc13f115

[4] https://cryptodaily.co.uk/2023/07/iotex-blockchain-dao-votes-94-in-favor-of-simplifying-iotex-domain-names

[5] https://en.wikipedia.org/wiki/Decentralized_autonomous_organization

[6] https://www.iamstobbs.com/opinion/trends-in-web3-part-1-a-look-at-blockchain-domains

[7] Smart contracts are self-executing programs stored on a blockchain, which can be configured to run when certain pre-defined conditions are met (e.g. when an agreement between parties is made); see e.g. https://www.ibm.com/topics/smart-contracts

[8] https://www.lightercapital.com/blog/what-does-io-mean-what-is-the-io-domain

[9] https://circleid.com/posts/20230117-the-highest-threat-tlds-part-2

[10] https://domainnamewire.com/2022/10/18/unstoppable-domains-kills-coin-in-the-name-of-wallet/

[11] https://www.licenseglobal.com/retail/amazon-wins-domain-dispute-sa-nations

[12] https://www.lexology.com/library/detail.aspx?g=85594134-7b40-436c-b5ac-a807d98d1b56

[13] https://www.cftc.gov/PressRoom/PressReleases/8715-23

[14] https://www.coindesk.com/policy/2023/06/09/cftc-wins-lawsuit-against-ooki-dao/

This article was first published on 16 October 2023 at:

https://www.iamstobbs.com/opinion/the-iotex-case-domain-naming-collisions-and-other-emerging-risks-in-the-blockchain-ecosystem

Strategies for constructing a domain-name registration and management policy

Introduction

One of the core components of a brand-protection and IP-management initiative for a corporation is an effective domain-name management policy. In general, brand owners will maintain a portfolio of official domains, including 'core' domains used in the day-to-day execution of their business (e.g. for official websites and e-mail infrastructure) and 'tactical' domains, which may include examples intended for potential future use (such as those relating to planned brand or product launches) and other defensive registrations, held so as to avoid them being used (or abused) by third parties^[1]. The maintenance of this group of company-owned domains should, in general, accompany a proactive programme of monitoring for third-party infringing activity across the Internet generally ('outside the firewall') as part of an overall brand-protection initiative.

The construction of an official portfolio of core and tactical domains can be a complex process, involving consideration of a number of factors, including levels of IP protection, geographical extent of business operations, brand-protection budget, pre-existing infringement patterns, and overall level of risk aversion by the brand owner.

Policy and portfolio construction

i. Identification of desired domains

The first stage in the construction of a policy is the determination of the set of domains which the brand owner would ideally like to have under their control. In many cases, this can be represented through the construction of a 'matrix' of proposed domain names, in which the rows and columns represent the relevant keyword strings (comprising the second-level domain names (SLDs) - the parts of the names to the left of the dot - of the domains in question) and the TLDs (top-level domains, or domain extensions or suffixes), respectively.

In so doing, there are a number of factors to consider, including:

• Whether the focus should be on high-relevance domains only (e.g. those which are likely to be directly utilisable for business purposes), or whether to build a broader defensive portfolio.

• The balance between just domains where the SLD is the brand name in isolation, and (the broader set of) domains containing product- or industry-related or geographical keywords.

• The TLDs to be covered.

• The extent to which 'fuzzy' or typo- variations should be included.

In general, the recommendations might typically include points such as:

• It would be advisable to include domain registrations across TLDs which:

• Are generally popular.

• Relate to those geographical regions in which the brand has current or planned business operations, and/or where IP protection (such as trademark registrations) are in place.

• Are commonly associated with infringing or fraudulent activity^[2].

• (For new-gTLDs particularly,) are industry-specific and relate to the business areas of the brand.

• It might be appropriate to include broader levels of coverage (TLDs  / brand variants or relevance keywords / typo variations) for brands or products of key importance (i.e. those which generate highest levels of revenue or which may be more susceptible to fraud).

• A general recommendation would be not to attempt to cover too broad a range of typos or misspellings, due to the potential for infinite variations of these types, and the corresponding possibility of rapidly escalating costs for domains which have little commercial value. Instead, a more efficient approach is to augment the domain management programme with a brand-protection service which is able to identify these types of examples as they arise, and deal with them appropriately through an enforcement and domain-acquisition programme.

• Finally, it may be appropriate to ensure that coverage encompasses keyword strings or patterns associated with known or repeated infringements.

 A schematic example of how this domain matrix may look in practice is shown in Figure 1.

Figure 1: Schematic example of a domain portfolio matrix for the fictitious (UK-based) luxury brand Luxurybrand, with tagline 'We Are Luxurybrand', and their products: handbags (major product), shoes (intermediate) and perfume (minor)

ii. Portfolio analysis and consolidation

Having constructed the domain matrix, the next stage is to generate a full list of all required domains (essentially, by combining the keywords in the rows with the TLDs or groups of TLDs in the columns, and then deduplicating where necessary). The set of domains can subsequently be analysed to determine which ones:

• Are already under the ownership of the brand owner.

• Appear to be official but are perhaps not under centralised control (e.g. domains set up by franchise holders, local offices or marketing partners).

• Are currently held by third parties.

• Are currently available for registration.

There then follows a process to consolidate the portfolio as far as possible or appropriate. This might include some or all of the following steps:

• Aiming to bring any officially-owned domains under centralised control.

• Purchasing available domains.

• Where possible / appropriate, acquiring relevant third-party domains.

This last step is generally the most complex. In some cases, it may involve domain purchases or (depending on the nature of the content currently present on the site) dispute procedures. In other cases (for example, where the domain is under the control of a third party making legitimate use of the same brand name), acquisition may not be possible. In certain instances, it may be advisable for the brand owner to monitor the sites for changes to the content (so as to identify any appearance of infringing material).

Other general recommendations are also often applicable. One example might be to ensure that any official portfolio domains which are not under active use are configured to re-direct to the brand owner's official transactional site, so as to maximise web traffic.

Conclusion

The specifics of a domain-name portfolio reflect a balance between risk and budget but, when operating together with an effective brand-protection solution, an appropriate domain-name registration and management policy can form a key component of an organisation's IP management, helping to ensure that key domains are in place for business use, and defensive registrations are held to prevent infringing use. Part of the domain-management piece is also the implementation of an effective domain security programme, utilising an appropriate enterprise domain-name registrar, to ensure that official domains are protected from security threats such as site compromise and hacking.

References

[1] https://www.worldtrademarkreview.com/global-guide/anti-counterfeiting-and-online-brand-enforcement/2022/article/creating-cost-effective-domain-name-watching-programme

[2] https://circleid.com/posts/20230117-the-highest-threat-tlds-part-2

This article was first published on 11 October 2023 at:

https://www.iamstobbs.com/opinion/strategies-for-constructing-a-domain-name-registration-and-management-policy

"Web dot-coms but once a year" - Holiday shopping activity, Part 1: Black Friday domains

Introduction

The final quarter of each year marks greater levels of shopping activity, with increasingly significant proportions of the worldwide spend taking place through online sales channels. Aside from the run-up to the period of Christmas and other end-of-year holidays, a number of other events are becoming more extensively adopted for sales promotions. These include the (predominantly Chinese) Singles Day on November 11 ('11-11'), and the weekend following the US's Thanksgiving holiday (generally referenced as 'Black Friday' and 'Cyber Monday').

It has been noted previously^[1,2] that one manifestation of this activity on the Internet is the registration of large numbers of domains geared towards e-commerce, which can be of particular concern to brand owners when these domains are making use of trusted brand names to drive traffic to the sites, or are selling counterfeit or otherwise infringing products.

In this article, we look at the set of registered gTLD (generic extensions, such as .com, etc.) domains with names containing either 'black(-)friday' or 'cyber(-)monday' (with optional hyphens in both cases), as of the start of the lead-up to the holiday period (at the end of September 2023)^[3].

Analysis

At the end of Q3 2023, there were a total of 6,596 registered gTLD domains with names containing 'black(-)friday' or 'cyber(-)monday' (hereafter referred to as 'Black Friday domains'). Considering those domains for which creation dates were available via automated whois look-ups, there is a striking annual cycle apparent in the registration activity (Figure 1). Whilst the general visible upward trend year-on-year is not necessarily indicative in itself of an overall increase in registration activity over time (since many of the domains registered in previous years will have expired prior to the date of analysis), it is very clear that there are spikes in activity in the fourth quarter of each year, representing domains registered to be utilised over the Black Friday period.

Figure 1: Numbers of Black Friday domains in the dataset by month of registration (Jan 2000 - Sep 2023)

Within the set of domains, a number of other trends are immediately apparent. Perhaps unsurprisingly, significant numbers of the domains contain additional keywords (within the second-level domain name (SLD), or portion of the domain name to the left of the dot) indicating that their primary function is e-commerce (Table 1).

Keyword	No. domains
auction	6
buy	38
code	15
coupon	30
deal	905
discount	54
flash	17
market	14
offer	81
promo	21
sale	448
saving	21
shop	102
store	54
voucher	1

Table 1: Numbers of Black Friday domains featuring e-commerce keywords in their SLD

Additionally, several are dedicated to specific product types (Table 2).

Keyword	No. domains
accessor*	1
air(-)fryer	2
appliance	6
camera	8
cellphone	17
electronic	25
gaming	17
laptop	47
smartphone	9
vacuum	10

* for 'accessory' or 'accessories'

Table 2: Numbers of Black Friday domains featuring product-specific keywords in their SLD

Perhaps even more directly concerning, from a brand-protection point of view, are any domains with names containing brand names. Table 3 shows the number of domains with SLDs containing the names of each of the top ten most valuable global brands in 2023^[4].

Keyword	No. domains
apple	5
google	0
microsoft	0
amazon	12
mcdonalds	0
visa	0
tencent	0
vuitton	3
mastercard	0
coca(-)cola	0

Table 3: Numbers of Black Friday domains featuring the names of any of the top ten most valuable brands in their SLD (excluding obviously official domains)

Interestingly, of the brands on this list, only Apple, Amazon and Vuitton (makers of technology or luxury brands, or customer-facing brands directly related to e-commerce) are represented in the dataset. However, there were a number of additional brands for which significant numbers of domains were identified (Table 4).

Keyword	No. domains
walmart	14
a(-)prime*	14
moncler	3
lv(-)bag**	3
ugg(-)boot	3
beats***	2
gucci	2

* presumably in reference to Amazon Prime
** presumably in reference to Louis Vuitton
*** of which 1 references 'bydre' explicitly

Table 4: Numbers of Black Friday domains featuring other brand terms in their SLD (excluding obviously official domains)

As of the time of analysis, none of these branded domains currently resolved to any active e-commerce site, although (given the timeframe) it is possible that they have simply been registered well in advance of the holiday season, with the intention of subsequently having their intended content uploaded. In these types of instance, brand owners would be advised to monitor the sites to track for content changes, with the option of launching a takedown action when infringing content appears. In some cases, the domains were found to resolve to gambling-related and/or adult content, potentially as a means of monetising the domain name in advance of its future use (Figure 2).

Figure 2: Examples of gambling sites hosted on brand-specific Black Friday domain names (SLDs: 'louisvuitton-blackfriday' and 'beatsbydrecybermonday', respectively)

Amongst the remainder, several others were found to comprise instances of misdirection (e.g. domains resolving to sites pertaining to affiliate schemes), sites monetised using pay-per-click links, pages offering the sites for sale, and other instances displaying messages that the sites have already been suspended.

A number of other themes were also apparent within the wider dataset, including several domains featuring Web3-related keywords - 'coin' (27, of which 23 reference 'bitcoin' explicitly), 'crypto' (5 domains), 'token' (2) and 'nft' (2). It is also noteworthy that domain names of the form blackfridayXXXX.com and cybermondayYYYY.com have been registered for every value of XXXX between 2009 and 2040 and between 2051 and 2070, and for every value of YYYY between 2009 and 2052.

Considering other aspects of the full dataset (in this case, excluding 517 domains which appear likely to be under the legitimate control of brand owners, on the basis of their registration via enterprise-class registrars of the type often used by these entities - i.e. looking at the remaining 'potentially unofficial' domains), the top TLDs represented are shown in Table 5.

TLD	No. domains
com	4,324
site	331
net	256
live	132
org	130
online	87
info	75
shop	69
space	43
xyz	39

Table 5: Top TLDs represented in the dataset of (potentially unofficial) Black Friday domains

Perhaps more informative is to consider these numbers as compared with the total number of domains registered across the TLDs in question, to see if certain TLDs are disproportionately more utilised by the domain registrants. This analysis is shown in Figure 3, where the solid line shows the expected numbers of Black Friday registrations, as a function of the total number of domains on each TLD, if all TLDs were utilised equally, and using the numbers for .com as a benchmark. Any TLDs which appear above this line (such as .site and .live) therefore appear disproportionately more frequently in the dataset than might be expected.

Figure 3: Total numbers of (potentially unofficial) Black Friday domains by TLD, as a function of the total number of registered domains on that TLD

The data can equivalently be presented by consering the frequency of Black Friday domains per million domains on the TLD in question. The most popular TLDs in the dataset are shown in Table 6 (excluding any TLDs for which fewer than 5 Black Friday domains were present).

TLD (and N, no. of Black Friday domains)	Frequency of Black Friday domains (per million domains on TLD)
deals (26)	2762.70
sale (38)	2633.59
bargains (5)	2507.52
codes (16)	895.26
fyi (35)	556.07
zone (24)	540.48
shopping (5)	431.63
site (331)	236.43
live (132)	209.56
space (43)	109.86

Table 6: Top TLDs by frequency of (potentially unofficial) Black Friday domains (where N ≥ 5)

It is striking (though perhaps not surprising) that five of the top ten TLDs are explicitly related to e-commerce. More generally, new-gTLDs (such as .xyz and .top) - which have been noted previously as being disproportionately utilised for fraudulent registrations^[5,6,7] - are extensively represented within the dataset.

The mix of registrars represented in the dataset (Table 7) is also noteworthy. The list is dominated by retail-grade providers, many of which are popular with infringers due to typically low compliance to enforcement requests.

Registrar	No. domains
GoDaddy.com, LLC	1,935
NameCheap Inc.	483
Gname.com Pte. Ltd.	211
Key-Systems GmbH	201
PDR Ltd. d/b/a PublicDomainRegistry.com	197
Squarespace Domains II LLC	177
NameSilo, LLC	148
Dynadot Inc	107
Tucows, Inc.	95

Table 7: Top registrars represented in the dataset of (potentially unofficial) Black Friday domains

Indeed, within the full dataset, over 2,000 of the domains were found to resolve to some sort of live website content and, of these, a number of examples were identified of sites featuring explicitly infringing or otherwise illegal content (e.g. the sale of counterfeits) (Figure 3).

Figure 3: Examples of Black Friday domains resolving to live, apparently infringing or illegal content (SLDs: 'raybansblackfriday', 'reebokblackfridayoffers', 'salomonblackfridaysales', 'montecwearblackfriday', 'tevasaleblackfriday', 'blackfridayssaving')

Conclusions

As with other high-profile events, the start of the 2023 holiday shopping season shows signs of a increasing number of domain registrations relating to Black Friday and Cyber Monday and - assuming trends are similar to those seen in previous years - we can only expect the numbers to grow over the coming weeks.

It is clear that many of these domains are intended for infringing use - not least because of the significant numbers of sites already found to be resolving to egregious content - highlighting the importance of brand owners conducting a rigorous programme of monitoring and enforcement, especially over key periods when levels of activity are typically high. The statistics also show that significant numbers of domains are typically registered well in advance of the season itself, itself showing the advisability of tracking new registrations for subsequent changes in content.

Of course, domains are always only part of the picture. In today's increasingly connected Internet, e-commerce can take place across a wide range of online channels, including marketplaces, social media, mobile apps, and the wide range of other general Internet content (including standalone websites hosted on non-brand-specific domain names). Accordingly, a holistic approach to brand protection, addressing the full range of relevant areas, is of key relevance.

References

[1] https://www.cscdigitalbrand.services/blog/how-will-black-friday-ecommerce-domains-trend/

[2] https://www.cscdigitalbrand.services/blog/holiday-shopping-events-part-2/

[3] The analysis is carried out using data from the zone files available from ICANN's Centralized Zone Data Service (https://czds.icann.org/home), covering gTLDs and new-gTLDs. All information is as per the zone files downloaded on 28-Sep-2023, which were available for 1,082 TLDs (extensions).

[4] https://www.kantar.com/inspiration/brands/revealed-the-worlds-most-valuable-brands-of-2023

[5] https://circleid.com/posts/20230117-the-highest-threat-tlds-part-2

[6] https://www.iamstobbs.com/opinion/the-randomest-domain-names-entropy-as-an-indicator-of-tld-threat-level

[7] 'The new new-gTLDs', Stobbs blog (link TBC)

This article was first published on 6 October 2023 at:

https://www.iamstobbs.com/opinion/web-dot-coms-but-once-a-year-holiday-shopping-activity-part-1-black-friday-domains