High steaks game: Hawksmoor's IPO and its domains

by David Barnett and Richard Ferguson

Background

Following initial exploration of a potential IPO on the London Stock Exchange in 2021^[1], steakhouse chain Hawksmoor has hired investment bank Stephens to identify a buyer, in a deal valuing the business at around £100 million^[2,3].

At any time when a business is considering purchase, it is crucial to ensure that its IP portfolio (including domain names) is in good shape. In this study, we consider the landscape of potential third-party domain infringements targeting Hawksmoor, and consider the implications for the brand owner.

Sample infringements

Figure 1 shows four identified examples of websites hosted on third-party domain names referencing the Hawksmoor name, each of which illustrates different considerations regarding recommended requirements for the brand owner's official domain portfolio:

• (a) webhawksmoor.com - This domain, featuring just the brand name together with a generic keyword ('web') on a key domain name extension (TLD) - i.e. .com, resolves to what appears to be an imitation / lookalike site (noting that the screenshot has been translated from the original Spanish). This type of infringement highlights the need for an ongoing proactive brand protection programme of monitoring and enforcement.

• (b) thehawksmoor.co.uk - This site has been parked with pay-per-click (PPC) ads, providing a means of monetising the site for its owner and also presenting the potential to misdirect visitors to competitor sites. This example also highlights the importance of considering generic keywords such as 'the' in any domain registration policy, particularly if this is how the brand is typically referenced (noting that Hawksmoor's main official site is thehawksmoor.com).

• (c) hawksmoore.co.uk - This example highlights how typos, or brand variants, can be targeted by third parties if not included in a brand owner's own defensive portfolio. This illustrates the importance of consolidating a robust set of domains under official ownership.

• (d) hawksmoor.net - This domain is significant because the name consists of just the brand name, on a popular key TLD. The presence of this third-party registration provides a lesson in the significance of securing primary brand-name-only domains across major extensions. In this case, the domain was actually originally registered in January 2003 (potentially prior to Hawksmoor's registered rights), and may require some sort of purchase or acquisition process if the brand owner wished to bring it into their portfolio.

Figure 1: Examples of websites hosted on third-party domain names referencing the Hawksmoor name

Key take-homes

Domain portfolio consolidation is a primary business consideration for brand owners. A robust portfolio should encompass both any core domains used for the day-to-day operations of the business, together with a tactical set of defensive and strategic domains. 

When constructing a defensive portfolio, the registration policy must include consideration of brand name variants, significant keywords, and relevant domain extensions (TLDs).

TLD coverage should include consideration of the primary countries of business operation (i.e. country-specific ccTLDs) and relevant new-gTLDs. New-gTLDs can include geographic examples (e.g. .london, .nyc) and industry-specific extensions (e.g. for Hawkmoor, potentially .restaurant, .kitchen, .food, .store, etc.).

References

[1] https://www.cityam.com/hawksmoor-restaurant-chain-reportedly-looking-for-buyer/

[2] https://www.theguardian.com/business/article/2024/jul/03/hawksmoor-for-sale-in-deal-that-could-value-restaurant-chain-at-100m

[3] https://www.ft.com/content/467b9a9f-77ab-4801-94d0-083f141d1f78

This article was first published as a carousel posting on 26 July 2024 at:

https://www.linkedin.com/posts/stobbs_hawksmoor-activity-7222584366466560000-HT2f

Also published on 30 July 2024 at:

https://www.iamstobbs.com/opinion/high-steaks-game-hawksmoors-ipo-and-its-domains

An alternative approach to domain-name management: domain leasing

by David Barnett and Daniel Smith-Juggins

Summary 

For many organisations and events, their domain name is the key element behind their public-facing website. However, domains can be managed in a range of ways, despite most frequently being purchased specifically for the use-case in mind. In this article, we explore the model of domain leasing, which can be a practical alternative for usage with short-lived events, competitions or marketing initiatives, and provides the potential for one party to retain ownership of a domain whilst allowing another to make use of it. 

Overview  

Leasing of domains is a practice whereby the owner (registrant) of a domain name enters into a contractual paid agreement^[1] with a third party to utilise that domain for a period of time. In such an agreement, the listed registered owner of the domain remains unchanged, but the arrangement typically involves the reconfiguration of the domain's DNS settings to point at the lessee's desired content (potentially including use of e-mail functionality and creation of subdomains)^[2,3]. The practice may also be referred to as domain 'renting', a term which is normally utilised for shorter-term agreements^[4]. 

From a lessor's point of view, this type of agreement allows them to retain ultimate control and ownership of the domain name whilst generating revenue from their asset, while the lessee is able to make use of a (potentially high-value) domain (perhaps just for a limited period of time) without needing to provide a sizeable upfront payment - say, for a newly-launched business or short-term campaign. In some cases, a leasing agreement might also include an option for subsequent purchase. A leasing agreement also potentially involves a lower level of legal liability for the lessee against infringement claims. The model might typically also be appropriate for a brand owner working with franchisees or local representatives, and can lend itself to application for dot-brand domains. 

Domain leasing is most usually carried out via dedicated platforms (such as venture.com) or domain marketplaces, or through legal service providers, domain brokers or direct negotiation. Leasing costs are highly variable but might typically range up to thousands of dollars per month (plus associated costs) for a premium domain - such as a short, memorable dictionary word on a popular TLD. For example, as of the time of writing (03-Jul-2024), domains featured on Venture's website^[5] include chatroom[.]org ($2.5k/mon), wishes[.]com ($3k/mon), eyelashes[.]com ($5k/mon) and driver[.]com ($15k/mon). For comparison, purchase of premium domains can involve multi-million-dollar prices; Wikipedia^[6] lists over 40 domains which have sold for over $3M over the last twenty-plus years, including shop[.]com ($3.55M), clothes[.]com ($4.9M), casino[.]com ($5.5M), hotels[.]com ($11M), sex[.]com ($13M) and voice[.]com ($30M). More recently (reported in March 2023), OpenAI bought AI[.]com for $11M^[7].

As an indicator of the types of domains typically associated with leasing agreements, we consider a sample set of (alphabetically, the first-listed) 1,000 domains under the management of leasing service provider Venture (as determined by nameserver analysis). The domains are overwhelmingly dominated by .com examples (984 instances), with the remainder comprised of .org (14) and .net (2). The domains range in length from 3 to 25 characters^[8], with four-character domain names by far the most popular (Figure 1).

Figure 1: Distribution of SLD lengths of a sample of 1,000 domains under management by Venture

The longest domains in the dataset comprise entirely of examples where the SLDs are phrases consisting of dictionary words, with the three longest examples found to be americanconservativeunion.com (25 characters), adjustablemortgagerates.com (23) and automobiletransmissions.com (23). The vast majority of the mid-length examples also have SLDs consisting of phrasal word-pairs, with examples such as 'activefamily', 'airlinemeals', 'ancientworld', 'atlanticcity', 'baseballcaps', 'bathcabinets', 'bigdiscounts' and 'budgetprices' (all 12-character names). 

Practical considerations 

For brand owners, there are some key overall points to bear in mind when considering domain leasing. Some useful questions to consider prior to any contractual arrangement include: 

• Aim - is the domain being used as a revenue generator (e.g. from a premium domain) or a short-term campaign / project run by a corporate entity? 

• History - how has the domain been used previously? 

• Ownership - who should retain ultimate control?  

• Payment - how much is the lessee paying the lessor and when are the payments expected? 

• Term - how long will the lease last? If a term is specified, is there a clear end date in any agreement? Should there be a provision for an outright purchase at the end?  

• Indemnity - is there a clause indemnifying the lessor for any liability by the lessee in using the domain? 

• Licence - what type of licence is needed (e.g. non-exhaustive, exhaustive, or a sole licence)?

• Termination - are there provisions in place for early termination?  

Conclusion 

Domain leasing can be a useful alternative to purchasing, offering a brand owner a model whereby they can retain ownership of the (potentially high-value) asset, whilst giving a partner entity the opportunity to make use of its functionality. This operational framework, which generally requires a pre-defined contractual agreement, can be of particular applicability in situations where a franchising model is in place, or for short-lived events and campaigns.  

References

[1] https://www.domainsherpa.com/domain-leasing-sample/

[2] https://domainwheel.com/domain-name-leasing/

[3] https://www.domains.co.uk/lease-domains

[4] https://thewebsiteflip.com/domains/renting/

[5] https://venture.com/

[6] https://en.wikipedia.org/wiki/List_of_most_expensive_domain_names

[7] https://techstartups.com/2023/03/01/openai-buys-ai-com-for-11-million-making-it-one-of-the-top-10-most-expensive-domains-ever-sold/

[8] Domain length is defined as the length of the second-level name, or SLD - i.e. the part to the left of the dot

This article was first published on 26 July 2024 at:

https://www.iamstobbs.com/opinion/an-alternative-approach-to-domain-name-management-domain-leasing

An unnatural .bond: a study of a ‘megacluster’ of malware domains

A recent news story^[1], following research from security provider Infoblox, highlighted the case of the 'Revolver Rabbit' cybercriminal gang, who have registered more than half-a-million domains to be used for the distribution of information-stealing malware. The gang make use of automated algorithms to register their domains, but unlike the long, pseudo-random ('high entropy'^[2,3]) domain names frequently associated with such tools, the Revolver Rabbit domains instead tend to consist of hyphen-separated dictionary words (presumably so as to obfuscate their true purpose), with a string of digits at the end. The majority of their domains (approximately 500,000, i.e. 500k) were hosted on the .bond TLD (top-level domain, or domain extension), but with around 200k more reported across other TLDs.

As an investigation into the scale and execution of the campaign, I first consider domains with names of the relevant format with the .bond extension. As of the date of analysis (22-Jul-2024), the .bond zone-file (providing a comprehensive list of all domains currently registered across the extension) was unavailable for analysis; however, data from a third-party source^[4] contained a similar number (actually slightly more) of .bond domains (385k) as DomainTools'^[5], estimate of the total number registered across the extension (377k), and was therefore used instead for this study.

The study considers all .bond domains containing (at least) two hyphens, with the second hyphen immediately followed by a numerical digit^[6]. This yields a dataset of just over 280k domains (actually over 70% of all domains registered on the TLD), and perhaps (in view of the previously reported estimate of 500k domains) suggests that a significant number of additional domains registered for use in the campaign may subsequently have lapsed. In order to provide an overview of the key features of the domains, I next consider a sample of 1,000 of these domains (actually the first 1,000 alphabetically). They show a number of features in common, including repeated use of the same registrars (with Key-Systems accounting for 985, and NameCheap for 15) and registrants (with registrant e-mail addresses @domain-contact.org given in 864 cases, @key-systems.net in 121, and @uptakeleads.com, @namecheap.com, and @withheldforprivacy.com in the remainder), and registration (domain creation) dates all within a relatively narrow time window (with 897 (89.7%) of the domains registered in the period since 29-May-2024, also noting that the most recent registration date was 20-Jul-2024, indicating that the campaign was likely still ongoing as of the date of analysis). These types of insights are key to the ability to 'cluster' together findings and establish likely connections between them^[7].

Figure 1: Numbers of potential ('candidate') .bond malware domains by date of creation, from the sample of 1,000

At the time of the study, none of these domains resolved to any significant content other than pages of pay-per-click (PPC) advertisements, presumably emplaced as a means of monetising the domains - whose purchase has potentially involved an investment of over $1 million - between periods of alternative use. The lack of any more meaningful site content suggests either that the malware distribution takes place from 'deeper' pages of the sites, or that the domains may be utilised only for short periods of activity and are now either dormant or pending activation. There is also a suggestion from previous research that the majority of the domains may have been registered as 'decoys' to mask the small number of active examples.

Returning to the full set of 280k .bond candidate malware domains, the data actually shows a range of domain-name structure patterns, featuring examples with between 2 and 8 distinct strings (keywords) separated by hyphens (Figure 2). The longest identified domain containing 8 keywords - which may not necessarily be part of the Revolver Rabbit cluster - is es-sicily-and-south-of-italy-tour-packages-27j.bond.

Figure 2: Numbers of domains in the dataset by number of distinct keywords contained within the domain name

The dataset also features a number of 'sub-clusters', in which the same keyword pairs are used multiple times. The top ten most frequently occurring pairs are shown in Table 1.

String	No. instances
dental-implants	8,130
car-deals	4,401
development-training	3,958
influencer-marketing	3,854
design-courses	3,333
warehouse-inventory	3,040
systems-panels	2,837
air-condition	2,752
warehouse-services	2,735
electric-cars	2,545

Table 1: Top ten most frequently occurring keyword pairs (i.e. the string appearing immediately prior to the hyphen which is followed by a digit) within the dataset of 280k candidate domains

In these cases, the sub-clusters tend to feature domains where (only) the numerical string differs between the various examples; the first five 'dental-implants' domains (for example) are alphabetically: dental-implants-001.bond, dental-implants-01.bond, dental-implants-02.bond, dental-implants-024.bond, and dental-implants-0243.bond.

Next, it is informative to widen out the search across other gTLDs for which zone-file information is available, to determine how many domains with names of the same format appear across these other extensions. This search actually reveals over 354k more domains, for which the top twenty most frequently occurring domain extensions are shown in Table 2.

TLD	No. domains
com	72,054
today	51,504
med	39,498
xyz	30,193
fyi	17,769
info	16,919
live	15,097
world	13,968
zone	12,304
online	10,902
click	9,925
shop	9,153
space	9,094
net	7,838
site	7,437
top	5,015
org	2,970
buzz	2,922
fun	1,505
store	1,468

Table 2: Top twenty most frequently occurring TLDs in the dataset of additional candidate Revolver Rabbit malware domains (outside .bond)

Outside the group of TLDs within the table which are popular generally, it is striking that this list contains many new-gTLD extensions which have previously been noted as being associated with high rates of infringement and abuse, due to factors such as the ease and cost of registrations, and provider security policies^[8]. For example, seven of the top-ten gTLDs found by Spamhaus to have the greatest rates of association with malware^[9] appear also in the list in Table 2.

Overall, this analysis suggests that over 600k domains potentially associated with the Revolver Rabbit malware distribution campaign are still actively registered, together with others which may have been used previously and subsequently allowed to lapse. Given the costs of domain registrations, this suggests a substantial financial investment on the part of the cybercriminals, and provides an indication of the amount of revenue these malware campaigns may be able to generate, through the utilisation and sale of stolen credentials - in addition to any further profits which may be available through domain monetisation processes, such as the inclusion of PPC links on the sites.

The findings also provide an indication of the importance of brand-protection programmes encompassing both monitoring and enforcement - specifically in cases where particular brands or company customer bases are targeted. This particular case study highlights the difficulty in proactively monitoring for criminal activity (or other abuse) in cases where there are (for example) no specific strings (such as brand names) to monitor for in the infringing domain names. In these instances, it is necessary to make use of other domain-name characteristics, which are often less diagnostic or more 'fuzzy' in nature - such as shared registration details or similar domain-name structures or keyword patterns - which, when considered together, can identify links between otherwise apparently unrelated findings and establish the existence of 'clusters' of associated results.

References

[1] https://www.bleepingcomputer.com/news/security/revolver-rabbit-gang-registers-500-000-domains-for-malware-campaigns/

[2] https://circleid.com/posts/20230703-an-overview-of-the-concept-and-use-of-domain-name-entropy

[3] https://www.iamstobbs.com/opinion/the-randomest-domain-names-entropy-as-an-indicator-of-tld-threat-level

[4] https://zonefiles.io/all-registered-domains/

[5] https://research.domaintools.com/statistics/tld-counts/

[6] The analysis used a regex (regular expression) matching string of: "-.*-[0-9]"

[7] 'Patterns in Brand Monitoring' by D.N. Barnett, Chapter 6: 'Result 'clustering'' [awaiting publication]

[8] 'Patterns in Brand Monitoring' by D.N. Barnett, Chapter 5: 'Prioritisation criteria for specific types of content' [awaiting publication]

[9] https://www.spamhaus.org/reputation-statistics/gtlds/malware/

This article was first published on 23 July 2024 at:

https://circleid.com/posts/20240723-an-unnatural-dot-bond-a-study-of-a-megacluster-of-malware-domains

Three('s a Crowd)Strikes and You’re Out: Infringing domain registrations after a bug in CrowdStrike's antivirus software

Overview 

The recent bug in CrowdStrike's 'Falcon Sensor' antivirus software, which triggered errors in around 8.5 million Microsoft Windows systems worldwide, has been compared to the 2017 WannaCry ransomware attack. However, it is at least an order of magnitude more significant in terms of impact. In this article, we consider the spike in potentially infringing CrowdStrike-related domain registrations which immediately followed the emergence of the issue. 

Introduction 

The corruption of a CrowdStrike software update led to massive IT outages across the world, affecting a range of industries, including aviation, healthcare and banking - and causing a large drop in CrowdStrike's share price^[1]. A fix was deployed relatively quickly, but - as is unsurprising, following similar patterns which have arisen in response to a huge variety of prior events - the issue was exploited by a range of bad actors capitalising on increased public interest in the CrowdStrike brand and users seeking information and assistance. One manifestation of this activity was a spike in the numbers of related domain registrations, as initially reported by security service provider Secureworks^[2,3], with warnings also being given about the likelihood of a continuation of scam activity^[4].  

Domain registration analysis 

In order to assess the scale of the infringing domain registrations issue, we consider the set of gTLD^[5] domains with names containing the CrowdStrike brand name, through analysis of domain zone-file data. As of the date of analysis (22-Jul-2024), 692 such domains were identified, of which 475 were likely official (i.e. under the ownership of CrowdStrike). Of the remainder, domain creation dates were available (via automated look-up) for 133 of the domains, of which 69 (52%) were registered in the three-day period between 19 and 21 July (Figure 1).  

Figure 1: Numbers of registered CrowdStrike-related domains, by date of creation (for the last year) 

The statistics provide some indication that the peak in activity has now passed (with 42, 19 and 8 domains registered on each of the last three days, respectively). However, this may in part be due to the fact that new registrations can take up to a few days to appear in the zone files.  

For the 69 domains registered since the emergence of the news story, there is a familiar mix of content types. 26 (37%) do not currently resolve to any live content (14 with no site response, and 12 displaying placeholder pages), which is typical of sites kept in a 'dormant' state before subsequently being 'weaponised'. A further 24 (35%) resolve to pages displaying pay-per-click ads, as a way of monetising the incoming web traffic, in addition to those displaying significant website content (19 instances). The keyword patterns are also informative, with eight of the domains containing 'fix', three containing 'help' and one containing 'support'.  

The active sites are dominated by sites purporting to offer assistance with a fix - either self-implemented (which could present a potential attack route in cases where the information given is not genuine), or offering their own IT support services (Figure 2). Other content types within the dataset include one site encouraging affected users to take legal action, and others featuring general information or parody content.  

Figure 2: Examples of sites hosted on CrowdStrike-related domains and offering assistance with fixes for the issue

Conclusion 

The flurry of infringement activity following the CrowdStrike software bug IT outage provides the most recent illustration of how high-profile events and news stories frequently trigger subsequent spikes in attack numbers and brand abuse. In this case, the infringements pose security risks to customers which can additionally affect company reputation and highlight the need for customer education and awareness campaigns. 

More generally, the study shows the importance of proactive brand protection programmes - particularly during periods of vulnerability following significant stories. These initiatives should incorporate monitoring approaches which are both proactive and reactive - i.e. able to respond to identified patterns and trends in observed infringement activity - in combination with enforcement actions able to rapidly take down threatening content as soon as it appears. 

References

[1] https://www.linkedin.com/posts/the-cyber-security-hub_crowdstrike-share-price-following-global-activity-7220473800339918849-c_ky/

[2] https://www.bbc.co.uk/news/articles/cpe3zgznwjno

[3] https://www.linkedin.com/pulse/crowdstrike-outage-could-biggest-cyber-incident-g1zie/ 

[4] https://www.newser.com/story/353230/global-experts-warn-about-post-outage-scams.html 

[5] Generic top-level domains (i.e. domain extensions)

This article was first published on 23 July 2024 at:

https://www.iamstobbs.com/opinion/threes-a-crowd-strikes-and-youre-out-infringing-domain-registrations-after-a-bug-in-crowdstrikes-antivirus-software

Fail to prepare, and prepare to fail: Olympics domain infringements

The issue

With the 2024 Summer Olympics set to begin in Paris on the 26th July, we have conducted a review of the current landscape of related domain names. Previous studies have noted that high-profile events of this nature tend to be associated with spikes in related infringements, where bad actors take advantage of increased levels of public interest to create scams and misdirect users to their own content.

Methodology

We have considered the set of registered domains (as of 26-Jun-2024) with names containing 'olympic', 'olympique', or 'paris(-)(2)(0)24', which generated over 16,000 results.  After filtering out official registrations and unrelated matches (e.g. those relating to previous competitions or generic use), we are left with  a dataset of just under 1,000 third-party domain names of high potential relevance.

Findings

The domains feature a range of content types, with 550 of the domains (i.e. 57%) not returning any live website response, and several more resolving just to placeholder pages. It is not uncommon for newly registered domains to be left in a 'dormant' state by their registrants, prior to being subsequently 'weaponised' for scam or infringing use, highlighting the importance of monitoring inactive domains of concern for changes in content. Many more of the domains in the dataset resolve to pages explicitly offering the domain name for sale (Figure 1), highlighting also the popularity of domains being registered for monetisation and profit generation.

Figure 1: An example of a page offering the sale of the host domain name (second-level name 'paris2024') and other names relating to the subsequent games

The domains resolving to live content are associated with differing levels of risk. Several are relatively benign (including instances of news or informational sites, claims of affiliation, sites offering related products or services such as accommodation, and references to other events taking place in Paris in 2024). However, a significant number resolve to content which appears to be potentially infringing and are of concern (Figure 2).

Figure 2: Examples of potentially infringing websites hosted on domain names relating to Paris 2024 - top to bottom: potential phishing (in conjunction with references to travel visas); site offering ticket sales; e-commerce site (potential counterfeits); potential piracy (unauthorised streaming) website; site promoting a cryptocurrency scheme; boycott site

Another striking observation is the extent to which the levels of infringing activity ramp up as the event in question approaches, as shown by the registration profile of the high-relevance third-party domains (Figure 3).

Figure 3: Numbers of high-relevance, third-party Paris 2024 domains actively registered, by original month of registration (where available via automated look-up)

New-gTLD domain extensions - many of which have been previously noted as being popular with infringers - feature heavily amongst the dataset, with the top ten extensions in the overall dataset including .store (5th place; 28 instances), .shop (6th; 25), .online (8th; 24) and .site (10th; 16). An interesting observation is the inclusion of the city-specific new-gTLD .paris in the list (4th place; 30 instances). We also see that the most popular registrars in the dataset are retail-grade providers (Table 1) - again traditionally popular with infringers - and the extensive use of privacy protection in the domain whois records (Table 2).

Registrar	No. domains
GoDaddy.com, LLC	169
OVH, SAS	85
GANDI SAS	63
IONOS SE	55
NameCheap, Inc.	33

Table 1: Top five registrars in the dataset

Registrant	No. domains
Domains By Proxy, LLC	79
REDACTED FOR PRIVACY	58
Privacy service provided by Withheld for Privacy ehf	28
Super Privacy Service LTD c/o Dynadot	19
Private by Design, LLC	19

Table 2: Top five cited registrants in the dataset

Take-aways

The range of observed infringements highlights the importance of brand owners conducting proactive programmes of monitoring and enforcement, particularly at times when the brand profile is elevated. This simple study has considered just domain-related findings, but in the modern connected Internet, infringements tend to be manifested across a wide range of channels, and a holistic view is key to addressing the issues.

As with previous studies, new-gTLD extensions comprise a significant proportion of the results of interest. It is also noteworthy that, of the new-gTLDs appearing in the top ten extensions in this study's dataset, only one (.shop) is included in the GlobalBlock scheme^[1] (subject to a 'premium domain pricing threshold'^[2]). Furthermore, any domains featuring additional keywords would also not be covered (noting that the sites shown Figure 2 include examples featuring terms such as 'tickets', 'visa' and 'schedule'), showing the importance of augmenting these types of blocking schemes with more comprehensive online brand protection programmes.

Finally, the prominence of the .paris domain extension within the dataset shows that city-specific TLDs - which are often overlooked - can be of key importance in relation to particular events.

References

[1] https://www.iamstobbs.com/opinion/key-facts-about-the-globalblock-scheme-a-consideration-for-domain-management-and-online-brand-protection-clients

[2] https://globalblock.co/included-extensions/

This article was first published on 3 July 2024 at:

https://www.iamstobbs.com/opinion/fail-to-prepare-and-prepare-to-fail-olympics-domain-infringements