Wednesday, 11 December 2024

A review of the 2024 threat landscape and implications for domain security

by David Barnett (Stobbs) and Stuart Fuller (Com Laude)

Introduction

The cybersecurity landscape in 2024 has been characterised by unprecedented complexity and rapidly evolving threats, presenting significant challenges for organisations across all sectors. As the digital attack surface expands and threat actors employ increasingly sophisticated techniques, domain security has emerged as a critical component of a robust cybersecurity strategy.

'Classic' brand infringements

Despite the ongoing evolution of the Internet landscape, in terms of relevant platforms and infringement types, many of the areas of 'classic' brand infringements continue to be of relevance and concern to brand owners. Three of these key areas continue to be:

  • Counterfeiting - the sale of unauthorised, non-official goods featuring a trusted brand name and attempting to pass off as legitimate items produced by that brand, and which is of concern to any manufacturers of (traditionally) physical goods.
  • Online fraud - including sophisticated phishing attacks, which is of most relevance to financial service providers and any organisation holding the personal details of customers.
  • Digital piracy - the unauthorised sharing of any content which can be distributed in digital form, such as music, movies, TV, software, and books.

In addition, several areas which may be broadly described as 'other brand infringements' also remain significant focuses of brand protection initiatives and include areas such as traffic misdirection (i.e. the unauthorised use of brand names on webpages so as to manipulate search engine results), grey market brand infringement, and false claims of affiliation[1].

Emerging areas

However, a number of new issues or areas of concern have begun to emerge over recent years, which require addressing in terms of both monitoring and enforcement, by modern sophisticated brand protection programmes and/or which feed into intellectual property management considerations for brand owners. Some of the main areas are outlined below.

  • Generative Artificial Intelligence (AI) - The relevance of AI to Internet- and IP-related applications encompasses a range of areas. However, one category of specific interest is considerations relating to generative AI or large language models (LLMs), systems able to generate high-quality outputs such as natural-language text (e.g. ChatGPT), computer code (e.g. Copilot), or images (e.g. Midjourney), based on training data. Open questions in this realm include considerations regarding the difficulty in monitoring the outputs—which are generally dynamically generated—from such systems, the ownership of rights to the material produced, and the routes of recourse if the models produce content which is infringing, inaccurate or defamatory. Other unresolved points relate to whether the utilisation of training data is classified as fair use or whether it may be infringing; whether sensitive information shared with such systems may be incorporated into their models and may therefore pose a security risk; and concerns over the proliferation of AI-generated content which may be inaccurate and may in turn feed into subsequent AI models and search-engine results[2].

  • Web2 / Web3 'crossover' - Web3 is a general term referring to decentralised content on the Internet and is most generally taken to pertain to applications built on blockchain technologies (such as cryptocurrencies, non-fungible tokens (NFTs)[3] and blockchain domains)[4,5]. Within this sphere, some of the more relevant emerging areas which warrant careful attention by brand owners include: (i) the development of 'dual-function' domain names (where users typically receive a classic (Web2) domain name and an associated matching blockchain domain), as offered on extensions such as .box[6], .locker[7] and .shib; (ii) instances where Web2 URLs 'map' to Web3 content, and/or the promotion of Web3 services and offerings within the Web2 landscape (such as the promotion of cryptocurrency-related scams)[8]. However, whilst some of the providers of these solutions market their services as being 'interoperable' across Web2 and Web3, without a real compelling usage for brand holders, demand remains limited.

  • Blockchain domains and name collisions - Like 'classic' (Web2) domains, blockchain domains (as mentioned above) consist of a second-level domain name and an extension but are recorded on a blockchain and not governed or regulated by ICANN (the Internet Corporation for Assigned Names and Numbers). They are most usually used for the creation of decentralised websites, as cryptocurrency wallet addresses, or to provide hosting infrastructure for programs to be run as decentralised apps ('dApps')[9]. One specific issue (and a particular consideration where brand owners may be securing blockchain domains for official use) is the possibility of name collisions; that is, the appearance of identical domain names on distinct blockchains. Related issues may arise where blockchain domain name extensions coincide with Web2 TLDs (top-level domains, or domain extensions), particularly with a new round of new-gTLD applications scheduled to launch in 2026[10]. Due in part to the obvious potential for brand confusion, this issue is likely to require resolution through appropriate developments, possibly including elements of name regulation, and agreement on how web-browsers prioritise conflicting names - especially as native support for blockchain domains by mainstream browsers becomes more common.

  • Domain name availability and TLD usage - A lack of availability of unregistered domains across popular TLDs (particularly comprising short, memorable names or dictionary terms) is increasingly becoming an issue for organisations looking to launch new brands or other initiatives[11,12,13]. This issue may drive a push towards the use of novel or invented brand names and/or alternative TLDs. This adoption could potentially cover the areas of new-gTLDs (including 'dotBrands' (see below), where a brand owner applies to act as a registry to administer a TLD comprising their brand name in its own right[14]), blockchain domains, and 're-requisitioned' country-code TLDs (ccTLDs), such as is already becoming popular for extensions such as .tv, .co, .io and .ai, and potentially for others such as .ad[15] and .my.

  • Use of wider ranges of brand variations by infringers - The use of brand variations by infringers - particularly those which appear visually similar to the name of the brand being targeted or impersonated - has long been observed as a means of evading detection, particularly where brand protection service providers may be monitoring for exact matches only. Such practices are seen across a range of channels, particularly on e-commerce marketplaces and in domain names - where they can create a means of generating a highly convincing scam and form the basis of a wide range of damaging content[16]. The traditional types of variant, such as the replacement of one standard ASCII character by another visually similar one (e.g. '0' for 'o', '1' for 'i', 'l' for 'i', etc.) and simple typos (missing / transposed characters, adjacent-key replacements, etc.), are increasingly being superseded by more sophisticated approaches. Categories which have already been observed include: (i) subdomain-based abuse (where the brand name is featured in the section of the URL prior to the domain name); (ii) use of internationalized domain names (IDN)[17], giving the potential for the use of non-Latin characters appearing almost completely indistinguishable from their Latin counterparts (e.g. the Cyrillic 'а', 'е' or 'о'); and (iii) bitsquatted domains (where the binary representation of the infringing domain differs from that of the real domain by one bit, thereby comprising a variant to which users could be directed due to a corruption in transit of the HTTP request)[18]. A new emerging trend may also see the use of graphical domain names to create confusion or new types of infringement; this is already being observed in the phenomenon of blockchain domain names (which allow a wide range of non-ASCII characters such as emojis to be present in the names) comprising strings of coloured symbols which, when displayed in a suitable grid configuration, appear as pixellated images[19,20].

  • New channels / channel 'crossovers' - As previously disparate channels of Internet content become increasingly interconnected, infringers are likely to make greater use of crossovers between content types. One such example is the practice of using 'hidden links'; that is, offering the sale of counterfeits through 'dummy' listings on e-commerce marketplaces, which are promoted - together with purchase instructions - through other platforms such as social media[21]. As new channels continue to emerge, the options are likely to become more numerous, and monitoring more complex, providing greater challenges for brand-owner awareness.
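The variant categories named in the 'brand variations' item above (ASCII look-alikes, typos, subdomain abuse, IDN homoglyphs and bitsquats) can be told apart mechanically once a monitoring feed is in hand. The following Python is an added example, not code from the authors; the brand label `example`, the small confusables table and the sample hostnames are constructed assumptions, and the registered name is assumed to be the second-to-last label.

```python
BRAND = "example"  # constructed brand label (assumption)

# Small constructed confusables table (assumption); a production monitor
# would load the full Unicode confusables data instead.
FOLD = {"0": "o", "1": "l", "i": "l",
        "\u0430": "a", "\u0435": "e", "\u043e": "o"}  # Cyrillic a, e, o

def skeleton(label):
    """Fold visually similar characters so lookalikes compare equal."""
    return "".join(FOLD.get(ch, ch) for ch in label)

def to_unicode(host):
    """Decode xn-- (punycode) labels so IDN lookalikes can be compared."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # already Unicode, or malformed: compare as given

def is_bitsquat(a, b):
    """Same length, one differing character, differing in exactly one bit."""
    if len(a) != len(b) or not (a.isascii() and b.isascii()):
        return False
    diff = [ord(x) ^ ord(y) for x, y in zip(a, b) if x != y]
    return len(diff) == 1 and (diff[0] & (diff[0] - 1)) == 0

def one_edit(a, b):
    """One substitution, adjacent transposition, insertion or deletion."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        d = [i for i in range(len(a)) if a[i] != b[i]]
        return len(d) == 1 or (len(d) == 2 and d[1] == d[0] + 1
                               and a[d[0]] == b[d[1]] and a[d[1]] == b[d[0]])
    short, long_ = sorted((a, b), key=len)
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))

def classify(host, brand=BRAND):
    labels = to_unicode(host.lower()).split(".")
    if len(labels) < 2:
        return "unrelated"
    # Assumption: single-label TLD. Real code should use the Public Suffix List.
    registered, subs = labels[-2], labels[:-2]
    if registered == brand:
        return "exact-match"
    if skeleton(registered) == skeleton(brand):
        return "ascii-homoglyph" if registered.isascii() else "idn-homoglyph"
    if is_bitsquat(registered, brand):
        return "bitsquat"
    if one_edit(registered, brand):
        return "typo"
    if any(skeleton(brand) in skeleton(s) for s in subs):
        return "subdomain-abuse"
    return "unrelated"

# Constructed monitoring hits (not real findings).
SAMPLE = [
    "examp1e.com",
    "ex\u0430mple.com".encode("idna").decode("ascii"),  # Cyrillic 'а' as xn--
    "dxample.com",      # 'e' (0x65) -> 'd' (0x64): one bit flipped
    "exmaple.com",
    "example.login-portal.net",
    "weather-news.org",
]

def classify_all(hosts=SAMPLE):
    return {h: classify(h) for h in hosts}

if __name__ == "__main__":
    for host, kind in classify_all().items():
        print(f"{kind:16} {host}")
```

An exact-match-only monitor would report none of the first five sample hosts, which is the detection gap the item describes.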

Discussion: the relevance of domain name security

In intellectual property and brand protection considerations, domain names occupy a central role, due to the ease with which they can be utilised by bad actors in the creation of highly deceptive infringements. Furthermore, domain name abuse generally constitutes a more explicit form of IP infringement, provides greater search-engine visibility, and typically offers a greater range of enforcement options, than abuse across other Internet channels.

More generally, there is a highly significant relationship between domain name management (i.e. the administration of a portfolio of officially owned domain names, comprising 'core' domains for day-to-day business operations, and a set of 'tactical' (strategic and defensive) names), and online brand protection (which addresses activity by third parties, working on the principle that it is never possible to secure all possible domain-name permutations which could be utilised by an infringer)[22]. Both of these areas (the application of security measures to official domains, and the identification of and enforcement against infringing third-party domains) thereby comprise different aspects of the wider initiative of domain security.

Considering firstly the management of an official domain portfolio, a central consideration is the construction and management of a domain name registration policy[23] - essentially, specifying the keyword strings and TLDs the brand owner would ideally like to secure into their official portfolio. Subsequent construction and/or consolidation of this portfolio then typically involves a programme of purchases, enforcement, and acquisition, alongside a programme of monitoring in-scope domains which are currently under third-party control.

The specification of such a policy involves an assessment of the balance between cost and risk (and includes consideration of return-on-investment[24]). Furthermore, brand owners may wish to augment these initiatives through the use of alerting or blocking schemes (such as the Trademark Clearinghouse (TMCH) or GlobalBlock[25]) to prevent or mitigate third-party infringements. The GlobalBlock initiative was introduced to brand owners in 2024 by the Brand Safety Alliance (BSA), and provides the ability for organisations to block trademarks and keywords, including variants (as discussed above), across over 600 (and growing) TLDs. GlobalBlock builds on the popularity of earlier solutions such as DPML (the Domains Protected Marks List) and AdultBlock.

Once an official domain portfolio is in place, the application of a holistic programme of domain security measures is essential. These might typically include the use of an enterprise-class registrar and the use of applications such as registry lock and DNSSEC (to prevent unauthorised changes), DMARC (to secure e-mail communications), and so on. Typically, domains will be ranked according to their criticality, with the most significant domains being the most heavily secured.

As part of the brand-protection side of domain analysis, one key objective is typically the prioritisation of findings. Domain monitoring services may typically detect large numbers of findings, and it is important to be able to quantify their level of potential current or future threat, even in the absence of a current live website, so as to identify priority candidates for further analysis or enforcement[26]. A number of domain characteristics can be used for this purpose (and can also aid in the identification of 'clusters' of related domains, a process which can help identify serial infringers, build stronger cases of bad-faith activity, and offer the basis for efficient bulk takedowns)[27]. Relevant domain features might typically include:

  1. TLD - Some TLDs are associated with higher rates of infringement, often a consequence of lower registration costs and/or lax registration requirements[28].

  2. MX record - The presence of a mail exchange (MX) record indicates that the domain has been configured to be able to send and receive e-mails and could potentially be associated with phishing activity.

  3. SSL provider - The use of an SSL (Secure Sockets Layer) certificate from a budget or free provider may be a red flag that the certificate has been used to add legitimacy to what may be an infringing site.

  4. Web traffic - Other factors being equal, a domain receiving higher levels of traffic may warrant higher-priority action than another receiving fewer visitors.

  5. Registrant / registrar / hosting provider characteristics - Certain features, such as the use of webmail e-mail addresses or privacy protection services, hosting in a high-risk or low-compliance jurisdiction, or the use of low-compliance and/or retail-grade registrars or 'bulletproof' hosting providers, can be indicators of concern.

  6. Domain name entropy or phonotactic score - In many cases, domains intended for fraudulent use may be registered using automated scripts, which may generate names appearing visually random. The degree of randomness of a name can be quantified by measures such as Shannon entropy[29,30,31] or phonotactic score (the degree of resemblance to regular words in a language)[32,33], with high-randomness names generally less likely to be associated with legitimate usage.
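One way to combine the six features above into a ranking, with a simple grouping step for the 'clustering' idea, is shown below. This is an added example, not the authors' scoring method: the weights, the traffic cap, the placeholder TLD labels, the record field names and the sample records are all constructed assumptions.

```python
import math
from collections import Counter, defaultdict

# Weights, the traffic cap and the TLD list are illustrative assumptions.
HIGH_RISK_TLDS = {"tld-a"}  # placeholder label, not a real TLD
WEIGHTS = {"tld": 2.0, "mx": 2.0, "free_cert": 1.0,
           "traffic": 1.0, "registration": 1.0, "entropy": 1.0}

def shannon_entropy(name):
    """Bits per character. Bounded by log2(len(name)), so it is most
    meaningful when comparing names of similar length."""
    n = len(name)
    return -sum(c / n * math.log2(c / n) for c in Counter(name).values())

def threat_score(rec):
    """Weighted sum over the six features in the list above."""
    name, _, tld = rec["domain"].rpartition(".")
    sld = name.split(".")[-1]  # second-level label only
    return round(
        WEIGHTS["tld"] * (tld in HIGH_RISK_TLDS)
        + WEIGHTS["mx"] * rec["has_mx"]
        + WEIGHTS["free_cert"] * rec["free_cert"]
        + WEIGHTS["traffic"] * min(3.0, math.log10(rec["monthly_visits"] + 1))
        + WEIGHTS["registration"] * len(rec["registration_flags"])
        + WEIGHTS["entropy"] * shannon_entropy(sld), 2)

def prioritise(records):
    """Highest score first: candidates for analysis or enforcement."""
    return sorted(((threat_score(r), r["domain"]) for r in records),
                  reverse=True)

def clusters(records):
    """Group domains sharing registrar and hosting; keep groups of 2+."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["registrar"], r["hosting"])].append(r["domain"])
    return {k: v for k, v in groups.items() if len(v) > 1}

# Constructed records (not real findings); field names are hypothetical.
SAMPLE = [
    {"domain": "example-login.tld-a", "has_mx": True, "free_cert": True,
     "monthly_visits": 9999, "registrar": "registrar-x", "hosting": "host-y",
     "registration_flags": ["privacy_whois", "webmail_contact"]},
    {"domain": "qzx7kv2m9b.tld-a", "has_mx": True, "free_cert": True,
     "monthly_visits": 0, "registrar": "registrar-x", "hosting": "host-y",
     "registration_flags": ["privacy_whois"]},
    {"domain": "example-fans.tld-b", "has_mx": False, "free_cert": False,
     "monthly_visits": 99, "registrar": "registrar-z", "hosting": "host-w",
     "registration_flags": []},
]

if __name__ == "__main__":
    for score, domain in prioritise(SAMPLE):
        print(f"{score:6.2f}  {domain}")
    print(clusters(SAMPLE))
```

Raw Shannon entropy rises with name length, so a long dictionary-based name can score close to a short random one; comparing names of similar length, or pairing entropy with a phonotactic score, keeps the feature useful.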

The dotBrand opportunity: the ultimate domain security mechanism

The ultimate digital goal for most brand holders is to provide a trusted online, zero-abuse name-space for their clients and prospects, whilst taking advantage of the opportunity the online landscape continues to present. Multiple stakeholders in every organisation will have their own objectives related to customer reach and engagement, revenues, reputation, security, and compliance, using different approaches and metrics to measure the success of their individual strategies, as well as the overall contribution to the business's goals.

A holistic domain name strategy which balances the digital risks and rewards, whilst providing return on investment and resource, is the key aim for any organisation. It is simply not practical, or affordable, to register every combination of keyword and top-level domain. The use of brand protection solutions can provide defensive intelligence combined with proactive enforcement actions, but again that approach comes at a cost.

In 2012, ICANN launched the first major expansion of the domain name space, with over 1,200 new TLD applications being accepted[34], featuring 494 organisations applying in line with specification 13 of the ICANN agreement to operate their TLD as a dotBrand[35]. Many of those TLDs are now being actively used by major brands such as Sharp[36], Google[37], Sky[38] and Amazon[39], and provide the organisations which applied with the ultimate brand protection space.

It has been 12 years since organisations have been able to apply for a dotBrand TLD, but the opportunity will soon present itself again. The forthcoming ICANN new-gTLD programme[40] will again offer brand holders the opportunity to apply to own and operate a dotBrand TLD which will allow them to have full control over their own slice of Internet infrastructure. This would allow an organisation to create their own naming conventions, register domain names at will, and create a zero-abuse name space.

The next application round will be time limited and is currently scheduled to open in April 2026 for up to 15 weeks[41]. Whilst many organisations will already be committed to making an application (or two!), others are yet to decide whether owning and operating their own TLD will deliver the required return on investment. There are a number of use-case scenarios which could be deployed by organisations, but even just focusing on a dotBrand as a domain security measure, there are a number of compelling reasons to make an application, including the potential for:

  1. Complete control over the namespace - DotBrand owners have full authority over every domain ending with their brand suffix, preventing unauthorised registrations and cybersquatting[42].

  2. Zero-abuse environment - The ability to monitor and immediately act against potential threats creates a secure online space for customers and the brand itself[43].

  3. Enhanced trust and authentication - Users can confidently interact with genuine brand websites, knowing that any domain ending with the dotBrand is authentic and secure[44].

  4. Reduced phishing and fraud risks - It becomes extremely difficult for fraudsters to imitate official brand URLs, protecting customers from phishing attempts and other malicious activities[45].

  5. Streamlined security implementation - DotBrand owners can easily implement uniform security standards, such as DNSSEC and HSTS pre-load, across their entire domain portfolio[46].

  6. Improved internal security - Employees can trust communications and resources ending with the dotBrand, safeguarding critical online infrastructure[47].

  7. Reduced legal disputes - Studies have shown a decrease in UDRP (Uniform Domain-Name Dispute-Resolution Policy) cases for companies after implementing their dotBrand[48].

Whilst the application window is still over 12 months away, it is imperative that any organisation wishing to reap the benefits of owning their own TLD, especially as a domain security mechanism, commences the planning work as soon as possible. This would generally involve working with an enterprise-class registrar and consultancy provider with experience and expertise of creating the use-case scenarios for global brands.

* * * * *

This article is an overview of the content from the discussion sessions moderated by David Barnett and Stuart Fuller at the Com Laude x Stobbs 'Domain Name and Brand Protection Forum', The Oval, London, 20-Nov-2024.

References

[1] 'Patterns in Brand Monitoring' (D.N. Barnett, Business Expert Press, 2025), Chapter 1: 'Overview of online brand protection'

[2] 'Patterns in Brand Monitoring' (D.N. Barnett, Business Expert Press, 2025), Chapter 14: 'New developments'

[3] https://www.linkedin.com/pulse/rise-nft-david-barnett

[4] 'Patterns in Brand Monitoring' (D.N. Barnett, Business Expert Press, 2025), Chapter 13: 'Analysing trends in Web3'

[5] https://www.iamstobbs.com/opinion/trends-in-web3-part-1-a-look-at-blockchain-domains

[6] https://www.iamstobbs.com/opinion/the-crossover-two-recent-developments-in-web2/web3-interaction

[7] https://www.iamstobbs.com/opinion/some-more-new-domains-in-the-.locker

[8] https://www.iamstobbs.com/opinion/web2/web3-crossover-brand-related-crypto-infringements

[9] https://en.wikipedia.org/wiki/Decentralized_application

[10] https://www.iamstobbs.com/opinion/the-new-new-gtlds

[11] 'Patterns in Brand Monitoring' (D.N. Barnett, Business Expert Press, 2025), Chapter 9: 'Domain landscape analysis'

[12] https://www.iamstobbs.com/availability-of-domains-ebook

[13] https://circleid.com/posts/availability-analysis-of-brandable-variant-string-domain-names

[14] https://www.iamstobbs.com/opinion/a-review-of-the-current-state-of-the-new-gtld-programme-dot-brands

[15] https://www.iamstobbs.com/opinion/a-new-tld-to-.ad-to-the-collection

[16] 'Patterns in Brand Monitoring' (D.N. Barnett, Business Expert Press, 2025), Chapter 7: 'Creation of deceptive URLs'

[17] https://www.iamstobbs.com/idns-ebook

[18] https://www.iamstobbs.com/the-world-of-the-bitsquat

[19] https://www.iamstobbs.com/trends-in-web3-ebook

[20] https://www.iamstobbs.com/trends-in-web3-part-3

[21] https://circleid.com/posts/20220510-breaking-the-rules-on-counterfeit-sales-the-use-of-hidden-links

[22] https://www.worldtrademarkreview.com/global-guide/anti-counterfeiting-and-online-brand-enforcement/2022/article/creating-cost-effective-domain-name-watching-programme

[23] https://www.iamstobbs.com/opinion/strategies-for-constructing-a-domain-name-registration-and-management-policy

[24] 'Patterns in Brand Monitoring' (D.N. Barnett, Business Expert Press, 2025), Chapter 11: 'Quantifying brand protection return-on-investment'

[25] https://www.iamstobbs.com/opinion/key-facts-about-the-globalblock-scheme-a-consideration-for-domain-management-and-online-brand-protection-clients

[26] 'Patterns in Brand Monitoring' (D.N. Barnett, Business Expert Press, 2025), Chapter 5: 'Prioritisation criteria for specific types of content'

[27] 'Patterns in Brand Monitoring' (D.N. Barnett, Business Expert Press, 2025), Chapter 6: 'Result 'clustering''

[28] https://circleid.com/posts/20230117-the-highest-threat-tlds-part-2

[29] https://www.linkedin.com/pulse/investigating-use-domain-name-entropy-clustering-results-barnett/

[30] https://circleid.com/posts/20230703-an-overview-of-the-concept-and-use-of-domain-name-entropy

[31] https://www.iamstobbs.com/opinion/the-randomest-domain-names-entropy-as-an-indicator-of-tld-threat-level

[32] https://circleid.com/posts/20240903-unregistered-gems-identifying-brandable-domain-names-using-phonotactic-analysis

[33] https://www.iamstobbs.com/opinion/phishing-trends-2024-and-a-look-at-some-new-data-for-domain-threat-quantification

[34] https://newgtlds.icann.org/en

[35] https://newgtlds.icann.org/sites/default/files/agreements/agreement-approved-specification-13-31jul17-en.pdf

[36] https://global.sharp/

[37] https://wallet.google/

[38] https://www.skygroup.sky/

[39] https://sidewalk.amazon/

[40] https://www.iamstobbs.com/opinion/the-new-new-gtlds

[41] https://newgtldprogram.icann.org/en/application-rounds/round2

[42] https://comlaude.com/ate-dotbrands/

[43] https://dotbrand.domains/dot-brands-explained/for-security/

[44] https://directorstalk.net/secure-your-own-dotbrand-for-a-stronger-online-presence

[45] https://dotbrand.domains/dot-brands-explained/for-security/

[46] https://comlaude.com/dotbrands-a-gateway-to-innovation-and-new-technology/

[47] https://dotbrand.domains/dot-brands-explained/for-security/

[48] https://www.dotmagazine.online/issues/light-my-fire/the-value-of-domain-names/3-ways-to-protect-your-brand

This article was first published on 10 December 2024 at:

https://circleid.com/posts/a-review-of-the-2024-threat-landscape-and-implications-for-domain-security
