Introduction
A recent study by consumer watchdog Which?[1] highlighted the issue of fake websites targeting customers of trusted delivery services, noting that the top five UK brands affected by scams are Amazon, DHL, Evri, Royal Mail and UPS[2]. Brand impersonation scams are, of course, nothing new, but the numbers of these types of infringements tend to exhibit spikes in the run-up to the holiday season in response to the growth in online purchases. Delivery and logistics service providers can be a particularly attractive target, in light of the possibility for the infringing sites to collect customers' personal details and payments, purportedly so as to ensure the safe delivery of items.
In this study, we consider the landscape of domain names relating to these five most highly targeted brands, in order to gain an overview of the possible scale of the infringement landscape.
Methodology
The analysis considers the set of gTLD (generic top-level domain) domains with names beginning[3] 'amazon', 'dhl', 'evri', 'royal(-)mail' or 'ups', using domain zone file data (as of 18-Dec-2024). The focus on gTLD domains is partly so as to ensure that coverage is as comprehensive as possible (given the availability of gTLD zone files), but also because gTLDs tend to be popular with infringers. This is due to the generally lower cost and levels of requirements for registrations, and the ready availability of associated information (such as registration dates) via automated whois look-ups.
As of the date of analysis, there are over 84,000 such domains. We therefore focus specifically on those names which also feature keywords of potential relevance / interest[4], and explicitly exclude any where the brand name appears as a sub-string in an obviously non-relevant context (e.g. for 'ups': 'upscale', 'upside', 'upstate', etc.), together with all domains which appear to be registered by the brand owner in question. This leaves a dataset of 1,746 domains.
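The filtering steps described above can be expressed as a short script. This is an added example, not the study's own code: the function names, the placeholder `.example` domains (built from SLDs listed in Figure 2, plus constructed negatives) and the brand-owned allow-list are assumptions.

```python
import re

# Brand strings from the Methodology; 'royal(-)mail' matches with or without the hyphen.
BRAND_PREFIX = re.compile(r"^(amazon|dhl|evri|royal-?mail|ups)")
# Keywords from footnote [4]; 'deliv' and 'updat' are the stems of deliv* / updat*.
KEYWORDS = ("login", "verify", "deliv", "track", "parcel", "package",
            "pay", "status", "service", "updat")
# Non-relevant 'ups' contexts named in the text ("etc." there: extend as needed).
NON_RELEVANT = ("upscale", "upside", "upstate")


def classify(domain, brand_owned=frozenset()):
    """Return (brand, matched_keywords) for a candidate domain, else None."""
    name = domain.strip().lower().rstrip(".")
    labels = name.split(".")
    if len(labels) < 2 or name in brand_owned:
        return None
    sld = labels[-2]  # assumes zone-file style names: <sld>.<gTLD>
    match = BRAND_PREFIX.match(sld)  # brand must start the name (footnote [3])
    if match is None or sld.startswith(NON_RELEVANT):
        return None
    remainder = sld[match.end():]
    hits = [kw for kw in KEYWORDS if kw in remainder]
    return (match.group(1).replace("-", ""), hits) if hits else None


def filter_candidates(domains, brand_owned=frozenset()):
    """Map each retained domain to its (brand, keywords) classification."""
    results = {}
    for domain in domains:
        verdict = classify(domain, brand_owned)
        if verdict is not None:
            results[domain] = verdict
    return results


# Constructed sample: SLDs from Figure 2 on a placeholder TLD, plus negatives.
SAMPLE = [
    "amazonlogisticservice.example", "ups-packages.example",
    "royalmailexpressservice.example", "royal-mailtrack.example",
    "upstatedelivery.example",   # 'ups' in a non-relevant context
    "myupsdelivery.example",     # brand not at the start of the name
    "dhlfanclub.example",        # brand prefix but no keyword
    "evriparceltrack.example",   # treated as brand-owned below (constructed)
]
OWNED = frozenset({"evriparceltrack.example"})  # hypothetical allow-list

if __name__ == "__main__":
    for dom, (brand, kws) in filter_candidates(SAMPLE, OWNED).items():
        print(f"{dom}\t{brand}\t{','.join(kws)}")
```

In the study the brand-owned exclusion is based on registration data; the allow-list here stands in for that step.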
Analysis
For the domains currently registered (as of the date of analysis), Figure 1 shows the growth over time in their numbers, based on their registration dates[5]. The graph shows that the majority of the domains have been registered in the last year, though this is perhaps unsurprising in view of the likelihood that many domains registered for potential fraudulent use in the past may have subsequently been allowed to lapse after the initial period of ownership, and are no longer present.
Figure 1: Growth over time (2020 - 2024) in the numbers of domains in the current dataset
733 of the sites generate some sort of live website response[6], and within this set, a range of content types is present. 21 of the sites re-direct to URLs on the official website of the brand in question, and are likely legitimate, although re-direction to an official site can be a technique used by fraudsters to lend credibility to fake sites which are being utilised for other purposes (e.g. for their e-mail functionality).
Many of the other live sites resolve to placeholder pages or other low-threat content, and may include instances which formerly resolved to fraudulent sites (particularly in cases where browser warnings of dangerous content are present), or may be registrations which have not yet been activated for fraudulent use (i.e. are being held in a 'dormant' state in an attempt to evade enforcement).
Some of the live sites resolve to unrelated content (such as gambling or cryptocurrency related content) or other instances where the brand name is being used (potentially on an unauthorised infringing basis) in conjunction with other products and services. However, as of the date of analysis, at least 18 examples were identified of live websites which appear to be fraudulent and/or infringing and are impersonating the brand in question (or are otherwise making use of the brand name in conjunction with content relating to delivery or logistics services) (Figure 2).
Figure 2: Examples of potentially fraudulent and/or infringing sites pertaining to one of the five most highly targeted delivery / logistics brands (SLD[7] names: amazonlogisticservice, amazonservicejapan, dhlcourierservices, dhldeliverycompany, evriincardelivery, evriglobalservice, royalmailexpressservice, upsdeliveryintl, ups-packages)
Discussion
The observations highlight the importance of a proactive programme of brand protection, consisting of elements of both monitoring and enforcement, particularly at times of heightened concern, when products and services are in particular demand and opportunities for infringers may be greater.
The large numbers of 'dormant' sites (or others where the domain is currently configured to resolve or re-direct to unrelated content) which nonetheless have domain names that are clearly of concern, and appear intended explicitly for fraudulent use, also show that proactive tracking of detected sites of interest for changes to content is a key requirement.
Also of particular relevance in this case is the use of dot-brand TLD extensions. Three of the brands under consideration own and operate their own dot-brand extensions (.amazon, .dhl and .ups), but this clearly does not prevent them being targeted by infringers. A dot-brand means that a company can maintain control over all websites operated on the extension in question, which can provide a source of security for customers, but this can only be effective if the customer base is made sufficiently aware that the system is in place (i.e. if they know that only the dot-brand website is the official one). It is also noteworthy that, although some use is made by the brands in question of their dot-brand TLDs, all three of the brands mentioned above still utilise their legacy dot-com as their primary website presence, and this (or a regional equivalent) is the top-ranked result in Google in each case.
References:
[2] https://www.nwemail.co.uk/news/24759294.amazon-evri-royal-mail-customers-issued-christmas-warning/
[3] We require the brand name to appear at the start so as to minimise the number of false positives generated by the more generic terms (e.g. 'ups'), which can commonly appear as sub-strings of other terms
[4] The keywords are: login, verify, deliv*, track, parcel, package, pay, status, service, updat*
[5] For the subset of domains for which the creation date was available via an automated whois look-up (1,436 in total)
[6] i.e. return an HTTP status code of 200
[7] SLD is the second-level domain, i.e. the part of the domain name to the left of the dot
This article was first published on 3 January 2025 at:










 
 
 
 
 