Developing a methodology for benchmarking marketplace brand infringements

Introduction

One of the primary aims of a brand-protection programme is typically the ability to determine the extent of brand infringements on e-commerce marketplaces - and ideally, to be able to benchmark this metric against comparable competitor brands. In this article, I discuss a simple initial possible methodology for quantifying this characteristic, based on the price point of the items in the listings returned in response to a brand-specific search (with a low price point typically indicating that a listing may be of interest). 

The methodology considers the first page of results returned on any given marketplace, in response to a relevant search, and attempts to quantify the proportion of infringing listings within this dataset - a concept which is familiar from other areas in which metrics for measuring infringements or brand-protection effectiveness are required (e.g. where one aim of a brand-protection programme might be to 'clean up' the first page of results, so that only legitimate products or sellers are returned, and no infringing products are present). 

On marketplaces, listings of potential interest can typically fall into a range of categories, including counterfeit goods, trademark infringements, compatible items, 'grey-market' trade (i.e. legitimate goods sold outside approved channels), legitimate second-hand goods, and so on. Attempting to quantify the overall level of infringements based purely on price point will always therefore have shortcomings, and it may also be necessary to apply some degree of 'filtering' in order to obtain meaningful results and compare like with like. Of course, in practice, any definitive determination of infringement type will always require more detailed manual analysis for each listing (potentially also combined with other factors such as test purchases). However, in this article, I consider a high-level approach which may be at least partially automatable.

Since a simple search for just a brand name will be likely to return a mix of product types (with an associated range of prices, even for the legitimate items), I take the approach of considering one or more specific products for each brand, each of which will have a single, well-defined price for the legitimate item.

Exploring a test case

In this investigation, I consider the iPhone 14 Pro - an example of a relatively new, high-desirability product of a type which is typically prone to counterfeits and other infringement issues. I consider the listings returned on the first page of results of a specific marketplace on 01-Mar-2023, approximately six months after the initial official release of the product^[1]. 

Since one of the aims of the analysis is to be able to benchmark against other brands and products, it will be beneficial to compare the marketplace listing prices against the actual price of the genuine product, rather than just considering the absolute numbers. This can be achieved by expressing the price per item in the marketplace listing as a proportion of the genuine item list price ($999 in the case of the iPhone 14 Pro^[2]) - a measure I refer to as 'relative price'.

Where appropriate, it may also be necessary to apply a product-type filter to the results provided by the marketplace - for example, a simple search for 'iPhone 14 Pro' may return a mix of product types (including phones, accessories, and so on); however, setting the product type filter to 'mobile phones' specifically will (in theory) only return listings for phones themselves, so the spread of prices across the listings will be more reflective of the types of infringements present across the dataset of mobile-phone results. 

Even then, a low price point (say) is, in itself, not necessarily indicative that a listing represents a counterfeit product. Other types of listings (such as legitimate second hand-products and trademark infringements - e.g. where a brand name is used in the listing title so as to attract search traffic to the listing, but the listing itself is for a third-party branded product) may also be associated with low prices. The first possibility can be mediated to some degree by considering only specific marketplaces where the extent of second-hand trade is limited (e.g. B2B marketplaces)^[3]; conversely, separating out (say) counterfeits from other infringement types is much more difficult using only a largely-automated, price-based approach. However, the argument can be made that all such listings (with low price points) are likely to be infringing in some way - all we are therefore looking to do is quantify the overall size of this general infringement landscape.

As an illustration of the results, shown below (Table 1) is an overview of the top ten results returned in response to a listing for 'iPhone 14 Pro' on the marketplace in question, with the product filter set to 'mobile phones'.

Title	Price per item (min. listed) ($)	Min. order quantity	Quantity (max. listed)	Brand name	Relative price
Wholesale mobile phone Original Smart   5G Mobile Cell Phones for iphone 11   128GB	50.00	2	300	for Apple	0.050
New Arrival Original Brand Phone 11pro   max 12 mini Waterproof Face   Recognition 256gb 512gb 1TB Game   Mobile Phone for iPhone 13	399.00	2	50	original	0.399
Smartphone mobile iphone 11ProMax   256gb 5g usa spec original no scratches   body low price for wholesale 6.5inch   screen game phone	497.00	1	1	Other	0.497
Hot Selling PHONE 14 PRO MAX 12GB+   512GB 6.7 Inch full Display Android   10.0 Mobile Phone I13 PRO MAX Cell   Phone Smartphone	27.72	1	99,999	Android   Smartphone	0.028
Low price wholesale smartphone 14   Pro Max 8GB+256GB 7.3in 8core 4G   LET global Edition smartphone	72.00	1	1,000	W&O	0.072
New Global I 14 Pro Max Cell Phone 7.3   Inch Big Screen 5G Smartphone 16GB +   1TB Global Unlock Dual SIM Android   Mobile Phone	95.00	1	10,000	Other	0.095
Free shipping phone I13 pro max 8GB+   256GB 6.7 Inch full Display Android 10.0   Mobile Phone PHONE13 PRO MAX Cell   Phone Smartphone	66.00	1	99,999	Smartphone   S22	0.066
i13 Pro cash on delivery mobile phone 8+   16MP New Original Unlocked Smartphone   6.8" Display OEM	66.00	1	99,999	Android   Smartphone	0.066
High Quality i 14 Pro Max 5G 6.8 Inch   Original Mobile Phone 16GB+1TB Large   Memory Smart Phone Beauty Camera   Gaming Cellphone	32.00	1	20,000	Other	0.032
High Quality i 14 Pro Max 5G 6.8 Inch   Original Mobile Phone 16GB+1TB Large   Memory Smart Phone Beauty Camera   Gaming Cellphone	55.10	1	20,000	Other	0.055

Table 1: Details of top ten listings returned in response to a search for 'iPhone 14 Pro', with the product filter set to 'mobile phones'

Notes:

• The 'price per item' is given as the lowest price referenced in the listing, in cases where the unit price may vary dependent on the quantity offered.

• The 'quantity (max. listed)' value is given as either the maximum quantity stated as being available, or the maximum quantity for which a unit price is specified in the listing (whichever is greater).

From the total set of (48) listings returned on the first page of results, a number of other observations are particularly noteworthy:

1. None of the listings contains what would normally be described as a counterfeit product; none shows Apple branding in the product image, and none cites the product brand name as Apple (with the exception of the first listing, in which the product is stated as 'for Apple'; this is a technique commonly used by sellers to describe compatible products - although this would be largely non-sensical for a smartphone listing - or as a means of circumventing enforcement efforts), though some listings do give the brand as 'original' or 'OEM'. However, many of the listings in the dataset would constitute trademark infringements, with brand names given in several cases as 'other', 'Android smartphone', or a brand name referring specifically to the seller in question.


2. Several of the returned listings appear not to be infringing the iPhone 14 Pro product in any way, as the marketplace seems to also return a number of listings referring only to one or more of the individual keywords in the search phrase. Only a subset of the results (those referring explicitly to '14pro' or 'phone14' (both with or without spaces) - shown in bold text in Table 1) are likely to be directly infringing. Accordingly, when carrying out the price-point analysis, it will be beneficial to apply some filtering in order to exclude all except these listings. 


3. It is also informative that a number of the relevant listings do make reference to 'i 14 pro' or 'I14 pro' - presumably as a way of avoiding directly infringing the iPhone brand name, and potentially also aiming to circumvent detection. Use of brand variations of this type is popular with infringers.


4. Amongst the listings, a range of maximum quantities (per listing) was observed, from 1 to 10,000,000.


5. All except one of the listings are for sellers based in China, with a significant number operating out of the manufacturing centres of Shenzhen, a trend which has frequently been observed for sellers of infringing products.

For the 48 listings, the distribution of relative price per item is as shown in Figure 1.

Figure 1: Distribution of relative price per item, for the full set of 48 listings returned on the first page of results in response to a search for 'iPhone 14 Pro', with the product filter set to 'mobile phones'

The results show strikingly that the listings are dominated by products at a very low price point, with the vast majority of items at 10% of list price or lower (i.e. ≤ 0.10 relative price). 

It is instructive to consider some examples of the listings with the lowest price point (excluding the non-'14pro' and non-'phone14' results, as discussed in point (2) above), to analyse the types of infringement present. Of the five listings with the lowest relative prices, for example, all are offering high quantities of items (up to between 10,000 and 99,999), and all appear to represent trademark infringements (or potentially to be involved in the supply chain for counterfeit products) (Figure 2).

Figure 2: Examples of listings with very low price points, both offering 'customized logo' and 'customized packaging' for bulk orders

For developing this methodology further, it is advantageous to express the number of listings in each relative price 'bin' as a proportion of the total, rather than as an absolute number. This has a couple of advantages, specifically:

• It allows for easier comparison across different marketplaces, where the number of results returned by page may differ.

• It allows filtering of results to remove any 'false positives' (as discussed in point (2) above).

It also simplifies the calculations if the bins are a consistent width throughout (in this case, 0.02).

This therefore gives the results for the iPhone 14 Pro search for the marketplace in question in the format shown in Figure 3 below (in which the 20 non-relevant listings have been excluded).

Figure 3: Distribution of relative price per item, for the set of listings returned on the first page of results in response to a search for 'iPhone 14 Pro', with the product filter set to 'mobile phones', and with non-relevant / non-infringing listings excluded

In order to carry out the benchmarking across different brands or marketplaces, it is also useful to construct a single metric (or value) which provides a measure of the distribution of relative price points across the set of listings. Essentially, we would like this number to represent the proportion of the 'area under the graph' at the low-price-point end of the relative price distribution chart. 

This can be achieved by summing up the heights of the individual columns, but weighting more heavily (i.e. applying a larger multiplying factor(s) to the heights of) the columns at the low-price end. The weightings can be selected in a number of different ways; one possible methodology is to calculate a weighting which is inversely proportional to the relative price value at the mid-point of the bin in question (such that, for example, the height of the column for the bin associated with a price-point range of 0.00 to 0.02 - i.e. with a mid-point of 0.01 - is weighted by a factor of (1/0.01), or 100).

This methodology allows us to calculate a single price-point metric (P)^[4], whose value increases according to the proportion of the listings in the sample associated with lower price points (and therefore provides a measure of the potential scale of the infringement landscape). In the case where all listings have a relative price of 1.00 (i.e. potentially just a set of legitimate product listings), the value of P will be 1^[5]. In this case, for the distribution of iPhone 14 Pro listing price-points shown in Figure 3, the value of P is 19.180.

The approach thereby allows us to benchmark the product against other products, brands, or marketplaces. For example, considering the same marketplace, but looking instead at the comparable Galaxy S23 Ultra product (RRP = $1199.99)^[6], and similarly applying filtering to remove non-relevant listings, we obtain the price distribution as shown in Figure 4.

Figure 4: Distribution of relative price per item, for the set of listings returned on the first page of results in response to a search for 'Galaxy S23 Ultra', with the product filter set to 'smart phones', and with non-relevant / non-infringing listings excluded

In this case, the price-point metric value (P) is 21.643, indicating a greater proportion of listings at the lowest price points than for the iPhone product on the same marketplace, and potentially therefore a larger infringement landscape. This is consistent with what we can subjectively see in Figure 4, with a greater peak in the lowest occupied relative-price bin (between values of 0.02 and 0.04).

Conclusion

Whilst taking a very simple-minded approach, the methodology discussed above does provide a basic measure of the proportion of listings in a set of marketplace results which show low price points and, by extension, a measure of the potential scale of the infringement landscape. Obviously this assertion is only valid if we accept low price point as a proxy for a listing to be of interest, but previous analysis has certainly shown that it is at least one such valid indicator (and as also borne out by the examples presented in this article).

In practice, calculation of the price-point metric could be automatable, based on collection of marketplace data using monitoring tools, combined with (a) scraping technology to automatically extract the price information and (b) filtering technology to remove false positives in the results.

By applying and expanding these ideas, it would be possible to carry out cross-brand and cross-marketplace benchmarking, and potentially to track trends in the infringement landscape over time (e.g. in conjunction with an active brand-protection programme of monitoring and enforcement).

Acknowledgements

Thanks must go to Angharad Baber, Irene Oh, Agnes Czolnowska and David Franklin for their feedback and input into this article.

References

[1] https://www.apple.com/newsroom/2022/09/apple-introduces-iphone-14-and-iphone-14-plus/

[2] https://www.apple.com/iphone/

[3] Similarly, data will be less likely to be meaningful on (for example) auction-based marketplaces, particularly in the early stages of auctions when the price point is likely to be low by definition.

[4] Formally, P = S_i [ (1/m_i) × ℓ_i ], where m_i is the relative price at the mid-point of the i^th bin, and ℓ_i is the proportion of listings in that bin.

[5] Approximately(!), depending on where the price-bin boundaries are selected to be.

[6] https://www.samsung.com/us/smartphones/galaxy-s23-ultra/buy/galaxy-s23-ultra-256gb-t-mobile-sm-s918uzgaxau/

This article was first published on 3 March 2023 at:

https://www.linkedin.com/pulse/developing-methodology-benchmarking-marketplace-brand-david-barnett/

Assessing and mediating the digital risk landscape for a brand

Introduction

For modern businesses, an Internet presence is a key part of day-to-day operations, both in terms of their own corporate infrastructure and their interaction with customers. However, the ease and low cost of access to online content, combined with the ubiquity of Internet use, means that online channels present a very attractive environment for bad actors to abuse trusted brands for their own gain. Traditional areas of infringement - including counterfeiting, online fraud (such as phishing) and piracy - continue to remain popular, in addition to other types of content which can be damaging to company revenue, reputation, or customer experience^[1]. These might typically include categories such as traffic misdirection, false affiliation, potential brand confusion, or negative comment and activism^[2]. Additionally, new types of content (such as 'Web3' areas including NFTs and blockchain domains^[3]), and new online channels, are continually emerging. 

Other kinds of digital risk, such as the growth in the prevalence of malware and ransomware, instances of DNS attacks and distributed denial-of-service (DDoS) attacks, and other direct attacks against company or employee infrastructure (such as social engineering and BEC (business e-mail compromise) attacks, are also of concern. Frequently, these areas are also linked, with (for example) phishing increasingly recognised as the most common attack vector for malware distribution^[4].

This threat landscape produces an environment in which the protection of company brands is ever more important. A robust cybersecurity posture needs to encompass protection of official corporate portfolio domains (i.e. domain-name management and security) and tackling third-party activity on the open Internet ('outside the firewall') (i.e. 'classic' brand protection - which itself needs to consist of monitoring for threatening content and enforcement against infringements). Only by having both elements working successfully together can an organisation be confident that they are adequately protected from cybersecurity risks^[5]. 

Before an effective ongoing programme can be put in place, it is essential to conduct an assessment of the pre-existing landscape, to determine the main issues and areas of risk, and work out where remediating action will be required going forward. Additionally, it is often necessary to attempt to numerically quantify the scale of the issue, so that determination can be made of the likely return on investment of a cybersecurity programme, and thereby justify the spend to management.

Assessing the landscape

i. The corporate domain name portfolio

The set of domain names owned by a company will typically include the 'core' or 'critical' domains used in the day-to-day execution of business (such as those providing infrastructure for their websites and e-mail) and a broader set of 'tactical' domains, held to prevent them from being acquired by third parties, or intended for future use relating to new brand or product launches, or geographical expansion. 

When considering the protection of corporate domains, there are a number of security products available, particularly where the domain-name management is overseen by an enterprise-class registrar. These products are designed to address a range of security issues, such as the risks of DDoS attacks (addressed by DNS hosting redundancy), hacking and site re-direction (by DNSSEC^[6]), spam, e-mail spoofing, and phishing (by SPF^[7], DMARC^[8] and DKIM^[9]), unauthorised DNS changes and domain hijacking (by MultiLock), and use of unauthorised certificates (mediated by the use of CAA^[10] records). Implementing all of these measures for all corporate domains would generally be prohibitively costly, and therefore it is important to be able to identify the most business-critical domains, where the greatest levels of protection are required. An effective enterprise-class registrar will typically have technology to assist brand owners with making these determinations.

It is also generally advisable for brand owners to review their portfolio of tactical domains and determine where additional registrations may be required. Again, registrars geared towards the provision of services for large corporations will generally be able to assist with this determination. Typically, this assessment will include a domain availability analysis, where domain names consisting of key brand terms (particularly the brand name itself) as the second-level domain name (SLD)^[11], across the full set of possible domain-name extensions (top-level domains, or TLDs), are investigated to see whether they are currently owned by the brand owner, are owned by third parties, or are available for registration. Where domain names are owned by third parties, it may be appropriate to launch enforcement or acquisition actions, depending on a number of factors (such as whether the domain name constitutes an infringement of intellectual property, or whether the brand owner would like to take ownership of the domain), or to monitor the domain name for future changes to site content or configuration features. These might include the presence of (for example) MX^[12] records, which can indicate that the domain is being 'weaponised' for use of its e-mail functionality.

When considering which available domains may be desirable to register, there are several points to bear in mind. The most relevant domain names are likely to be those where the SLD consists just of the brand name itself. In general, it will be advisable to register these domains across all common TLDs and those corresponding to countries where the company has current or planned business operations. However, previous studies have established that there are also specific ('high-threat') TLDs which tend to be generally popular with fraudsters and infringers^[13] (for example, those where the domain-name providers offer low- or no-cost domain registrations or have lax registration security policies^[14]), so it may also be advantageous to secure key domain names across these extensions to prevent them being utilised elsewhere. Outside of these areas, domain names including high-relevance keywords, or typo / character-substitution variants commonly used by bad actors, may also be worth securing. For example, accented or non-Latin characters which appear visually similar to ordinary Latin characters, or replaced characters which are adjacent on standard keyboard layouts, are commonly used by infringers to create typo domain names which are deceptive or designed to collect misdirected web traffic^[15,16]. However, a defensive policy can only take a brand owner so far; in practice, there are infinite variations of official corporate domain names which can be registered by bad actors, so management of a comprehensive corporate domain portfolio should always be accompanied by a robust brand-protection solution to monitor potentially harmful third-party activity.

ii. The Internet landscape

The first step in an online brand protection programme is often a one-off landscape audit, to determine the scope and scale of the issues, and determine which Internet channels present the greatest problems. Some of this assessment can be carried out using simple manual searches - for example, it may be beneficial (for brand owners associated with the manufacture of physical goods which may be subject to counterfeiting and other types of e-commerce infringements) to carry out a 'marketplace sweep'. In its simplest form, this involves carrying out searches for the brand name across a range of popular e-commerce marketplaces, to determine how many results are returned. Using assumptions about the proportions of listings which are typically infringing on each site (potentially combined with additional filtering if, for example, the brand name is a relatively generic term in its own right), it is possible to make a high-level estimation of the total number and value of infringing listings on each site, which can be used as an input for a potential return-on-investment calculation^[17]. 

However, in practice, a full assessment of the infringement landscape can be carried out only by a comprehensive brand-monitoring scan. Brand-protection service providers will typically use monitoring technology to carry out searches, which may incorporate keyword-based and image-search or matching components, often with elements of artificial intelligence or machine learning, to automatically categorise and prioritise results. In many cases, this is then accompanied by manual analysis, to exclude false positives and extract the most significant findings. 

When carrying out any kind of online brand monitoring project, there are a number of factors to consider:

• It is generally advisable to approach the problem holistically and cover as many channels as possible, typically incorporating (where appropriate) general Internet content (including branded domain names), social media, e-commerce platforms, mobile apps, and so on. This is important both because these areas are essentially just different environments where the same types of infringement can occur, and also because these channels are becoming increasingly interlinked, and the distinctions between them increasingly blurred.

• Monitoring should make use of multiple data sources, in order to ensure that coverage is as comprehensive as possible. Typically these might include:

• Internet metasearching and web crawling - This involves the submission of brand- and industry-related terms to search engines, analysing the pages returned, and crawling hyperlinks. Whilst it is not possible to identify all potentially threatening content via this route, it does address the areas of the Internet which have highest 'visibility' and are most likely to be encountered by general web users.

• Domain-name zone-file analysis - Many brand-protection service providers will have access to zone files, which are datafiles published by the operators of registry organisations (the entities overseeing the infrastructure of specific domain-name extensions, or TLDs), and contain lists of all registered domain names across the TLD in question. By downloading and analysing these zone-files on a regular (typically daily) basis, and comparing current with previous versions, it is possible to identify the registration of new domains with names containing strings of interest (such as a brand name). This technique can yield comprehensive and timely detection of relevant branded domain names across TLDs where zone files are available; however, for some domain extensions (particularly country-specific TLDs), registries are not obliged to publish the zone files, so the information may be incomplete or unavailable. Some of these gaps can be filled in using other techniques, such as parallel look-ups (checking for the existence of 'cousin' versions of detected domains (i.e. those with the same SLD) across other domain extensions), or searches across the full set of TLDs for the existence of domains with specific name-strings (SLDs) of interest. The most sophisticated domain-monitoring solutions are also able to intelligently search for domains containing brand variants (such as fuzzy matches - including missing, additional, replaced, or transposed characters - or soundalike versions)^[18]. 

• Direct site querying - For sites known to be of interest in advance of the monitoring (such as specific social-media platforms, e-commerce marketplaces, mobile app stores, etc.), it may be possible to search the sites directly using their own in-built search functionality or (if available) via an API, which provides relevant data in a structured, database-like format.

• Phishing detection techniques - Some of the most egregious infringements (such as fake sites soliciting for the input of customer credentials) may not be accessible through any of the above monitoring techniques (for example, if the infringing site does not feature the brand name in the domain name, and is not linked-to from other sites which are indexed by search engines), and may be designed to receive traffic only (for example) via links in specifically-constructed e-mails. In these cases, it may be appropriate to augment 'classic' brand-monitoring methodologies with other techniques, such as the use of spam traps and honeypots, and other data feeds like customer abuse mailbox data and webserver logs^[19].

Determining where ongoing action is required

An initial audit of the pre-existing infringement landscape will help to identify the immediate areas of priority for ongoing monitoring, though it is generally advisable to maintain an element of holistic monitoring for the appearance of new threats across all relevant channels, combined with partnership with one or more consultancy providers who can advise on the emergence of new areas of potential concern.

In order to deal with identified infringements, the central idea is the use of enforcement techniques to ensure the deactivation of threatening content. The most effective enforcement programmes will offer a 'toolkit' of possible approaches, from low-cost, low-complexity, primary actions such as cease-and-desist (C&D) notices, through secondary approaches like host-level content removals or registrar- or registry-level suspensions, up to longer-term, complex tertiary approaches like domain-dispute processes and legal actions. This allows the brand owner to select the most cost-effective and efficient approach in any given case, whilst reserving other options for when escalation is required^[20]. Enforcement not only protects the brand and its customers, but can provide a deterrent effect to infringers and can be a pre-requisite for retaining IP protection.

A key element of this aspect of the programme is the ability to prioritise the identified findings. Typically, a brand-monitoring solution will identify large numbers of findings of potential interest, and it is therefore essential to be able to determine which present the greatest level of actual (or potential future) threat, so as to be able to focus the initial enforcement efforts (or the targets for ongoing monitoring) in the most impactful places. 

This prioritisation process can incorporate a range of different ideas:

• To a high level, infringements can be categorised into a number of types (comprising categories such as phishing, traffic diversion, negative brand association, potential brand confusion, false affiliation, etc.), which can themselves be assigned severity classifications. The exact specifications may vary from one brand owner to another (based on industry area, individual views on level of threat, risk tolerance, and so on), but might broadly be categorised as lower-threat 'brand abuse' (covering unenforceable content or simple breaches of corporate guidelines), through 'brand infringement' (constituting contravention of intellectual property protection), up to 'brand fraud' (where the brand usage is actively criminal, such as phishing or the sale of counterfeits).

• Individual infringements can also be analysed using algorithms to quantify the level of threat they pose (or are likely to present in the future). This methodology can use a variety of the website’s characteristics as its inputs, many of which can be applied even when there is not yet any active site content. These characteristics might include features such as:

• (If present,) the nature of any active content on the website.
• The similarity of the domain name to that of the brand owner's official website (or the presence of brand-name variations, typos, etc.).
• The domain name extension (TLD) – of particular concern will be the use of a 'high-threat' TLD.
• The amount of web traffic received by the site.
• Characteristics of the registrant, registrar or ISP (hosting provider) (specifically taking account of features such as the use of privacy-protection services, webmail e-mail addresses, high-threat or non-compliant service providers, locations in countries where enforcement is difficult, etc.).
• The presence of an MX record - this indicates that the domain has been configured to be able to send and receive e-mails and could therefore be associated with phishing activity.

• Clustering technology can be used to group together related infringements on the basis of shared characteristics. This can be advantageous as it can help identify instances of serial infringers which may be targets for prioritised enforcement action, can reveal evidence of bad-faith activity (e.g. multiple distinct brands being targeted) which can help build a stronger case for enforcement, and raises the possibility of efficient bulk takedowns in a single action.

Conclusion

A thorough brand risk assessment is essential to ensure that the resources associated with a cybersecurity and brand-protection programme are focused in the correct places. Typically, this process involves:

• An initial assessment of the key areas of concern, using:

• (For the official domain portfolio,) a review of all domains in the portfolio, to determine: (a) which are the critical 'core' domains; (b) which security measures are currently in place for each domain; and (c) what are the 'gaps' in the domain portfolio.

• (For general Internet content,) a broad sweep across a wide range of channels and using a comprehensive set of data-collection techniques.

• Filtering and prioritisation of the findings to identify the targets for follow-up action (i.e. additional domains security measures to be deployed, requirements for additional defensive domain registrations, and the key third-party infringements requiring enforcement action or future monitoring).

• Implementation of the above actions and ongoing monitoring.

It is also generally appropriate to include a subsequent periodic review process, to assess the impact of the programme and realign strategies where necessary. Impact is often measured through some sort of return-on-investment calculation, which can typically be much more robust once specific measurable mediating actions (such as enforcement takedowns) have been carried out^[21].

The choice of a suitable service provider with which to partner is frequently a crucial component of this process. An enterprise-class provider will typically be able to offer a more holistic range of security products and solutions, will avoid practices (such as the operation of domain marketplaces, and monetisation of trademarked domain names using pay-per-click links) which can contribute to fraud and brand abuse, and will typically operate under strict internal security policies to reduce the risk of hacks and data breaches^{[22,23,24,25]}. Use of an enterprise-class provider also generally improves the security posture of a brand owner, increasing the ease of access to - and lowering the cost of - cyberinsurance^[26,27]. Brand owners should also be mindful of their selection of suppliers and vendors more generally, as bad actors frequently target corporations via the weakest point in their supply chain, particularly at times of heightened vulnerability arising from external real-world events^[28,29]. 

References

[1] https://www.cscdbs.com/blog/brand-abuse-and-ip-infringements/

[2] https://www.linkedin.com/pulse/holistic-brand-fraud-cyber-protection-using-domain-threat-barnett/

[3] https://www.linkedin.com/pulse/rise-nft-david-barnett

[4] https://www.cisa.gov/stopransomware/general-information

[5] https://securityboulevard.com/2022/07/online-brand-abuse-is-a-cybersecurity-issue/

[6] DNSSEC = Domain Name System Security Extensions

[7] SPF = Sender Policy Framework

[8] DMARC = Domain-based Message Authentication, Reporting and Conformance

[9] DKIM = Domain Keys Identified Mail

[10] CAA = Certification Authority Authorisation

[11] The second-level domain name (SLD) is the part of the domain name to the left of the dot

[12] MX = Mail exchange

[13] https://www.cscdbs.com/blog/the-highest-threat-tlds-part-2/

[14] https://www.cscdbs.com/blog/the-highest-threat-tlds-part-1/

[15] https://www.cscdbs.com/en/resources-news/threatening-domains-targeting-top-brands/

[16] https://www.cscdbs.com/assets/pdfs/Domain_Security_Report_2021.pdf

[17] https://www.worldtrademarkreview.com/anti-counterfeiting/return-investment-proving-protection-pays

[18] https://www.worldtrademarkreview.com/global-guide/anti-counterfeiting-and-online-brand-enforcement/2022/article/creating-cost-effective-domain-name-watching-programme

[19] https://www.cscdbs.com/blog/the-continued-rise-of-phishing-and-the-case-of-the-customizable-site/

[20] https://www.cscdbs.com/blog/four-steps-to-an-effective-brand-protection-program/

[21] https://www.linkedin.com/pulse/calculation-return-investment-brand-protection-thoughts-david-barnett/

[22] https://www.cscdbs.com/en/resources-news/impact-of-covid-on-internet-security/

[23] https://vmblog.com/archive/2023/01/11/csc-2023-predictions-staying-secure-in-2023-and-making-it-the-year-of-action.aspx

[24] https://techbeacon.com/enterprise-it/enterprise-it-predictions-2023

[25] https://www.cscdbs.com/en/resources-news/domain-security-report/ (2022)

[26] https://securityscorecard.com/resources/the-impact-of-enterprise-class-domain-registrar-utilization-on-overall-security-ratings

[27] https://www.wsj.com/articles/buying-cyber-insurance-gets-trickier-as-attacks-proliferate-costs-rise-11659951000

[28] https://www.cscdbs.com/en/resources-news/supply-chain-report-form/

[29] https://www.csoonline.com/article/3672155/global-companies-say-supply-chain-partners-expose-them-to-ransomware.html

This article was first published on 10 February 2023 at:

https://www.linkedin.com/pulse/assessing-mediating-digital-risk-landscape-brand-david-barnett/

Calculation of return on investment for brand-protection programmes: Thoughts towards a new paradigm

Pre-existing ideas

Numerous previous studies have considered methodologies for calculating the return on investment (ROI) of brand-protection programmes which incorporate components of monitoring and enforcement. These ideas can be important both to justify the spend on a programme in the first place, and to assess its impact once established. Correspondingly, 'classic' ROI calculations can be categorised into two main types: the first (known as 'a priori' calculations) consider the probable infringement landscape in advance of the implementation of a brand-protection programme; the second aims to quantify the actions taken as part of an active enforcement initiative^[1]. It is the latter category with which we are primarily concerned in this article.

To a very high level, many ROI calculation methodologies use a formulation along the lines of:

R = C × E

where R, the ROI (within a given timeframe) (i.e. the benefit of the brand-protection programme, to be offset against the associated spend) is equal to the product of C, the 'cost' of a pre-existing infringement being active, and E, the number of infringements removed through enforcement as part of the brand-protection programme (in the same timeframe).

Very many assumptions are typically required in order to estimate these figures. In some methodologies, the assumed 'cost' associated with a live infringement may be reflective of an estimate of its direct financial impact (e.g. the typical loss from a phishing incident); in others it may be calculated as the proportion of lost revenue which is reclaimable following deactivation of the infringement (i.e. the 'cost' in the above formulation essentially reflecting the pre-enforcement impact of not yet having taken the infringement down). In these types of approaches, it is very rare that these figures can be measured directly and therefore a number of assumptions (or 'proxies' for the data) are required. In cases of domain acquisition, for example, it may be appropriate to make use of figures such as web traffic when quantifying impact; for marketplace listings, it is typically necessary to consider factors such as price and quantity of items in the listings removed. In both cases, the methodology needs to consider assumed conversion rates (i.e. the proportion of customers who can be 'monetised' by the brand owner - e.g. those who will make a legitimate purchase once the source of infringements is removed)^[2,3]. Even this part of the process is far from simple; complications include factors such as: 

1. The conversion rate will be (strongly) dependent on the nature and price of the item (e.g. it will be much lower for (say) an obvious counterfeit, such as an item passing off as a high-end luxury brand but with a very low price point)^[4].


2. The conversion rate for customers knowingly navigating to an official brand website will potentially be different to that for those Internet users intending to visit a third-party standalone e-commerce site (if we are considering the case where this domain may subsequently have been acquired by the brand owner and its traffic re-directed to their official site) - this consideration involves taking account of a principle sometimes referred to as the 'substitution effect'^[5]. 

Alternative proxies for the above figures may also need to be utilised, depending on the web channel under consideration (e.g. where absolute estimates of web traffic are not available or appropriate). For example, on social media, the 'exposure' or 'reach' of content can be estimated using numbers of 'likes' or followers; for mobile apps, the number of downloads may be relevant; for file sharing, it may be appropriate to consider the number of individuals accessing the content (e.g. 'seeds' and 'leechers' for BitTorrent). 

Numerous other approaches can also be taken. The ultimate objective when estimating the 'value' of a website is the identification a direct measure of the revenue it generates (e.g. via direct sales of products, for an e-commerce site). In practice, this information is almost never publicly available, though it is sometimes possible to make estimations via shipping or logistics information available through third-party databases. Some methodologies will utilise web-analytics tools to estimate value based on factors such as advertising spend by the site owner, or will analyse outgoing site traffic (e.g. to payment service provider platforms) to estimate customer volume and/or conversion rates^[6]. 

It has also previously been noted that sometimes determination of ROI can reflect more qualitative goals (i.e. the statements of 'what success looks like' for a brand-protection programme). For example, a brand owner may consider a programme 'successful' once there are no infringing results returned on the first page of search-engine results, or in pages of search results on a range of key marketplace sites, in response to brand-specific queries. Similarly, the 'ownership of the buy button' (i.e. being the first vendor listed for a particular product on an e-commerce marketplace site) might be a key aim.

The success of a brand-protection initiative can also be judged based on other (again, more quantitative) metrics which may be only available to the brand owner themselves (as opposed to, say, a brand-protection service provider partner). These might include factors such as increases in the numbers of visitors to physical stores, or in volumes of traffic to official websites (as might be directly measurable using the brand owner's webserver log information).

Beyond this, wholly different methodologies can also be applied. Some will take account of 'intangible' factors such as brand value^[7], considering the spend on brand protection to be a business cost necessary to lower the risk of damage to the brand. This type of approach is also not straightforward - higher levels of abuse can be considered an indicator that the brand is a desirable one, which can actually be reflective of greater brand value. Other factors, such as new product launches, can also affect the visibility of the brand and its likelihood of being targeted, all of which can serve to further complicate the landscape. 

However, in this article, we will primarily consider the simpler approaches discussed in previous work, and look at how they can potentially be modified to better account for the overall impact of a brand-protection programme.

Variations over time in the infringement landscape

Part 1: Single-brand analysis

In this section, we consider an extremely simplified model looking at changes in the infringement landscape over time for a brand, considering in the first instance the example of a newly-launched brand. In this case, the growth in the number of infringements over time might look something like that shown in Figure 1.

Figure 1: Mock-up of the changing infringement landscape over time for a newly-launched brand

The above framework is formulated using a timeframe expressed as numbers of months for convenience, though the timescales observed in practice may vary hugely. There is also a deliberate choice to avoid stating any quantitative numbers for the volumes of infringements, as these will also be dependent on any number of different factors - one brand may see tens or hundreds of infringements; other may see many thousands or more. Beyond these points, the construction of the above trend lines is based on the following scenario:

• Following the launch of the brand (in month 1), there is a ramp-up in the number of monthly numbers of new infringements ('N') appearing online, up to a constant level.

• There is also a (slower) ramp-up in the rate of infringements disappearing naturally from the Internet ('natural removal', 'R') even in the absence of any enforcement activity. This will arise through a combination of factors, including: content which is deactivated by the infringer following a period of use; domains expiring after their registration period; older content gradually dropping down search-engine rankings (and potentially therefore eventually ceasing to have any damaging impact), and so on.

• There is a resulting growth in the cumulative number of active online infringements ('I'), caused by the difference between the monthly values of 'N' and 'R'. 

• Finally, it seems reasonable to assume in most cases that 'I' will eventually reach a steady state, rather than continuing to grow indefinitely. This implies that 'R' will eventually 'catch up' with 'N' (possibly in part due to the fact that 'N' may also drop off slightly over time, after an initial peak in infringement activity). 

Of course, in practice the exact balance between the above numbers will be dependent on an enormous range of factors, including considerations such as the type of Internet channel. For example, marketplace listings will typically have a shorter 'lifetime' than domain registrations (affecting, for example, the rate at which 'R' catches up with 'N').

Let us now consider the case where a brand-protection programme, incorporating the introduction of enforcement actions for the removal of infringing content, is added into the picture (say, after the landscape has reached steady state in month 12) (Figure 2).

Figure 2: Mock-up of the changing infringement landscape over time, with an enforcement programme introduced in month 12

In this case, we use the following formulation:

• In month 12, the enforcement programme is introduced, which incorporates a particular level of resource sufficient to action a certain maximum number of takedowns each month. This number will of course need to be greater than the rate at which new infringements appear, if the programme is to be successful. 

• Following the introduction of the enforcement programme, the rate of natural removal ('R') of infringements will quickly drop off to zero (essentially, the infringements are being removed via enforcement quicker than the rate at which they would otherwise naturally disappear).

• As enforcement progresses, the cumulative number of infringements drops off from its pre-existing level, until we reach a steady state (the 'whackamole' phase^[8]) where the monthly number of enforcements ('E') simply needs to 'keep up' with the rate at which new infringements appear ('N'). In other words, each month a certain number of new infringements appear and these are all removed through the actions of the enforcement programme. (N.B. Equivalently, at this point we could express the 'cumulative number of infringements' ('I') as zero, depending on the point in the month at which we carry out the calculation (i.e. whether pre- or post-enforcement).)

In reality, the situation is likely to be far less straightforward, with a number of additional factors complicating the picture, including (but not limited to) the facts that:

• The types of infringements actioned over time may change (potentially starting with higher-impact or easier takedowns).

• Monitoring will inevitably start to uncover lower visibility and/or lower severity infringements once the initial high-visibility, high-impact infringements have been taken down.

• The rate of appearance of online infringements may change in response to the enforcement programme (e.g. infringers turning their attention to easier targets).

• The infringers may change their tactics in response to the enforcement programme (e.g. describing goods in different ways) - accordingly, both the monitoring approach and the enforcement methodologies may need to evolve in order to account for this.

Nevertheless, the above very simplistic picture does reflect some of the top-level trends typically seen in a brand-protection programme, with an initial period of 'cleaning up' the pre-existing backlog of infringements followed by a steady-state period of lower required activity, just keeping pace with new infringements as they appear. 

This being the case, we can look to this model to draw insights into how our classic ROI calculation methods could be augmented to provide a fuller picture. In many of the traditional approaches, monthly ROI calculation methodologies make use just of the total monthly numbers of enforcements carried out ('E'). Although the drop-off in the numbers of pre-existing infringements is reflected in the ROI calculations associated with the enforcements carried out during the 'ramp-down' phase itself, it is usually not reflected in the ongoing calculations during the subsequent 'whackamole' phase. Really, it may be preferable to make use of the difference between the ongoing number of infringements ('X') and that observed at the start of the programme ('Y'), if we are to fully assess the impact of the brand-protection programme. In other words, rather than using the number 'X' as the basis of our monthly ROI calculation, it might instead be better to use 'Y – X'. This number instead provides a measure of the value of the ongoing brand-protection programme - essentially, reflecting the difference in the ongoing number of infringements (with the associated 'cost' of them being live) compared with that which would have been observed if the programme were not in place. In practice, determination of these numbers will require the brand-protection initiative to incorporate a comprehensive programme of monitoring (as well as enforcement) throughout, incorporating a full landscape 'audit' at the outset.

Part 2: Benchmarking and the use of controls

To further complicate the situation, what the above approach fails to consider is any changes to the infringement landscape which would have occurred if the brand-protection programme were not being carried out. This is known as the 'attribution' issue in the physical sciences. Of course, once enforcement starts being carried out, we lose the ability to see what would have happened to the numbers of infringements if they were not being actively taken down. It is well established that external factors can significantly change the infringement landscape. For example, numerous previous studies show that real-world events can drive spikes in resulting infringement activity^[9]. 

One way in which this problem can be addressed is via comparison with another 'control' brand of a similar type, operating in a similar industry area, but for which brand-protection activity is not being carried out. In practice, a brand owner can never be completely sure what any given competitor is doing, so a more realistic scenario is the use of analysis a group of industry peers, across which the infringement trends over time can be averaged to create a 'benchmark'. Of course, this requires active monitoring across all these brands, and so may be far from straightforward.

In this case, we may end up with a scenario such as that shown in Figure 3, where the control or benchmark brand (actually ideally an average of the data collected across multiple third-party brands) - which we have to assume reflects external drivers in infringement trends in the absence of enforcement initiatives - shows a change in the infringement landscape since the start of the programme for the brand being protected.

Figure 3: Mock-up of the changing infringement landscape over time, with an enforcement programme introduced for the customer brand in month 12, and compared against a (pre-existing, established) benchmark brand(s)

In the above example, the control brand shows a ramp-up in infringements during the period of the brand-protection programme, perhaps driven by an external event of some sort. Additionally, by using a benchmark comprising data from across numerous brands, we reduce the likelihood that the change is driven by some characteristic specific to one brand (such as a new product launch) and increase the likelihood that the change is representative of the industry landscape in general. 

In this case we can assume that, in the absence of a brand-protection programme, the infringement landscape for the customer brand would have increased by the same proportion as that seen for the benchmark brand(s). Therefore, instead of our ROI calculation being a function (' f ') of 'Y – X' (written as 'ROI = f [Y – X]'), we can say that:

ROI = f [ ( (B/A) × Y ) – X ]

Essentially, we are saying that, had the brand-protection programme not been in place, we might have expected the 'background' level of infringements for the customer brand also to have increased by a factor of ('B/A') by the end of the monitoring period, and so the benefit of the programme is in reducing it from this value to the value observed ('X').

Of course, the same approach can also be used if the benchmark shows a decrease in infringements across the monitoring period.

Discussion

The calculation of ROI for brand protection is fiendishly complicated, and no single approach will be applicable in all cases. In any selected methodology, it is necessary to make use of a wide range of assumptions and proxies for the data to which we would ideally like to have access. Nevertheless, there are some general industry-accepted standards for these calculations, many of which utilise metrics around ongoing levels of enforcement activity. In this article, we have considered some approaches which could be taken to modify these methodologies towards a new framework of ideas, involving the following two fundamental changes:

• Considering the difference between the ongoing levels of enforcement (as a measure of the ongoing level of infringement activity), and those seen at the outset of the programme, as a measure of the overall impact of the brand-protection programme (rather than just considering the ongoing levels of enforcement in their own right).

• Considering the use of one or (ideally) more benchmark brands, to separate out the observed change in infringement levels (for the customer brand) arising from the enforcement activity, from other background or landscape changes applicable to the industry vertical in general. 

Even then, there are still other factors to consider - the customer brand may also have experienced (company-specific) issues (such as product launches, changes in sales channels or target markets, etc. etc.) which themselves could have driven changes in the number of infringements, even in the absence of an enforcement programme or industry issues. All of this can further complicate the calculations to be carried out.

Additionally, I anticipate that the general philosophy behind ROI calculations may need to evolve further to reflect other issues more directly tied to cybersecurity, as the importance of this area becomes more widely appreciated. A former colleague of mine recently asked in a LinkedIn posting^[10]:

""So what's the cost?" is a frequent question I hear. Rather than thinking about the budget required, brands need to consider the financial and reputational costs of repairing the damage when they are impacted."

The key point here is thinking about proactive rather than reactive measures. This issue is particularly relevant when it comes to domain security, where a range of products are available to allow corporations to secure their domains from external attack vectors which can be highly damaging (from both financial and reputational points of view)^[11]. The matter is of even greater urgency in a landscape where we still see significant proportions of the world's top companies failing to adequately protect themselves^[12]. 

The expected financial loss ('L') per year due to (say) cybersecurity issues (an 'attack') is given^[13] by:

L = p_att × C_att

where p_att is the probability of an attack occurring during the year, and C_att is the financial cost (the 'damage') resulting from the attack. From this, we can say that, if the probability of an attack can be reduced (from p_att^{without_security} to p_att^{with_security}) through the implementation of domain security measures, the saving ('S') to the organisation can be written as:

S = ( p_att^{without_security} – p_att^{with_security} ) × C_att

Whilst easy to formulate, this can be much harder to quantify. However, a recent study showed that 88% of organisations were subject to some form of DNS attack in 2021, with each attack costing the enterprise an average of almost $1 million^[14]. If, then, the risk of an attack can be (conservatively) reduced from (say) 10% to 1% though the introduction of security measures, this equates to an equivalent annual saving to the company of the order of $90k. If the cost of implementing the security measures is less than this value, the return on investment will be positive. If we factor in also the implications for access to - and cost of - cyberinsurance cover, the importance of domain security products and services becomes ever clearer.

Acknowledgements

Thanks must go to Angharad Baber, Mark Barrett and David Riley for their feedback and input into this article.

References

[1] https://www.worldtrademarkreview.com/anti-counterfeiting/return-investment-proving-protection-pays

[2] https://www.worldtrademarkreview.com/global-guide/anti-counterfeiting-and-online-brand-enforcement/2022/article/creating-cost-effective-domain-name-watching-programme

[3] https://www.cscdbs.com/blog/four-steps-to-an-effective-brand-protection-program/

[4] https://circleid.com/posts/20220726-calculating-the-return-on-investment-of-online-brand-protection-projects

[5] 'Digital Brand Protection: Investigating Brand Piracy and Intellectual Property Abuse' by Steven Ustel (2019). Chapter 17: 'Accounting and Accountability'

[6] 'Digital Brand Protection: Investigating Brand Piracy and Intellectual Property Abuse' by Steven Ustel (2019). Chapter 9: 'Pivots'

[7] https://www.cscdbs.com/blog/brand-abuse-and-ip-infringements/

[8] By 'whackamole' in this context, I am referring to a consistent state in which infringements are reactively taken down as quickly as they appear (rather than implying a random or disordered approach).

[9] https://www.linkedin.com/pulse/four-new-case-studies-domain-registration-activity-spikes-barnett/

[10] https://www.linkedin.com/posts/stuart-fuller-17a7411_what-cisos-can-do-about-brand-impersonation-activity-7027979839747846144-E6ak

[11] https://www.linkedin.com/pulse/holistic-brand-fraud-cyber-protection-using-domain-threat-barnett/

[12] https://www.cscdbs.com/en/resources-news/domain-security-report/ (2022)

[13] This follows from the fact that, mathematically, the expected value ('E_x') of a variable ('X') is given by:

E_x = S_i ( p(X_i) × X_i ), where p(X_i) is the probability of X taking the i^th value

[14] https://www.efficientip.com/wp-content/uploads/2022/05/IDC-EUR149048522-EfficientIP-infobrief_FINAL.pdf

This article was first published on 9 February 2023 at:

https://www.linkedin.com/pulse/calculation-return-investment-brand-protection-thoughts-david-barnett/

Hyphenated-domain infringements

Introduction

In this latest study, I consider domain-name infringements consisting of close matches to official brand websites, but differing only in the addition of a hyphen within the domain name. This follows on from previous studies looking at highly-convincing deceptive URLs, such as those utilising exact matches, homoglyphs or fuzzy matches^[1], or hostname-based infringements^[2]. An example of this type of infringement being used for fraudulent purposes was identified in November 2022, for a financial-services brand. The scam comprised a phishing attack utilising a SMS message as the attack vector; a mock-up of the SMS message (represented using the fictitious brand financebrand.com) is shown in Figure 1.

Figure 1: Mock-up of an SMS phishing message utilising a hyphenated-domain infringement

The scam - which utilises the infringing domain name financebran-d.com - has been cleverly designed to take advantage of the tendency of mobile SMS clients to split URLs after the '-' symbol, thereby creating the appearance of the official domain name (financebrand.com) split across a line-break with a breaking-hyphen (as is seen in the other text at the start of the message).

Methodology

To investigate the popularity of this type of infringement, I considered domain registration activity in which the domain name is an exact match to the name of any of the top ten most valuable brands in 2022 according to Interbrand^[3], but including a hyphen between any pair of adjacent characters (e.g. for Google, I searched for 'googl-e', 'goog-le', 'goo-gle', 'go-ogle' and 'g-oogle')^[4]. The analysis encompasses new registrations ('N'), re-registrations ('R') and drops (domain lapses) ('D') (collectively referred to as 'events').

In practice, the types of variation considered in this study would be covered by the 'fuzzy' match category included within sophisticated domain monitoring technologies, when simply searching for the brand string itself.

Findings

The dataset included 252 distinct domain registration activity events for the brand variations under consideration, representing 140 distinct domain names (of which 83 were still registered as of the time of analysis^[5] - i.e. those for which the most recent event was not a 'D'). The breakdown of these domains by targeted brand and TLD is shown in Figures 2 and 3.

Figure 2: Breakdown of the 140 distinct hyphenated domain variants by targeted brand

Figure 3: Breakdown of the 140 distinct hyphenated domain variants by TLD

Of the 140 domain names, only 14 (10%) are explicitly registered to the associated brand owner (where the domains are registered and whois information is available), with the remainder registered to third parties and/or utilising privacy-protection services or having redacted information. 11 of the 14 officially owned domains have been configured to re-direct to the main brand website (with the other three not resolving to any live site).

The following is a summary of the characteristics of the 126 remaining sites:

• 27 (21%) are configured with active MX records, indicating that they have been configured to be able to send and receive e-mails, and could potentially be used for phishing attacks.

• One (no longer live) displays a browser warning indicating that dangerous content was formerly present.

• Two are configured to re-direct to the corresponding official brand website.

• The remainder display a range of content types, as shown in Figure 4.

Figure 4: Overview of content types on the 126 non-official domains in the dataset

Of the 73 possible permutations of .com domains (i.e. those with the greatest potential for confusion with the primary official .com site for the respective brand in question), 30 are present in the dataset, of which only 9 are registered to the brand owner, and 9 are configured with active MX records (of which only one is officially owned). 

Figure 5 shows examples of some of the unofficial sites within the overall dataset found to resolve to live content of potential concern.

Figure 5: Examples of live sites hosted on hyphenated domain-name variants targeting the Nike (top), Amazon (middle), and Microsoft (bottom) brands

Summary and recommendations

The analysis shows that the registration of hyphenated domain-name variants targeting the most valuable brand names, by entities other than the brand owners, is a significant issue and may be growing (as 24 of the 71 third-party domains for which creation dates are available were registered in 2022, compared with 17 in 2021, 6 in 2020, and 24 across all earlier years). 

Around one in five of the domains are configured with active MX records, and of the domains resolving to live content, a range of types of site content were identified. These include examples where web traffic is misdirected to third-party content, and others where the sites are being monetised through the inclusion of pay-per-click links or offers to sell the domain name. This indicates that not only do these domains present the potential for convincing attack vectors in phishing activity, but they may also be taking advantage of misdirected traffic arising from mis-typed search queries or browser requests. It is also noteworthy that the list of top TLDs within the dataset includes a number of new-gTLDs, many of which have previously been noted as being popular with infringers^[6,7,8,9].

These findings highlight the importance for brand owners carrying out proactive and comprehensive programmes of brand monitoring and enforcement, to identify and takedown infringing third-party content. Additionally, brand owners may wish proactively to consider defensively registering hyphenated variants of their core domain names, to prevent them being registered by third parties for fraudulent or infringing use.

References

[1] https://www.cscdbs.com/en/resources-news/threatening-domains-targeting-top-brands/

[2] https://www.linkedin.com/pulse/exploring-domain-hostname-based-infringements-david-barnett/

[3] https://interbrand.com/best-global-brands-2022-download-form/; the brands are: Apple, Microsoft, Amazon, Google, Samsung, Toyota, Coca-Cola, Mercedes-Benz, Disney, Nike

[4] N.B. I exclude from this study any variants where the hyphen appears in the same location as a hyphen or space in the brand name itself (i.e. 'coca-cola' and 'mercedes-benz'), since these are considered exact matches to the brand name, rather than hyphenated variants. I do, however, consider the existence of variants such as 'coca-col-a' and 'cocacol-a'.

[5] All observations correct as of 22-Nov-2022

[6] https://www.cscdbs.com/blog/branded-domains-are-the-focal-point-of-many-phishing-attacks/ 

[7] https://circleid.com/posts/20210908-credential-hinting-domain-names-a-phishing-lure

[8] https://unit42.paloaltonetworks.com/top-level-domains-cybercrime/ 

[9] https://www.cscdbs.com/blog/the-highest-threat-tlds-part-2/

This article was first published on 8 February 2023 at:

https://www.linkedin.com/pulse/hyphenated-domain-infringements-david-barnett/