As proposed by ICANN staff, the EOI model would have required that all entities wishing to apply for a new gTLD during the first round to submit basic information including the requested string and a fee of $55,000.

However, much to the collective surprise of the ICANN community, the ICANN Board voted against the proposal, citing many of the reasons noted in the comments submitted by MarkMonitor. 

Members of the ICANN Board stated that confusion regarding the purpose of the model existed, and that moving forward with such a model would have added another two to three months to the process. Furthermore, that resources were being taken away from solving the “underlying problems” was also cited as a reason to vote against the model.

While the EOI was expected to provide exact information about the number of applicants expected in the first round, one of the Board Members stated that having this “extraordinary precision” was not necessary due to the fact that the “Internet is a — as a system, exhibits enormous dynamic ranges in load in every aspect.”

Interestingly enough, another Board Members stated that at the beginning of the week that he had planned to vote in favor of the EOI, but by the end of the week it had become apparent that a mandatory EOI did not have the consensus of the community.

With this result, brand rights owners and others will be able to keep their plans confidential until they are ready to apply and prepare for the application or objection process, without additional worries or early investment in the gTLD process.

So, it is without any sorrow or regret, I say RIP EOI.  

At the beginning of last year, MarkMonitor participated in VeriSign’s beta program to test server-level protections which were designed to mitigate the potential for unintended domain name changes, deletions and transfers. When VeriSign finally released their Registry Locking Program to all registrars, I expected to see the owners of highly trafficked sites flocking to this new offering. 

However, after a review of the top 300 most highly trafficked sites, I was shocked to uncover that less than 10% of these valuable domains were protected using these newly available security measures. 

So why aren’t more companies protecting themselves? 

Given the value of these highly trafficked domains, I cannot imagine that the additional fees associated with employing this level of service are the deterrent. 

I can only imagine that either the offering hasn’t been made widely available, or that confusion as to whether a domain is locked it to blame.

When it comes to domain locking, there is often quite a bit of confusion as to how to determine whether a domain is 1) “locked” within a portal, or 2) “locked” at the Registrar, or 3) “locked” at the Registry. 

Only domains that have the following statuses are considered to be “locked” at the Registry, and cannot be modified using standard protocols. 

• client delete prohibited
• client transfer prohibited
• client update prohibited
• server delete prohibited
• server transfer prohibited
• server update prohibited 

For the owners of highly trafficked domains, I would strongly recommend adding this level of security to protect valuable domains. It is there for a reason, so why not use it?

Here’s how it works. Emails which offer a free one-year warranty extension for a popular smartphone, link to a company-branded web page. That web page asks for an email address and then smartphone serial number, IMEI number, type of phone, and capacity of phone. See below for examples of the phishing web page.

Cybercriminals use the information requested on the web page to clone the smartphone for various uses, including stealing long-distance service from the subscriber or simply using a deniable, disposable smartphone for other criminal activities. In effect, the cybercriminals used phishing techniques to clone smartphones.

This recent attack also stands out because it utilizes some advanced technologies and suggests possible directions of future cybercriminal activity. First, the attack uses server-side logic that hides the phishing site unless it is accessed through the browser produced by the smartphone company. Second, the attack uses additional protective technology in the form of a fast-flux network, which hides the phishing site behind a dynamic network of ever-changing proxies. These two smart technologies demonstrate how cybercriminals continue to focus their efforts on making their attacks targeted, stealthy, and resilient.

One particular fast-flux botnet called Avalanche has received much attention in recent months as a major platform for hosting phishing sites. What has not been discussed as much is how the distinction between phishing and malware has ceased to exist.

Avalanche offers a prime example of how blended attacks are launched from a fast-flux botnet platform. Arbor Networks reported earlier this month that the cybercriminal gangs behind the Avalanche botnet and the Zeus/Zbot malware have entered a partnership whereby the Zeus malware gang is using the Avalanche fast-flux botnet to launch its attacks. “We appear to be seeing one of the groups, Avalanche, promoting Zeus malware,” observed botnet security researcher Jose Nazario. “They don’t compete, and they both have good market positions, so they can grow each other.”

Recent blended attacks hosted on Avalanche reported this month targeted a major credit card company and a large Spanish bank operating in Latin America. Cybercriminals have teamed up their best-of-breed fast-flux and malware capabilities. MarkMonitor AntiFraud anticipated these developments with its unique preventive capabilities for preemptively detecting and shutting down fast-flux-based phishing and malware attacks.

More details about recent blended attacks hosted on the Avalanche platform:

December 11: http://news.zdnet.co.uk/security/0,1000000189,39933618,00.htm
December 12: http://garwarner.blogspot.com/2009/12/ongoing-visa-scam-drop-zeus-zbot.html
December 22: http://garwarner.blogspot.com/2009/12/donde-se-va-avalanche-bbva-y-united.html

 The model is a direct result of community recommendations and is available for public comments until January 27^th, 2010. Public comments can be submitted at http://www.icann.org/en/public-comment/public-comment-201001.htm#draft-eoi.

Based on public comments, the ICANN Board will convene to review feedback and determine possible next steps in the first quarter of 2010.

Highlights of the proposed plan include:

• Participation in the EOI is mandatory for eligibility to submit a gTLD application in the first round. Subsequent application rounds will be open to any eligible applicants.
• A deposit of US$55,000 is required for the EOI, and will be used as a credit against the US$185,000 evaluation fee.
• The deposit is refundable if the New gTLD Program does not launch within a specific time period. Details will be outlined in the final EOI model.
• Participants are notified that there may be subsequent amendments to the Draft Applicant Guidebook. It is the intention to conclude many current open issues prior to initiation of the EOI process.
• A fully executed communications campaign, intended to ensure global awareness about the EOI, will precede the opening of the process.
• Participants will be required to provide specific information concerning the participating entity and the requested string.
• The participant and string information will be made public.
• The EOI launch is conditional on the conclusion of many of the outstanding issues, for example, issues concerning vertical separation and the IDN three-character string requirements. Solutions for these and other issues are expected to be included in the Draft Applicant Guidebook, version 4.

The plan as outlined by ICANN raises a number of concerns. MarkMonitor intends to submit its own comments and encourages its clients to do the same.

So, what did we find? Roughly 17% of the paid search ads for popular consumer products – such as designer handbags and shoes, music, movies, and hi-tech gadgets – led to sites likely offering counterfeit or pirated goods. This number gets even higher for certain categories, such as “designer handbags,” where an eye-opening 32% of the paid search ads led to sites appearing to sell fake handbags.

Another way to stir up more ads for counterfeit or pirated goods is by adding terms like “cheap,” “discount” or “wholesale” to a product name or category. Across all 20 product searches, for example, the share of paid search ads linking to sites selling counterfeits increased from 17% to 19% when these terms were added. In the designer handbag example, the share of paid search ads linking to suspect counterfeit sites jumped from 32% to 49%.

From these results, it is evident that counterfeiters have mastered the art of targeting buyers looking for unbelievable deals. As such, consumers need to be that much more vigilant if they’re seeking authentic products at good prices. Brand owners also need to be cognizant of the strategies employed by fraudsters and monitor not only for the use of their trademarks or product categories as keywords, but also in conjunction with terms signaling counterfeit or pirated products.

Here at MarkMonitor, we are currently seeing an uptick in cybercriminal activity targeting online retailers’ brands. Linked here is an example of a phish attack involving a well-known national retailer.

Clearly, brand-based phish and malware attacks such as this one, possess great potential to harm consumers. They also pose a great risk to customer trust and loyalty in your brand. As a result, the range of advice which you can give to your customers to promote safe online holiday shopping is extensive. Customers should:

• confirm emails from retailers which request their action through links and attachments
• confirm retailers who are highly ranked in search engine results, but are obscure or little known
• be wary of website download files
• ensure an https connection when entering financial credentials into a website
• use temporary credit card numbers
• use up-to-date anti-virus/malware software
• check their financial statements regularly

These are all useful recommendations. Unfortunately, the consumer attitude toward security, and the preventive actions they are willing to take, depends on the convenience of those actions. Consumers choose to shop online, after all, because they value convenience over other considerations, including concern about using their credit cards online.

When brand-based attacks harm consumers, they damage retailers’ brands, customer relationships, and the trust which customers have in Internet channels. As a result, these attacks present a very real business problem.

We recommend that online retailers adopt a proactive security stance toward phish and malware. This approach should include adopting preventive measures against brand hijackings and attacks in the planning stages, quickly detecting attacks which are underway, immediately responding with layered security, and analyzing attack data to refine security strategy and tactics. By educating customers and putting in place a proactive security strategy against phish and malware attacks, retailers can ensure a more enjoyable holiday season for customers and retailers alike.

Just last month we’ve seen suspicious sites targeting employees of some of the largest corporations.  In one particular example, a cybersquatter registered a domain name that closely mimicked the open enrollment benefits page of a Fortune 500 company. To illustrate using a generic company name, the squatted domain was ‘enrollcorporation.com,’ whereas the real company benefits page resided on the subdomain ‘enroll.corporation.com.’  The cybersquatter obviously was anticipating that employees would forget to type the period in the subdomain and land on its fake site. 

The squatted site contained numerous links to benefits-related pay-per-click sites (see screenshot). While it may have been the intention of the scammer to generate incremental revenue from employees who clicked through on the links, it is also very possible that the scammer was planning on changing the content to something more malicious – such as a phishing site.  We often see scammers employ this tactic to avoid any immediate takedown action and to maximize their ploys.

Fortunately, the Fortune 500 company in this case was actively monitoring for potential attacks on its brand and caught and remedied the situation quickly.  (The squatted domain was recovered and now redirects to the company’s real benefits page.)  If the site had gone undetected, you can just imagine the havoc this would have created if the site morphed into a phishing site and even a minute percentage of the company’s tens of thousands of employees had unknowingly landed on the site and disclosed their personal credentials.  

So, what’s the takeaway from this?  While most brand owners know to monitor for online scams associated with new product launches or announcements, they also need to be extra vigilant around recurring company events – such as open enrollment periods, sales events, community events, etc.  If an event is predictable, it’s very easy for scammers to devise a socially engineered scam that that preys on customers and employees’ anticipation of the event.

• 10 – Toys.com is sold for a staggering $5.1 million dollars.  read more 
• 9 – With 115 million current gTLDs, registration growth slows from 11% in 2008 down to 6%   in 2009.
• 8 – Oversee.net and SnapNames.com admit that a company executive acted as a shill bidder in the auctions of thousands of domains over a four-year period.
• 7 – UDRP marks its 10-year anniversary with more than 16,000 disputes and more than 10,000 domain name transfers.  read more
• 6 - Germany (.DE) and .BIZ announce the release of one- and two-character domain name registrations.
• 5 – Mexico (.MX), Tunisia (.TN) and Cameroon (.CM) announce the release of second-level domain registrations and the European Union (.EU), Bulgaria (.BG) Singapore (.SG) and .NAME announce the release of Internationalized Domain Names (IDNs).
• 4 – Corporate registration trends move away from the practice of registering large numbers of defensive domains as more companies adopt aggressive monitoring and policing policies.  read more
• 3 – Both registries and registrars are exploited by hackers as SQL vulnerabilities are uncovered.  read more 
• 2 – ICANN’s IDN Fast Track process is approved and applications for Top-Level Internationalized Country Codes are accepted.  read more 
• 1 – The launch of ICANN’s new gTLD program is delayed as commitments to addressing and resolving overarching issues related to trademark protection, stability and security, malicious conduct and economic demand are made.  read more 

So what can we expect in 2010?
 
While I don’t have a crystal ball, I expect to see the launch of a number of the Top-Level Internationalized Country Code extensions in the first half of next year. Corporations should begin planning now by identifying non-Latin trademark portfolios so that they are prepared as Sunrise periods begin.
 
I also anticipate that we will see a final version of the new gTLD Guidebook by the end of next year. I would encourage companies to actively participate with ICANN in relation to the new gTLD process and in particular with the development of rights protection mechanisms. Again, although there is a delay in the process, companies should continue to move down a path of due diligence to determine the right approach – whether it’s to focus solely on defensive measures or to apply for a custom TLD.

We’ll continue to see liberalizations of ccTLDs. However, we may also start seeing the introduction of new, more stringent requirements on ccTLDs which were once unrestricted or minimally restricted in an effort to reduce criminal activity.
 
Although I am hopeful that we’ve seen the last of these registry and registrar security breaches, I am sure that we’ll continue to see the efforts of hackers rearing their ugly heads.
 
While 2009 was certainly a year to remember, I think that 2010 will bring even bigger changes and bigger challenges.

According to Rod Beckstrom, ICANN’s CEO, new gTLDs will be made available when, “we’ve adequately addressed the important issues that are on the table.” These important issues include efforts to address malicious conduct, root scaling, economic analysis, trademark protections, and vertical separation as related to the new gTLDs.

Consequently, no timelines for the launch of new gTLDs have been released. ICANN had most recently stated that the application period would begin in the second half of 2010.

While companies who have been building business plans around the launch of new gTLDs are up in arms, brand owners should take comfort in knowing that additional work will be completed to ensure that adequate rights protection mechanisms are implemented prior to the launch of new gTLDs.

However, while it looks like the gTLD Express is slowing down a bit so that adequate protections can be incorporated into the process, the IDN ccTLD Train (Internationalized Country Code Top Level Domain Names) is full steam ahead and nearing its destination. After years of research, development and market demand, starting on November 16th, ccTLD registry managers will be allowed to submit applications to operate TLDs in native character sets representing their respective country or territory names. To date, 25 countries including China, Japan and the Russian Federation have expressed interest in participating.

Although brand owners may not have to worry about the launch of new gTLDs next year, understanding how, where, and what to register in these new ccTLD IDNs will present a host of new issues – many of which have been overshadowed until now by the anticipated launch of the new gTLDs.

As with similar types of launches in the past, many of these ccTLD registries may allow for special “Sunrise” and “Grandfather” periods so that owners of trademarks and existing IDNs are given priority over others to register exact matches in the new offerings. While registration periods for these new IDN ccTLDs will likely not occur before the second half of next year, brand owners should consider preparing now by reviewing international trademark portfolio holdings and identifying important brands that should be promoted and protected.