Beware Of Email Rule Phishing!

By Steve Levy

I just decided a case that involved the combination of a typosquatted domain name and a separate email hacking incident. While this may be the first of its kind to hit the UDRP, this sort of scam has been around since at least 2021 and perhaps longer.

Here’s the setup. The Complainant, a law firm, owns the trademark BAY LAW and uses the domain name baylawinjury.com for its website and, more importantly, its emails. A cybersquatter registered the domain name baylavvinjury.com, which substitutes two of the letter “v” for the letter “w”, making it look very similar to the Complainant’s address. The day after the disputed domain name was registered, one of the Complainant’s employees discovered that his/her work email account had been hacked and a new filtering rule had been created directing all incoming emails that contain the disputed domain name to be put, automatically and immediately, into a separate folder, one that the employee likely never looks at.

This strategy is mentioned in an article from 2021. Typically, a hacker will send emails to customers, suppliers, or other business partners of the compromised company explaining that its banking details have changed and that future payments should be made using new account information provided by the hacker. Email filtering rules are then created by the hacker to hide emails from the company by pushing them into obscure folders if they contain certain keywords such as “payment”, “invoice”, “account”, etc. This allows the hacker to operate in a stealthy manner for much longer as the affected company, and its business partners, may not discover the misdirected payments for weeks or even months.

In the baylavvinjury.com case, the Complainant didn’t explain how its email system had been hacked (likely the employee clicked on an infected link), but it submitted into evidence a screenshot of the new filtering rule that had been created in the compromised account. The rule reads: “If the sender’s address contains these words: ‘@baylavvinjury.com’, mark the message as Read, move the message to folder ‘Conversation History’ and stop processing more rules on this message.” So, although there was no direct evidence that the Respondent was responsible for the hacking, it was quite clear that its baylavvinjury.com domain name was involved in the scam. Based on this connection and the typosquatting nature of the domain name, all three of the UDRP elements were satisfied and a transfer was ordered.

I’m not a cybersecurity expert (hopefully your company has highly skilled ones) but I see the takeaways from this story as twofold. Email systems should be scanned for newly created rules or suspicious domain names that may indicate an infiltration. Further, in the event that a hacking incident is detected, checking for new email rules and suspicious domain names should be part of the remediation process.
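To make that scan concrete, here is an added example (not from the post or from any mail vendor) that audits inbox rules for the pattern described above: a sender filter on a look-alike of the company’s own domain, finance keywords such as “payment” or “invoice”, and a mark-as-read-and-move into a folder nobody opens. The rule dictionaries, folder list and homoglyph table are constructed for illustration; real rules would be exported from the mail system and mapped onto these fields.

```python
# Constructed sample inbox rules, loosely modelled on the fields visible in the post's
# screenshot (sender contains / mark as read / move to folder). Not real exported rules.
SAMPLE_RULES = [
    {"name": "Tidy", "sender_contains": ["@baylavvinjury.com"],
     "mark_as_read": True, "move_to": "Conversation History"},
    {"name": "Billing", "subject_contains": ["invoice", "payment"],
     "mark_as_read": True, "move_to": "RSS Feeds"},
    {"name": "Newsletter", "sender_contains": ["@news.example.net"],
     "mark_as_read": False, "move_to": "Newsletters"},
]

# Folders a user rarely opens; favourite hiding places in this kind of scam (assumed list).
OBSCURE_FOLDERS = {"conversation history", "rss feeds", "rss subscriptions",
                   "archive", "junk email", "deleted items"}
# Keywords the post says hackers filter on to hide replies about misdirected payments.
FINANCE_KEYWORDS = {"payment", "invoice", "account", "wire", "bank"}
# Visually confusable letter substitutions, folded before comparing to the real domain.
HOMOGLYPHS = [("vv", "w"), ("rn", "m"), ("0", "o"), ("1", "l"), ("cl", "d")]

def normalize_domain(domain):
    d = domain.lower().lstrip("@")
    for fake, real in HOMOGLYPHS:
        d = d.replace(fake, real)
    return d

def is_lookalike(candidate, real_domain):
    """True if candidate differs from real_domain but collapses onto it after folding."""
    c = candidate.lower().lstrip("@")
    return c != real_domain.lower() and normalize_domain(c) == real_domain.lower()

def audit_rules(rules, org_domain):
    """Return [(rule name, [reasons])] for rules showing the hiding pattern from the post."""
    findings = []
    for rule in rules:
        reasons = []
        for s in rule.get("sender_contains", []):
            dom = s.split("@")[-1]
            if is_lookalike(dom, org_domain):
                reasons.append(f"sender filter on look-alike of {org_domain}: {dom}")
        words = " ".join(rule.get("subject_contains", []) + rule.get("body_contains", [])).lower()
        hits = sorted(k for k in FINANCE_KEYWORDS if k in words)
        if hits:
            reasons.append("filters on finance keywords: " + ", ".join(hits))
        if rule.get("mark_as_read") and (rule.get("move_to") or "").lower() in OBSCURE_FOLDERS:
            reasons.append(f"marks read and hides in '{rule['move_to']}'")
        if reasons:
            findings.append((rule["name"], reasons))
    return findings
```

Running `audit_rules(SAMPLE_RULES, "baylawinjury.com")` flags the “Tidy” rule on both the look-alike domain and the hidden folder, and the “Billing” rule on its finance keywords, while the newsletter rule passes.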
