'Brandjacking' on the Web

A new study by MarkMonitor finds that cybersquatting and other abuses against big companies with well-known brands are on the rise

If ever there were two companies with more different lines of business, they would have to be InterContinental Hotel Group and World Wrestling Entertainment.

Both are the corporate parent of household names. WWE (WWE) is the $400 million (fiscal 2006 sales) producer of professional wrestling exhibitions and TV shows like Smackdown whose stable of stars includes Undertaker, Chris Benoit, and Rey Mysterio. InterContinental (IHG) is the Britain-based $1.9 billion (2006 sales) hotelier, which owns such storied brands as Holiday Inn and Crowne Plaza.

What these two markedly different companies have in common is a problem protecting their brands from abuse on the Web. From domain names that use trademarked words and phrases to direct users to sites with no connection to the company, to selling counterfeit goods on auction sites like eBay (EBAY), the cases of WWE and InterContinental illustrate how widely well-known brands are being exploited online, and how combating the problem is turning out to be a huge challenge.

A new study released Apr. 30 from MarkMonitor, a privately held firm that alerts companies if their brand is being abused online, has put some hard numbers on the scale of the problem. Using the top 25 companies on the Interbrand 100 list of most valuable brands, which includes names like Coca-Cola (KO), Microsoft (MSFT), Disney (DIS), Citibank (C), Google (GOOG), and Dell (DELL) (see BusinessWeek.com, "The 100 Top Brands 2006"), the San Francisco outfit found that brand abuse on the Web is greater than previously thought.

Microsoft on the Warpath

The biggest problem for the companies, at least given the overall number of incidents, is cybersquatting. It's the unauthorized use of a trademarked name or phrase in a Web domain pointing to a Web site that isn't owned by the trademark holder. MarkMonitor found more than 286,000 instances of cybersquatting for the 25 brands it studied—an average of 11,400 instances each. The data was collected during a four-week period starting Mar. 9 and ending Apr. 6 and was averaged over that period. If MarkMonitor's numbers, collected in what it has dubbed "The Brandjacking Index," are on the money, the scale of the problem alone is astonishing.

If a figure equal to more than 11,000 incidents per company on average seems high, then consider the case of Microsoft, one of the companies in MarkMonitor's sample group. It has been particularly active in suing people it says have been using domain squatting to infringe on its trademarks. It currently has four federal lawsuits pending and recently settled two others in the U.S. against companies it says have registered domain names that are close to Microsoft trademarks, such as 1microsoft67.info or freehotmail.net. In recent months it has reclaimed more than 1,000 different domain names. In Britain, it has five similar legal actions pending and recently settled another with a company that had registered as many as 6,000 different domain names that contained variations on Microsoft trademarks.

Clearly, cybersquatting is on the rise, and so are the number of domain-name registration disputes. The World Intellectual Property Organization, the global body that arbitrates such disputes, says its caseload jumped by 25% in 2006. Even so, it received only 1,823 complaints last year, the highest since 2000. That number suggests that WIPO in an entire year is likely to receive complaints on less than 1% of the domains hijacked in a single four-week span tracked by MarkMonitor.

Certainly many disputes can be resolved without going to WIPO. Lawyers can often shut down a site using a hijacked name by sending a cease-and-desist letter, while other parties may not even know their trademarks are being used.

The Fans Weigh In

MarkMonitor gathered the data for the study in the course of monitoring Internet brand abuse as a service. Among other things, it checks 134 million domain-name records every day using its own software and search algorithms, and closely watches filings with the U.S. Patent & Trademark Office for evidence of trademark abuse. (The company declined to disclose how much it charges for that service.)

Cybersquatting is just one of the problems that faced Stacy Papachristos, a lawyer at WWE's headquarters in Stamford, Conn. "We first heard about it from our fans," Papachristos says. "They'd write us pointing out Web sites that weren't affiliated with us, but which were using our names to make money on their own products."

In one recent decision from WIPO issued on Mar. 5, WWE was able to shut down several Web sites using its trademarks with domain names like smackdownmagazine.com, wwemagazine.com, and wwebackstage.com. They pointed not to Web sites produced by the company but to sites operated by a company called DIR Enterprises, which was giving tips about how to get backstage at pro wrestling events and plans for building a wrestling ring.

Other Headaches for Companies

DIR had registered the domain names days or weeks before WWE had formally changed its name from World Wrestling Federation to World Wrestling Entertainment and registered all the required trademarks (see BusinessWeek.com, 2/2/04, "Is the WWE Rousing Itself from the Mat?"). "They were using our trademarks to draw wrestling fans to their sites," Papachristos says. In a case argued before WIPO, the domain names were reassigned to WWE. DIR Enterprises did not respond to an e-mail seeking comment.

Cybersquatting is only the biggest in a huge array of trademark abuses that MarkMonitor says is growing into big business. The study found more than 300,000 separate instances of brand abuse online (including cybersquatting and other offenses) against the 25 companies in the sample group.

Next on the list after cybersquatting is domain "kiting." This practice exploits a loophole in rules set down by the Internet Corporation for Assigned Names & Numbers (ICANN), which oversees domain-name registrations. Computer software can automate the process of registering a domain for the five-day trial period allowed under ICANN policies. The registration can then be renewed for another five days over and over again, usually under some cover of anonymity, making resolution of the problem difficult. This has created an environment that gives corporations with lots of trademarks to protect a huge headache. In a statement on the problem issued in March, WIPO's deputy director general, Francis Gurry, warned that the current environment of easy domain registrations has "fostered practices which threaten the interests of trademark owners and cause consumer confusion."

No Real Overhead Cost

Shifts in the news and in the time of year can have a big effect on what domains are hijacked. When a lot of media attention was being given to the possibility of an avian flu epidemic, there was a huge upsurge in domain registrations using Tamiflu, the trademarked name of an anti-flu treatment owned by Roche Laboratories. WIPO heard 34 cases involving 64 different domain names related to some variation of the Tamiflu name.

MarkMonitor's study found more than 11,000 cases of domain kiting carried out against the 25 companies in the sample group. One big target of kiting efforts is financial institutions, which accounted for 980 incidents of kiting attacks carried out among the sample group.

Why is kiting suddenly popular? MarkMonitor Chief Marketing Officer Fred Felman says it makes money for those engaging in the abuse.

Since the five-day trial period for a Web site registration is free, there's no real overhead cost. At least 1 million hijacked sites are reregistered every day, used to create "pay-per-click" sites that can yield as little as $25 per year. But take that million sites and pretty soon you're looking at a business model that could potentially generate $125 million per year. "We think kiting and domain 'tasting' represent more than 90% of the new Internet domain registrations on a daily basis," he says. "We're talking about people who exist out on the fringe of the legitimate business world," Felman says. "But they're people making real money off of exploiting these brands, probably enough to pay the rent and get a nice car."

Not Just a Problem for Consumers

And then there's e-mail phishing. This is the practice of using e-mail to entice unsuspecting consumers to click through a link to a Web site that may look as if it's operated by their bank or another financial institution. Typically, a phishing e-mail informs the consumer that his bank needs him to "change your password right away." Thinking the message is legitimate, consumers click through, type in their account information and password, and soon learn the hard way that the message they received didn't really come from their bank at all.

While it's a big problem for consumers, it can also be a major problem for the banks or brokerage firms whose brands are used to carry out the crime. Phishing e-mails accounted for 16 million e-mails sent per day during MarkMonitor's sample period, up 104% in the first quarter of 2007, vs. the same period in 2006. Felman says 229 companies were the targets of phishing, and more than half of those were targeted for the first time. Banks, credit unions, PayPal (eBay's payment service), and even the Internal Revenue Service have seen their names used in phishing campaigns.

Capitalizing on Consumer Confusion

Phishing is clearly on the rise. A study by the Anti-Phishing Working Group found that the number of unique Web sites devoted to phishing jumped to just more than 16,000 by February, 2007, from 10,091 in August, 2006. "The problem is definitely not getting better," says Dan Hubbard, vice-president of security research at Websense (WBSN), which shares its phishing data with the anti-phishing group.

Another reason for the surge in phishing comes from simple consumer confusion. "We believe a lot of it is due to the confusion people have over the introduction of new security methods that banks introduce," he says. "Plus, there's been a lot of mergers and acquisitions of different banks. The customer is dealing with a new entity and that creates some confusion that phishers can use to their advantage."

Keeping a close watch on your brand is something every company with online operations has to do, says Del Ross, head of brand distribution and marketing for InterContinental, the hotel chain. "It's cheaper to spend the money to protect your brands than not to protect them," says Ross. "Just about everyone with a brand to protect has or will have this problem, and it's going to get worse."

    Before it's here, it's on the Bloomberg Terminal.