Cyber Monday 2018: Analyzing the DNS to Uncover Threats to Businesses and Consumers

In its annual Cyber Monday report, FairWinds reviews the impact of typosquatting on 50 top internet retail brands and their audiences. The most notable insights that FairWinds uncovered in its 2018 analysis are that:

  • Domain parking platforms that host malicious content and seek to distribute malware are much more prevalent
  • Squatters are adding mail servers and wildcard email harvesting mechanisms to confusingly similar domain names in order to harvest information
  • Brands are turning to retail registrars as a cost-effective way of housing recovered infringements
  • 8% of typo domains that brands own remain security threats because their DNS is, or could easily be, controlled by unrelated parties

As the internet continues to evolve and expand, brands engaging in commerce online must adapt to account for changing trends in order to remain ahead of malicious squatters and protect their customers.

Key Findings:

In order to track and identify trends over time, FairWinds has used the same underlying data set of 4,667 misspelled permutations of brand domains in .COM.


The registration status of most of the domain names has not changed since last year; there were just 50 status changes:

  • 25 domains that had been previously taken by a 3rd party became available; and
  • 25 domains that had also been previously taken are now owned by the brand.

Of the 25 domains that are now in brand-owners’ hands, Wayfair, Nordstrom, AutoZone, Game Stop, and Target have been the most active in correcting their problem with cybersquatting over the past 12 months.


Looking at the universe of 2,426 brand-owner controlled domains in the dataset, the most popular corporate registrar is CSC with 19% (including NetNames/Ascio) followed by MarkMonitor with 10%. However, a somewhat surprising finding was that over 69% of brand-owned typos in .COM are held at a low-cost registrar. This is in large part due to the practice of a domain-recovery provider that frequently parks the domains it secures for clients at GoDaddy. Just over half of brand-owned .COM typos are with GoDaddy registrar on behalf of Bed, Bath & Beyond, Finish Line, and The Home Depot among others.

Owners of typosquatted domains are more likely to move their domains between/among registrars than are legitimate domain owners, who tend to be loyal to a particular registrar. In the past 12 months 855 domains, 19.4% of all typosquatted domains, changed registrar. Registrars with the highest number of changes include Media Elite Holdings Limited (+336%), Internet Domain Services BS Corp (-47.8%), and Pty Ltd. (-16.8%).

The goal of registrar cycling may be to prolong the cybersquatting activities by obstructing enforcement, evading detection, and/or seeking lower registration fees and higher domain-parking payouts.

Name Servers

Across 2,426 typo domains we reviewed that are owned by the expected brands, 91% are hosted by a trusted entity. The majority are either hosted in-house (19%) or by a trusted third party (72%), which includes their primary registrar and enterprise DNS partners such as Verisign, AT&T, and AWS.

Slightly more than 8% of typo domains that brands own are hosted by what would appear to be unrelated entities. In one case, 166 typos of a particular brand are delegated to a host identified by an available domain name. In these instances, the domains reflect the brand owner in WHOIS, but are currently serving malicious content, or could easily be switched on for malicious purposes including sending and receiving email and displaying harmful web content.

In the case of the unregistered DNS host domain, once a bad actor notices and takes advantage of the situation, they would control 166 clones of the company’s main corporate domain and the violation would be relatively undetectable since nothing “new” would have shown up in WHOIS.
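The delegation risk described above can be checked from a portfolio export. The following is an added example, not FairWinds' tooling or data: it classifies each brand-owned typo domain by who hosts its name servers and groups the domains that depend on an unregistered host domain. All domain names, the trust lists and the `REGISTERED` availability set are constructed assumptions.

```python
"""Audit where brand-owned typo domains are delegated (constructed data)."""
from collections import defaultdict

# Hypothetical policy inputs: registrable domains the brand accepts as DNS hosts.
IN_HOUSE = {"examplebrand.example"}       # the brand's own name servers
TRUSTED = {"enterprise-dns.example"}      # contracted registrar / DNS partner

# Stand-in for a registry availability lookup (RDAP or WHOIS in practice):
# parent domains that are currently registered. Any NS parent missing from
# this set is treated as available for anyone to register.
REGISTERED = IN_HOUSE | TRUSTED | {"parking-host.example"}

# Constructed sample: brand-owned typo domain -> NS hosts from its delegation.
DELEGATIONS = {
    "exampelbrand.example": ["ns1.examplebrand.example.", "ns2.examplebrand.example."],
    "examplebrnad.example": ["a.enterprise-dns.example", "b.enterprise-dns.example"],
    "exmaplebrand.example": ["ns1.parking-host.example", "ns2.parking-host.example"],
    "examplebrand-shop.example": ["ns1.lapsed-host.example", "ns2.lapsed-host.example"],
    # Mixed delegation: one trusted host, one host under an unregistered parent.
    "wwwexamplebrand.example": ["NS1.Lapsed-Host.example", "a.enterprise-dns.example"],
}

# Ordered from least to most severe.
SEVERITY = ["in_house", "trusted_third_party", "unrelated", "dangling"]


def registrable(host):
    """Naive registrable domain: the last two labels (assumption; production
    code should consult the Public Suffix List)."""
    labels = host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def classify_host(host):
    """Classify one NS host by the party that controls its parent domain."""
    parent = registrable(host)
    if parent not in REGISTERED:
        return "dangling"            # whoever registers the parent answers DNS
    if parent in IN_HOUSE:
        return "in_house"
    if parent in TRUSTED:
        return "trusted_third_party"
    return "unrelated"


def audit(delegations):
    """Return domain -> worst classification across its NS hosts.

    A single untrusted NS is enough to matter, because resolvers may query
    any host in the NS set.
    """
    return {
        domain: max((classify_host(h) for h in hosts), key=SEVERITY.index)
        for domain, hosts in delegations.items()
    }


def blast_radius(delegations):
    """Group domains by the unregistered NS parent they depend on."""
    exposed = defaultdict(set)
    for domain, hosts in delegations.items():
        for host in hosts:
            if classify_host(host) == "dangling":
                exposed[registrable(host)].add(domain)
    return {parent: sorted(domains) for parent, domains in exposed.items()}


if __name__ == "__main__":
    for domain, status in sorted(audit(DELEGATIONS).items()):
        print(f"{status:20} {domain}")
    for parent, domains in blast_radius(DELEGATIONS).items():
        print(f"registering {parent} would control {len(domains)} domains: {domains}")
```

Because WHOIS for the typo domains themselves never changes, the availability of each NS parent has to be re-checked on a schedule rather than inferred from registration alerts.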

Resolution & Use

Increasingly, malicious use of a domain name means sending email meant to look official, or receiving email intended for someone else in order to capture intelligence.

Across a representative sample of the 1,963 “taken” domains in the 2018 dataset, 57.7% had MX records listed in their zone file. This is troubling, as the presence of MX records signals that a mail server is set up to send and receive email for a domain. A cybersquatter can set up a catch-all record and receive any email message sent to and it would appear that over half of the typo domains controlled by third parties in this study may have this capability.
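An added example (not part of the FairWinds study) of triaging typo domains by mail posture from zone records. It separates explicit, wildcard and null MX (RFC 7505) and the address-record fallback that SMTP uses when no MX exists, so a count based only on MX presence can be compared with the domains that can actually receive mail. The zone lines and domain names are constructed.

```python
"""Triage typo domains by their ability to receive mail (constructed data)."""

# Constructed zone-file style records for five hypothetical typo domains.
ZONE_LINES = """
exampelbrand.example.      3600 IN MX 10 mail.parking-host.example.
exampelbrand.example.      3600 IN A 192.0.2.10
*.examplebrnad.example.    3600 IN MX 5 mx.collector.example.
examplebrnad.example.      3600 IN A 192.0.2.11
exmaplebrand.example.      3600 IN MX 0 .
exmaplebrand.example.      3600 IN A 192.0.2.12
examplebrand-shop.example. 3600 IN A 192.0.2.13
wwwexamplebrand.example.   3600 IN TXT "v=spf1 -all"
""".strip().splitlines()

DOMAINS = [
    "exampelbrand.example",
    "examplebrnad.example",
    "exmaplebrand.example",
    "examplebrand-shop.example",
    "wwwexamplebrand.example",
]


def parse(lines):
    """Parse 'owner ttl IN type rdata...' lines into (owner, type, rdata)."""
    records = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5 or fields[2].upper() != "IN":
            continue  # skip anything that is not a plain IN-class record
        owner = fields[0].rstrip(".").lower()
        records.append((owner, fields[3].upper(), fields[4:]))
    return records


def mail_posture(domain, records):
    """Classify one domain's inbound mail posture."""
    apex_mx, wildcard_mx, has_addr = [], False, False
    for owner, rtype, rdata in records:
        if rtype == "MX" and owner == domain:
            apex_mx.append((int(rdata[0]), rdata[1]))
        elif rtype == "MX" and owner.startswith("*.") and owner.endswith("." + domain):
            wildcard_mx = True      # mail to any subdomain is routed to the MX
        elif rtype in ("A", "AAAA") and owner == domain:
            has_addr = True
    if wildcard_mx:
        return "wildcard_mx"
    if apex_mx == [(0, ".")]:
        return "null_mx"            # RFC 7505: domain declares it accepts no mail
    if apex_mx:
        return "explicit_mx"
    if has_addr:
        return "implicit_mx"        # no MX: SMTP falls back to the address record
    return "no_mail"


def triage(domains, lines):
    records = parse(lines)
    return {d: mail_posture(d, records) for d in domains}


def mail_capable(postures):
    """Domains where inbound mail can be delivered."""
    wanted = {"explicit_mx", "wildcard_mx", "implicit_mx"}
    return sorted(d for d, p in postures.items() if p in wanted)


def naive_mx_present(domains, lines):
    """Domains with any MX record at or below the apex, as a raw count would see."""
    records = parse(lines)
    return sorted(
        d for d in domains
        if any(t == "MX" and (o == d or o.endswith("." + d)) for o, t, _ in records)
    )


if __name__ == "__main__":
    postures = triage(DOMAINS, ZONE_LINES)
    for domain, posture in postures.items():
        print(f"{posture:12} {domain}")
    print("MX present  :", naive_mx_present(DOMAINS, ZONE_LINES))
    print("mail capable:", mail_capable(postures))
```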

In Spring of 2018 Steve Levy, domain enforcement counsel for several FairWinds clients, described Automated Rapid Redirection to Malware (ARRM) to attendees of a FairWinds Beyond the Dot conference in Cambridge, MA. ARRM hosting presents a dynamic set of possible results for a single domain. Results include redirection to the website of the infringed brand or a competing brand site (both with affiliate IDs to capture commissions on purchases), presentation of a recommended “Adobe Flash update” that is likely to be malware, and a range of phishing ploys.

At other times, and almost always when a visitor has accessed the same domain more than once in a 24-hour period, ARRM-hosted domains present pay-per-click (PPC) ads that generally don’t raise alarms among brand-protection professionals. The fact that ARRM-hosted domains present different results based on the visitor’s IP address makes clear the platform operator wishes to avoid attention from brand protection and law enforcement professionals.

Comparing the 2017 and 2018 FairWinds Cyber Monday domain name analyses, the number of domains hosted on DNS usually or frequently serving ARRM results increased from 80% to 87% of taken domains.

Advance Auto Parts, Crate & Barrel, Dick’s Sporting Goods, Kate Spade, LL Bean, Northern Tool, Urban Outfitters, and Victoria’s Secret are among the brands with the highest percent of ARRM across their total number of .COM typo infringements. In all of these cases, greater than 90% of infringing .COM typos are hosted on the ARRM platform.


In terms of opportunity, the brand and customer protection elements are clear, but with 87% hosting ARRM content across 1,963 “taken” .COM typos, it’s not practical for a brand owner to address them all.

Traffic is the best objective indicator of value when looking across similarly-resolving infringements, and as we have seen before most infringements do not receive detectable levels of traffic. The top 20 domains, the most visited 1.02% of all 1,963 taken typos, garner 37.5% of total detectable traffic across the dataset. A full 70% of the traffic to the top-20 most frequently visited typo variations is associated with Amazon, Best Buy, Costco, and Walmart typo domains. Adidas, Bass Pro Shops, Carter’s, Dillard’s and Nasty Gal round out the group of top-20 typo infringements of the 50 leading internet retailers we analyzed.

Given the scope and scale of this study, there is a clear case for brands to take targeted action to address typo domains that threaten their information security, reduce their profits, and erode their customers’ trust in them.

Beyond the Dot: Featured Speaker Scott Bradner discusses GDPR

Mr. Scott Bradner, Harvard Extension School professor and former ARIN, IETF, and Internet Society Trustee is widely recognized as one of the few first-person historians on the creation and development of the Internet.


FairWinds Partners is pleased and honored to have Mr. Bradner as our guest speaker at our next Beyond the Dot luncheon and networking event at the Harvard Faculty Club in Cambridge, MA later this month.


2018 is off to a fast start with ICANN’s efforts to comply with the European Union’s new regulations on the use of personal data, the General Data Protection Regulation (GDPR). There are many views of the GDPR’s impact on the domain industry and they vary widely from registries, registrars, and global corporations.


We took the opportunity to ask Mr. Bradner some questions about the impact of the GDPR on the broader area of Internet governance.


What are your thoughts on how the ICANN community is preparing for GDPR enforcement?

ICANN has had its head in the sand until very recently. Now we are seeing them run around in chicken-with-its-head-cut-off mode trying to figure out what to do. May 25th is a couple of months off now. ICANN should have been preparing more than a year ago to determine what was going to be needed to comply so that they had enough time to work through the details.

How do you think the Internet will change as a result of GDPR?

In theory, the Internet will be a better place for users, but because of the vast disparity of how U.S. corporations treat the activities of their users and how GDPR expects users to be treated, there will be serious problems.


Is there anything creators of the Internet or ICANN could have done differently to anticipate privacy concerns?

It is not to do with the creators of the Internet or ICANN; it is the business model of the U.S. companies that most Internet services are predicated on – paying for a service by letting more and more information about your activity be analyzed to determine the ads to provide the highest likelihood that you will respond – that is incompatible with GDPR.


Some of this was predicted when the original IETF RFC for cookies was debated. The idea that a telephone company could record every URL you visit would be unthinkable in Europe… GDPR makes the model of the surveillance economy unviable unless the service provider is positive that none of its customers can be EU citizens, not an easy thing to be positive about.

Continue the Conversation

Please join us on April 12 to continue the conversation with Mr. Bradner as he recounts the early days of the Internet and describes how the last 5 decades explain today’s Internet and where it is heading.


We will also hear from domain name insiders on the latest updates from ICANN61 in Puerto Rico, as well as the evolution of cyber security threats and enforcement strategies to combat them.


This is a private event with limited space available.  If you would like to attend, please contact us at to request an invitation.

Cyber Threats on the Rise: Protect Your Brand

The Equifax cyber-attack of 2017 highlighted the vulnerability of corporate networks and consumer privacy in the new era of the Internet and cyber threats. In fact, 2017 saw more expansive and more high profile breaches than any other year to date.


Consequently, corporates are urging more awareness and responsiveness to cyber threats at all levels to better protect the security and information of consumers from top to bottom.


Top 2017 Attacks

The most notable attack of 2017 was against consumer credit reporting agency Equifax due to the sheer amount and sensitivity of information stolen.


Though not made public until September, the July attack against Equifax compromised 145 million people and included highly sensitive information such as Social Security numbers. Less than a month later, Yahoo! revealed that every account, over 3 billion in total, was hacked in 2013—three times as many as originally reported in 2016.


Anonymous cyber-crime groups have become more dangerous and more effective by accessing vulnerabilities or tools obtained from prior breaches of government and security organizations. After the controversial Shadow Brokers leak, which made public a suite of hacking tools developed by the NSA, Petya and WannaCry orchestrated attacks using the stolen tools and took advantage of newly revealed weaknesses, wreaking havoc on businesses and hospitals.


Corporate Response

NuData Security Inc. reported that 64% of companies experienced web-based attacks in 2016, a figure that grew by about 30% year-over-year from 2015. The attacks, which appear to be endemic, have forced a corporate response.


The Wall Street Journal echoed this sentiment in an article published on January 10, 2018. Fortune 500 corporate boards are re-evaluating, or in some instances evaluating for the first time, the risks, gaps and response times associated with cyber threats.


A survey conducted by the National Association of Corporate Directors revealed that 38% of directors surveyed would select cyber threats as likely to have the biggest impact on their company in 2018. However, when asked if they felt confident that their company was properly secured against cyber attacks, the number of positive responses dropped from 42% in 2016 to 37% in 2017.


Thus, management is aware of the increasing amount and hostility of cyber threats but is not confident in their ability to respond.


Mitigating Cyber Threats at the Domain Name Level

Domain names remain a key vulnerability and can easily divert a large user group. While organizational and security infrastructure are being assessed at the higher management levels, there are steps all companies can take at the domain name level to protect employees, customers, and overall brand reputation.



In 2017, Bad Rabbit, a cybercriminal ransomware attack often linked to Petya, infected computers all over the world by posing as an Adobe Flash installer to infiltrate and compromise media outlets.


The bogus Adobe Flash update is often seen as the resolution for non-filtered domain parking platforms and other malware campaigns associated with typo-squatted domain registrations. Correspondingly, FairWinds Partners has seen a noticeable rise in Uniform Domain-Name Dispute-Resolution Policy (UDRP) reclaim filings submitted on behalf of clients.



Russian hackers, Cozy Bear and Fancy Bear, used typo domain names as points of entry to organizations related to the 2016 national election in the United States and continue to use spear-phishing and typo-squatting to infiltrate and spy on government organizations.


On January 8, 2018, NBC Nightly News aired a special on the impact typos can pose to unsuspecting users including online scams to gain access to personal or financial information. Typo-related domain infringement can result in customer diversion, poor customer experience, and damaged brand identity.



Left unaddressed, cyber threats can pose a significant risk to customer and employee personal information, corporate reputation, and online brand identity.


With the privacy and personal data of all Internet users at risk, it is critical for companies to understand and address emerging cybersecurity threats and related domain name vulnerabilities.

Milestone Reached: 300 UDRP Victories

FairWinds Partners recently marked our 300th successful Uniform Domain-Name Dispute-Resolution Policy (UDRP) outcome, bringing our overall success rate to 99.75%.


FairWinds has a long history of success when it comes to reclaiming domain names on behalf of FairWinds’ clients.  Nearly 400 complaints have been filed on behalf of FairWinds’ clients to-date, a quarter withdrawing and settling without a need for the UDRP arbitration process.


UDRP & Benefits to Domain Owners

The UDRP is a standardized legal procedure created by ICANN that provides brand owners and trademark holders a quick, relatively inexpensive, and easy means to resolve disputes regarding a trademark-infringing domain name.


A key benefit of the UDRP is the relative expediency in which resolutions are delivered, typically within 45 days of filing. UDRP filings do not require discovery, witness cross-examination, or even a hearing.  Thus, the overall cost of filing a UDRP, as compared to more formal litigation, could be significantly less expensive and might be the right option for clear cases with minor fact issues.


When preparing to file a UDRP, a filer must be able to prove the following:

  1. The domain name is identical or confusingly similar to your trademark
  2. The Respondent has no rights or legitimate interests in the domain name
  3. Registration and use of the domain name is in bad faith


Emerging UDRP Trends

In the last year we have seen two emerging trends in the type of UDRP cases being brought to action:

  1. Increased use of Fast Flux DNS over pay-per-click parking, which can be more lucrative for squatters and more damaging to brands
  2. Cases that involve multiple domain names, suggesting a rise in organized squatting by domain investors with sizable portfolios of names


When considering filing a UDRP, seeking experienced and consistently successful counsel is critical, as UDRP cases cannot be re-filed for any mistakes. In concert with an expert domain name advisor, infringing domain names can be identified and recovered expediently and with minimal cost.


With evidence of an increase in cybersquatting and bad faith registrations as well as the proliferation and spread of malware through Domain Servers, the use of UDRP cases will continue to rise. Make sure your brand is protected by the best.

Webinar: New gTLD Usage, Trends & Planning for 2018

Join us for a free webinar on January 16, 2018, to hear from Taylor Frank, Vice President at FairWinds, with regard to recent developments, analysis and trends related to new gTLD usage and adoption.


Email us at to register!


The new gTLD initiative has proven to be fairly complex.  To date, it has been very difficult to get an accurate read on the adoption of these new platforms.  At our free webinar on January 16, 2018 we will talk about:

1.  New data and information related to use of new gTLDs,

2.  How new gTLD use stacks up against legacy gTLD platforms,

3.  What to expect as we move into 2018 and

4.  Feedback from our network of corporate brands on the relative success or failure of the first round and sentiment about the second round of new gTLDs.


Register today by emailing!

Highlights from 2017 and What to Expect as We Embark on 2018

2017 proved to be an eventful year with the United States pulling back from ICANN, the advance of opportunistic practices by bad actors, and innovative uses of new gTLDs from some of the biggest global brands.

These three trends should be top of mind as 2018 domain name strategies are considered.


In the aftermath of the United States not renewing its IANA contract, effectively cutting its ties with ICANN in 2016, and standing on even ground with other governments in the Governmental Advisory Committee (GAC) we have seen increased involvement by other key governments and the proliferation of complex issues plaguing the community.

ICANN60 in Abu Dhabi spotlighted the EU’s General Data Protection Regulation (GDPR), which regulates the collection, storage and distribution of personal information. The two-year transition period for this regulation comes to a close in May 2018.

Having already seen an impact on how registries and registrars are handling WHOIS requirements, we anticipate this trend to gather more steam and have even farther-reaching implications in 2018.

Additionally, foreign governments continue to push for the protection of country and other geographic names, especially in light of an impending new TLD round. .AMAZON will be top of mind for many looking ahead to 2018 when ICANN will re-review the .AMAZON application and make a determination to either follow GAC advice to reject the application or allow Amazon to proceed.

The next ICANN meeting will be held in San Juan, Puerto Rico from March 10-16, 2018.  Due to its proximity to the East Coast and other US destinations, it is expected that there will be significant brand participation from North America. GDPR, WHOIS, the second round of new gTLDs, and the protection of geographic names are expected to be major topics.


As the domain name system has evolved over the years, so too have the methods of domain monetization employed by domain speculators, squatters, and trademark infringers.

This year, we have seen an alarming and significant rise in the popularity of a new domain-parking platform that frequently distributes malware.

As domain owners and parking platforms are now able to generate more revenue serving malware than through pay-per-click ads, and with no mediation in sight, this trend is sure to continue gaining momentum and it will be critical for brand owners to be aware of and monitor the situation.


We have started to see a slow and gradual increase in the creative use and deployment of .BRAND TLDs.

While the total number of registrations in new gTLDs has declined over the last six months – likely as a result of large-scale deletions from TLDs like .XYZ that offered discounted registrations in the first year – the number of registrations in .BRANDs steadily increased throughout 2017.

Some of the more meaningful TLDs to be on the lookout for in 2018 include:

  • .AWS from Amazon
  • .GOOGLE and .GOOG from Google
  • .SAP from SAP
  • .YANDEX from Yandex

The continued use and adoption of .BRAND TLDs by influential corporates will drive further adoption as we head into 2018. However, it is still a very nascent space and using a .BRAND TLD has far-reaching consequences that must be considered before deploying such a platform.


Given the increasing complexity from a policy and security perspective, it is more important than ever to have a proper domain name strategy in place to guide you through this ever-changing landscape.

From everyone at FairWinds, we wish you a happy New Year!

Cyber Monday 2017: Fast Flux DNS and Other Cyber Threats to Brands

On November 23, 2016, FairWinds distributed Cyber Monday 2016: Typosquatting – A Threat to Brands and Consumers, a report on how typosquatting impacts 50 of the leading internet retail brands.

FairWinds re-evaluated the 2016 dataset for Cyber Monday 2017: Fast Flux DNS and Other Cyber Threats to Brands. The biggest takeaway from this year’s analysis is that the number of infringing domains hosted on a Fast Flux DNS platform has more than doubled.

This time last year, we reported 39% of third-party owned typos of the top internet retailers’ primary domain in .COM were hosting malware, phishing, and affiliate program ripoff sites via Fast Flux DNS.

Now, the figure is 80%. The growth came from 828 domains that have been migrated from predominately pay-per-click (PPC) content at this time in 2016 to a Fast Flux DNS platform today.


What is Fast Flux DNS? 

As we’ve described in the past, Fast Flux DNS is a hosting platform that monetizes web traffic via an array of results, which change based on factors including the IP address of the visitor.

For example, just prior to posting this blog,, a “missing dot” typo, resolved to the content below suggesting the visitor download the latest copy of Adobe Flash. Needless to say, the download was not the latest copy of Adobe Flash.

Moments later, the same domain resolved to and then, and in both instances the URL included an affiliate ID for the purpose of tracking the session and receiving a commission on the visitor’s purchases.


How does the 2016 Data Compare to the 2017 Data?

While the resolution of the 4,667 .COM typographical variant domains reviewed in 2016 and again in 2017 has changed immensely, very little has changed in terms of ownership:


It is noteworthy that several brands did recover a small set of infringing domains over the past year.

However, most of them were low-value domains as all but one receive no detectable traffic and 66% of the 21 were held by a service that promises to reclaim taken domains in exchange for a period of time when they are granted the right to monetize traffic via the trademark owner’s own affiliate program.

Among the 252 previously cybersquatter-owned domains that became available in the last 12 months, there is essentially no traffic associated with them. This is a clear signal that squatters are cutting domains that do not perform.

One domain,, that was registered to the correct company last Cyber Monday, but was released and subsequently squatted has been enrolled in Fast Flux DNS.

True to the platform, serves up a revolving set of results including a malware version of Adobe Flash update and the company’s own affiliate program. However, since the domain receives no detectable traffic, J. C. Penney Corporation made a reasonable decision not to renew this particular typo.

As of Cyber Monday morning 2017, the domain resolves to with affiliate ID session tracking to earn commissions for the platform and domain owner on all items purchased by visitors.



The Shift to Fast Flux DNS

With the shift from PPC to Fast Flux DNS parking, there is a case to be made to wipe out all of the infringing domains that are serving up malicious content, but it is not cost effective.

Now more than ever, companies must apply a thoughtful and holistic strategy to their enforcement programs.

Of the 1,602 infringing typo domains in the Cyber Monday 2017 dataset that are currently hosted on the Fast Flux DNS platform:

  • Just 20% (336 domains) receive detectable traffic, averaging 7,349 visitors per month.
  • An eye-catching 80% (1,989,000 visitors) of the monthly traffic across all of the infringements is associated with just the top 30 typosquatted domains.

This is not a surprising finding, as we have seen this kind of unequal distribution in domain datasets over the last 10+ years.

When looking at typosquatted domains of leading internet retailers, the shift from PPC to Fast Flux DNS monetization has clearly arrived and it is a significant threat that must be addressed. These data show that careful target selection and swift action are the immediate solution.

Fraud in Financial Services New TLDs Less Prominent than in Other New Generic TLDs

Nearly 50 of the new generic Top-Level Domains (gTLDs) launched through ICANN’s New gTLD Program directly relate to the banking industry.

While certain financial services new gTLDs such as .BANK and .INSURANCE have been established by their operators as trusted safe-havens with significant vetting and barriers to entry, most financial services industry gTLDs such as .LOAN and .FUND have been launched with no such barriers and with minimal registration qualifications. As a result, many have expressed concerns like those voiced by ICANN’s Governmental Advisory Committee (GAC)[1] and think that unrestricted financial services new gTLDs pose a significant risk of confusion and abuse.

Now that several years have passed since the first new gTLD launches, FairWinds investigated whether these concerns are well founded by examining ownership and use of exact match brand domains in financial services new gTLDs. The goal was to determine if nefarious bad actors are maliciously registering and using domains such as Citibank.Loans or CapitalOne.Cash to prey on unsuspecting customers.



FairWinds used the publicly available S&P Global Market Intelligence list[2] of the world’s 100 largest banks to create a dataset of banks and corresponding domains to test. In a majority of cases FairWinds looked at the exact same root (“bnymellon” for used by the bank for their primary website. In the case of banks that use 2-character domains as their primary website, FairWinds used the bank’s full name (“deutschebank” instead of “db”) in the analysis.

In selecting which new gTLDs to test, FairWinds selected the top 6 unrestricted financial services new gTLDs based on total number of registrations. As of September 22, 2017, the top 6 in order of total domains registered were:

  • .LOAN (2,171,965 domains)
  • .TRADE (145,598 domains)
  • .FUND (11,396 domains)
  • .CASH (10,470 domains)
  • .FINANCE (6,203 domains)
  • .FINANCIAL (3,923 domains)

Four of the registries (.TRADE, .FUND, .CASH, and .FINANCE) are operated by Donuts and therefore the domains could have been blocked via Donuts’ Domains Protected Marks List (DPML), and 2 of the registries (.LOAN and .FINANCIAL) are operated by Famous Four Media.


Our Findings

Across the dataset of 600 domains:

  • 21.7% (130) are registered,
  • 14.3% (86) are blocked for registration due to the DPML, and
  • 64% (384) are available.

Of the registered domains:

  • the bank brand owners own 11% (66),
  • other IP owners sharing the same names own 1.2% (7), and
  • unrelated third parties own 9.5% (57).

FairWinds reviewed the web content associated with the 130 registered domains and found websites that fell into 9 categories:

Only one domain resolved to official content (RTOC), BoC.Fund.

While there were some suspicious results such as the password protected website found on Sberbank.Fund (image below), no malicious content was found in this dataset.

This finding was unexpected. Both the GAC and the banking community, who have registered or blocked 159 domain names in this dataset, believed there would be heightened domain abuse where “implied trust…carry higher levels of risk associated with consumer harm.”[3]


How Did Banks Fare Amongst the Most Popular TLDs?

Curious to test the hypothesis that these same banks face an entirely different challenge in the most popular new gTLDs based strictly on volume of second-level registrations, FairWinds investigated the exact same list of bank names in the top 6 new gTLDs with the most domains registered as of September 22, 2017:

  • .TOP (3,141,279 domains)
  • .XYZ (2,431,795 domains)
  • .CLUB (1,119,390 domains)
  • .WIN (1,045,895 domains)
  • .VIP (760,829 domains)
  • .ONLINE (767,555 domains)

These 6 new gTLDs are owned by TOP Registry,, .CLUB Domains, Famous Four Media, Minds + Machines, and Radix.

In this dataset:

  • 83% (221) are available, and
  • 17% (379) are registered.

Of the 379 registered domains, just 8.7% (33) are registered by the expected bank or another similarly-named trademark owner and an astounding 91.29% (346) are owned by unrelated third-party registrants.

FairWinds also analyzed the web content and organized the data into 16 categories:


Just 5 domains resolved to official content (RTOC). On the other hand, while the majority of squatted domains did not resolve to content, FairWinds found 8 domains that are enrolled in the Fast Flux DNS parking platform, which frequently is used to distribute malware, phish for personal information, impose ransoms and present affiliate shopping sites or pay-per-click schemes.

In summary, banks face 6 times more infringement in popular Generic New Top-Level Domains than in unrestricted Financial Services New Top-Level Domains.

What Does Fast Flux DNS Look Like?

Fast Flux DNS presents a range of results including pay-per-click; however, it often leads with a snare trap to any first-time visitors. In this instance, BNYMelon.Top presents a false alarm about a virus that has been detected on the visitor’s computer or device. Attempts to resolve the situation (per the instructions on the page) expose the visitor to possible identity theft and demands for payment:






At other times, the BNYMellon.Top domain leads to a website asking the visitor to install the latest version of Flash Player:



FairWinds has observed a major swing over the past 12 months from pay-per-click parking to this Fast Flux DNS parking with fake Adobe Flash malware as the most typical malicious invitation.

Earlier in 2017, PhishLabs reported that “The most common new gTLDs used to host phishing content last year were .TOP, .XYZ, .ONLINE, .CLUB, .WEBSITE, .LINK, .SPACE, .SITE, .WIN, and .SUPPORT.”[4] Five of the 6 new gTLDs FairWinds looked at in the Top 100 Bank names new gTLD study are among the domains linked most often to phishing by PhishLabs.



Many brand owners that are active in securing defensive registrations are choosing to register their brands in category new gTLDs that represent their industry (.TECH), business (.CAREER) and where they operate (.PARIS). However, the Top 100 Bank names new gTLD research suggests that some of the most important places to protect brands are where the squatters are most active and not just in gTLDs that are directly linked to the brand.

Knowing where the bad actors are most active, and owning your brands in those new gTLDs is probably more important than choosing to register in new gTLDs that would seem to be the most likely to be infringed, like .FINANCE for a financial services company or .TECH for a technology company, and brand owners are not currently doing this to the degree that they should.

FairWinds recommends recapturing damaging, infringing domains in the most popular new gTLDs and registering available names ahead of bad actors in the busiest corners of the new gTLD world.







When it Comes to Cybersquatting How Do Canada’s Top Brands Fare?

We were curious how major Canadian brands were faring when it came to cybersquatting, so we took a look at how well protected they are in the domain name space. We specifically looked at whether their customers are facing navigation challenges or security threats online as a result of the domain names these brands don’t own.


Methodology for Our Cybersquatting Research

To do that, we looked at typographical variations in .COM and .CA of the top 25 Canadian brands according to Canadian Business’s Canada’s Best Brands 2017: The Top 25. The brands surveyed include established names like Home Hardware, Cirque du Soleil, and Scotiabank.

Five of the brands included on Canadian Business’ list were not included in our analysis because the brand names were too short, while others were omitted because they did not own their name in .COM.

Here is a table summarizing the brands that were included and omitted in our analysis:

What Did the Data Show?

We generated 2,128 typo variations across the 20 brands, included their correctly spelled versions, and applied .COM and .CA endings for a total dataset of 4,258 domains.
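A brand owner can build the same kind of watch list for its own names. The following is an added example, not FairWinds' code: the article does not say which typo rules it used, so the four single-edit classes here (omission, doubling, transposition, adjacent-key substitution) and the brand name `examplebrand` are assumptions.

```python
# Added illustration: the typo classes below are assumptions, not FairWinds' method.
QWERTY_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]

def _adjacent_keys():
    """Map each letter to its left/right neighbours on the same QWERTY row."""
    adj = {}
    for row in QWERTY_ROWS:
        for i, ch in enumerate(row):
            adj[ch] = row[max(i - 1, 0):i] + row[i + 1:i + 2]
    return adj

ADJACENT = _adjacent_keys()

def typo_labels(label):
    """Return every single-edit typo of a domain label, excluding the label itself."""
    label = label.lower()
    out = set()
    for i, ch in enumerate(label):
        out.add(label[:i] + label[i + 1:])                  # omitted character
        out.add(label[:i] + ch + label[i:])                 # doubled character
        if i + 1 < len(label):                              # swapped neighbours
            out.add(label[:i] + label[i + 1] + ch + label[i + 2:])
        for sub in ADJACENT.get(ch, ""):                    # adjacent-key slip
            out.add(label[:i] + sub + label[i + 1:])
    out.discard(label)
    # Drop results that are not valid DNS labels (empty, or leading/trailing hyphen).
    return {t for t in out if t and t[0] != "-" and t[-1] != "-"}

def build_dataset(brands, tlds=("com", "ca")):
    """Correct spellings plus typos under every TLD, keyed by domain name."""
    rows = {}
    for brand in brands:
        correct = brand.lower()
        for label in sorted({correct} | typo_labels(correct)):
            for tld in tlds:
                # First brand to produce a name keeps it, so overlaps are not double counted.
                rows.setdefault(f"{label}.{tld}",
                                {"brand": brand, "is_typo": label != correct})
    return rows

if __name__ == "__main__":
    data = build_dataset(["examplebrand"])  # constructed brand name
    typos = sum(1 for r in data.values() if r["is_typo"])
    print(f"{len(data)} domains, {typos} typo candidates to check for registration")
```

Each resulting name can then be checked for registration status, ownership and use, which is how the percentages below are derived.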

We found that:

  • 85% of the domains are currently available
  • 15% or 620 domains are registered

Of the registered domains:

  • 27% (168 domains) are in Canada’s .CA extension, and
  • 73% (451 domains) are .COMs.

Just 16.5% (103 domains) of the registered domain names are owned by the brands themselves, and these include the 20 websites of the companies.

Of the 103 brand-owned domains:

  • 65 redirect to the brands’ websites
  • 3 are used by the brand owner for another site (for example and are different sites owned by the same company), and
  • 3 are being used improperly

Those being used improperly are most likely displaying the same content these domains served when they were owned by third parties before being recovered through trademark enforcement or acquisition. For example:

  • Scotiabank owns that displays PPC content, and
  • Canadian Tire’s is a Fast Flux DNS site that sometimes presents malware, phishing, and ransomware and is a PPC site.

The remaining 517 registered domains are owned by third parties. Of these third-party domains, we found 60 that are legitimate and 3 that are questionable, meaning that these domains are other correctly spelled words or acronyms, or a product of the company that owns the domain, or that it was too hard to know for sure. For example,

  • is owned by P&G for their Swiffer WetJet product, and
  • is an Apple domain although similar enough to the Canadian IMAX brand to be part of the dataset.

Among the “questionable” domains is, which is similar to and redirects to the website of InterBank; however, it was not immediately clear whether there is a legitimate connection to InterBank, so it was marked “questionable.”

A careful analysis of the brand-owned domains shows that Canadian brands that register typographic variations are focusing more on .COM (39 domains) than on .CA (27 domains).


How are the Non-Brand Owned Domains Being Used?

The majority of third-party illegitimate domains are registered in .COM (344) rather than .CA (110), and disproportionately so. This may be a result of .COM being so much less expensive and more accessible (no local presence requirement) than .CA. Regardless, the ratio of brand-owned to third-party-owned illegitimate domains is 1:4.

It was significant to find that:

  1. 73% of the registered typo variations are illegitimate
  2. 41% of illegitimate third-party domains are used for PPC.

This would have been a bit surprising to us before 2016 when generally about 80% of infringing domains were enrolled in PPC (example:, but we have noticed a shift in domain monetization schemes over the past two years.

The uses of Canada’s top brands by third parties are attributed to 7 categories:

The largest use category beyond PPC is Fast Flux DNS (FFDNS) domains, which we wrote about in our 2017 – Perspectives on Cybercrime and Domain Names.

The decline of PPC revenue associated with cybersquatting has forced bad actors to look for other sources of revenue over the past several years. In the place of PPC, they have been enrolling their domains in FFDNS-type monetization schemes at the extreme detriment of brands and their consumers.

There are 30% more third party owned illegitimate sites resolving to Fast Flux DNS than all of the brand-owned domains combined.

We also found two domains serving up pornographic content – and While the Whois and DNS information is different, the domains were registered about 1 month apart and the format of the sites is similar, raising questions about a possible link. Further, we’ve seen this type of site format appear across other studies and brand audits recently as well.


How Well Are Canada’s Top Brands Protecting Themselves from Cybersquatting?

Traffic has always been a strong indicator of value because so many domains get registered that have no impact on the brand, and this must be considered when deciding which infringing domains to do something about. It is more tolerable when a third party owns a non-trafficked domain, but it sends a clear signal to brands to do something about it when an infringing domain is also trafficked. As we found in the 2016 Cyber Monday study, third parties own more trafficked typos than the brands do themselves.

In the case of Canada’s top brands, we estimate that only 101 monthly visitors are accidentally landing on domains owned by the brands and 63,660 monthly visitors, or 630 times the number of internet users, are ending up on illegitimate websites.

This is when we look at the top Canadian brands and judge which ones are doing the best job of protecting their brands and their customers, and which are not.

Based on the number of typographical-variant domains owned by third parties and serving illegitimate content, the most maliciously-targeted audiences are those of Scotiabank, WestJet, Telus and Roots:

Based on the number of typographical-variant domains owned by the brand owner, TD Bank and Canadian Tire are putting forth the greatest effort to protect their brands and audiences from message thieves online:

It is clear that TD Bank (27 owned) and Canadian Tire (23 owned) are making the best effort to ward off cybersquatting, brand dilution, and customer harm even though third parties are still targeting their audiences and holding numerous typographical variations of these brands.

According to our data, Scotiabank is doing the worst job of protecting their image and customers with 62 un-owned typos and just 1 owned typo. Furthermore, 28 of the typo domains Scotiabank doesn’t own are hosting Fast Flux DNS, frequently malware-, ransomware-, and phishing-related websites.

Great-West Life, Canada Goose, IMAX, Roots, Telus and others are not too far behind with zero-owned typographic variations of their brands in .COM and .CA.



Canada’s top brands, like the rest of the world’s top brands and their consumers, are under assault by domain infringers who are possibly unaware of the damage they are causing by using domain names to earn a buck (or Loonie) and expose audiences to scams and fraud.

With cybersquatters’ noticeable pivot from PPC to the more-dangerous and brand-eroding Fast Flux DNS with malware/ransomware/phishing as their preferred platform for domain monetization, brands should pay closer attention to typosquatting and cybersquatting.

While FairWinds recommends triaging through quantification of harm, namely prioritizing domains with measurable traffic, it is time to also consider backing policy solutions and industry groups that discourage cybersquatting and target platforms, such as services offering commissions to domain owners who enroll their names in schemes like Fast Flux DNS and are enabling these more malicious forms of domain portfolio monetization.

Beyond the Dot 2017: San Francisco



8:30am – 9:00am


9:00am – 9:10am
Overview & Introductions


9:10am – 9:55am
Fact or Fiction: The Reality of gTLDs and SEO
Andrea Fuller, Fuller Digital Strategy
Taylor Frank, FairWinds Partners


9:55am – 10:40am
ICANN Redefined: New gTLD Round in 2019?
Samantha Demetriou, FairWinds Partners


10:40am – 11:00am


11:00am – 11:30am
Draining the Swamp: Domain Name Management in the Trump Era
Josh Bourne, FairWinds Partners
Steve Levy, FairWinds Partners

How to Pick a Domain Name for Your Startup and Why It Matters

Here at FairWinds, we receive dozens of requests a month to anonymously acquire domains. Most of these requests come from our pre-existing clients, who are, in the main, multibillion-dollar public and private enterprises. However, we have steadily been performing more work for pre-launch startups, smaller up-and-coming companies, and “unicorns,” or new ventures worth over $1 billion.

The more we have worked with startups of all kinds, the more we have noticed they have some unique needs—and challenges—related to domain names. This is more important than many founders realize, and so, at the suggestion of one seed venture capital firm familiar with our work, we’re offering here some tips to the startup community regarding branding and domain names that would be helpful.


How to Pick a Domain Name for Startups

What we have learned from buying names for well-known companies as well as for post-launch new brands is that it is hard to get a good price for the exact-match company name in a .COM. This shouldn’t be a surprising finding, but so many companies are taking the wrong approach to how to pick a domain name, and that is more unexpected and problematic.

Consider the Flickr/ case. We don’t know why, but the creators of Flickr, now owned by Yahoo!, chose a non-intuitive spelling for their company name. This was perhaps due to domain name availability issues, or perhaps due to naming preferences on the part of Flickr founders. But, as a result of this decision—and the resulting consumer confusion regarding the company’s domain name—Yahoo! endured quite a legal saga in acquiring the more intuitive, eventually winning it back from a China-based registrant. They now have in place a redirect system, which reorients consumer typos, from to

Either because of limited availability of attractive .COM names, or because of a need for trademark-supportive brand names, we’ve seen an alarming increase in popularity of this longstanding ‘fad’ of intentional misspellings, whether on the left side of the dot, as in Flickr, or on the right side, as explained below.


How ccTLDs Factor Into How to Pick a Domain Name

Certain domain name extensions are popular in Silicon Valley and elsewhere these days. For example, those ending in:

  • .VC,
  • .CO,
  • .IO, and
  • .AI.

They may seem like harmless, even ideal, choices given their relatively cheap prices, but we’ve found that in the long run they can become useless or challenging for businesses that have large consumer bases. Furthermore, there may be security concerns as registry safeguards vary from ccTLD to ccTLD.

All of the above-mentioned extensions are ccTLDs, representing, respectively:

  • St. Vincent and the Grenadines,
  • Colombia,
  • the British Indian Ocean Territory, and
  • Anguilla.

As such, they are unusual to the average internet user, but that shouldn’t be the standard when it comes to how to pick a domain name for your startup.

Many people still expect to reach a company website by typing in the company name followed by .COM, and sooner or later, once-startups invariably purchase the more expensive, more intuitive .COM domains that match their company name.


Examples of Startups That Made Costly Mistakes By Picking a ccTLD

  1. Startup baby registry site recently moved over to after having launched its business at .ST, the ccTLD for São Tomé and Príncipe. While it’s not clear how much they paid for the latter, we reckon it wasn’t cheap. This is a cost they would not have had to incur if they had known from the beginning how to pick a domain name.
  2. Artificial intelligence-backed company is using an exact match domain name (“”), but does not own While a clever use of the ccTLD for Anguilla to represent “artificial intelligence”, it’s also highly unintuitive to the average internet user. We won’t be surprised if acquires the matching .COM name in due course.


The Waiting Game For The Right Name

Buying the right name up front can mean a big investment for a startup with limited capital.  Over 90% of Fortune’s 2016 Unicorns now own their company name in .COM.

Whether it’s Uber, which started out with, or Airbnb, which started out at, purchasing the best fit .COM domain for your company name costs money. As a result, both of these noted unicorns waited until after their first funding series in the tens of millions of dollars to purchase their current domain names, and

Indeed, waiting until a business has grown and become well-known to try to buy the likely already-in-use .COM equivalent can be excruciatingly costly and difficult.  While new TLDs like .XYZ and ccTLDs like .ST can, at least in the short-term, be viable and catchy, we’re not suggesting that startups do as Babylist did; neither would we recommend the strategies of Uber or Airbnb. If you think you’re going to want to use a .COM domain eventually because it is most familiar to the general public and you can’t afford the best match .COM today, or if the .COM is in use in a significant enough way that it may never be for sale, it might be most strategic to rethink your brand name.

Other extensions, misspellings, and permutations of your brand name are also a good idea to buy up front, but don’t go overboard.

Pinterest did not register typo variants of its name from the beginning, and a few years ago was awarded dozens of these typo domain names from a Chinese cybersquatter, along with $7.2 million in damages and legal fees. (While impressive, this was about $5 million less than they had sought for their trouble.)

An expert can help you choose a limited set of domains that are likely to be useful to the company and likely to cause problems if not owned. For instance, if you were to tell me that international expansion is in your business plans, then I would advise you to acquire the appropriate ccTLDs right away. You can always add more as you gain confidence that the current business plan is going to be a hit, but don’t doubt that cybersquatters and others will not miss the chance to register your domain and, since you probably won’t yet have a global trademark portfolio, you generally will be left without a remedy to recover those names later, other than negotiating an expensive purchase.


How To Pick a Domain Name for The Long-Haul

Startups have much to think about in the pre-launch process when they are focused on developing their products and services and stretched tight financially, but in this day and age, when domain names are your storefront and interface between a world of potential consumers, it is important to remember to pick a domain that will be of value as your business grows, even if that means tweaking your company name before you emerge out of stealth mode.