Giving away the crown jewels

Stuart Fuller

Cybercriminals rarely work in an opportunist way. They will often plan their next move months in advance, looking for vulnerabilities in an organisation's intellectual property strategy and investing in online manipulations to divert legitimate traffic away from the organisation and profit from their digital assets and IP.  In recent months one particular trend has caused unnecessary issues for a number of major brands - the practice of buying expired domain names with existing natural web traffic.

One high profile case this year saw a malicious campaign launched by cybercriminals against popular news and entertainment websites, including BBC, AOL and the New York Times, after gaining ownership of an expired web domain of an advertising company.  Researchers at Trustwave SpiderLabs reported that, the domain name used by hackers to serve up malware, had expired in January and was registered by the cybercriminals in early March.  Buying the domain of a small but legitimate digital advertising company provided the miscreants with high quality traffic from very high traffic web sites that publish their ads directly.

It's not difficult to find domains that are due to be made available for registration after passing through the expiry process that have existing traffic associated with them.  Verisign's Domainscope ( allows anyone to search for domain names with existing DNS traffic based on keywords and rank them according to the traffic volume and then buy it for a few pounds in some instances.  The tool is incredibly useful or organisation's looking to build campaigns using generic keywords, essentially short-cutting some of the traditional digital marketing activities to create and drive traffic to a website.  As we have seen in many instances, cybercriminals use the same methodology as genuine brand holders and that includes the purchase of names that previously belonged to brand holders and has existing traffic.

It is important for any company to review their domain name portfolio on a regular basis not only to ensure every domain is resolving to a live website, even if it's using a redirect but to also ensure any decisions to delete or let lapse domain names are taken with the knowledge that it will not harm the company in the future.  There was an interesting example of this last summer when Heinz allowed the domain name “” to lapse after a competition had closed, which was subsequently purchased by a German adult entertainment company.  The domain name was accessible through both direct type but also by a QR code on their bottles.  Despite the campaign closing, the bottles with the QR codes were still in circulation and started resolving to a pornographic website.

Brand holders need to be part of the solution not the problem when it comes to dealing with cybercriminals.  The creation of a domain policy, with clear processes defined with owners, is essential for all organisations so that all stakeholders understand the criteria to be used to determine whether a domain name should be retained.  That includes ensuring domain names that have value through natural traffic are carefully assessed for any cancellation risks - the cost of recovering a domain name once it has fallen into the wrong hands can be hundreds of times the cost of simply renewing it.