
Where Will Your Lost Cybertourists End Up? Protect Your Domain Name -- Protect Your Customers

by Sam Ott, Esq.

Action recently taken by the Federal Trade Commission brings into sharp focus the wisdom of the warning bank regulators transmitted to financial institutions last year urging them to protect their domain names. On September 25, 2001, the FTC obtained a Temporary Restraining Order in federal district court against a cyberscammer who had devised a scheme to take advantage of consumers who were attempting to access Web sites and redirect them to his sites.

By registering over 5,500 copycat domain names, the scammer was counting on cybertourists mistakenly typing in the wrong URL or making typographical errors as they sought to visit legitimate Web sites. Capitalizing on common typos and wrong guesses consumers might make in trying to reach certain popular domains, he was able to divert surfers to his own Web sites, where he could then make big bucks by exposing them to ads for Internet gambling and pornography.

Using a special coding technique known as "mousetrapping", the man was able to ensnare hapless surfers in a seemingly never-ending series of Web pages and pop-up browser windows, making it virtually impossible for them to close the windows, return to the previous page, or exit the site. In some instances over 20 pop-up windows would appear in a rapid sequence, and clicking the "back" or "close" buttons activated new pop-up windows.

The FTC reported the defendant's sites contained a "stealth" feature that was hidden under the task bar, making it invisible to consumers. ". . . The stealth page contains no content. Instead, its sole function is to act as a timer, periodically launching additional pages of advertisements, without any action by consumers. Thus, even as consumers struggle to escape defendant's multi-window mousetrapping scheme, more windows launch automatically," FTC documents say.

While the FTC has now shut down this particular offender as part of Operation Cupcake, there are others using similar tactics, and your institution's customers could fall prey to this abuse on their way to your site if you don't take sufficient precautions to guard against it by properly protecting your domain name.

The FDIC issued a guidance letter and the OCC issued an alert that outlined the need for banks to protect their domain names and suggested specific ways institutions could protect their sites and their customers.

Let's face it -- the domain names of many financial institutions are not intuitive and may not match the real name of the institution. If you missed the great cyberspace land run, you probably had to settle for some variation of the domain name you really wanted. Does your name use a hyphen, an underscore, an unnatural abbreviation? Is it a dot net in a sea of dot coms? Have customers informed you that they have erroneously reached some other site when trying to access yours? Are there common misspellings, typos, or wrong guesses about what your domain name would be?

Go on a fact-finding mission to determine what domain names members of the public may type in when attempting to reach your site. Investigate who owns them. If they're available, consider purchasing them just to protect against cybersquatters with confusingly similar addresses.

Even if your exact name is registered as your domain name, many customers may attempt to access your site using a nickname or trade name used in an advertising campaign. Some, who unwittingly end up taking a wrong turn on the Internet superhighway, may not even realize they've reached the wrong destination and may mistakenly believe the site they've reached belongs to you. If its content is sexually graphic or offensive, that negatively impacts your reputation. If the customer is mousetrapped, they won't be happy about it.

Even worse, the regulators warn about con artists who register copycat domains, then construct a Web page that is almost identical to your real site. A customer viewing the bogus site could be misled into believing they're on your site and could be tricked into inputting their user name and password in an attempt to log in to your online services. Once the bogus site captures your customers' confidential log-in data, it could display a message indicating the service was currently down for updating, and ask the customer to click a particular link to try again. This time, the link takes them to your real site. The customer logs in successfully, oblivious to the deception that has taken place.

The regulators' guidance referenced above provides suggestions regarding ways a bank can police its domain name and guard against such activity. They include:

  • regularly check similar names and Web addresses to make sure no attempts are being made to mislead your customers;
  • conduct "brainstorming" sessions in-house to come up with as many copycat domain names as possible. Check the registration information for each of those domain names and consider registering those that are available;
  • remind your customers of your correct domain name in statement stuffers and other correspondence;
  • set up a tickler system to ensure your domain name is renewed on a timely basis;
  • if a third-party server is used to maintain your Web site, utilize security features to ensure no unauthorized changes are made that could result in the misdirection of Internet traffic or obstruction of access to your site.
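The fact-finding mission described earlier (work out what the public might type, then find out who holds each name) and the in-house brainstorming step above can be made systematic. The following Python script is an added example, not code from the article or from the regulators' guidance: it generates typo variants of a domain (dropped characters, which also covers a dropped hyphen; swapped, doubled and adjacent-key slips; and alternative endings such as .net for .com), merges in any hand-brainstormed nicknames or trade names, and classifies each candidate as available, already yours, or registered to someone else. The domain examplebank.com, the organization name, the `lookup` hook and the registry contents are constructed assumptions for illustration; in a real audit the hook would wrap a WHOIS or RDAP query.

```python
"""Copycat-domain audit: enumerate typo and wrong-guess variants of a bank's
domain name and classify each by its registration status.

Added example, not code from the article or the regulators' guidance. The
domain "examplebank.com", the organization name and the registry contents
below are constructed for illustration.
"""
from typing import Callable, Dict, Iterable, Optional, Set

# Keys physically adjacent on a QWERTY keyboard, used for "fat-finger" typos.
KEYBOARD_NEIGHBORS: Dict[str, str] = {
    "a": "qwsz", "b": "vghn", "c": "xdfv", "d": "serfcx", "e": "wsdr",
    "f": "drtgvc", "g": "ftyhbv", "h": "gyujnb", "i": "ujko", "j": "huikmn",
    "k": "jiolm", "l": "kop", "m": "njk", "n": "bhjm", "o": "iklp",
    "p": "ol", "q": "wa", "r": "edft", "s": "awedxz", "t": "rfgy",
    "u": "yhji", "v": "cfgb", "w": "qase", "x": "zsdc", "y": "tghu", "z": "asx",
}

# Endings a customer might guess instead of the real one ("a dot net in a
# sea of dot coms").
TLDS = ("com", "net", "org", "biz", "info")


def typo_variants(domain: str) -> Set[str]:
    """Return candidate copycat names for `domain`, e.g. "examplebank.com".

    Covers single-character omissions (which also drops a hyphen), adjacent
    transpositions, doubled characters, adjacent-key substitutions and
    alternative top-level domains. Nicknames and abbreviations cannot be
    derived mechanically; pass those to audit() as extra_guesses.
    """
    label, _, tld = domain.lower().rpartition(".")
    labels: Set[str] = set()
    for i in range(len(label)):
        labels.add(label[:i] + label[i + 1:])                  # omission
        labels.add(label[:i] + label[i] * 2 + label[i + 1:])   # doubled key
        for key in KEYBOARD_NEIGHBORS.get(label[i], ""):
            labels.add(label[:i] + key + label[i + 1:])        # neighbouring key
    for i in range(len(label) - 1):
        labels.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])  # swap
    labels.discard(label)
    # A DNS label may not begin or end with a hyphen; drop such leftovers.
    names = {f"{v}.{tld}" for v in labels
             if v and not v.startswith("-") and not v.endswith("-")}
    names |= {f"{label}.{t}" for t in TLDS if t != tld}
    return names


def audit(domain: str, our_org: str, lookup: Callable[[str], Optional[str]],
          extra_guesses: Iterable[str] = ()) -> Dict[str, list]:
    """Classify every candidate as available, owned_by_us or registered_elsewhere.

    `lookup(name)` must return the registrant's name, or None when the name
    is unregistered. It is an assumed hook: a real deployment would back it
    with a WHOIS/RDAP client. Names registered elsewhere are reported with
    their registrant so staff can judge whether the holder is a concern.
    """
    candidates = typo_variants(domain) | {g.lower() for g in extra_guesses}
    candidates.discard(domain.lower())
    report: Dict[str, list] = {"available": [], "owned_by_us": [],
                               "registered_elsewhere": []}
    for name in sorted(candidates):
        owner = lookup(name)
        if owner is None:
            report["available"].append(name)
        elif owner.lower() == our_org.lower():
            report["owned_by_us"].append(name)
        else:
            report["registered_elsewhere"].append((name, owner))
    return report


# Constructed registry standing in for live WHOIS data (not real records).
CONSTRUCTED_REGISTRY: Dict[str, str] = {
    "examplebank.net": "Example Bank",
    "examplebank-online.com": "Example Bank",
    "exampelbank.com": "Unrelated Registrant LLC",
    "exmaplebank.com": "Parked Domains Inc",
}


def constructed_lookup(name: str) -> Optional[str]:
    """Offline stand-in for a WHOIS/RDAP lookup against the constructed registry."""
    return CONSTRUCTED_REGISTRY.get(name)


if __name__ == "__main__":
    result = audit("examplebank.com", "Example Bank", constructed_lookup,
                   extra_guesses=["examplebank-online.com"])
    for bucket, names in result.items():
        print(f"{bucket}: {len(names)}")
        for entry in names:
            print("   ", entry)
```

The "available" bucket is the list to take into the purchasing decision; the "registered_elsewhere" bucket, with its registrant names, is the list to re-run on a schedule and inspect for sites that imitate your own. Mechanical variants do not cover the nickname and advertising-campaign guesses the article warns about, which is why the brainstorming output is fed in separately through `extra_guesses`.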

Update: The FTC announced 5/24/02 that by order of a U.S. District Court, John Zuccarini has been permanently barred from diverting or obstructing Internet consumers and launching Web sites or pages that belong to unrelated parties. In addition, he was ordered to pay back over $1.8 million and allow the government to monitor his compliance with the ban.

First published on 05/24/2002
