Over the last six years, Business Email Compromise (BEC) attacks have cost global businesses over $12.5 billion, with victims not only in all 50 states but in 150 countries around the world. FBI, Business E-Mail Compromise: The 12 Billion Dollar Scam.

For all of its effectiveness, the scheme is remarkably simple. A fraudster, often using stolen credentials, gains access to a business's email and monitors the traffic. When he spots a financial transaction, the fraudster inserts himself into the conversation often using a typosquatted domain—an email address that looks like the victim business's, but with a small typo, an l instead of an I, a 0 instead of an O. Once in the conversation, the fraudster convinces the party sending the money to transfer it to an account he controls.

That typosquatted—fake—domain is critical to the scheme. Without it, the fraudster would be easily spotted as an interloper in an otherwise legitimate transaction.

The Problem of Fake Domains

The problem of fake domains is not limited to the business world, or BEC. Hacking groups associated with foreign intelligence use fake domains to spread disinformation. Brad Smith, Microsoft, We Are Taking New Steps Against Broadening Threats to Democracy, Aug. 20, 2018. Criminals use them to convince unsuspecting victims to open attachments and download malicious software. The infamous phishing email sent to the DNC, for instance, came from "googlemail.com" rather than "gmail.com". Gregory Krieg and Tal Kopan, Is This the Email That Hacked John Podesta's Account?, CNN (Oct. 30, 2016). Security researchers have found hundreds of thousands of fake domains, including ones designed to resemble Facebook, Twitter, Gucci and, worrisomely, financial institutions. Hackers Are Flooding the Internet With More Fake Domain Names. Here's How You Can Protect Yourself, PBS (Jan. 18, 2018).

Legitimate domain holders have limited weapons in defense. Once a domain is identified, the legitimate owner can request it be taken down based on trademark infringement or fraud. The registrars who control the domains, however, are often hesitant to oblige on the basis of a simple similarity to an existing mark. Rather, they require detailed and technical evidence before they are willing to act. Failing to obtain relief directly from the domain registrar, the aggrieved party can file a Uniform Domain-Name Dispute Resolution Policy (UDRP) arbitration claim against the domain name registrant before an approved dispute resolution service provider. That process, even if uncontested, however, may take months and cost the victim thousands of dollars and valuable lost time.

While the burden rests with the victim of the fraud, the law provides very little recourse against those best placed to detect it in the first place—the domain registrar who registered the domain on behalf of the fraudster.

The Role of the Domain Registrar

For a website or an email address to function properly, it needs a registered domain name, such as "apple.com" or "senate.gov". Anyone can pay a small fee to register a domain that is not already registered to someone else. The non-profit Internet Corporation for Assigned Names and Numbers (ICANN) manages the world-wide domain name system. It, in turn, delegates domain name registration to a large class of for-profit, certified registrars. A fraudster cannot create a fake domain without going through these registrars. They are the first line of defense in preventing malicious domain registrations. Yet they are generally not concerned about the fraud for two important reasons.

First, the business model for domain name registration is built on volume. A domain name in a top-level domain such as .com can be had for less than $10 per year. Large-volume domain name registrants are thus a key revenue source. At the same time, intense price competition squeezes margins, reducing the resources available for anti-fraud and anti-abuse programs. For example, registrars often do not provide a phone number to report fraud or abuse. Such claims are directed to a generic email address or live chat function with little accountability in the conversation. In addition, registrars often place barriers in front of fraud-based takedown requests. For instance, they may require technically cumbersome proof, such as native email files, which many victims are unable to provide because the fraudulent email domain is not targeted at them but at their customers. As a result, there is little economic incentive for domain name registrars to provide a prompt and properly staffed process to take down fake domains.

Second, and more importantly, the domain name registrars are essentially legally immune from monetary damages even if they have a poorly designed and staffed abuse prevention program. In 1999, Lockheed Martin sued Network Solutions Inc. (NSI) alleging that NSI contributorily infringed on Lockheed's mark by registering domain names substantially similar to its own. Lockheed Martin v. Network Solutions, 194 F.3d 980 (9th Cir. 1999). The Ninth Circuit rejected Lockheed's theory, establishing the still existing barrier to legal liability for registering fraudulent domains. Noting that the registrar simply added the infringing domain name to a registration list, the court held that "the infringement does not result from NSI's publication of the domain name list, but from the registrant's use of the name on a web site or other Internet form of communication in connection with goods or services." Id. at 985. The victim's only recourse, according to the court, was against the registrant of the domain names, not the domain name registrar. Domain name registrars can therefore allocate expenses away from fraud prevention programs secure in the knowledge that their legal liability is limited.

The current legal framework thus leaves registrars with little incentive to fight fraud, while simultaneously forcing legitimate domain holders to spend thousands to monitor for fake domains and to litigate to reclaim them. It also creates an artificial market in domain registration for typosquatted domains by incentivizing those with the resources to do so to register every conceivable version of their legitimate domain to prevent fraudsters from doing so themselves. And the benefits of that market flow directly to … the registrars.

A Path Forward

Of the many actors involved in fighting fake domains—the domain registrars, the rights holders, and government authorities—registrars are best placed to stop the fraud. The domain name registrars are capable of spotting much of the fraud before it occurs. They can take reasonable steps to validate the registration information using publicly available databases. They can algorithmically identify new domains that are remarkably close in appearance to those that are already registered using the lists they already maintain. And they can recognize registration patterns—such as a request for a substantial number of domains in a short period of time—that are classic red flags for fraud.

Meanwhile, the policy rationale that may have underpinned the Lockheed decision is no longer present. Domain name registrars are not as critical as they were in 1999. At the time of Lockheed, NSI was the sole registrar for .com, .net and .org. That year NSI gave up its monopoly and competition in the registration market began. Today, ICANN accredits hundreds of registrars. See Descriptions and Contact Information for ICANN-Accredited Registrars. Many of those companies have developed into mature and sophisticated organizations with the resources to help protect the domain registration process.

There are several ways domain owners and the government can work together with the registrars to fight fraud. For instance, ICANN can adopt a "safe harbor" process: once a rights holder makes a prima facie case of fraud, the domain name registrar could be obligated to immediately suspend the domain name unless the registrant makes a probable showing of valid purposes. If the registrars' process to implement the safe harbor is found to be reasonable and fair, then they would not be liable for monetary damages. This regulatory framework is similar to the current "safe harbor" anti-copyright-infringement process provided by the Digital Millennium Copyright Act (DMCA), which went into effect in 2000, shortly after the Lockheed decision. Because cyber fraudsters tend to register domains shortly before using them in fraud, to defeat companies' domain monitoring processes, immediate suspension will be effective in combating many cyber-enabled frauds.

Alternatively, an appropriate body, such as the Federal Trade Commission or ICANN itself, can develop and enforce a "Fake Domains Red Flags Rule" for domain name registrars, similar to the current Red Flags Rule issued under the Fair and Accurate Credit Transactions Act of 2003 (the FACT Act). The FACT Act Red Flags Rule requires "financial institutions" and some "creditors" to have policies and procedures to identify and act on identity theft and related frauds. Indicia of fraud in domain registration, such as false identities, bulk registrations and typo-variants of existing domains, can be easily identified if registrars are similarly obligated to develop and adopt programs to detect them.
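The two registrar-side checks described above (lookalikes of already-registered names, and bulk registration within a short window) can be sketched in code. This is an added illustration, not code from the article or from any registrar; the protected list reuses names the article mentions, the registration log is constructed, and the confusable map (l/I, 1, 0/O, "rn", "vv") and thresholds are assumptions a real program would tune.

```python
from collections import defaultdict

SINGLE = str.maketrans({"1": "l", "i": "l", "0": "o"})  # assumed confusable map

def normalize(label):
    """Lower-case and fold confusables so 'app1e' and 'appIe' compare equal to 'apple'."""
    return label.lower().replace("rn", "m").replace("vv", "w").translate(SINGLE)

def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute), row-by-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def second_level(domain):
    """'apple.com' -> 'apple' (drops only the final label; no public-suffix handling)."""
    return domain.lower().rsplit(".", 1)[0]

def lookalike_score(candidate, protected):
    """Return (nearest protected domain, edit distance) after confusable folding."""
    c = normalize(second_level(candidate))
    return min(((p, levenshtein(c, normalize(second_level(p)))) for p in protected),
               key=lambda pair: pair[1])

def red_flags(registrations, protected, max_distance=1, bulk_threshold=5, window=3600):
    """registrations: (unix_time, registrant_id, domain). Returns {domain: [flag, ...]}."""
    flags, times = defaultdict(list), defaultdict(list)
    exact = {p.lower() for p in protected}
    for ts, who, dom in sorted(registrations):
        if dom.lower() not in exact:  # the rights holder registering its own name is fine
            near, dist = lookalike_score(dom, protected)
            if dist <= max_distance:
                flags[dom].append(f"lookalike of {near} (distance {dist})")
        times[who].append(ts)
        recent = [t for t in times[who] if ts - t <= window]
        if len(recent) >= bulk_threshold:
            flags[dom].append(f"bulk: {len(recent)} registrations by {who} within {window}s")
    return dict(flags)

PROTECTED = ["apple.com", "senate.gov", "gmail.com"]  # names the article itself mentions
SAMPLE = [  # constructed registration log: (unix time, registrant id, requested domain)
    (1000, "r1", "app1e.com"), (1010, "r1", "senale.gov"), (1020, "r2", "bakery-news.com"),
    (1030, "r1", "gmai1.com"), (1040, "r1", "goog1email.com"), (1050, "r1", "senate-gov.com"),
]

if __name__ == "__main__":
    for dom, reasons in red_flags(SAMPLE, PROTECTED).items():
        print(dom, "->", "; ".join(reasons))
```

A production check would also use a public-suffix list and a confusable table covering Unicode scripts, and would treat a flag as a trigger for review or suspension rather than an automatic verdict.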

The 20-year-old Lockheed decision bestowed on the domain name registrars an extraordinary gift: a long period of legal peace. But it also created an unintended consequence in the proliferation of fake domains and a net cybercrime "tax" on society. As Washington weighs different approaches to regulating cyberspace, it is time for a sensible regulatory framework that places some of the burden of fake domains on those best equipped to help combat this basic form of cybercrime.

Max Iori, Douglas B. Bloom and Xinping Zhu are attorneys in the legal department of Morgan Stanley. Douglas Bloom was formerly an Assistant U.S. Attorney for the Southern District of New York.