Online Fraud: The Not-So-Subtle Menace of Brandjacking

Regardless of the size of a business, the level of consumer confidence and trust in its brand is critical, especially on the Internet, where a company's reputation is often in direct correlation to its share of the market. So says Portland, Oregon-based iovation, Inc., when referring to recent studies that found consumers bought more from online sellers with a good brand reputation. Brand confidence is so compelling that customers are increasingly willing to buy from unproven sources in order to obtain discounted rates on their favorite brands. Unfortunately, this loyalty has led to a counterfeit pandemic that includes everything from stocks and bonds to dangerous, uncertified pharmaceuticals.

What is Brandjacking?

Brandjacking, as defined by MarkMonitor, Inc., is the criminal act of hijacking strong brands for profit. Brandjackers know the rules of online marketing and are exploiting them to their own advantage, at the expense of the true brand owners. As a result, brand owners constantly face threats to their reputations, customer relationships, and, ultimately, their revenues.

In order to shed light on the brandjacking phenomenon, MarkMonitor created the Brandjacking Index, a quarterly report that measures the effect of online threats to brands. In its Q1 2007 Brandjacking Index, the company found over 286,000 instances of cybersquatting, the practice of registering, trafficking in, or using a domain name with bad-faith intent to profit from the goodwill of a legitimate trademark. The study found that both traditional and Internet-based media are especially attractive targets, drawing 31 percent of brand abuse. Since these brands' Web properties are some of the most heavily trafficked Internet sites, they draw the most abuse in the form of cybersquatting and false associations, resulting in lost revenue and wasted advertising costs. "Media is unsurprisingly one of the largest targets for brand abuse," said John LaCour, director of product management for antiphishing solutions at MarkMonitor.

The study also found that phishing continues to be a significant problem, with a 104 percent jump in annual attacks in Q1-07. Phishers actively avoided browser-based consumer protection technology, as evidenced by the more than 300,000 unique URLs used in phishing attacks. The findings suggest that brandjackers employ elaborate, multi-pronged assaults on the most recognized companies and their associated brands.

Brandjacking and Phishing

In 2006 the Anti-Phishing Working Group (APWG) reported more than 200,000 unique phishing websites set up to attack unsuspecting consumers. "In the online environment, brandjacking is perpetrated through phishing," says Jon Karl, founder and vice president of business development for iovation. "Financial institutions and major eCommerce sites are often the primary victims. Customers are lured to fake sites where they provide their login credentials. It is difficult to determine if these sites are real or bogus, unless the site has provided some form of authentication that allows the consumer to lock their account."

Richi Jennings, lead analyst of email security practice for Ferris Research, notes that phishers target businesses of all sizes. "While indiscriminate, bulk attacks work best against large targets (e.g. Bank of America), more targeted attacks can get results against smaller targets."

iovation offers solutions to help online businesses protect their customers and their own brand's reputation from abusive behavior. According to Karl, fraud is any form of abusive behavior and can include consumer credit and eCommerce fraud, identity theft, and click fraud. Click fraud is a type of Internet crime that occurs when a person, automated script, or computer program imitates a legitimate user clicking on an online ad for the purpose of generating a charge per click, without having any real interest in the site, products, or services. Click fraud abuse has become so prevalent that it is the subject of increasing litigation and has become a felony in many jurisdictions. For example, in California it is covered by Penal Code 502, and in the United Kingdom by the Computer Misuse Act 1990.

Aimed at preserving sender reputation, iovation offers ReputationManager, a solution that combines iovation's device identification and reputation management platform designed to protect online businesses against fraud and abuse. ReputationManager exposes criminals by uncovering hidden associations, such as multiple devices accessing a common account or a single device used to access multiple accounts. Once these associations are uncovered, if a device or account is flagged as engaging in fraudulent activity, all associated devices and accounts are flagged. Once a device has been associated with fraud or abuse in iovation's system, it is blacklisted.
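The association flagging described above can be sketched as connected components over login events. This is an added example, not iovation's code: the event format, the account and device names, and the choice to propagate flags transitively through a union-find structure are all assumptions.

```python
# Constructed sample login events as (account, device_id); all names are hypothetical.
EVENTS = [
    ("alice", "dev-1"),
    ("alice", "dev-2"),   # multiple devices accessing a common account
    ("bob", "dev-2"),     # a single device used to access multiple accounts
    ("carol", "dev-3"),
    ("dave", "dev-3"),
    ("erin", "dev-4"),
]

class Associations:
    """Union-find over account and device nodes that share a login event."""

    def __init__(self):
        self.parent = {}

    def _find(self, node):
        self.parent.setdefault(node, node)
        root = node
        while self.parent[root] != root:
            root = self.parent[root]
        while self.parent[node] != root:          # path compression
            self.parent[node], node = root, self.parent[node]
        return root

    def link(self, account, device):
        a = self._find(("account", account))
        d = self._find(("device", device))
        if a != d:
            self.parent[a] = d

    def cluster(self, kind, name):
        root = self._find((kind, name))
        return {n for n in list(self.parent) if self._find(n) == root}

def flag_associated(events, fraud_devices):
    """Return (accounts, devices) that share a cluster with a reported device."""
    graph = Associations()
    for account, device in events:
        graph.link(account, device)
    flagged = set()
    for device in fraud_devices:
        flagged |= graph.cluster("device", device)
    accounts = sorted(name for kind, name in flagged if kind == "account")
    devices = sorted(name for kind, name in flagged if kind == "device")
    return accounts, devices

if __name__ == "__main__":
    print(flag_associated(EVENTS, {"dev-1"}))
```

Reporting `dev-1` also flags `bob`, who never touched that device, which is why a shared machine in the event data can pull unrelated accounts into a flagged cluster.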

Karl believes that consumers care a great deal about buying from reputable sources with honorable reputations, noting that companies worldwide need to implement effective solutions to preserve them. He adds, "Providing a solution that gives consumers this assurance is needed. Organizations outside of the U.S. have long known the importance of this type of technology, but recently, interest in the U.S. is picking up, which is very good news for consumers. I think this is an indicator that organizations across the board are beginning to connect the dots with protecting both consumers and the reputations of their brands."

Threat vs. Response

MarkMonitor believes that successful brand protection requires a broad-based approach as opposed to piecemeal solutions. "The growing scale and diversity of Internet exploits requires an integrated, end-to-end full lifecycle approach to online brand protection management," explains LaCour, who ranks the following as key to online fraud prevention:

Jennings explains that managing domain names is about much more than securing the .com associated with an organization. He points to the Domain Assurance Council (DAC), a trade body representing organizations that certify or accredit email sending organizations and customers of those organizations. Examples of such organizations include Habeas Inc. and Goodmail Systems, whose customers are typically ISPs and spam control technology vendors.

The standard developed by DAC will be known as Vouch By Reference (VBR). Using VBR, a receiving system would be able to look up the domain of the sender and decide if it wishes to receive an incoming message. As Jennings explains, VBR could also allow organizations within vertical industries to vouch for other organizations in the same industry (e.g., the pharmaceutical industry). The theory is that organizations in vertical markets know each other so that if one is sending spam, then its competitors are likely the first to find out about it. VBR will create a market for organizations that vouch for domains, allowing its members to compete with minimum friction. "That's because VBR will also allow customers to switch providers, i.e., there will be no lock-in to a proprietary provider," Jennings concludes.

Brand Protection

According to MarkMonitor, a successful brand protection program requires that companies establish strong identity ownership rights globally; monitor broadly for brand abuse across all Internet media; implement solutions that detect and prioritize the most serious abuse; and respond rapidly, appropriately and cost-effectively to each type of abuse. MarkMonitor's suite of online brand protection solutions is designed to automate the workflow and assist corporations in creating, monitoring, and protecting their brands wherever they may appear on the Internet.

LaCour points out that the best and most frequently updated vendor solutions will offer a level of defense against online crime. The sheer number of avenues available for exploitation shows that brand often puts criminals ahead in the game of threat vs. response. Because brandjackers find the economic incentives to target large companies are substantial, LaCour believes, "Brand owners have to rely on themselves for enforcement, because regulation by government and non-governmental organizations is insufficient to protect companies and their customers."

Larry Clinton, president of the Internet Security Alliance (ISA), adds that technology alone will not solve our online woes and feels that it all begins with making online crime unattractive to criminals. "Technology is not enough to bring security and trust to electronic transactions. We need good global laws and regulations. Criminals need to know they can be extradited from any country where they break the law. For global e-commerce to flourish, we need to know that the availability and integrity of information provided by businesses is maintained at the highest levels, no matter where it's created." MB/TMP

Four Tips to Combat Online Fraud

  1. Have an online marketing policy. Organizations should implement online marketing and channel initiatives in a consistent manner to enforce the brand and help expose brand abuses. These policies should also be communicated to and enforced with business partners.
  2. Have a clear and consistent domain name strategy. Implement defensive domain name registrations to prevent improper use. Register obvious variations of your company and/or brand name. For example: paypal-service, paypal_support, apple_store, appleitunes, etc.
  3. Protect the email channel. Implement a solution such as DomainKeys Identified Mail (DKIM) and/or Sender ID. This will mitigate phishing and unauthorized email solicitations.
  4. Within the organization, establish a program and function dedicated to combating online fraud. The program should include proactive detection of fraud and appropriate response plans. MB/TMP

Source: MarkMonitor
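The domain name strategy in tip 2 pairs naturally with monitoring for variations someone else has registered. The sketch below is an added example, not MarkMonitor's method: the brand list reuses the tip's own examples, while the owned-domain list, the observed domains, the match categories and the edit-distance threshold of 1 are assumptions.

```python
import re

BRANDS = ("paypal", "apple")                    # labels from the tip's own examples
OWNED = frozenset({"paypal.com", "apple.com"})  # assumed: domains the brand owners hold

# Constructed sample of observed registrations; not real data.
OBSERVED = ["paypal-service.com", "apple_store.net", "appleitunes.net",
            "paypa1.com", "paypal.com", "pineapple.org", "example.org"]

def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain, brands=BRANDS, owned=OWNED):
    """Return (brand, reason) when a domain resembles a protected brand, else None."""
    name = domain.lower().rstrip(".")
    if name in owned:
        return None
    parts = name.split(".")
    label = parts[-2] if len(parts) > 1 else parts[0]  # assumes a single-label TLD
    for brand in brands:
        if label == brand:
            return brand, "same label, other TLD"
        if brand in re.split(r"[-_]", label):
            return brand, "affix"        # e.g. brand plus "-service"
        if brand in label:
            return brand, "embedded"     # brand inside a longer word
        if levenshtein(label, brand) <= 1:
            return brand, "typo"
    return None

def scan(domains):
    """Map each suspicious domain to its (brand, reason) finding."""
    return {d: hit for d in domains if (hit := classify(d))}

if __name__ == "__main__":
    for domain, finding in scan(OBSERVED).items():
        print(domain, finding)
```

The constructed `pineapple.org` entry is reported as an embedded match for `apple`, so findings of that kind need review before any enforcement action.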

Protecting Your Business Against Online Fraud: Things to Know

Successful brand protection requires constant care. "Given ever-changing online fraud techniques, staying ahead of fraudsters without impacting legitimate customers can be an on-going challenge," warns Jon Karl, founder and vice president of business development for iovation. When using device identification and reputation technologies to fight online fraud, Karl believes that organizations should ask the following questions: