Proofpoint and Facebook are in court fighting over how to handle the problem of domains that impersonate well-known brands, highlighting the difficulty of distinguishing malicious activity from security awareness training.
Facebook began cracking down on domains that resembled its brands—Facebook, Instagram, and WhatsApp—late last year. The social media giant used a UDRP (Uniform Domain-Name Dispute-Resolution) request to force domain name registrar Namecheap to hand over domains that had names similar to Facebook brands: facbook-login.com, facbook-login.net, instagrarn.ai, instagrarn.net, and instagrarn.org. UDRP is a set of rules established by ICANN to help resolve domain name disagreements without having to go to court.
The domains belonged to security firm Proofpoint, which conducts simulations of phishing campaigns through its subsidiary Wombat Technologies. The simulations use lookalike domains to help users recognize potentially malicious emails as part of corporate security awareness training programs. The phishing awareness training sends employees in the program different types of email messages crafted to resemble real email attacks which would send users to phishing sites or other malicious sites. The simulation messages rely on deceptive domain names to trick users into thinking the messages are legitimate.
Proofpoint countersued Facebook, arguing that intent matters, and that UDRP should be used only for domains registered for malicious purposes. Proofpoint’s use of the Facebook and Instagram lookalike domains "has been in good faith and for a legitimate purpose," the company said in its court filing after a UDRP arbiter sided with Facebook. Proofpoint noted that these lookalike domains don't harm users, since no account credentials are collected and there is no possibility of malicious activity.
Proofpoint said its phishing awareness tests are crucial for the security of its customers, and Facebook indirectly benefits from having users who are able to recognize phishing attacks targeting Facebook and Instagram. Major brands—such as PayPal, Apple, Royal Bank of Canada, LinkedIn, Google, Apple’s iCloud, Bank of America, Dropbox, Amazon, and Instagram—are among the most targeted in attacks using typosquatting and lookalike domains, Palo Alto Networks’ Unit 42 said last fall.
"By using domain names similar to those of well-known companies, Proofpoint is able to execute a more effective training program because the workforce is more likely to learn to distinguish typo-squatted domains, which are commonly abused by bad actors to trick workers, from legitimate domain names," Proofpoint said in its court filing.
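The kind of lookalike names at issue here (a dropped letter in facbook-login.com, the "rn" that reads as "m" in instagrarn.ai) can be flagged mechanically. The following is an added illustration written for this page, not code from Proofpoint or the court filing; the brand list, the homoglyph table and the sample domains are constructed, and the label extraction assumes single-label TLDs.

```python
import re

# Constructed brand list (the three brands named in the dispute).
BRANDS = ("facebook", "instagram", "whatsapp")

# Constructed table of character sequences that render nearly identically.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l"}

def registrable_label(domain: str) -> str:
    """Second-level label, lowercased. Assumes a single-label TLD (.com, .ai)."""
    return domain.lower().rstrip(".").split(".")[-2]

def normalize(label: str) -> str:
    """Collapse visually confusable sequences to the letter they imitate."""
    for seq, rep in HOMOGLYPHS.items():
        label = label.replace(seq, rep)
    return label

def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain: str, brands=BRANDS, max_distance: int = 1):
    """Return (brand, reason) when the domain resembles a brand, else None."""
    label = registrable_label(domain)
    if label in brands:
        return None  # the brand's own registrable domain
    # Check the whole label and each hyphen/underscore-separated token.
    candidates = dict.fromkeys([label] + re.split(r"[-_]", label))
    for tok in candidates:
        norm = normalize(tok)
        for brand in brands:
            if tok == brand:
                return (brand, "brand name embedded in label")
            if norm == brand:
                return (brand, f"homoglyph {tok!r} -> {norm!r}")
            d = levenshtein(norm, brand)
            if d <= max_distance:
                return (brand, f"edit distance {d} from {brand!r}")
    return None

def scan(domains):
    """Map each flagged domain to its (brand, reason); benign ones are omitted."""
    return {d: hit for d in domains if (hit := classify(d))}

if __name__ == "__main__":
    # Constructed sample: the five disputed names plus two benign controls.
    sample = ["facbook-login.com", "facbook-login.net", "instagrarn.ai",
              "instagrarn.net", "instagrarn.org", "facebook.com", "example.com"]
    for dom, (brand, why) in scan(sample).items():
        print(f"{dom:20} -> {brand}: {why}")
```

In a mail gateway or DNS log pipeline the same check would run against observed sender and link domains, with an allowlist for sanctioned simulation domains so training campaigns are not quarantined as attacks.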
Security companies are frequently put in the difficult position of having to justify using the same techniques as criminals and other adversaries in order to improve overall security, whether that is penetration testing, security awareness, or vulnerability hunting. Depending on what the judge decides, the ruling could affect how companies tackle future security awareness training programs centered around phishing and other email-based attacks.
Facebook followed United States trademark law in its initial UDRP request when it noted that Proofpoint’s domains are confusingly similar to its own. Proofpoint responded that users are not confused into thinking the lookalike domains are an official site, because they always see a message identifying the site as belonging to Proofpoint Security Awareness Training. Users are informed that the site they visited is part of a security simulation and that they should not have clicked on the link that brought them to the site.
"Consumer confusion is unlikely because Proofpoint clearly states on the websites to which the Domain Names are pointed: 'Hi! This web site belongs to Proofpoint Security Awareness Training. This domain is used to teach employees how to recognize and avoid phishing attacks,'" Proofpoint said. The message also explains that the phishing simulation was provided by the employer and may use "the name, brand or logo of unaffiliated third parties."
Proofpoint asked a judge to issue a ruling to stop Namecheap from handing the domains over to Facebook within the next ten days and to allow the company to keep using lookalike domain names "in connection with a bona fide offering of goods or services." Proofpoint's request is to have the judge declare that Proofpoint’s domains should not be subject to a classic UDRP seizure request.
That kind of a ruling would benefit other companies providing similar phishing simulations and security awareness programs.