Combatting Homographic Attacks on Domain Names

May 28, 2007

What are Homograph Attacks?


There are two types of homograph attacks. The first exploits similarities in the representation of characters, e.g. ‘google’ and ‘g00gle’.


The second type is possible as a result of how the computer, or more specifically the web browser and the systems it relies on, resolves ‘IDNs’ (Internationalised Domain Names). IDNs are domain/host names that can be represented by both ASCII (American Standard Code for Information Interchange, the underlying character set of the Internet, which provides a code for each letter of the Latin alphabet) and non-ASCII characters. Domain names can therefore contain characters from non-Latin scripts such as Arabic or Chinese. When a browser identifies an IDN containing non-ASCII characters in the address bar, it is required to convert those characters into a special encoding that uses only standard ASCII characters before the name is looked up.


This second type of attack was discovered by a security research group which registered the domain name ‘pàypal.com’, a well-known domain name which apparently was already owned by eBay. They were able to do this because the second letter ‘à’ was a Cyrillic character rather than a Latin one. The two characters look virtually identical, and the computer displays them as such on screen.


Consider another example – Business A holds a trade mark in the UK for the name ‘Boult Wade Tennant’ and has a website www.boultwadetennant.com. B has registered www.boultwadetennant.ru in Russia. B’s second level domain name consists of two ‘a’ characters from the Cyrillic alphabet as opposed to the Latin alphabet.


Although the computer identifies the two domain names above as different, a user could easily confuse business A with business B, because the domain names look virtually identical even though they are not.
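The conversion described above, as an added example (not code from the article or its authors): the browser turns each label containing non-ASCII characters into an ASCII-only ‘xn--’ (punycode) label before the DNS lookup, which is why the computer sees the Latin and Cyrillic versions as different names. The sample domains are constructed for the example, using the article's ‘Boult Wade Tennant’ names with two Cyrillic ‘a’ characters, and the mixed-script check is a common defender-side heuristic: a single label that mixes Latin and Cyrillic letters is the classic homograph signal. A look-alike written entirely in one non-Latin script would need a full confusables table rather than this check.

```python
"""Added example: how a resolver sees an IDN, and a label-level mixed-script check.
Not from the original article; uses only Python's standard library."""
import unicodedata

# Constructed sample names. "\u0430" is CYRILLIC SMALL LETTER A, which renders
# almost identically to the Latin "a" (U+0061).
LATIN_DOMAIN = "www.boultwadetennant.com"
LOOKALIKE_DOMAIN = "www.boultw\u0430detenn\u0430nt.ru"   # two Cyrillic a's, as in the article


def to_ascii(domain: str) -> str:
    """The conversion the browser performs before a DNS lookup: each label with
    non-ASCII characters becomes an ASCII-only 'xn--' (punycode) label."""
    return domain.encode("idna").decode("ascii")


def script_of(ch: str) -> str:
    """Writing system of one character, taken from its Unicode name
    ('CYRILLIC SMALL LETTER A' -> 'Cyrillic'). Digits, dots and hyphens are 'Common'."""
    if ch.isascii():
        return "Latin" if ch.isalpha() else "Common"
    try:
        return unicodedata.name(ch).split()[0].title()
    except ValueError:
        return "Unknown"  # unassigned code point


def label_scripts(label: str) -> set:
    """Scripts used by the letters of one label, ignoring script-neutral characters."""
    return {script_of(c) for c in label} - {"Common"}


def analyse(domain: str) -> dict:
    """Per-label view a defender wants: the ASCII form that DNS actually resolves,
    the scripts each label uses, and whether any label mixes scripts."""
    labels = []
    for label in domain.lower().split("."):
        scripts = label_scripts(label)
        labels.append({
            "label": label,
            "ascii": to_ascii(label) if label else "",
            "scripts": sorted(scripts),
            "mixed_script": len(scripts) > 1,
        })
    return {
        "unicode": domain,
        "ascii": to_ascii(domain),
        "labels": labels,
        "suspicious": any(item["mixed_script"] for item in labels),
    }


if __name__ == "__main__":
    for name in (LATIN_DOMAIN, LOOKALIKE_DOMAIN):
        result = analyse(name)
        print(f"{result['unicode']:30} -> {result['ascii']:42} suspicious={result['suspicious']}")
```

Running the block prints the two names side by side: the Latin one is unchanged, while the Cyrillic look-alike resolves under an ‘xn--’ label and is flagged because its second-level label mixes two scripts. The same check applied to the research group's ‘paypal’ example with a Cyrillic ‘a’ gives the ASCII form ‘xn--pypal-4ve.com’.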


This can allow domain name registrants to use homographic domain names as instruments of fraud to gather passwords and other personal information from unsuspecting users. There are also potentially serious problems from an intellectual property point of view.


So what can be done?


Trade Mark Infringement and Passing Off


Using the example above, if A can show that B’s business is targeted towards the UK market, then A would be able to bring trade mark infringement or passing off proceedings against B to prevent B’s continued use of the confusingly similar or visually identical domain name.


What if B’s Web site were aimed at Russia only? Would A be able to bring proceedings for trade mark infringement or passing off against B in the UK?


Three cases help to answer this question. In the earliest of the three, Mecklermedia Corporation v D.C. Congress [1997] FSR 627, the court held that liability for passing off in the UK could not be avoided by operating a Web site from outside the jurisdiction although the defendant was organising trade shows to be held in Germany and Austria and not in the UK. 


By contrast, in 1-800 Flowers Inc v Phonenames Ltd [2001] EWCA Civ 721 and Euromarket Designs v Peters and Crate & Barrel [2001] FSR 288, Web sites based in the US and Eire respectively which were not directed at the UK were held not to amount to trade mark use of the relevant marks in the UK. 


A would therefore be successful against B only if it could show that B’s business was directed towards the UK. In an action against B, some initial questions would include:


• Are B’s goods/services identical/similar to A’s?
• Is the marketing target for B in Russia or is it wider than that?
• In what language is the text on the website written?
• Can B accept enquiries from the UK?
• Does B ship goods to the UK?
• Does B have a place of business in the UK?
• Does B advertise in the UK?


For B, it would be prudent, before choosing a domain name, to check whether any domain names matching the ASCII representation of its intended name already exist. If such a site does exist, in our example belonging to A, B should make clear the boundaries of its activities, for example by stating that its market is Russia only and that its Web site is not intended for non-Russian consumers, to avoid confusion.


What if www.boultwadetennant.com were owned by A and www.boultwadetennant.com were registered by C using the Cyrillic letter ‘a’? Though the computer recognises without difficulty that the domain names are different, the user would still see the names as identical, opening up opportunities for misrepresentation or even fraud. The law covered above would apply equally in this situation, and as long as C’s business is targeted towards customers in the UK, A could bring an action against C.


Uniform Dispute Resolution Procedure (UDRP)


What could A do to recover the domain name from C? As explained above, it could bring infringement/passing off proceedings against C seeking an injunction and transfer of the domain name. However, this is expensive. A much cheaper route would be for A to rely on the UDRP, which has been adopted by all registrars accredited by ICANN. The UDRP applies to all top level domains. Second level domain names such as .co.uk have their own dispute resolution procedures, which are closely based on the UDRP.


To succeed, A would need to show that:


• C’s domain name is identical or confusingly similar to a trade mark or service mark in which A has rights; and
• C has no rights or legitimate interests in respect of the domain name; and
• C’s domain name has been registered and is being used in bad faith.


The UDRP procedure could be used even where C’s business was not targeted at the UK. If A were successful, an order would be made transferring C’s domain name to A.


Conclusion


Homograph attacks can generally be dealt with through the courts or the UDRP procedure, as can innocently registered domain names used to operate Web sites aimed at the UK. Where a domain name is registered innocently and is used for a Web site which is not aimed at the UK, it may not be quite as easy to deal with the problem, and domain name owners may need to look outside the UK for solutions.


A version of this article first appeared in Trade Mark World.


Carolyn Pepper is a Partner at Reed Smith Richards Butler LLP: CPepper@reedsmith.com.


Emma Pitcher is a Trade Mark Partner at Boult Wade Tennant: epitcher@boult.com.


Milan Joshi is a paralegal in the IP department at Reed Smith Richards Butler: MJoshi@reedsmith.com.


 


How can you check to see if you are subject to a homographic attack?


 


Milan Joshi writes:


 


Currently, the only way, to my knowledge, to check if you are subject to a homograph attack is to physically replace any letters in a domain name with their Cyrillic look-alikes and then test the validity of the site. This is probably because the widespread use of IDNs is a new phenomenon. A search facility may be created by IDN accredited registrars in the coming year for the ability to find ‘an evil twin web site’ within its directories. Nominet, in their consultation document regarding IDNs, have mooted a process where, for example, nestlé.co.uk could be prevented from registration as it is too similar to nestle.co.uk.
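The check described above, as an added example that is not part of the original article: given a label you own, enumerate the variants in which one or more letters are replaced by their Cyrillic look-alikes, together with the ‘xn--’ form each one would be registered and resolved under. The look-alike table is a small, constructed subset of the Unicode confusables data (an assumption for this example; a production monitor would load the full table), and the block does no network lookups: the ASCII forms it returns are what a registrant would look up in WHOIS or DNS as part of routine brand monitoring.

```python
"""Added example (not from the article): enumerate the Cyrillic look-alike
variants of a name you own and the ASCII (punycode) forms they resolve under."""
from itertools import combinations

# Constructed subset of the Unicode confusables table: Latin lowercase letters
# whose Cyrillic counterpart is visually near-identical in most fonts.
CYRILLIC_LOOKALIKES = {
    "a": "\u0430",  # CYRILLIC SMALL LETTER A
    "c": "\u0441",  # CYRILLIC SMALL LETTER ES
    "e": "\u0435",  # CYRILLIC SMALL LETTER IE
    "o": "\u043e",  # CYRILLIC SMALL LETTER O
    "p": "\u0440",  # CYRILLIC SMALL LETTER ER
    "x": "\u0445",  # CYRILLIC SMALL LETTER HA
    "y": "\u0443",  # CYRILLIC SMALL LETTER U
}


def to_ascii(label: str) -> str:
    """Punycode ('xn--') form of one label, as the browser produces it before lookup."""
    return label.encode("idna").decode("ascii")


def lookalike_variants(label: str, max_substitutions: int = 2) -> dict:
    """Map every homograph variant of `label` with up to `max_substitutions`
    letters swapped for their Cyrillic look-alike (plus the variant with every
    eligible letter swapped) to the ASCII form it would resolve under."""
    label = label.lower()
    positions = [i for i, ch in enumerate(label) if ch in CYRILLIC_LOOKALIKES]
    variants = {}

    def swap(indices):
        chars = list(label)
        for i in indices:
            chars[i] = CYRILLIC_LOOKALIKES[chars[i]]
        return "".join(chars)

    for k in range(1, max_substitutions + 1):
        for subset in combinations(positions, k):
            variant = swap(subset)
            variants[variant] = to_ascii(variant)
    if positions:  # the fully substituted form, which no per-label script check flags as mixed
        variant = swap(positions)
        variants[variant] = to_ascii(variant)
    return variants


def watchlist(label: str, tld: str, max_substitutions: int = 2) -> list:
    """Sorted list of the ASCII host names to monitor for `label` under `tld`."""
    return sorted(f"{ascii_label}.{tld}"
                  for ascii_label in lookalike_variants(label, max_substitutions).values())


if __name__ == "__main__":
    # Constructed input: the article's own example name.
    for unicode_form, ascii_form in lookalike_variants("boultwadetennant").items():
        print(f"{unicode_form}  ->  {ascii_form}")
    print(len(watchlist("boultwadetennant", "ru")), "names to monitor")
```

With the default of two substitutions the article's name yields sixteen variants: the five single-letter swaps, the ten two-letter swaps (one of which is the two-Cyrillic-‘a’ name the article describes) and the fully substituted form. Every one of them differs from the genuine name once encoded, which is exactly why the computer tells them apart while a reader does not.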