How Cybersquatters Use 'https' to Confuse Internet Users

Cybersquatters may be adding a new trick to their repertoire: including the characters "https" in a domain name to confuse Internet users into believing not only that a website is associated with someone else but also that the website is secure when it is not.

The trick is actually just a variation on a theme.

A History of Tricks Using 'www'

For years, cybersquatters have registered domain names that are identical to a legitimate domain with the addition of "www" at the beginning of the disputed domain name itself (not as a third-level domain that simply forms a part of a URL).

That may sound confusing, so here's a real example that makes it clear: In one of the early cases under the Uniform Domain Name Dispute Resolution Policy (UDRP) that addressed the issue, a cybersquatter registered the domain name <wwwtoysrus.com>, while the (now soon-to-be-defunct) toy company used the different domain name <toysrus.com> -- but, like many trademark owners, operated a website that added "www" as a third-level domain to form, in this case, "www.toysrus.com".

The issue is that the domain name <wwwtoysrus.com> is different from the domain name <toysrus.com> (and the corresponding website at "www.toysrus.com"). So, an Internet user who forgot a period after typing "www" -- as frequently happens -- would be directed to the wrong website, in this case, a gambling website.

In a UDRP decision, a panel said that the domain name "clearly is confusingly similar" to the TOYS "R" US trademark. As a result of the decision, the domain name was transferred to the toy company.

This misleading use of "www" is a common tactic. As of this writing, at WIPO, 542 cases include domain names with "www", and the Forum reports 611 such cases. Recent examples include <wwworacle.com>, <wwwtdbankcardservices.com>, and <wwwschwab.co>. (The Schwab domain includes an additional cybersquatting trick by playing off confusion between the top-level domains ".com" and ".co".)

A New Trick Using 'https'

Now, some cybersquatters are registering domain names that contain "https" to wrongly convince Internet users that they are visiting a secure (and, therefore, presumably safe) website.

As Wikipedia notes, "https" is "an adaptation of the Hypertext Transfer Protocol (HTTP) for secure communication over a computer network" and is used for the "protection of the privacy and integrity of the exchanged data."

Importantly, Wikipedia also says: "Since 2018, HTTPS is used more often on websites than the original non-secure HTTP, primarily to protect page authenticity on all types of websites; secure accounts; and keep user communications, identity, and web browsing private."

As a result of this increasing popularity of the HTTPS protocol, more consumers know to check website addresses to see if they contain the "https" characters at the beginning.

And, as always seems to occur, when a technology thrives, bad actors find a way to exploit it.

That's exactly what happened in a recent UDRP decision.

The case involved the domain name <https-activate-federal-navy-sms.com>, which contains the NAVY FEDERAL trademark owned by Navy Federal Credit Union, a major financial institution. The panel didn't specifically address the fact that the domain name contained "https", but it had no problem concluding that the domain name was confusingly similar to the trademark despite the additional text and characters.

Although the domain name <https-activate-federal-navy-sms.com> was not associated with an active website when Navy Federal Credit Union filed its UDRP complaint, it's easy to see how it could have been used in a deceptive manner.

A few other UDRP decisions in recent years have involved this same tactic, with the domain names <httpstd.com>, <httpstarget.com>, and <httpscapitalone.com>. In each case, the UDRP panel found that the domain name was confusingly similar to the complainant's trademark and ordered a transfer.
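
A defensive check for the pattern described above, as an added example that is not from the original article: it separates a URL's scheme and "www." label from the registered name, then flags names that begin with "https", "http" or "www" followed by a watched brand. The brand list, the function names and the single-label-TLD shortcut are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Tokens that belong in a URL scheme or a separate "www." label, not inside
# the registered name. "http" is retried after "https" so a brand starting
# with "s" is not hidden by the longer match.
TOKENS = ("https", "http", "www")

def registered_label(value):
    """Label immediately left of the TLD. Assumes a single-label TLD such as
    .com or .co; a production check would consult the Public Suffix List."""
    host = urlsplit(value if "//" in value else "//" + value).hostname or ""
    labels = host.rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else ""

def find_prefix_squat(value, brands):
    """Return (token, brand) when the registered label starts with a protocol
    token and the remainder carries a watched brand, else None."""
    label = registered_label(value)
    for token in TOKENS:
        if not label.startswith(token):
            continue
        rest = label[len(token):].lstrip("-")
        parts = set(rest.split("-"))
        for brand in brands:
            words = brand.lower().split()
            # Brand words run together right after the token, or appear as
            # separate hyphen-delimited parts in any order.
            if rest.startswith("".join(words)) or all(w in parts for w in words):
                return token, brand
    return None

# Constructed watch list. The domain names are those cited in the article,
# plus one constructed case ("httpschwab.com") that exercises the retry.
BRANDS = ["toysrus", "navy federal", "target", "capital one", "schwab", "oracle"]
SAMPLES = [
    "https://www.toysrus.com/",   # legitimate: scheme and www are outside the name
    "wwwtoysrus.com",
    "https-activate-federal-navy-sms.com",
    "httpscapitalone.com",
    "wwwschwab.co",
    "httpschwab.com",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample:40} {find_prefix_squat(sample, BRANDS)}")
```

Short brand strings will produce noisy matches, so a watch list used this way should hold distinctive marks only.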

Bottom Line

While not yet as popular a trick as adding "www" to a domain name, this "https" ploy is one that trademark owners should know about. It can be quite confusing to everyone involved, because proper use of "https" (in a URL but not as part of the domain name itself) is appropriate and helpful, but improper use is deceptive and can cause damage.

Fortunately, domain name dispute processes such as the UDRP provide trademark owners with a relatively easy remedy if and when a cybersquatter uses this trick.