How many gTLD requests is ICANN expecting in this first round of applications?
ICANN is expecting between 200 and 1,000 applications. Some experts are predicting that, based upon the number of applications it receives, ICANN may not hold another application round for several years after this initial offering.

What if someone else applies for the same gTLD that I apply for?
ICANN is encouraging resolution between the parties. If the parties cannot come to an agreement, the last resort will be an auction. See Section 1.1.2.10 gTLD Applicant Guidebook.

What is the cost of owning a gTLD?
Estimates are high – up to $2 million per year at first. The application cost starts at $185,000, which does not factor in additional costs related to dealing with objections, auctions, extended evaluations, legal issues, and technical issues. ICANN will charge a fixed quarterly fee of $6,250. Additionally, each domain name registered or renewed to that gTLD in excess of 50,000 will cost an additional $0.25 per domain. Domains transferred from other registrars will be counted. See Draft New gTLD Registry Agreement Section 6.1. Add on the expense of running and maintaining the registry for the 10 year life of the contract, and the costs can be very high.

How can running a gTLD benefit my company?
You will have more control over which, if any, franchisees or other partners can use your brand on the Internet. Moreover, customers will have more trust when navigating through a site that they know is authentic. Experts predict that gTLD’s will make it easier for consumers to find products and services.

What are some of the risks?
After committing to a ten year contract with ICANN, consumers may not gravitate toward the new gTLDs. If that is the case, then the cost of running a gTLD may outweigh the enhancement to your brand. There is also a risk associated with waiting on the sidelines. It is not clear when ICANN will hold another round of applications, so your company may get shut out if you decide to wait.

What if someone tries to take a gTLD that infringes my brand?
Public portions of applications will be posted on ICANN’s website around May 1, 2012. Although some companies out there are offering services to monitor the new domain name registrations, paying for what ICANN is giving out for free would be a waste of money. If someone applies for a gTLD with your trademark, then you can file a “legal rights” objection with a dispute resolution service provider (DRSP). You will have seven months to file an objection, and you will have to wait approximately five or more months for the decision. The cost, depending on the DRSP, will be approximately $1,000-$5,000 per party to file an objection and $32,000 – $122,000 to adjudicate the claim.

Will the new gTLD’s open my brand up to a whole new set of possible infringements?
ICANN has built in several protections for trademark holders, in addition to the existing Uniform Domain Name Dispute Resolution Procedure (UDRP). First, every gTLD will be required to register with a trademark clearinghouse that will provide a trademark claims service and a sunrise process. If a trademark holder registers with the clearinghouse, then the trademark claims service will notify a trademark holder if someone else tries to register a gTLD with its trademark. The sunrise process will give trademark holders the first opportunity to register domain names before registration opens to the general public. Second, the Uniform Rapid Suspension System (URS) will give trademark holders a fast remedy in clear cut cases of infringement. The URS will cost about half of the time and money the UDRP would cost; however, the prevailing party only gets the option to renew the domain name for a year after the current registration period expires. Third, the Post Delegation Dispute Resolution Procedure (PDDRP) will provide redress for trademark holders against a registry that engages in a pattern of abuse. Finally, ICANN will look at applicants’ criminal histories, will require robust WhoIS records, and will have a centralized zone file access system.

Companies must take an in depth look at whether the protections ICANN is offering will be sufficient and whether the cost of running a gTLD will enhance its brand.

Examples of technical locks and controls are mechanisms on DVDs and video games that prevent people from copying the content. Additionally, sections of web sites that are protected by passwords are also considered controls under the DMCA. The DMCA prohibits people from working around any of these protections in order to copy the content without authorization from the copyright owner.

Just as the Copyright Act has “fair use” exceptions, the DMCA has exceptions too. Fair use exceptions provide for instances in which a copyrighted work can be copied or reproduced without violating a copyright holder’s rights. For example, a news reporter quoting a speech in a news report would probably be deemed a fair use of that copyrighted speech.

Currently, the seven exceptions where the DMCA does not apply are:

• Libraries, archives, and educational institutions for acquisition purposes;
• Law enforcement and intelligence gathering activities;
• Reverse engineering in order to develop inter-operable programs;
• Encryption Research;
• Protecting minors from material on the Internet;
• Protecting the privacy of personally identifying information; and
• Security testing.

In order to ensure that the DMCA does not prohibit any fair uses of copyrighted works, the Library of Congress updates the DMCA exceptions every three years. The number of exceptions approved at each update may vary as there is no required number of exceptions. For example, the Copyright Office approved six exceptions in 2006 and 2010. The Library of Congress is accepting suggestions on new exemptions until February 10, 2012. Submissions received on or before December 1, 2011 are posted on the Library of Congress website.

Comments
Advocacy organizations from around the country have begun to submit their proposals for new safe harbor provisions. As the use of safe harbor provisions become more prevalent, organizations and interest groups search for ways to protect their respective interests. These proposals generally reflect the organizations’ specific interests and few have the breadth necessary to be implemented. However, several of the proposed exceptions discussed below and are likely to be persuasive to the Library of Congress.

The first proposed class of works includes “literary works in the public domain that are made available in digital copies.” According to the Open Book Alliance’s supporting comment, Google requires many libraries throughout the world to impose these technological protection measures (“TPMs”) and/or others like them on digital files of public domain works. The restrictions placed by companies like Google limit access based on copyright protections under Section 1201 of the Copyright Act. The Open Book Alliance contends that copyright protection was not designed to protect works in the public domain, so in order to promote dissemination of public works and prevent misuse of Section 1201, this class of works should be protected under safe harbor provisions. Works in the public domain are supposed to be accessible by the public for use and can be used to promote creativity; thus, barriers to access can be viewed as a hindrance to the purpose of copyright protections.

The second proposal from the American Council for the Blind and the American Federation for the Blind seeks to add electronically distributed literary works that have currently have restrictions that limit accessibility by blind or other persons with print disabilities as protected class of works under the safe harbor provisions. These organizations assert that, “[w]ithout an exemption, people who are blind or otherwise have print disabilities are at risk for significant legal sanctions simply for finding a way to read material they have otherwise legally obtained.” They seek to rectify what they view as an oversight that has caused an avenue for discrimination. Lack of access and the opportunity for unintentional discrimination will make this proposal one to really consider.

Lastly, proposals were submitted by the Software Freedom Foundation and the Electronic Frontier Foundation. These proposals seek to allow computer programs that enable smartphones and other personal computing devices to use legally obtained software. These proposals contend that smartphones and other personal computing devices derive their value from the software they are able to run. Limits placed on use of software on certain devices not only limit the abilities and options of the consumer, but exclude small developers from the market. These limitations lead to numerous development issues and limitations in functionality of the devices. Smartphones and other personal computing devices are rapidly becoming a staple in American society. Addressing gaps in access and development are issues that should be considered carefully as this technology continues to permeate society.

There are quite a few proposals not addressed here. The topics range from motion pictures and other digital media to educational uses of copyrighted works. Cyveillance encourages you to educate yourself on all of the proposals and monitor how DMCA safe harbor provisions may change and affect your business.

Cyveillance: Can you explain briefly what DNSSEC is using non-technical terms, and why it’s so important?

Richard Lamb: DNSSEC (DNS Security Extensions) secures the Internet’s global “phone book” (the DNS or Domain Name System). Every time you enter a web site (www.google.com) or email (foo@bar.com), your computer uses the DNS to convert the domain name (www.google.com or bar.com) into a number (IP address) which is what is actually used to connect to and communicate (just like a phone number) with web or email server on the Internet. The protocols behind DNS were designed back in 1983 and have little in the way of security built into them. Increased network and computer performance have made it easy to falsify DNS responses to return the wrong “phone number” and possibly send you to an impersonator. Dan Kaminsky, in 2008, demonstrated the ease to which this can be done and recent attacks on 4M computers have driven the point home. DNSSEC adds digital signatures to existing records that allow machines to validate DNS responses so that this sort of attack can’t happen.

Cyveillance: This sounds like a fundamental change in the way the Internet operates. Is that accurate?

Richard Lamb: Not really. DNS operates as it did before except now cryptographically generated digital signatures (just a few more bytes) are transferred alongside existing records to allow systems to detect any changes in the original record. However, for the Internet whose protocols have not changed for decades it’s a big change. So it was/is being deployed very carefully.

Cyveillance: Exactly who is going to be responsible for helping to get DNSSEC adopted as quickly as possible? Government? ISPs? Website owners? End users? Among those you mention, which do you prioritize when trying to get the word out?

Richard Lamb: End user demand is what will drive DNSSEC deployment and its eventual success. However, selling security to the end user has always been an uphill battle. Awareness building of domain name holders / website owners (content provider for the eyes) is therefore a key part of the adoption effort.

Organizations like ICANN continue to do a good job building awareness among ISPs and top level domain (e.g., .com, .se) operators and our own DHS has played a pivotal role in pressing for DNSSEC adoption in government through the funding of initiatives and the creation of a 2008 OMB mandate for all agencies under .gov. Other governments (e.g., Sweden, Brazil) also have initiatives encouraging the deployment of DNSSEC.

ISPs and Registrars (where you buy domain names from) have little incentive to support DNSSEC until it is widely deployed. This has led to a chicken and egg scenario with these entities often pointing to the lack of deployment as reasons for not supporting DNSSEC themselves. This has placed a priority on Website owners and end users to deploy DNSSEC on their web sites and demand greater security from providers. The hope is that market forces will then prevail resulting in wider support amongst Registrars and ISPs. COMCAST is an example of a large ISP that has fully deployed DNSSEC to help protects their customers. GoDaddy is an example of a large Registrar that supports DNSSEC for their domain name holders who want it.

Cyveillance: Do you think the average end user will ever notice the change?

Richard Lamb: Ideally, improved security should not be noticed by the end user. However, with the new source of trust that DNSSEC creates on the Internet, the end user should expect to see a range of applications that ease access control (e.g., login, WiFi roaming, etc…) and improve web site and email security.

Cyveillance: Is there any similarity in the push to move from IPV4 to IPV6? Which do you see happening first – complete IPV6 adoption or complete DNSSEC adoption?

Richard Lamb: That’s a great question. DNSSEC is often grouped with IPv6 and they are similar in the sense that they are both big protocol changes for the Internet. However, IPv6 is not backward compatible with IPv4. DNSSEC is. DNSSEC secures the DNS. IPv6 updates the routing layer.

Experts have said that IPv6 and IPv4 will coexist for many years to come.

The same will likely be true for DNSSEC as well. While many sites will have DNSSEC deployed on them, there will always be a portion of the web site owners who have little interest in security. Currently, I believe DNSSEC deployment has a slight lead over IPv6 deployment. The key is that for those organizations that do have an interest in maintaining the integrity of the information disseminated by their web site – DNSSEC is a big step.

Cyveillance: What advice would you give to those who are evangelizing within their organization for DNSSEC adoption?

Richard Lamb: Deploying DNSSEC on domain names owned by their organization and turning on DNSSEC on their internal resolvers would not only help protect staff from DNS redirection attacks but also demonstrate to the public that the organization takes security seriously. I would also point out that large ISPs like COMCAST have stepped up to support DNSSEC as well and point to the recent reports on the DNSChanger attacks. Finally, DNSSEC deployment on an organization’s domain names need not be expensive as demonstrated by various Registrar offerings like those from GoDaddy, VeriSign, and others.

Cyveillance: Any last thoughts?

Richard Lamb: I think two of the most interesting things about DNSSEC are 1) how it can be a platform for entrepreneurs from around the world to create a whole new range of innovative security applications and 2) how it is a classic example of the Internet’s borderless, bottom-up, cooperative approach to solving problems.

Despite laws enacted in 2001 to combat digital-related incidents, cyber crime is still pervasive in Algeria. This is due not only to a lack of detection tools, awareness and training courses, but also to the negligence of private and public institutions in protecting their intellectual properties online. In 2010, the Center for Judicial and Judiciary Research (a branch of the Algerian Department of Justice) began developing and implementing cyber security laws. Until then, the field went mostly unregulated. Since 2010, 12 cases have been reported and to-date there has been eighty-eight cases brought to Justice.

Technological innovations in the world of cyber criminals have made the traditional bank robbery seem almost prehistoric. Computer and Internet access now replace the gun; surreptitious locations replace the need for an actual physical presence to confront the victim. Hacking, phishing, spear phishing, spamming, 419 scams, malware, web piracy and cyber terrorism, can all take place from the comfort of one’s cubicle – far from and invisible to the intended target.

A variety of those cyber crimes mentioned above are already affecting Algeria. In 2010, individuals suspected of operating from China infiltrated Algeria Telecom and hacked their servers, thus gaining control over their internet traffic in order to monitor digital communications among its citizenry.

There are other reasons why cyber criminals thrive. First, many law enforcement agencies lack the latest technological tools essential to tackling the problem. Second, the victims lack basic IT skills and an awareness of what has happened to them until it is too late. Yet if we are to address the growing threat of cyber crimes, there needs to be significant improvement in both of these areas. Expertise in the many forms of cyber attacks, training the audience on computer security, and a campaign of educational awareness must be instituted across private and public organizations. Information fliers, posters, e-mails, and videos are simple but vital tools in the war against cyber crime.

Now step back from the fact that these things are happening in Algeria, because while it may seem we are leaps and bounds in front of Algeria on the technology spectrum, the same holds true for organizations and consumers in the United States. We are so enamored with the cool new technologies that allow us to connect and share information from anywhere that we often forget that there are online criminals out there counting on us to have our guard down. We can’t simply rely on technology to protect us completely, because the criminals have found ways around technology – human error. The more people, employees and senior management understand the complexities of the cyber environment, the better off they will be in protecting their personal security and the security of their organization. Don’t become complacent with cyber security; make sure you and your organization are fully aware of the dangers and how to address them.

As a result, in October 2007, the United States, the European Community, Switzerland and Japan simultaneously announced that they would negotiate a new intellectual property enforcement treaty, the Anti-Counterfeiting Trade Agreement, or ACTA. ACTA represents a significant achievement in the fight against the infringement of intellectual property rights, particularly against the proliferation of counterfeiting and piracy on a global scale, and provides a mechanism for the parties to work together in a more collaborative manner to achieve the common goal of effective Intellectual Property Rights (IPR) enforcement. When it enters into force with all participants, ACTA will formalize the legal foundation for a first-of-its-kind alliance of trading partners, representing more than half of world trade.

Highlights

• On Saturday, October 1, 2011, Representatives of the U.S., Japan, Australia, Canada, the E.U., South Korea, Mexico, Morocco, New Zealand, Singapore and Switzerland met in Japan for the signing ceremony for the Anti-Counterfeiting Trade Agreement (ACTA).
• ACTA – initially designed to be a treaty, thus requiring Senate ratification in the U.S. — will likely be an “executive agreement” that cannot alter or supersede U.S. law. Fortunately, ACTA is consistent with existing U.S. law and does not require any change to U.S. law prior to implementation in the United States. In particular, ACTA is consistent with U.S. copyright, patent, and trademark laws. For example, the application of injunctive relief as provided for in the Digital Millennium Copyright Act (17 USC §512j) and other provisions of U.S. law is consistent with and implements the obligations of ACTA. The United States may therefore enter into and carry out the requirements of the Agreement under existing legal authority, just as it has done with other trade agreements.
• ACTA provides for: (1) enhanced international cooperation; (2) promotion of sound enforcement practices; and (3) a legal framework for IPR enforcement in the areas of criminal enforcement, enforcement at the border, civil and administrative actions, and distribution of IPR infringing material on the Internet. Listed below are the most notable provisions:
  • ACTA will require that border enforcement authorities be empowered to act on their own initiative (“ex officio”) against both imports and exports of counterfeit and pirated goods.
  • ACTA will require that criminal authorities be able to act on their own initiative in piracy and counterfeiting cases, rather than waiting for a complaint.
  • ACTA will further clarify existing international requirements for the availability of criminal penalties when piracy or counterfeiting is carried out for commercial advantage.
  • ACTA will require criminal remedies for the importation or use of labels or packaging for counterfeit goods
  • ACTA will include new rules on criminal seizure and destruction of counterfeit goods, seizure of the equipment and materials used in their manufacture, and seizure of the criminal proceeds from piracy and counterfeiting offenses.
  • ACTA will clarify existing international requirements to protect against circumvention of digital security technologies (such as passwords or encryption).
  • ACTA will require parties to address copyright piracy on digital networks, while preserving principles such as freedom of expression, fair process, and privacy.
  • ACTA will enhance the international framework for civil enforcement provisions dealing with issues such as damages, provisional measures, recovery of costs and attorneys’ fees, and destruction of infringing goods.
• With respect to the legal framework, ACTA establishes a strengthened standard, as demonstrated in the highlighted parts above, that builds on the minimum standards of the WTO Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS). This marks a considerable improvement in international trade norms for effectively combating the global proliferation of commercial-scale counterfeiting and piracy in the 21st Century.
• What ACTA is NOT about:
  • Seizing portable music players and laptops at the border
  • Extending the term of protection for copyrights
  • Preventing “parallel” imports
  • Filtering internet traffic for infringing copyright works
  • Limiting access to generic pharmaceuticals
  • Reducing the court’s involvement in determining infringement
  • Weakening privacy laws
  • Lowering evidentiary standards for injunctions
  • Freezing bank accounts of suspected infringers
• Not all participants are completely satisfied with the final version of ACTA. Critics in the E.U. have suggested the trade agreement doesn’t comply with Europe’s data privacy laws, and have questioned its compatibility with E.U. law.

Commentary

Critics claim that ACTA has several features that raise significant potential concerns for consumers’ privacy and civil liberties, for innovation and the free flow of information on the Internet, for legitimate commerce, and for developing countries’ ability to choose policy options that best suit their domestic priorities and their level of economic development.

Additionally, the secrecy of the negotiation process has left the public with many concerns and questions. Gigi Sohn, Public Knowledge’s president and co-founder, called the ACTA negotiations an “extremely flawed” process. “ACTA should have been considered a treaty, and subject to public Senate debate and ratification or, in the alternative, debated in an open and transparent international forum such as the World Intellectual Property Organization,” she said. “Instead, public interest groups and the tech industry had to expend enormous resources to force the process open to permit public views to be presented and considered.”

The Impact

Although this agreement does not change U.S .law, it will alter international law. Companies engaging in business on an international level will need to educate themselves on the effects of ACTA. Critics of ACTA in the U.S. have said the treaty could allow foreign organizations to target U.S. companies and websites that don’t comply with overseas copyright laws. The truth of this statement has not been proven. However, ACTA leaves the door open for countries to introduce the so-called “three-strikes rule”, which would see Internet users cut off if they download copyrighted material, as national authorities would be able to order the ISPs to disclose personal information. This concern about the privatization of enforcement has the potential to impact the operations of U.S. companies.

You may just type in your first candidate name for the product into a browser and see what happens when you add .com to the end, like so:

Great! It’s available. Now you head off to register the domain and along the way the domain registrar makes the generous offer to sell you the .net, and .org versions for you too, so you purchase those too just for good measure. Time to call it a day, right?

It would be nice if it were so straightforward (like most things on the internet!). Unfortunately, the top level domain space is probably larger than you think. Verisign’s August 2011 Domain Name Industry Brief reports that .com accounts for about 95 million of the 215 million domain names registered. What accounts for all those that aren’t .com? According to the Verisign report:

The largest TLDs in terms of base size were, in order, .com, .de (Germany), .net, .uk (united Kingdom), .org, .info, .nl (netherlands), .cn, .eu and .ru (russian federation).

Even if one’s company is not currently physically present in Germany, the UK, China, etc, would it be a terrible idea to defensively register them?

Consider that there is more at stake than the loss of brand integrity when web traffic is diverted to the website created by a cybersquatter. If that weren’t bad enough, there are legitimate security considerations to think about. A brand not registered in a foreign top level domain can make an attractive destination to send potential victims in phishing campaigns and other nefarious schemes. Think about it – what percent of your company’s customers would click a link that was sent from an email address that contained yourcompany.co, or yourcompany.cn? The theft of banking information, drive by malware downloads, and customers who remember your name associated with a really bad experience are all possibilities in that scenario.

We don’t recommend that a company attempt to register its name and brands in the hundreds (yes, hundreds!) of possible top level domains and country code top level domains out there. Not only would that probably be impossible because of the requirements placed on registrants in some locales, it’s certainly impractical and almost definitely a poor use of resources. We simply recommend that extra consideration is paid to registering domains that one traditionally might not (yes, including .xxx!). The specific business needs of your company and its aspirations in global markets will determine whether it makes sense to go ahead and register domains outside the normal .com, .net, and .org.

Finally, even once the decision is made to not register a domain somewhere overseas, that doesn’t mean one can forget about them. Companies must actively monitor the web to make sure that others haven’t decided they can put your brand to use, lest they learn about fraudulent uses of their brands in domains the hard way.

(Not scared yet about the risk posed by variations of your brands in unusual domains abroad? Check out Wired’s report on doppleganger domains, if you dare!)

Trademark owners outside of the adult industry may sign up with ICM Registry to block trademarks from showing up on its new .XXX gTLD. Trademark owners have been making several common errors when applying for a .XXX gTLD.[1] If your company plans on submitting an application before the Sunrise B October 28, 2011 deadline, keeping these mistakes in mind can help you avoid paying multiple fees and having to reapply.[2]

Research which registrar you will use when submitting an application. Some registrars are more experienced than others.[3] Make sure you choose a registrar that will pre-check your application for compliance with all of the application guidelines.[4]

Also, the most common application mistakes to avoid are:[1]

• Eligibility. Make sure that your trademark is eligible. To be eligible, you must have a trademark that was registered prior to September 1, 2011, and you must have the following information:
  • Trademarked Name
  • Trademark Registration Number: Note that your trademark registration number is not the same as your application number
  • Nation Code: The country where your trademark was registered
  • Trademark Registration Date: The date your trademark was registered
  • Trademark Ownership: Your relation to the trademark: Owner or Assignee
• Dropping .com from Trademark. Do not drop the ‘.com’ from your trademark if it includes a ‘.com’. If you want ‘example.com’ to be eligible for ‘example.xxx.’ and not just ‘examplecom.xxx’ you can file amendment 7 with the United States Patent and Trademark Office to have the ‘.com’ removed.
• Inexact Match. Apply to register a domain that is an exact match for your trademark. If you want to register characters in addition to the actual brand name, such as slogans or tag lines, apply under Sunrise AD using a pre-existing domain name because members of the adult entertainment industry (the “Sponsored Community”) is very broad.

Cyveillance recently asked Alex Bobotek, Co-Vice Chairman, of the Messaging Anti-Abuse Working Group (MAAWG) to comment on security risks and trends in spam sent by SMS.

Cyveillance: Most mobile users in North America would not report that they receive much text message spam. Is that because text message spam is not sent to North American users or because the filters set up by mobile carriers are very effective? In either case, is text message spam considered a problem that’s mostly solved here?


Alex Bobotek: Text message spam in North America accounts for less than 1% of messages. It is a problem but it isn’t, and hasn’t been, as severe a problem as email spam, where 80-90% of messages are spam. This is largely due to the carriers’ best-in-class spam filters at the email interfaces, higher costs to senders of mobile spam, and aggressive actions against spammers. These conditions have made it more difficult to spam phones than email inboxes.


Cyveillance: Although certain types of email spam are reportedly on the rise, the overall volume of email spam sent appears to have dropped. How do the current levels of text message spam compare with what you’ve seen in the past?



Alex Bobotek: Unfortunately, although the volume is still comparatively low, the quantity of North American text message spam reaching subscribers’ phones has been increasing rapidly over the past two years. From around 2003, email-to-text spam – traffic sent as email to carriers’ email SMS gateways for delivery as text messages – has been a problem. But the industry has dealt with this effectively, reducing deliveries to a trickle. In the last two years, however, abusers have been exploiting unlimited or other low-cost messaging rate plans to send high volumes of spam. Some of this comes from mobile phones, chiefly prepaid, anonymously-purchased devices controlled by spammers. Additionally, as SMS services become more open to Internet marketers through short codes, affiliate spam has also increased.


Cyveillance: Is there a common topic in text message spam? Does it share the generally slimy advertising for adult sites, illegal online pharmacies, gambling (the “3 P’s: porn, pills, and poker), payday loans, replica rolexes and gucci bags? Or does the mobile environment tend to bring out other topics?



Alex Bobotek: Text messages are more expensive to send, even for spammers. So some of the spam campaigns that depend on high message volume such as pharmaceuticals are rare. Campaigns with higher expected profit per message, such as “free gift cards” and “payday loans,” are more common.


Cyveillance: When spammers send messages by SMS, what are the tactics they often use to avoid detection?



Alex Bobotek: As with email, there are techniques for staying under the radar, such as “snowshoeing,” which is spreading the load across multiple sending devices or accounts, and “polymorphism,” which is generating variations in the messages. Interestingly, it’s more common in SMS than email to bury a small volume of spam in a larger stream of legitimate messages. This is probably because it is much more difficult to spoof an SMS sender’s address (i.e., a sender’s phone number or a short code) than an email address.

Additionally, there’s little mobile botnet activity to date in North America. There are two leading theories as to why this is: First, there is more profit in botting PCs because of the lower cost to infect and the higher value when they are infected, so the professionals are attacking computers instead. The second theory is that the conditions aren’t ripe yet, but mobile botnets are coming as mCommerce and mBanking grow, smartphones gain market share, app downloads explode, and a single mobile OSs gains a dominant market share.


Cyveillance: Do any particular text message spam campaigns that you’ve seen stand out in your mind as being particularly clever or devious?


Alex Bobotek: Absolutely, but I’m afraid I can’t publicize these. On the other side of the spectrum, one not-so-clever spammer bought postpaid phones from a carrier’s mobile phone store, showing his driver’s license to set up an account. He allegedly then sent millions of diet pill spam messages. This turned out to be quite convenient for the carrier’s lawyers, who needed a name and address where they could to which to send the legal process notices. The case got almost comical when the guy tried to argue that it was academic research.


Cyveillance: In your experience, where are the senders of most text message spam to North America located geographically?


Alex Bobotek: They are mostly in North America. Sending from a mobile phone, the most common source of text spam, to a North American mobile is most economical from phones located in North America. Of course, botnets and more sophisticated or specialized spam organizations could change this. However, today most of the text spammers are just developers and hi-tech entrepreneurs with an ethics deficit, rather than script kiddies who have rented resources or obtained an affiliate kit. Therefore, they tend to be in the areas with the most hi-tech developers and entrepreneurs. 



Cyveillance: The advanced persistent threat is a common topic in information security these days. Have you seen evidence of unsolicited text messages being used as part of APT attacks?


Alex Bobotek: APT isn’t my specialty, so I’ll just comment on a few factors that may make text messaging more or less likely to be used in APT attacks. Numerous surveys show that people – correctly, due to much lower levels of mobile abuse – trust their SMS inbox more than their email inbox, which would seem to make text messaging spam a good choice for these attacks. However, many APT attackers targeting U.S. organizations seem to prefer not to use resources that can be traced to parties located in the U.S., such as a prepaid phone traceable to a U.S.-based purchaser. Additionally, it’s difficult to spoof a local phone number from outside the country and a message from a foreign phone number, would likely raise suspicion.


Cyveillance: What is MAAWG’s recommended response for consumers who receive text message spam? 



Alex Bobotek: Text message spam should be reported to the carrier. Some carriers, such as AT&T and Verizon, have set up the short code 7726 – “SPAM” on the keypad – to report spam so you just forward the spam text message to 7726. North American carriers are quite aggressive in protecting their subscribers through both technical defenses and legal means. But with billions of legitimate text messages passing through their networks every day, they need consumers’ help in identifying the spammers, which will then enable carriers to block and prevent their subsequent spam activity. Google “report text message spam ” for instructions.


Cyveillance: Any parting comments?


Alex Bobotek: As with wired Internet abuse, collaboration between ISPs and network operators, government, vendors and academia is the key to managing abuse. Industry led the way in creating collaboration forums such as MAAWG that have worked well in email and that are now working to control mobile messaging abuse. Attending these forums is the best way for security professionals and vendors to learn about and collaborate in fighting mobile abuse.

Many thanks to Alex Bobotek and the MAAWG for taking the time to answer our questions.

While this process is intended to provide greater security, it also opens the doors for brand abuse. To help thwart misuse, ICM Registry, the company that will act as a registry for all domains ending in .XXX, has developed a comprehensive rights protection mechanism (RPM) for the launch period of these new gTLD’s. To protect non-adult entertainment industry rights holders from trademark infringement, ICM is also providing an opportunity for these rights owners to block their mark from registration. The opt-out effectively blocks names at the .XXX registry and means they cannot be used as conventional web addresses. This feature, provided by ICM for a onetime fee, will only be available to trademark holders during the sunrise period, which began earlier this week on September 7^th.

There will be two initial sunrise periods (A and B) for the launch of .XXX, allowing trademark holders and adult entertainment webmasters to secure their .XXX domains. This includes companies that own trademarks outside of the adult entertainment industry that wish to defensively register domains the same way that they register “sucks” sites. Both sunrise periods will run concurrently followed by a landrush period and finally a general availability period:

Sunrise A Sunrise A is dedicated to members of the adult entertainment community with either verifiable trademark rights or owners of exact matching domains in other Internet Assigned Numbers Authority (IANA) TLDs which is also known as “Grandfathering.” This period is open from September 7, 2011 to October 28, 2011.

Sunrise B Sunrise B was created especially for Intellectual Property holders who are non-members of the adult entertainment community with verifiable trademark rights so that they can block their domains in the .XXX sTLD. This period is open from September 7, 2011 to October 28, 2011.

Landrush Landrush is for members of the adult Sponsored Community but NOT on a first come, first served basis. Unlike Sunrise A and Sunrise B, there are no qualification requirements needed for Landrush. Applications for competing names will go to a closed-auction at the end of the Landrush period. This period is open from November 7, 2011 to November 25, 2011.

General Availability General Availability is when members of the adult entertainment community get regular, resolving names on a first come, first served basis. Non-members of the adult Sponsored Community can also get “Non-Resolving” names.[1] The period opens December 6, 2011 and is ongoing.

Please note that to be successful, applications made during the sunrise periods must provide basic trademark particulars such as the mark, registration number and date, designated class(es), the country or region, and the status of the entity submitting the request. Applications are $200-$300 per registered mark, assessed as a one-time fee and will run for the length of ICM’s contract with ICANN (at least 10 years). If you miss the Sunrise Period or want to block others from using a .XXX domain corresponding to an unregistered trademark, you can defensively register .XXX domains once the general availability period opens in December 2011. However, keep in mind that the annual registration fees for .XXX domains are expected to be significantly higher than the annual fees for domains in existing TLDs like .com, .net, etc.

The .XXX registration process requires all registrants to agree to participate in and abide by specific dispute resolution procedures that will provide mechanisms for brand owners to challenge .XXX domains that infringe trademarks. ICM is contracting with the National Arbitration Forum to provide the RES and CEDRP dispute resolution services. ICM estimates that the cost for each service will be US$750 to US$1,500. During these disputes, the domain will be locked against transfers. Decisions will not be published. Statistical information about the process itself will be made available. In the event of a conflict between a trademark rights holder and a member of the adult entertainment industry, the domain will be awarded to the adult entertainment industry member and the Sunrise B applicant will be notified.

Although ICM services have been approved by ICANN, there are legal issues that have not been tested. Participating in this process could limit your legal remedies because of your agreement to participate in and abide by the dispute resolution procedures outlined. Additionally, porn and mainstream businesses alike complain they are being forced to buy domain names they don’t want, don’t need and won’t use. A few companies are refusing to pay, but also demanding that ICM block their domains free of charge. ICM responded to the legal threats with a seven-page report in July, claiming that a registry cannot be sued for trademark infringement. The letters, though, have placed ICM on notice, which increases the potential for liability if ICM sells the trademarked names.

As this exchange indicates, registering domains with ICM is one option but may not be the only option available to companies seeking to protect their trademarks. Cyveillance encourages companies to take a hard look at their brand protection strategy to determine if defensively registering for .XXX gTLDs is the only and best option for their brand protection. The ongoing battle for domain name registration and brand protection is always going to be waged; the key to minimizing losses is tied to a company’s assessment of their true threats and their proactive approach to minimizing those threats.

In total, these promoters would help Glavmed process in excess of 1.5 million orders from more than 800,000 consumers who purchased knockoff prescription drugs between May 2007 and June 2010. All told, Glavmed generated revenues of at least $150 million.

The problem with online pharmacy sites selling lifestyle drugs like Viagra and Cialis, the controlled substances vicodin and hydrocodone, and even cancer drugs is that without the oversight of a medical professional, patients may misuse or abuse the medications – whether genuine brand or generic. Another possibility is that what they receive in the mail from these faraway online pharmacy operations is not even real medication at all, but fake pills that contain inert ingredients like corn starch or dangerous chemicals like mercury. People can and do die in all of the scenarios above.

Remember the “Canadian” Pharmacy?

The availability of cheaper medication above the United States’ border has resulted in the creation of websites that appear to be from Canada, but actually originate far overseas, as we have written before. Cyveillance currently sees more than thirteen hundred websites out there today that mention Canada and the word pharmacy in the site’s domain. Of course there are many, many more which suggest they have a connection to Canada in other parts of their website.

But competition for customers who search for a Canadian pharmacy online is stiff, and operators of these illegal websites diversify by offering alternatives to American consumers with sites that suggest an origin in Mexico.

Cuidado!

Americans have long headed below the border for cheaper medications. In addition to the many opportunities for recreation that greet visitors in Tijuana are many brick and mortar pharmacies looking for Americans in search of a deal. These establishments may not always be safe either. According to a former federal law enforcement officer who worked cases of counterfeit pharmaceutical sales along the border…

There are over a thousand pharmacies lining the border in Tijuana; over twice the count you’ll find in neighboring San Diego. The number of storefronts is greater than what can serve the daily foot traffic from the U.S. Many make their earnings through illicit Internet and mail order sales.

The person greeting you from behind that counter in that white jacket and making healthcare recommendations is not a pharmacist. He’s a salesperson. That’s because there is no college of pharmacy in Mexico, nor is there a requirement to staff these businesses with licensed professionals. The pharmaceuticals are pre-packaged by the manufacturers with general dosage recommendations, as opposed to dispensed into amber vials with a professional consultation that you’d find in the U.S

U.S. law enforcement has seized millions of dollars of counterfeit pharmaceuticals from these operations. I recall an operation that imported from an unsanitary plant that I subsequently visited in India. This operation used day laborers to repackage the pills in bottles with English language labels. Some of these laborers placed the diabetes medicine in bottles intended for heart medication. One of the manufacturers supplying the operation could not keep up with the demand and, instead, supplied tablets that had no active ingredients which were ultimately repackaged and sold to Americans. I have also seen pretty good knock offs of American brands in Mexico. It is difficult to know exactly what you’re getting on the border.

Dangerous Online Pharmacies Which Claim to be from Mexico But Are Not

This site’s domain contains the words “online mexican pharmacy”. Click to enlarge.

The above site’s domain name couldn’t be more explicit about where it wants visitors to think it is from: it includes the words “online mexican pharmacy” right in the domain name. However the domain is registered anonymously, which is never a good sign when you want to entrust your health to someone. The site is hosted in the Netherlands, and belongs to an illegal pharmacy network from Russia.

This fake Mexican online pharmacy’s homepage is full of contradictory information. Click to enlarge.

The second impostor calls itself a “Real Mexican Online Pharmacy”. Unfortunately the domain’s registrant claims to be from Bulgaria and the site is hosted in Atlanta. The text on the very same page states that the medications will come from pharmacies in the United States. Which is it? And why the misinformation? No prescription is required from a healthcare provider to receive prescription drugs on this site.

Dangerous Online Pharmacies Which are from Mexico

Click to enlarge.

The illegal online pharmacy shown above does not require prescriptions for the very powerful prescription drugs it offers. Several are high-potency pain killers like Oxycontin that are known to place patients at risk for addiction. This domain’s registrant is in Mexico, and is hosted in Atlanta. Open source intel about this operation confirms that they’re shipping from Mexico into the United States.

Click to enlarge.

The “new formula” Oxycontin for sale at the premium price of $450 for ten tablets in our final example today is another example of controlled substances being sold online without a prescription. Like the site above, the domain is registered to a Mexican citizen. It’s hosted in Dallas, and information we’ve seen online suggests that the drugs are indeed shipped north from a brick and mortar pharmacy in Mexico.

Are they All Bad?

To be clear there is such thing as a safe online pharmacy. The FDA has a page with tips on safe ways to buy medication online. Please be safe out there.