Wednesday, May 02, 2007

The Brandjacking Index

Picture a situation where a customer gets tricked into authenticating at the wrong site of company XXX. Would they do business with company XXX after they get scammed, trojan-ized, and spammed to (virtual) death? I doubt so, and as we can also see in the results of a recently released survey on whether or not customers would do business with retailers who exposed personal data - they'd rather dump them right away.

MarkMonitor just released their first quarterly Brandjacking Index :

"The Brandjacking Index investigates trends, including drilled-down analysis of how the most popular brands are abused online and the industries in which abuse is causing the most damage. The report examines the ever-adaptive tactics of brandjackers such as cybersquatting, false association, pay-per-click (PPC) fraud, domain kiting, objectionable content, unauthorized sales channels and phishing. The Brandjacking Index tracks the top 25 brands from the 2006 Top 100 Interbrand study plus additional Interbrand ranked companies for business segment analysis."

The old marketing rule that a dissatisfied customer will share the bad experience with at least five more fully applies here, and given he or she's an opinion leader in their circle - you've got a problem as it's your brand in the domain name. Therefore, despite the companies developing a market segment for timely and reliably shutting down phishing sites, the most obvious "cybersquatted" domains shouldn't even be allowed to get registered at the first place. But given the flexibility of registering a domain these days, from a company's perspective, cybersquatting's an uncontrollable external factor, and in order to protect their future flow of "soft dollars" efforts to monitor the domain space are highly advisable.

There're several key techniques you should keep in mind. Cybersquatting, vulnerabilities within the browser to spoof the status bar and make it look like the legitimate page, or a malware infected PC that's basically redirecting all the known E-banking sites to fake ones. No anti virus, no Ebanking is highly advisable, yet not a solution to the problem, and E-banking site's compatibility with the most popular -- and targeted -- Internet Explorer browser ONLY, turn many precautions into a futile attempt to deal with the problem -- heading in the opposite direction. The question is, which technique is more effective at the end user's perspective, and how should the targeted organizations deal with this indirect form of attack on their brands, reputation and the rest of the "soft dollars" goodies such as favorable PR and stakeholder's comfortability? From another perspective, who's more irresponsible, the unaware end user, or banks whose web application security ignorance make it easier for phishers to establish trust?

One solution to the problem is shortening the lifetime of such a domain to the minimum by tracking and shutting them down by using a commercial service like this online trademark monitor, a screenshot of which you can see at the top of the post. Perhaps rather resources-consuming, but educating your customers for their own safety in times when anyone can register a pay-pal-login.tld domain like through third-party registers, is another way to go. Did I mention that anti-phishing toolbars are a free alternative in case common sense fails -- like it does?