Phishing awareness gone wrong: Facebook tries to seize websites set up for staff security training

Security biz Proofpoint and its subsidiary Wombat Security Technologies have sued Facebook and its Instagram subsidiary to prevent the seizure of internet domain names used for security testing.

Proofpoint conducts cybersecurity training for organizations, part of which includes phishing awareness testing. This involves sending participating employees simulated phishing messages with deceptive domain names to entice them to click on links or visit web pages that in a real threat scenario would be trying to trick visitors into submitting sensitive personal information like login credentials.

To do so, the firm follows the cybercrime playbook. It sets up domain names that incorporate trademarked terms, like Facebook and Instagram, or fragments of those terms that have similar looking domain names. In the context of this case, th security biz registered: facbook-login.com, facbook-login.net, instagrarn.ai, instagrarn.net, and instagrarn.org.

The company’s complaint [PDF], filed in US District Court in Arizona on Tuesday, explains its rationale for doing so: “By using domain names similar to those of well-known companies, Proofpoint is able to execute a more effective training program because the workforce is more likely to learn to distinguish typo-squatted domains, which are commonly abused by bad actors to trick workers, from legitimate domain names.”

Proofpoint claims such tests help protect both the employer providing the training and the owners of legitimate domain names, like Facebook and Instagram.

Nope, ICANN rules

Facebook however isn’t on-board with that line of reasoning. Last November, the social ad biz filed a complaint under the Uniform Domain Name Dispute Resolution Policy (UDRP), a set of rules established by internet overseer ICANN to help resolve domain name disagreements without sending every dispute to court.

Facebook objected to Proofpoint’s domains as confusingly similar to its own, which happens to be the sort of the trademark policing that trademark law requires. As the US Trademark Office puts it [PDF], “Throughout the life of the registration, you must police and enforce your rights.”

Pixellated Facebook thumb

Facebook’s anti-trademark bot torpedoes .org website that just so happened to criticize Zuck’s sucky ethics board

READ MORE

Though the domains at issue, when visited, state “This web site belongs to Proofpoint Security Awareness Training,” the UDRP arbitrator nonetheless sided with Facebook last month and directed the registrar handling those names, Arizona-based Namecheap, to turn control over to the social media giant.

Proofpoint is seeking a declaration from the court to prevent the domain transfer and to affirm that the company’s use of the lookalike domains is lawful. In its complaint, the company contends that Facebook’s UDRP arguments – that Proofpoint was not making legitimate use of those domains and acted in bad faith by registering them – are inaccurate.

And the security biz maintains that no one is likely to confuse its similarly named domains to Facebook.com or Instagram.com.

Confusion is unlikely among program participants, the company argues, because links to the domains at issue include a disclaimer: “This phishing simulation was provided by your employer to help teach you to recognize commonly-used phishing risks. To appear as realistic as possible, it may contain the name, brand or logo of unaffiliated third parties.”

Facebook did not immediately respond to a request for comment. ®

READ MORE HERE