Copyright 2001 Prentice Hall Law & Business
The Computer & Internet Lawyer
July, 2001
SECTION: INTERNET; Vol. 18, No. 7; Pg. 1
LENGTH: 10292 words
HEADLINE: Webjacking
BYLINE: by Robert J. McGillivray & Steven C. Lieske; Robert J. McGillivray is a commercial litigation partner in the Minneapolis office of Oppenheimer Wolff & Donnelly, LLP and a member of the firm's domain name dispute team. He can be reached via email at rmcgillivray@oppenheimer.com. Steven C. Lieske is an associate in the Minneapolis office of Oppenheimer Wolff & Donnelly, LLP. He practices in Internet, trademark, and patent law. He can be reached via email at slieske@oppenheimer.com. © 2000 Robert J. McGillivray & Steven C. Lieske. An expanded version of this article was published in the William Mitchell College of Law Journal, Vol. 27, Issue III.
HIGHLIGHT:
The Internet is like a vault with a screen door on the back. I don't need jackhammers and atom bombs to get in when I can walk through the backdoor. n1

n1 Anonymous at www.quoteland.com.
BODY:
Introduction

Amid all of the hype over Internet security with respect to computer viruses, n2 denial of service (DOS) attacks, n3 and consumer privacy issues, n4 one of the Internet's "screen doors" -- Internet hijacking, also known as webjacking -- has been overlooked. By definition, the term "hijacking" refers to the seizure of a moving vehicle by use of force, especially to reach an alternate destination. n5 By extension, the term "webjacking" refers to the seizure of a domain name to force Web traffic to an alternate Web site location.

n2 Mark Landler, "A Filipino Linked to 'Love Bug' Talks about His License to Hack," N.Y. Times, October 21, 2000, at C1. The Love Bug virus caused an estimated $10 billion in damages.

n3 Matt Richtel, "Canada Arrests 15-Year-Old in Web Attack," N.Y. Times, April 20, 2000, at C1. In a DOS attack, a computer is bombarded with large amounts of meaningless data to bog the computer down so that it cannot respond to legitimate requests.

n4 Erik Lipton, "2 Hired to Calm Fears for Web Privacy," N.Y. Times, March 8, 2000, at B3. DoubleClick announced these new hirings a week after it announced its intentions to use its vast amount of information about how individuals use the Internet.

n5 The American Heritage Dictionary of the English Language 854 (3d ed. 1992).

A webjacking is often accomplished by the webjacker sending a counterfeit email message to the registrar controlling a domain name registration. The counterfeit message appears to have been sent from someone with authority over the domain name, and the message instructs the registrar to "connect" the domain name with a new Internet Protocol (IP) address. Once this connection is set up by the duped registrar, any Internet user who types the domain name in his or her Web browser is taken to whatever Web site the webjacker has installed at the new IP address. Sometimes the webjacker's Web site is a fraudulent copy of the original Web site, causing Internet users not to notice the webjacker's scam.

Webjacking is a surprisingly easy way to take control of a Web site. While Web site owners fortify their systems with firewalls and other security measures, some have lost control of their sites as a result of a webjacker simply emailing the registrar. Unless the door that allows webjacking to occur is closed and locked, no amount of front-facing security will protect Web sites from such a rear attack.

Web sites and the e-commerce that they provide have truly changed the structure of commerce. Before the Internet, although a crook could hold up a cashier for the money from the register, a thief could never take over an entire department store and pose as the owner. Generally, it would have been too costly for a scam artist to mail counterfeit catalogs. In contrast, Web sites are not hard to create. In fact, someone with intermediate computer skills can, in a short time, create a forged duplicate of another Web site. Such forgeries have been reported a number of times. For example, the AJ Park law firm in New Zealand discovered that someone copied the code for its Web site at http://www.ajpark.com, replaced the "New Zealand" references with references to Russia, and routed three domain names to the bogus site. n6 Although these forgeries could be by some kid trying to learn hypertext markup language (HTML), they also could be by some start-up law firm trying to get a Web site up as soon as possible. Whatever the reason, these forgers do not pose a huge threat because when AJ Park's clients type www.ajpark.com in their Web browsers, they are not misdirected to the forged Web site, but are correctly steered to AJ Park's real site.

n6 Reported by Damian Broadley (dbroadley@ajpark.co.nz) to the International Trademark Association (INTA) newsgroup on August 12, 2000. After AJ Park complained to the registrant of the domain names, the registrant blamed a third party. The registrant has since instructed its ISP to redirect all Web traffic for the three domain names to AJ Park's legitimate Web site.

Webjackers, on the other hand, do pose a threat. Should AJ Park's Web site be webjacked, its clients would surreptitiously be sent elsewhere. If the webjacking were done for political reasons, the client might be sent to a Web page condemning the legal system, legal fees, and attorneys. If, however, the webjacking were done in an attempt to gain credit card or other information from unwary clients, clients could be redirected to a doppelganger -- a forged copy of the original, authentic site. Because the clients have typed in the proper domain name and are presented with what appears to be the proper Web site, they are easily fooled into revealing their private information. Because webjacking a domain name is not difficult to accomplish and does not require a great deal of computer skill, it may become a favorite con game of the 21st century. n7

n7 "DNS Intrusions Spotlight Security Debate," Network News (Eur.), May 3, 2000, available at 2000 WL 7833925.

Webjacking -- A 21st Century Con Job

A webjacking occurs when a registrar is tricked into connecting a domain name with the name server that resolves the domain name to the webjacker's IP address, thus sending unknowing consumers to a Web site controlled by the webjacker. Although Internet trademark infringement issues and cybersquatting have received more publicity, webjacking promises to be another serious e-commerce problem. A number of webjackings have recently been reported and undoubtedly, many cases go unreported.

Recent Webjackings in the News

In May 2000, a webjacker stole the web.net domain name. The domain was registered by a small Internet service provider (ISP) to 3,500 nonprofit organizations. It took the ISP a week of battling with the registrar to regain its domain name. n8 In the same month, a tourist portal for Bali lost its Web site due to webjacking. This caused the portal to lose substantial business. n9

n8 "Internet Domain Names Stolen: Businesses Are Crippled after Pirates Take Over Their Web Site Addresses," The Gazette (Montreal), June 2, 2000.

n9 "Hijacking Going High-Tech," The London Free Press, June 9, 2000, at D3.

The next month, nike.com was webjacked. Until the webjacking was reversed, consumers who typed www.nike.com in their Web browsers were automatically directed to a Web site in Scotland maintained by a group called S-11 and hosted by Firstnet On-Line Ltd. n10 The redirected traffic overloaded Firstnet's server, making the company unable to serve its legitimate customers. n11 After the company billed Nike for the use of the servers, Firstnet considered suing Nike for neglecting to secure its domain name registration. n12

n10 Ann Harrison, "Companies Point Fingers over Nike Web Site Hijacking," Network World Fusion, June 30, 2000, at 2000 WL 9443184.

n11 Id.

n12 Id.

Also in June, a $500 million public net media company had internet.com, 1,300 other domain names, and virtually all of its business stolen. n13 This large-scale webjacking was accomplished with merely a fax machine. n14 The thief faxed a request to the registrar and the registrar promptly switched control of the domain names to the webjacker. Although the sites were regained in several days, the company's confidence in its registrar was not. n15

n13 "NSI's Webjacking Epidemic," Wired News 3:00 a.m. (June 8, 2000).

n14 Id.

n15 Id.

One of the longest publicized webjackings is still underway. In 1994, Gary Kremen registered the domain name sex.com. In October 1995, the sex.com site was allegedly stolen via a forged letter to the registrar. n16 The webjacker, Stephen Cohen, developed a pornographic Web site connected to the domain name and made millions. n17 It took Kremen two years of litigation before a court ruled on November 27, 2000, that Cohen was guilty of webjacking the site. n18 Pending a final decision on potential damages, the judge has frozen $25 million in Cohen's business assets. n19 A related lawsuit against the registrar for allowing the webjacking to happen was dismissed. n20

n16 "Sex.com Ruling: It Wasn't Stolen," Wired News 3:00 a.m. (Aug. 25, 2000).

n17 "Judge Returns Valuable Porn Site to Original Owner," The Minneapolis Star Tribune, Nov. 29, 2000.

n18 Clint Boulton, "Sex.com: A Chapter of Prurient Jurisprudence Closes," Internet News, Nov. 28, 2000, at http://www.internetnews.com/bus-news/article/0,,3_520901,00.html.

n19 "Judge Returns Sex.com Domain to Owner," USA Today, Nov. 28, 2000, at www.usatoday.com/life/cyber/tech/cti845.htm.

n20 "Sex.com Ruling: It Wasn't Stolen," Wired News 3:00 a.m. (Aug. 25, 2000).

As one would expect, it is the more highly recognized domain names that become the target of webjacking. In addition to internet.com and sex.com, the domain names for Adidas, LucasArts.com, Viagra.com, Croatia.com, Washington.com, and Canada.com have all been webjacked. n21 Even aol.com n22 has been stolen.

n21 Bob Sullivan, "Web Sites 'Stolen' by Cyberthugs," ZDNet News, May 31, 2000, at http://www.zdnet.com/zdnn/stories/news/0,4586,2580039,00.html.

n22 Leslie Walker, "Fake Message Sends AOL Email Astray; Security Breach Changes Net Address," Wash. Post, Oct. 17, 1998, at G01.

How a Webjacking Occurs

Every registrar has a procedure for registering domain names, as well as a procedure by which the registrant can update its registration information, which usually can be done online or by sending an email message. n23 Webjackings can be divided into four primary phases: (1) planning the attack; (2) sending a counterfeit request to the registrar; (3) having the registrar incorrectly determine that the request is authentic; and (4) transferring the registration to a new registrar so that the rightful registrant has a more difficult time recovering from the webjacking.

n23 E.g., http://www.networksolutions.com/makechanges (last visited Jan. 3, 2001).

Planning the Attack

Registrars allow several fields in a domain name registration to be modified through a change request. Registrants can update their registration record with a new legal name or a new address. At first glance, one might assume that webjackers are concerned with these. A Web site, however, is not based on the real or alleged name or street address of the registrant. Thus, these fields are not of concern.

Contacts are the second set of fields that can be added, deleted, or modified. Contacts are agents, either individuals or a group of individuals who act in a specific "role," who represent the registrant on matters related to the registrant's domain name. n24 The registration lists the administrative, the technical, and the billing contact. For example, although the administrative contact may be listed as "John Doe" with an email address of john.doe@company.com, it may just as well be listed as "Administration Group" with an email address of admincontact@company.com. The entity listed as one of the three contacts should be the entity best able to answer questions about that particular aspect of the domain name registration and should be authorized to represent the domain name registrant. The administrative contact is usually the owner of the domain name or a representative of the company that owns it. Some registrars operate under the rule that the administrative contact is the actual registrant. n25 The billing contact should be the person to whom the invoices for registration and renewal should be sent. The technical contact should be the person best able to answer questions about the Web site's host servers.

n24 http://www.networksolutions.com/cgi-bin/glossary/lookup?term=Contact/Agent (last visited Jan. 3, 2001).

n25 This causes problems when the administrative contact leaves the company and the company then tries to get the registrar to update the records with a new administrative contact. Domain name administrators say that in the past, registrars have stated that the only way such a change request would be approved is if the request was made via the former employee's email address. In response, domain name administrators have had to set up a temporary mail account in the former employee's name and send the change request from this dummy account. Carole Fennelly, "Domain Name Hijacking: It's Easier Than You Think," JavaWorld, July 18, 2000, available at 2000 WL 14587742.

Webjackers are very interested in the contact information because it is this list of people who are authorized to change the domain name registration information. Some webjackers may already be listed as one of the contacts because they are angry current or former employees of the domain name registrant who were previously set up as a contact. Otherwise, the webjacker chooses to impersonate one of these contacts during the webjacking.

The name servers are the third set of fields on the registration that can be updated. As discussed previously, a name server is a computer that works as part of the domain name service (DNS) to resolve domain names to their corresponding IP addresses. Each domain name registration lists an IP address for both a primary and secondary name server. In practice, when a Web user types a uniform resource locator (URL), such as www.oppenheimer.com, the hierarchical DNS is contacted and the primary name server assists in resolving the domain name to the proper IP address. If the primary server does not respond, the secondary name server is used.

Because the name server controls where Web traffic is directed for the domains within its network, a webjacker usually seeks to change the listed name servers to ones within his or her control. All of the registration information for a given domain name is publicly available through the registrar's whois database. n26 Planning a webjacking attack is easy because the contact information and name servers for a domain name can be discovered in less than a minute. n27 Based on the whois database, the webjacker knows whom to impersonate in order to get the name servers changed. The webjacker must now figure out how to accomplish the impersonation.

n26 The "whois" name is quite descriptive of the database, since its purpose is to tell "whois" the registrant of a domain name. Network Solution's whois database can be accessed at http://www.networksolutions.com/cgi-bin/whois/whois (last visited Jan. 3, 2001).

n27 "Domain Name Game," Computerworld, June 12, 2000, 71(1).
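The same public whois record that tells a webjacker whom to impersonate also gives the registrant a cheap early-warning signal: if the contacts or name servers in the live record ever differ from the values the registrant itself set, a change request it never sent has been processed. The following Python example, added here and not part of the original article, parses a constructed whois-style record and compares it against a known-good baseline. The record layout, the domain, the contact names and addresses, and the baseline values are all assumptions made for illustration, not any registrar's actual output.

```python
"""Parse a whois-style registration record and flag contact or
name-server drift against a known-good baseline.

Added example; the record text and field labels below are constructed
for illustration and do not reproduce any registrar's real format.
"""
import re

# Constructed sample whois output for a hypothetical domain whose name
# servers have already been switched to hosts the registrant does not own.
WHOIS_RECORD = """\
Domain Name: EXAMPLE-VICTIM.COM
Registrant:
   Example Victim Corp.
   100 Main Street, Minneapolis, MN 55402 US
Administrative Contact:
   Doe, John  john.doe@example-victim.com
Technical Contact:
   Hostmaster  hostmaster@example-victim.com
Billing Contact:
   Accounts Payable  ap@example-victim.com
Domain servers in listed order:
   NS1.UNKNOWN-HOST.NET   198.51.100.10
   NS2.UNKNOWN-HOST.NET   198.51.100.11
Record last updated on 02-Jun-2000.
"""

# Known-good values the registrant keeps offline (assumed for the example).
BASELINE = {
    "admin_email": "john.doe@example-victim.com",
    "name_servers": {"ns1.example-victim.com", "ns2.example-victim.com"},
}

# One contact block: a role line followed by an indented "name  email" line.
CONTACT_RE = re.compile(
    r"^(Administrative|Technical|Billing) Contact:\n\s+(.+?)\s+(\S+@\S+)$", re.M)
# One name-server line: indented host name followed by its IPv4 address.
NS_RE = re.compile(
    r"^\s+(NS\d*\.[A-Z0-9.-]+)\s+(\d+\.\d+\.\d+\.\d+)$", re.M | re.I)


def parse_whois(text):
    """Extract the three role contacts and the listed name servers."""
    contacts = {role.lower(): {"name": name.strip(), "email": email}
                for role, name, email in CONTACT_RE.findall(text)}
    servers = {host.lower(): ip for host, ip in NS_RE.findall(text)}
    return {"contacts": contacts, "name_servers": servers}


def detect_drift(record, baseline):
    """Return human-readable findings wherever the live record diverges
    from the baseline. An empty list means nothing has been changed."""
    findings = []
    admin = record["contacts"].get("administrative", {}).get("email")
    if admin != baseline["admin_email"]:
        findings.append(f"administrative contact changed: {admin!r}")
    live_ns = set(record["name_servers"])
    added = live_ns - baseline["name_servers"]
    removed = baseline["name_servers"] - live_ns
    if added or removed:
        findings.append(
            f"name servers changed: added={sorted(added)} removed={sorted(removed)}")
    return findings


if __name__ == "__main__":
    for finding in detect_drift(parse_whois(WHOIS_RECORD), BASELINE):
        print("ALERT:", finding)
```

Run periodically against a fresh copy of the record, a check like this would have caught the name-server switch in the sample record while the administrative contact was still intact, which is the moment at which the rightful contacts can still send a corrective request.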

Sending Fakemail

Email is often used as the impersonation tool because it is not difficult to do. Fake email messages have been nicknamed "fakemail" and the process of sending them is known as "spoofing." Fakemail messages are altered so that the message appears to have been sent by someone else. Webjackers configure fakemail so that the administrative contact appears to be the sender.

Unfortunately, sending fakemail is easy. There are several Web sites that allow anyone to create and send a rudimentary fakemail message. n28 Such Web sites alter the headers that are traditionally attached to the beginning of email messages. The header information includes data about the sender -- including his or her name and email address -- and the route the message followed during delivery.

n28 Fakemail can be sent from, inter alia, http://www.cyborg.net/mail-html; http://www.hughesclan.com/fakemail.htm; http://www.virtualdrawing.com/fakemail; and http://fakemail.itgo.com (last visited Jan. 3, 2001).

Most fakemail Web sites produce email the average reader would accept as real. To create a first-rate fake message, however, requires more knowledge. Hackers can learn how to do this from the many documents available on the Internet. n29 There is even a "Fake Mail FAQ." n30 These tutorials point out that fakemail is possible because all Internet email is managed with simple mail transfer protocol (SMTP). n31 A hacker only needs to gain access n32 to an Internet-connected server. Once connected to a server, the hacker can manually issue SMTP commands n33 to fool the server into believing it received the SMTP email instructions from another computer. n34

n29 E.g., http://hackersclub.com/km/library/hack99/Mail.txt; and http://hackersclub.com/km/library/hack/gtmhh1-2.txt (last visited Jan. 3, 2001).

n30 Rourke McNamara, "The Fake Mail FAQ," at http://www.hackerscatalog.com/mailfaq.htm (last visited Jan. 3, 2001). "FAQ" stands for "frequently asked questions."

n31 McNamara, supra.

n32 Access is gained via "telnet," a protocol that allows a user to log on to a remote computer system and then to issue commands as if the user were physically located at that other computer system.

n33 SMTP commands are simple; for example, "mail from" and "rcpt to" are two SMTP commands.

n34 McNamara, supra n.30.

Hackers say university servers in the ".edu" domain are the best ones to try for access, because colleges and universities often have lazy security. n35 In addition, because the Internet is not hampered by distances, a hacker does not need to limit his or her search for a server. A server in Europe or Asia works just as well as a server in the United States. Of the hundreds of thousands of servers worldwide, the hacker only needs to find one with inadequate security measures. From this server, the hacker can create and send a fraudulent service request through a fakemail message instructing the registrar to modify the registration information for the desired domain name.

n35 The Mob Boss, a.k.a. Mafia-man777, "The Wonderful and Evil World of Email: The Art of Email Forging and Tracing Explained in One Simple Text," at http://hackersclub.com/km/library/hack99/Mail.txt (last visited Jan. 3, 2001).

Mistaken Authentication

Before any modification is made to a registration, the registrar should first authenticate the request -- verify that the sender in fact sent the email message, and check that the sender is one of the authorized contacts. As more registrars enter the market, it is difficult to state that all registrars have equally adequate authentication policies. It is possible that some lax registrars may process service requests without even looking up the list of authorized contacts; however, it is more likely that most webjacking takes place because although the registrar checks the list of contacts, the registrar is fooled into believing that the fakemail message was sent by one of the contacts.

Registrars must determine how to ascertain if an email message is authentic. For example, Network Solutions (NSI) has set up Guardian -- an authorization and authentication system that helps protect domain name registration records from unauthorized updates. n36 During the initial registration process, the registrant chooses from one of three Guardian methods: (1) Mail-From; (2) Crypt-Password; or (3) PGP.

n36 "Frequently Asked Questions about Authentication," Network Solutions, at http://www.networksolutions.com/en_US/help/guardian.jhtml (last visited Jan. 3, 2001). Other registrars have similar authentication systems, but only NSI will be covered here.

Mail-From. This is the least secure Guardian method. For domain name registrations protected by this method, all registration contacts provide NSI with their email address. Whenever NSI receives an email message requesting a change to the registration record, the email's headers are checked and the "mail from" field must match the contact's email address that is listed in the whois database. Of course, because the email addresses are publicly available through the whois database and because fakemail easily modifies the "mail from" field, this Guardian method is simple to use, but not very secure. NSI now advertises that it has additional measures built into its policies to further authenticate users having the Mail-From Guardian method. As with most authentication policies, however, registrars do not release details of the policies, to prevent hackers from devising ways to circumvent them.

Crypt-Password. Under this method, the contact chooses a password, and every request message must include that password. When the contact first chooses his or her password, NSI encrypts it and stores the result as the master password. Each email request must then be accompanied by the password. NSI encrypts the supplied password and compares it to the contact's previously encrypted master password. If the passwords match, the request is processed.

To ensure that hackers cannot gain passwords from its system, after the master password is encrypted NSI destroys the plaintext version of the password. From this point forward, even NSI cannot determine what the contact's correct password is. If the contact forgets his or her password, the contact can ask NSI to reset the password. NSI then follows a policy to attempt to ensure that the contact is legitimate before resetting the password. Of course, a hacker could abuse this password resetting procedure as part of his or her webjacking scheme. The webjacker could also try to guess the password or find an electronic or paper copy of the password kept by the contact. n37 For these and other reasons, the Crypt-Password method is not without its security concerns. n38

n37 The FTC noted that "[many] consumers use the same password at multiple places, or leave themselves reminders on yellow stickies, or use obvious passwords that are easily guessed, for example, one of the most commonly used passwords of all is 'password'," "FTC Advisory Committee on Online Access and Security, Final Report -- Second Draft," May 8, 2000, at http://www.ftc.gov/acoas/papers/acoasdraft2.htm.

n38 Webjackings have allegedly occurred even when password security has been in place. Ann Harrison, "Companies Point Fingers over Nike Web Site Hijacking," Network World Fusion, June 30, 2000, available at 2000 WL 9443184.
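The difference between the Mail-From and Crypt-Password methods comes down to what evidence the registrar actually examines. The following Python example, added here and not the article's code or NSI's implementation, models both checks on a registrar's side: the Mail-From check compares a header that the sender writes, while the Crypt-Password check compares a one-way hash of a secret the registrar never stores in plaintext. The message format, the "X-Guardian-Password" header name, the contact record and the use of PBKDF2 as the "encryption" of the master password are all assumptions made for the example; the article does not describe NSI's actual algorithm.

```python
"""Registrar-side authentication of an emailed change request under a
Mail-From style check and a Crypt-Password style check.

Added example; the message layout, header names and hashing scheme are
assumptions, not NSI's real Guardian implementation.
"""
import hashlib
import hmac
import os
from email import message_from_string

# Constructed contact record, as the registrar's whois database would hold it.
CONTACT = {"handle": "JD123", "email": "john.doe@example-victim.com"}


def authenticate_mail_from(raw_message, contact):
    """Mail-From: accept if the From: header equals the listed address.
    The header is written by whoever sends the message, so passing this
    check only shows the sender knew the publicly listed whois entry."""
    msg = message_from_string(raw_message)
    return msg.get("From", "").strip().lower() == contact["email"].lower()


def enroll_crypt_password(plaintext, iterations=200_000):
    """Store a random salt and a PBKDF2 digest of the password. The
    plaintext is not retained, so the registrar itself cannot recover it."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", plaintext.encode(), salt, iterations)
    return {"salt": salt, "digest": digest, "iterations": iterations}


def authenticate_crypt_password(raw_message, stored):
    """Crypt-Password: the request must carry the password; derive the
    same digest and compare it in constant time with the stored one."""
    msg = message_from_string(raw_message)
    supplied = msg.get("X-Guardian-Password")  # assumed header name
    if supplied is None:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", supplied.encode(), stored["salt"], stored["iterations"])
    return hmac.compare_digest(digest, stored["digest"])


# Constructed requests. The first is what the legitimate contact sends; the
# second carries the same From: header but nothing the registrar could verify.
LEGIT_REQUEST = """\
From: john.doe@example-victim.com
To: hostmaster@registrar.example
Subject: Modify name servers for EXAMPLE-VICTIM.COM
X-Guardian-Password: correct horse battery staple

Please change the name servers to ns1.example-victim.com / ns2.example-victim.com.
"""

HEADER_ONLY_REQUEST = """\
From: john.doe@example-victim.com
To: hostmaster@registrar.example
Subject: Modify name servers for EXAMPLE-VICTIM.COM

Please change the name servers to ns1.unknown-host.net / ns2.unknown-host.net.
"""


if __name__ == "__main__":
    stored = enroll_crypt_password("correct horse battery staple")
    for label, req in (("legit", LEGIT_REQUEST), ("header-only", HEADER_ONLY_REQUEST)):
        print(label, "mail-from:", authenticate_mail_from(req, CONTACT),
              "crypt-password:", authenticate_crypt_password(req, stored))
```

Both requests satisfy the Mail-From check, because the only input it examines is a header under the sender's control; only the request that carries the shared secret satisfies the Crypt-Password check. The constant-time comparison and the discarded plaintext correspond to the safeguards the article attributes to NSI, and the remaining weaknesses the article lists (guessable passwords, written-down copies, abuse of the reset procedure) lie outside anything this check can see.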

PGP. The most secure Guardian method is Pretty Good Privacy (PGP). This is a dual key, digital signature methodology. The specifics of PGP are beyond the topic of this article; therefore, only a simplified explanation will be offered here. n39 PGP operates by a contact setting up his or her digital signature. The digital signature has two parts: (1) a public key; and (2) a private key. The contact can freely distribute its public key to anyone who may receive digitally signed email messages from the contact. To make distribution of the public keys simple, they are often posted on certification servers throughout the Internet. Although the public key is widely distributed, the contact must keep the private key confidential.

n39 For a more comprehensive explanation of PGP and digital signatures, see "How PGP Works," Network Associates, Inc., at http://www.pgpi.org/doc/pgpintro (last visited Jan. 3, 2001). This document is chapter 1 of the document "Introduction to Cryptography from the PGP," 6.5.1 documentation.

When the contact composes an email request to NSI, the contact "signs" the message before sending it. To "sign" the message, the entire email message is encrypted with the contact's private key. The encrypted message is emailed to NSI and NSI attempts to decrypt the message using the contact's freely accessible public key. If the message is successfully decrypted, then NSI is assured that the message is really from the contact because the public key is the only key that will decrypt messages encrypted with the contact's private key.

Using PGP can be bothersome because contacts are accustomed to the ease of traditional email messaging. Thus, some registrants choose not to rely on PGP. Additionally, NSI does not currently support PGP digital signatures from Windows-based computer systems. Only Unix-based systems are supported. This further limits the usage of PGP.

The three-tier Guardian system is NSI's security strategy. Other registrars have their own ways to provide registrant protection. For example, Tucows' OpenSRS registrar system provides registrants with a username and password. All changes to the domain name registration must be accompanied by the proper username and password. While not as technologically hip as PGP digital signatures, passwords are easier to use and provide some safety. Of course, passwords are only safe as long as they are not easily guessed and are kept from disclosure. Tucows believes in its username/password method because it is unaware of any fakemail that has caused the OpenSRS to turn a domain name registration over to a fraudulent party. n40

n40 Telephone Interview with Ross Rader, Director of Product Management, Tucows (Nov. 6, 2000).

Once the registrar uses its internal procedures to authenticate the email message, the registrar responds by carrying out the request. If a webjacker's fakemail message evades detection and is authenticated, then the registrar may unknowingly replace the current contacts with fake contacts having email addresses controlled by the webjacker. Then the registrar may fulfill the webjacker's request to change the address of the name server to one that will resolve the domain name to the webjacker's Web site. Once these changes are processed, the domain name has been webjacked. All Web traffic will be automatically directed away from the legitimate Web site and to the webjacker's Web site. The legitimate registrant will not be able to easily recover from the webjacking because its legitimate contacts are no longer authorized to make changes to the domain name registration.

Laundering the Registration

After gaining control of the domain name, webjackers usually attempt to cover their tracks by "laundering" the domain name. Transferring the registration to another registrar accomplishes the laundering. n41 Once the registration is transferred to a new registrar, the legitimate registrant must gain the assistance of both the original registrar and the new registrar in order to recover the domain name registration from the webjacker. The addition of another third party adds complexity to the recovery of the registration, thus slowing down the process.

n41 K. K. Campbell, "The Anatomy of a Domain Name Hijacking," The Toronto Star, June 8, 2000.

Unfortunately, transferring registrars is easy. The webjacker contacts a new registrar and requests that the registration be transferred. The new registrar compares the credentials of the requesting party against the whois database. If the information matches -- which of course it does after a webjacking -- the new registrar submits the transfer request to the registry and the transfer is automatically completed. The former registrar, which the webjacker duped with the fakemail message into turning over control of the domain name, is sent an informational message that the domain name will be transferred. The former registrar, however, is either not asked for approval, or else the transfer occurs before the rightful registrant discovers that the domain name has been webjacked.

Although NSI and other registrars recognize that the current registrar transfer policy assists webjackers in their con games, the Internet Corporation for Assigned Names and Numbers (ICANN) -- which controls the transfer policy -- has not yet acted to improve the transfer system.
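The transfer check described above validates the requester against whois data that, after a webjacking, the webjacker has already rewritten, so it adds nothing on its own. What the losing registrar and the registrant do still have is the sequence of changes: a contact change, then a name-server change, then an outbound transfer within days. The following Python example, added here and not the article's code or any registry's procedure, models the gaining registrar's whois comparison and then runs a simple detection rule over a constructed audit trail, flagging transfers that follow a contact or name-server change within a short window. The event log, the domain names and the seven-day window are assumptions made for the example.

```python
"""Model the registrar-transfer check and flag the laundering pattern
(contact change, name-server change, transfer-out in quick succession).

Added example; the audit events and the seven-day window are constructed
assumptions, not a policy taken from the article or from ICANN.
"""
from datetime import datetime, timedelta

# Constructed audit events for two hypothetical domains (timestamps assumed).
EVENTS = [
    {"ts": "2000-06-01T09:12", "domain": "example-victim.com", "type": "contact_change",
     "detail": "admin john.doe@example-victim.com -> admin@unknown-host.net"},
    {"ts": "2000-06-01T09:40", "domain": "example-victim.com", "type": "nameserver_change",
     "detail": "ns1.example-victim.com -> ns1.unknown-host.net"},
    {"ts": "2000-06-03T14:05", "domain": "example-victim.com", "type": "transfer_out",
     "detail": "to registrar B"},
    {"ts": "1999-11-20T10:00", "domain": "example-other.com", "type": "contact_change",
     "detail": "billing ap@example-other.com -> finance@example-other.com"},
    {"ts": "2000-04-02T08:30", "domain": "example-other.com", "type": "transfer_out",
     "detail": "to registrar C"},
]

CHANGE_TYPES = ("contact_change", "nameserver_change")


def whois_allows_transfer(whois_contacts, requester_email):
    """The gaining registrar's only check in the flow the article describes:
    is the requester among the currently listed contacts? After a webjacking
    those contacts are the webjacker's, so the check passes."""
    return requester_email.lower() in {c.lower() for c in whois_contacts.values()}


def flag_laundering(events, window_days=7):
    """Return (domain, transfer timestamp) pairs, ordered by time, for every
    transfer-out preceded by a contact or name-server change within
    `window_days`. A losing registrar could hold such transfers for manual
    confirmation instead of treating the notice as purely informational."""
    by_domain = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_domain.setdefault(ev["domain"], []).append(ev)
    window = timedelta(days=window_days)
    flagged = []
    for domain, evs in by_domain.items():
        for i, ev in enumerate(evs):
            if ev["type"] != "transfer_out":
                continue
            t_xfer = datetime.fromisoformat(ev["ts"])
            recent = [p for p in evs[:i] if p["type"] in CHANGE_TYPES
                      and t_xfer - datetime.fromisoformat(p["ts"]) <= window]
            if recent:
                flagged.append((domain, ev["ts"]))
    return sorted(flagged, key=lambda f: f[1])


if __name__ == "__main__":
    # After the contact change, the webjacker's address is the listed contact.
    print(whois_allows_transfer({"admin": "admin@unknown-host.net"},
                                "admin@unknown-host.net"))
    for domain, ts in flag_laundering(EVENTS):
        print(f"HOLD transfer of {domain} requested {ts}: recent record changes")
```

With the default window only example-victim.com is flagged; example-other.com, whose billing contact was changed months before its transfer, is not. The rule is deliberately coarse: it trades a few false positives on legitimately reorganised domains for a pause at exactly the point where, in the article's account, the rightful registrant is otherwise racing the transfer.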

What Do Webjackers Gain?

As with any improper conduct, there are many reasons why webjackers do what they do. The International Trademark Association (INTA) researched why cybersquatters knowingly register domain names that are confusingly similar to known trademarks. The term "cybersquatter" refers to a person who buys a domain name hoping to resell it for a large profit when the company wants to open a Web site with that domain name. n42

n42 "Computer User High-Tech Dictionary," http://www.computeruser.com/resources/dictionary (last visited Jan. 3, 2001).

Although not all webjackers are cybersquatters, there are many similarities between the two and thus the reasons for their actions may be similar. INTA found that cybersquatter conduct is usually associated with: (1) extracting money from the trademark owner; (2) offering to sell the domain name registration to third parties; (3) using the well-known domain name in connection with a pornographic site; or (4) engaging in some sort of consumer fraud, including counterfeiting. n43 In addition to these four reasons, webjackers may also gain (5) revenge; and (6) counter-culture respect.

n43 "Cybersquatting and Consumer Protection: Ensuring Domain Name Integrity," Before the US Senate Committee on the Judiciary (July 22, 1999), (statement of Ann Chaser, President of International Trademark Association), at http://www.senate.gov/judiciary/72299ac.htm (Testimony of Chaser).

Selling a domain name can be quite profitable. Warner Brothers was offered warner-records.com and other similar domain names for $350,000. n44 In January 1999, Bank of America bought the domain name Loans.com for $3 million, and in 1999, ECompanies spent $7.5 million buying the domain name Business.com. n45 As proof that domain name sales are big business, a number of commercial Web sites exist that conduct domain name auctions. n46

n44 Id.

n45 Lisa Meyer, "URLiquidation," Redherring.com, November 10, 2000, at http://www.redherring.com/investor/2000/1110/invurl111000.html. The days where domain names sell for such large amounts may be over with the cooling of tech stocks. As evidence, the average sales price for a domain name from online auctioneer GreatDomains.com in August 2000, was $5,150; this is a 72 percent decrease from just one month earlier. Id.

n46 "Google Web Directory," at http://directory.google.com/ (last visited Jan. 3, 2001) for a list of domain name auctions.

Selling a domain name is not the only way to make money. The webjacker turned cybersquatter may also gain money from the domain name as part of the booming online pornography industry. In the year 2000, experts predict the online sale of pornographic videos, pornographic Web site subscriptions, and the like will generate $1.4 billion. n47 By capturing the registrant's domain name, the webjacker can easily redirect all traffic intended for the registrant's Web site to a pornographic Web site, in hopes of encouraging more sales.

n47 Kenneth Li, "Silicone Valley: Porn Goes Public," TheStandard.com, October 31, 2000, at http://www.thestandard.com/article/display/0,1151,19696,00.html (Datamonitor's estimate).

Not all webjackers plan on making money from the heist. According to registrar representatives, many webjackers are just angry current or former employees who want to meddle with the Web site and domain name to retaliate against the registrant. n48 Other webjackers are political protestors (e.g., when several domain names were taken over and the corresponding Web sites displayed a coat of arms bearing the title "Kosovo is Serbia"). n49 Still other webjackings are done for fun, challenge, or simply to obtain respect from other hackers. As one expert said, "These [webjackers] are not 50 year olds. They're just showoffs." n50

n48 Interview with Phil Sbarbaro, Chief Litigation Counsel, NSI (Nov. 2, 2000).

n49 Alana Juman Blincoe, "DNS Intrusions Spotlight Security Debate," Network News, May 3, 2000, available at 2000 WL 7833925.

n50 Interview with Phil Sbarbaro, supra n.48.

What Do Victims Stand to Lose?

When a commercial Web site is webjacked, the company registrant is harmed. The company loses online contact with its customers. If the domain is redirected to an offensive site, such as a pornographic site, customers may be offended and turn away. Even if the domain name is quickly recovered, a company may lose customers as a result of the confusion or doubts regarding security.

Financial institutions and other companies transferring funds on the Internet may be vulnerable to direct monetary damage after a webjacking. For example, merchants who receive funds via the Internet could have their Web sites mirrored by the webjacker. A customer or client might unknowingly make payments to the webjackers. If a financial institution has its domain webjacked, the fraudulent Web site might ask clients for password information or other financial information that would allow the hacker to later access the client's accounts or fraudulently obtain credit in the client's name.

In July 2000, the Office of the Comptroller of the Currency (OCC) n51 issued an alert to financial institutions, warning the banks to ensure their domain names are registered to them, are under their control, and are clearly communicated to their customers. n52 The alert pointed out that a webjacking could result in the loss of a bank's online identity and a misdirection of its customer communications.

n51 The OCC charters and regulates approximately 2,400 banks in the United States, which account for over half of the nation's banking assets. (OCC News Release, NR 2000-53, July 19, 2000)

n52 Alert 2000-9, OCC, July 19, 2000.

Options for Webjacking Victims

Registrants who are the victim of a webjacking have several options to recover the use of their domain name as well as damages resulting from the incident. Each course of action has its advantages and disadvantages. Because webjackings are a new and infrequent problem, the registrars, the authorities, and the courts are still learning how to respond appropriately.

Work with the Registrar

Contacting the registrar is probably the best first response after discovering a webjacking. Although the registrant and registrar enter into an agreement at the time of registration, the agreements offered by the various registrars offer little assistance to a webjacked registrant. For example, NSI's and Tucows' n53 agreements explicitly state that the registrar makes "no warranty that [its] services will meet [registrant's] requirements, or that the services will be uninterrupted, timely, secure, or error free." n54 In addition, Tucows' agreement also makes no warranty that "defects in the Service will be corrected." n55

n53 Tucows operates OpenSRS, a wholesale domain name registration service. An ISP, Web hosting company, IT consulting company or other e-commerce business can become a partner of the OpenSRS system. OpenSRS provides access to the domain registry and the tools necessary for the business to become a retail provider of domain name registration services. At www.opensrs.org or www.tucows.com (last visited Jan. 3, 2001).

n54 "Service Agreement," Network Solutions, at P 18 at http://www.networksolutions.com/legal/service-agreement.jhtml (last visited Jan. 3, 2001); "Form of Registration Agreement, Appendix A of Registration Service Provider Agreement, Tucows Inc.," at P 17, at http://www.opensrs.org/OpenSRSDRAv3.0.0.pdf ( last visited Jan. 3, 2001) (Tucows Registration Agreement).

n55 Tucows Registration Agreement, id.

Although the registrars do not explicitly agree by contract to help a registrant recover a webjacked domain name, registrars realize that such a situation carries a strong customer service element. n56 This is especially true because the registration business is no longer a monopoly, but rather a competitive field in which dozens of registrars battle for registration revenue. As a result, some registrars have set up special teams that can be contacted with dispute resolution issues. For example, NSI's special team can be reached at www.domainmagistrate.com or by email at resolution@netsol.com. It appears, however, that these special services are primarily directed toward trademark infringement disputes rather than recovery from a webjacking.

n56 Interview with Brenda Lazare, General Counsel of Tucows (November 6, 2000).

Because a webjacking usually includes laundering by transferring the registration to a "clean" registrar, it is important to prevent this transfer from occurring so the problem can be resolved more easily. n57 Once the registrant contacts the registrar about the webjacking, and after the registrar freezes the domain name registration so it will not be transferred to an unsuspecting new registrar, the next step is for the registrar to investigate and resolve the issue. The investigation may take seven to ten days, or even longer, to get fully resolved. n58

n57 Id.

n58 Interview with Brenda Lazare, General Counsel of Tucows and author's own experience.

Although registrars may see the need to quickly assist with the resolution of webjackings, the registrars can be so overworked that it is difficult for them to resolve the problem swiftly. Unfortunately, by the time the registration is returned to the registrant, the registrant may have lost both money and customers.

One of the authors has experienced firsthand the frustrations that can be encountered when working with a busy registrar after a webjacking. A company purchased the domain name registrations and other assets of an Internet service provider (ISP) and hired the principal to act as president of its subsidiary. After the president failed to properly perform his duties for six months, the company terminated him in the Spring of 2000. The former president, who controlled the server for a number of the domain names, immediately webjacked many of the company's domain name registrations through the registrar by changing the domain servers. For some of these changes, the former president was still listed as the administrative contact and easily submitted a seemingly proper request to the registrar for the registration changes. For other registrations in which he was not the administrative contact, he apparently used fakemail to submit the requests.

Once he captured the domain name registrations and rerouted them to servers under his control, the former president was able to obtain and control all of the electronic traffic and emails directed to the webjacked domain names. The registrar's customer service department was contacted. The registrar, however, was slow to respond and not very cooperative. Even after the domain registrations were returned to the company after a number of days, the problems were not fully resolved. Although the domain name registrations had been updated to use encrypted passwords, the former president somehow managed to get the registrar's system to again change the name servers. Some of the domain name registrations were changed between the proper registrant and the former president more than once over the course of several weeks. Several months later, the former president attacked again. Although most of the domains were eventually regained, it was only after lengthy struggles with the registrar. Because of this problem, the registrant lost a number of its customers and was forced to abandon certain of its service offerings.

Consider Using the UDRP

In addition to working directly with a registrar, the victim of a webjacking may wish to avail itself of the Uniform Domain Name Dispute Resolution Policy (UDRP) adopted by all registrars. The UDRP is a relatively quick and inexpensive way to resolve domain name disputes. Although the UDRP was intended to resolve cybersquatting and trademark disputes, it appears that in October 2000, the UDRP was first used to recover a domain name that was webjacked after a fakemail request was sent to the registrar. n59 In that case, Gerald Mikkelson, doing business as Internet Host Corporation, registered the domain name HOST.COM. Mikkelson was listed with the registrar as both the administrative and billing contact. On May 24, 2000, nearly six years after Mikkelson first registered the domain name, an email message was sent to the registrar requesting that the administrative, technical, and billing contacts be changed. The email also requested that the address of the name servers be altered. The change request was refused -- probably because the email message's return address was not the same as the current administrative contact for the domain name (i.e., Mikkelson). n60

n59 Agent Host Co. v. Host Dot Com Investments, eResolution, Case No. AF-0343 (October 16, 2000), at http://www.eresolution.com/services/dnd/ decisions/0343.htm.

n60 In fact, the return address was not a genuine address for anyone. Id.

Five days later, the registrar received a second email message. This message appeared to originate from Mikkelson. The message requested that the contacts and domain name servers be changed. Believing the request to be authentic, the registrar made the changes after approval was given by a follow-up email message, again appearing to originate from Mikkelson. Once the changes were made, the domain name was laundered by being transferred to a new registrar. Some time later, Mikkelson discovered that his domain name had been webjacked.

Mikkelson filed an online complaint through eResolution on August 24, 2000. Soon thereafter, an eResolution clerk notified the respondent by an email message sent to postmaster@host.com and the recently changed electronic address for the administrative contact. In addition, the complaint and accompanying materials were sent via registered mail to the respondent in Canada. The respondent did not respond to any of the notices.

The panelist appointed to the case noted in his decision that to obtain relief under the UDRP, the complainant must prove three elements, namely that (1) respondent's domain name is identical or confusingly similar to a trademark in which the complainant has rights; (2) respondent has no right or legitimate interests with respect to the domain name; and (3) respondent's domain name has been registered and is being used in bad faith. n61

n61 Agent Host Co., eResolution, Case No. AF-0343.

In analyzing the allegations before him, the panelist first determined that because respondent controls the identical domain name through which complainant previously performed business, confusion is certain. Although the panelist failed to state that the complainant had trademark rights to the domain name, because Mikkelson operated a business over the Internet with the domain name, it appears that he had indeed obtained common law trademark rights to the mark HOST.

Second, the panelist searched for any legitimate interests by the respondent in the domain name. Noting that a thief does not have good title to what he steals, the panelist checked respondent's actions against the indicia set forth in the UDRP regarding what demonstrates rights in a domain name. Unable to find any indicia or explanation by respondent, the panelist determined that respondent had no legitimate interest in the HOST.COM domain name.

Third, the panelist determined that the respondent had registered the name and was using it in bad faith. Although the UDRP provides factors that indicate registration and use in bad faith, most of these factors relate to situations involving commercial competitors. Because this was not the case, the panelist was forced to look outside of the non-exclusive factors of the UDRP. Stating, "it would also be difficult to say a thief acts other than in bad faith," and pointing to how respondent gained the registration of the domain name from the complainant (i.e., the fakemail messages), the panelist held that the respondent demonstrated the requisite bad faith.

Because complainant proved all three elements: (1) the domain name is identical; (2) respondent had no legitimate interest in the domain name; and (3) the respondent acted in bad faith -- the panelist ordered HOST.COM transferred back to complainant.

With the HOST.COM case, there is now precedent that the UDRP can be relied on to recover from a webjacking. Because the intent of the UDRP was not for this purpose, however, it is unknown whether subsequent panelists will allow webjacking cases to be resolved in this fashion. In addition, because the UDRP does not provide for expedited relief and relief is limited to the transfer of the domain name (no damages are allowed), victims of webjacking may wish to rely on another option for faster relief and to recover damages. Significantly, by submitting a dispute through the UDRP, the registrant purportedly releases the registrar from liability, which may be the only real source from which to recover monetary damages. n62 It is not known whether a court would enforce this release.

n62 "Uniform Domain Name Dispute Resolution Policy," ICANN, § 4(h) at http:// www.icann.org/udrp/udrp-policy-24oct99.htm (last modified Oct. 24, 1999).

Work with Authorities

For egregious cases, a victim of webjacking should also contact the authorities; however, as with anything related to the Internet, webjacking is a new and unfamiliar territory for many attorneys, police officers, and federal agents from the Secret Service, FBI, or other federal agencies. As one business consultant noted, "This is like the Wild West days." n63 Thus, although there are now federal statutes criminalizing certain Internet activity, n64 authorities may be slow or reluctant to get involved.

n63 K. K. Campbell, "Internet Domain Names Stolen: Businesses Are Crippled after Pirates Take over Their Web Site Address," The Gazette (Montreal), June 2, 2000.

n64 Statutes, such as the Computer Fraud and Abuse Act, are discussed infra.

Seek Expedited Relief in Court

When subjected to a webjacking, in addition to trying to rectify the situation with the registrar and the authorities, the registrant may immediately seek expedited injunctive relief or damages from a court. The disadvantages of suing a webjacker include: (1) it can be expensive; (2) it can take a long time; (3) the webjacker may have no assets; and (4) it may not be possible to identify the webjacker or obtain jurisdiction over him or her.

There are a number of federal statutes and common law causes of action that may provide relief, including the following:

* The Computer Fraud and Abuse Act; n65

* The Electronic Communication Privacy Act; n66

* The Anti-Cybersquatting Consumer Protection Act; n67

* The Federal Lanham/Trademark Act; n68

* Unfair competition;

* The Copyright Act; n69

* Fraud, theft, or conversion;

* Tortious interference with contract and prospective business advantage;

* Misappropriation of trade secrets; and

* The Racketeer Influenced and Corrupt Organizations (RICO) Act. n70

n65 18 U.S.C. § 1030 (2000).

n66 18 U.S.C. §§ 2511, 2520, 2701 & 2707 (2000).

n67 15 U.S.C. § 1125(d) (2000).

n68 15 U.S.C. §§ 1051-72, 1091-96, & 1111-29 (2000).

n69 17 U.S.C. §§ 101-1332 (2000).

n70 18 U.S.C. §§ 1961-68 (2000).

Thus, depending on the circumstances, a domain name owner may have state or federal protection.

Seek Relief against Registrars?

A damaged webjacking victim may not be able to identify or obtain jurisdiction over a defendant, or the defendant may have no assets. Such a victim might consider an action against a registrar if the registrar was negligent in allowing the webjacking to occur. For example, some webjacked parties allege that the registrars do not always follow their standard operating procedures, therefore the registrar should be liable for damages resulting from its own negligent actions. As one victim said, "The fact is that if you pay [the registrar for your registration], you are presuming that in the morning the last thing you have to worry about is whether you own your domains." n71

n71 "Nike Web Hijacking Sparks Finger-Pointing: Company Trades Blame with NSI and Host," Computerworld, July 10, 2000, at 21(1).

Although the case law is not well developed, initial decisions have been reluctant to find registrars liable for their actions in connection with domain name registrations. In the Lockheed Martin Corp. v. Network Solutions, Inc. case, n72 the Ninth Circuit likened the role of NSI to that of the US Postal Service and found that the registrar could not be held liable for contributory trademark infringement by reason of its registration of a third-party's service mark. If the registrant seeks trademark infringement damages, the Trademark Act explicitly exempts registrars from liability absent a showing of bad faith intent to profit from such registration. n73 Similarly, in the Kremen v. Cohen case, n74 the court granted NSI summary judgment on a claim that it improperly transferred the domain sex.com pursuant to a forged letter. The court found, among other things, that a domain name is not property subject to a conversion claim. Other courts have likewise been hesitant to find registrars liable. n75

n72 194 F.3d 980 (9th Cir. 1999).

n73 15 U.S.C. § 1114(2)(D)(iii).

n74 No. C 98-20718JW, 2000 WL 708754 (N.D. Cal. May 30, 2000).

n75 Beverly v. Network Solutions, Inc., 49 U.S.P.Q.2d 1567, 1574 (N.D. Cal. 1998); Academy of Motion Picture Arts & Sciences v. Network Solutions, Inc., 45 U.S.P.Q.2d 1463, 1467 (C.D. Cal. 1997); Oppedahl & Larson v. Network Solutions, Inc., 3 F. Supp. 2d 1147, 1164 (D. Colo. 1998).

Preventing a Webjacking

It would take a large and influential group of Internet gurus to get a more secure protocol developed and approved to replace SMTP, so that email messages would be more difficult to forge; as deployed, SMTP does not authenticate the sender, and the return address on an emailed change request is simply whatever the sending machine asserts. It would take a call center the size of a small town for a registrar to replace its automated procedures with personnel manually checking and approving each change or transfer request. n76 Fortunately, many webjackings can be prevented without resorting to any of these costly measures, although the onus is on the registrant to follow the procedures. As one Ernst & Young expert said, "The solution is look after yourself, because basically the sheriff can't." n77

n76 The registrar Melbourne IT is marketing itself as a more secure registrar, stating that all domain name registration transfers will be first checked by a human. Jenny Sinclair, "Alarm on Hijackings," The Age, June 13, 2000, available at 2000 WL 21652726. This noble policy may be impractical due to the large number of transfers that occur in the world each day.

n77 Susan Pigg, "More Web Sites Caught in Net Scam," The Toronto Star, June 2, 2000 (quoting Chris Anderson).

To combat webjacking, registrants should execute a four-fold plan: (1) use a good registrar; (2) maintain security; (3) manage registrations and paperwork; and (4) educate their counsel and employees. First, registrants should find a registrar that uses good authentication measures. n78 Unfortunately, many registrars have a wholly inadequate authentication system. n79 Although digital signatures have been the promise of e-commerce for the past several years, digital signature technology has not become user friendly enough to be adopted by the general public. A simple password system, however, although a low-tech alternative to PGP e-signatures, may provide adequate authentication and may counter many webjacking attempts: a password is a secret the forger does not have, whereas an email return address is something the forger simply types.

n78 Interview with Ross Rader, supra n.40.

n79 Id.
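To make the difference between the two authentication levels concrete, the following is an added example, not code from the article or from any registrar: a simplified model of an automated change-request handler that accepts emailed requests either on the strength of the From: header ("MAIL-FROM") or only with a registrant-chosen password ("CRYPT-PW"). The record layout, the KEY: VALUE body format, the scheme names, the domain example.com and the three constructed messages are all assumptions for illustration. The forged message spoofs the administrative contact's address, exactly as a fakemail request would, and passes the header-only check while failing the password check.

```python
import email
import hashlib
import hmac
from email.utils import parseaddr

# Constructed registrar-side record for one domain (not real data).  Under the
# password scheme the registrar stores only a salted hash of the registrant's secret.
DOMAIN_RECORD = {
    "domain": "example.com",
    "admin_contact": "admin@example.com",
    "nameservers": ["ns1.example.com", "ns2.example.com"],
    "pw_salt": bytes.fromhex("5a1c8e0f2b7d4c93"),
}

def password_hash(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash of the registrant's change password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

DOMAIN_RECORD["pw_hash"] = password_hash("s3cret-registrant-pw", DOMAIN_RECORD["pw_salt"])

def parse_request(raw: str):
    """Split an emailed request into its headers and the KEY: VALUE fields of its body."""
    msg = email.message_from_string(raw)
    fields = {"NAMESERVER": []}
    for line in msg.get_payload().splitlines():
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key.upper() == "NAMESERVER":
            fields["NAMESERVER"].append(value.lower())
        else:
            fields[key.upper()] = value
    return msg, fields

def mail_from_ok(msg, record: dict) -> bool:
    """MAIL-FROM: accept if the From: header names the administrative contact.
    The sender writes that header, so a forger satisfies this check at will."""
    _, sender = parseaddr(msg.get("From", ""))
    return sender.lower() == record["admin_contact"].lower()

def crypt_pw_ok(fields: dict, record: dict) -> bool:
    """Password scheme: the body must carry the secret the registrant set up."""
    supplied = fields.get("AUTH-PW")
    if supplied is None:
        return False
    return hmac.compare_digest(password_hash(supplied, record["pw_salt"]), record["pw_hash"])

def process_request(raw: str, scheme: str, record: dict = DOMAIN_RECORD) -> dict:
    """Decide whether an emailed request may change the domain's name servers.
    Returns a decision rather than mutating the record so the caller can log it."""
    if scheme not in ("MAIL-FROM", "CRYPT-PW"):
        raise ValueError(f"unknown scheme {scheme!r}")
    msg, fields = parse_request(raw)
    rejected = {"accepted": False, "new_nameservers": None}
    if fields.get("DOMAIN", "").lower() != record["domain"]:
        return {**rejected, "reason": "request names a different domain"}
    if not mail_from_ok(msg, record):  # both schemes require at least this
        return {**rejected, "reason": "From: address is not the administrative contact"}
    if scheme == "CRYPT-PW" and not crypt_pw_ok(fields, record):
        return {**rejected, "reason": "missing or wrong change password"}
    if not fields["NAMESERVER"]:
        return {**rejected, "reason": "no NAMESERVER lines in request"}
    return {"accepted": True, "reason": f"authenticated by {scheme}",
            "new_nameservers": fields["NAMESERVER"]}

# Constructed messages.  The forged one spoofs the admin contact in From: but was
# handed to the registrar by an unrelated host and carries no password.
LEGIT_REQUEST = """\
From: Registrant Admin <admin@example.com>
Subject: MODIFY example.com

DOMAIN: example.com
NAMESERVER: ns1.newhost.example
NAMESERVER: ns2.newhost.example
AUTH-PW: s3cret-registrant-pw
"""
FORGED_REQUEST = """\
Received: from dialup-17.isp.example by registrar.example with SMTP
From: Registrant Admin <admin@example.com>
Subject: MODIFY example.com

DOMAIN: example.com
NAMESERVER: ns1.hijacker.example
NAMESERVER: ns2.hijacker.example
"""
STRANGER_REQUEST = """\
From: nobody@mail.example.net
Subject: MODIFY example.com

DOMAIN: example.com
NAMESERVER: ns1.hijacker.example
"""

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT_REQUEST), ("forged", FORGED_REQUEST), ("stranger", STRANGER_REQUEST)):
        for scheme in ("MAIL-FROM", "CRYPT-PW"):
            result = process_request(raw, scheme)
            print(f"{name:8} {scheme:9} accepted={str(result['accepted']):5} {result['reason']}")
```

Run as a script, the table shows the point of the passage: the stranger's request is refused under both schemes (the situation in the first HOST.COM attempt), the forged request is accepted under MAIL-FROM and refused under CRYPT-PW, and only the genuine request is accepted under both. The Received: header on the forged message is the kind of evidence a registrar's undisclosed anti-fraud checks might examine, but nothing in the MAIL-FROM rule itself looks at it.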

In addition to its authentication policies, registrants should look for a registrar with good customer service capabilities. If a problem does develop with the registration, registrants should be certain that they would be able to contact the registrar and receive quick assistance.

Second, corporate registrants should draft and follow proper security measures. In addition to keeping passwords confidential and difficult to guess, a policy must be put in place to ensure that contact information is updated when the prior contact person leaves the company. Some webjackers are former employees looking for revenge, and a company's domain name registration is an easy target for a departing employee who is still listed as its contact. To safeguard against an internal attack, registrants should ensure that the registrar is promptly notified to remove the contact person before that person leaves his or her employment.

Another precaution that registrants can take to protect their rights is to manage their registrations and keep associated paperwork. In the 1990s, businesses began creating the role of a CIO (Chief Information Officer). Today, information management has been promoted as a critical task. Securing Web sites from webjacking and other hazards is a full-time job. n80 This is especially true now that many large corporations have dozens, if not hundreds, of domain name registrations. Now that registrars offer multi-lingual registrations, as well as country level registration in nearly 200 countries outside of the United States, corporations will continue to acquire more domain name registrations. Corporations should set up CIO or other formal positions charged with domain name management and security.

n80 "Lock Up Your Data," 5 Material Handling Management (May 2000), at 30.

As part of the security program for a corporation, a new service offered by SnapNames may be useful. SnapNames provides monitoring of domain name registrations "to reduce the impact of domain-related catastrophes." n81 As soon as a registration is altered (e.g., the name servers or the contact information), SnapNames' SnapBack system will send email alerts to three pre-designated people. The alerts show what the domain name registration looked like prior to the change and after the change. Such quick notifications may allow the registrant to recover from a webjacking before the registration changes propagate through the Internet.

n81 Press Release, SnapNames, SnapNames and Major Registrars Partner in New Domain Protection Technology (Nov. 15, 2000) (quoting Len Bayles) at www.snapnames.com/press_partnersPR.html.
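The detection logic behind such a service can be built by a registrant itself. The following is an added example, not SnapNames' code and not from the article: it parses two WHOIS-style snapshots of a registration, reports every monitored field that differs with its before and after values, and produces one alert per pre-designated recipient. The field names, the two snapshots, the three recipient addresses and the "impact" wording are constructed for illustration; actually fetching WHOIS output and sending the mail are left to the caller.

```python
# Monitored fields of a registration record, in the order they are reported.
MONITORED = ("Registrar", "Registrant", "Administrative Contact", "Technical Contact", "Name Server")
MULTI_VALUED = {"Name Server"}
# What each change means for the registrant (assumed wording for the alert).
IMPACT = {
    "Name Server": "web and mail traffic for the domain now resolves through other servers",
    "Administrative Contact": "future change requests will be authorized by someone else",
    "Technical Contact": "technical notices now go to someone else",
    "Registrant": "the record now names a different owner",
    "Registrar": "the registration has been moved to another registrar",
}

def parse_whois(text: str) -> dict:
    """Turn a WHOIS-style 'Key: value' listing into a dict; repeated keys become sorted lists."""
    record = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if not value:
            continue
        if key in MULTI_VALUED:
            record.setdefault(key, []).append(value.lower())
        else:
            record[key] = value
    for key in MULTI_VALUED:
        if key in record:
            record[key].sort()  # order of name servers is not a change worth an alert
    return record

def diff_records(before: dict, after: dict) -> list:
    """Return (field, old, new) for every monitored field that differs."""
    changes = []
    for key in MONITORED:
        old, new = before.get(key), after.get(key)
        if old != new:
            changes.append((key, old, new))
    return changes

def _show(value) -> str:
    if value is None:
        return "(absent)"
    return ", ".join(value) if isinstance(value, list) else value

def format_alert(domain: str, changes: list) -> str:
    lines = [f"ALERT: registration of {domain} has changed ({len(changes)} field(s))"]
    for key, old, new in changes:
        lines += [f"  {key}", f"    before: {_show(old)}", f"    after:  {_show(new)}",
                  f"    impact: {IMPACT.get(key, 'unknown')}"]
    return "\n".join(lines)

def check_domain(domain: str, previous_text: str, current_text: str, recipients: list) -> list:
    """Compare two snapshots; return one (recipient, alert text) pair per recipient,
    or an empty list when nothing monitored changed."""
    changes = diff_records(parse_whois(previous_text), parse_whois(current_text))
    if not changes:
        return []
    alert = format_alert(domain, changes)
    return [(who, alert) for who in recipients]

# Constructed snapshots (not real WHOIS output): the second shows the name servers
# and the administrative contact moved to parties the registrant does not control.
SNAPSHOT_BEFORE = """\
Domain Name: EXAMPLE.COM
Registrar: REGISTRAR-A
Registrant: Example Company
Administrative Contact: admin@example.com
Technical Contact: tech@example.com
Name Server: NS1.EXAMPLE.COM
Name Server: NS2.EXAMPLE.COM
Updated Date: 2000-11-14
"""
SNAPSHOT_AFTER = """\
Domain Name: EXAMPLE.COM
Registrar: REGISTRAR-A
Registrant: Example Company
Administrative Contact: hijacker@mail.example.net
Technical Contact: tech@example.com
Name Server: NS2.HIJACKER.EXAMPLE
Name Server: NS1.HIJACKER.EXAMPLE
Updated Date: 2000-11-15
"""
RECIPIENTS = ["it-manager@example.com", "counsel@example.com", "ceo@example.com"]  # assumed

if __name__ == "__main__":
    for who, alert in check_domain("example.com", SNAPSHOT_BEFORE, SNAPSHOT_AFTER, RECIPIENTS):
        print(f"--> to {who}\n{alert}\n")
```

Two design choices matter in practice. Name servers are compared as a sorted, lower-cased set, so a registrar re-listing the same servers in a different order does not page three people at night; and "Updated Date" is deliberately not monitored, because it moves with every change and carries no information the monitored fields do not. The alert lists the administrative contact change before the name server change because that is the change that decides who the registrar will listen to next.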

Part of the domain name management includes maintaining a paper copy of the registration activities. The email notifications that are received when domain names are set up and copies of the requests for registrant data changes make a paper trail that can be offered as proof of registration ownership. Registrars are surprised when multi-million dollar companies are unable to produce a paper copy of an email that shows their legitimate interests in a domain name registration, especially since domain names are so valuable to many corporations.

Fourth, in-house or law firm counsel, and employees who will be the administrative, billing, or technical contacts for registrants must be fully trained regarding the security issues in domain name registration. The Internet is becoming such a fundamental aspect of so many areas of everyday business that soon all attorneys will need to have more than a cursory understanding of webjacking and other Internet law issues. In addition, because it is easier to prevent a webjacking than to recover from one, employees who are the contacts must be fully aware of the importance of their roles.

Registrars' Actions to Combat Webjacking

Statistically, webjackings do not occur very often. Although NSI processes around 30,000 change requests each day, it contends that there are only one or two webjackings (or similar problems) each month. n82 Similarly, Tucows reports that its OpenSRS system handles over 2,000 change requests a day and has not yet experienced a webjacking. n83 Because webjackings account for such a small portion of their transactions, and because the registrars are hounded with other issues needing resolution, registrars have not issued any strong, new policies to combat webjacking, although some registrars have made improvements to their policies.

n82 Interview with Phil Sbarbaro, supra n.48; see also NSI's webjacking Epidemic, Wired News 3:00 a.m. (June 8, 2000).

n83 Interview with Ross Rader, supra n.40.

Registrars state that they do have certain checks that work to detect fraudulent change requests during message authentication. To maintain effectiveness, details of most of these anti-fraud mechanisms are not disclosed. One method that at least one registrar has set up is the use of a series of queues for handling change requests. The queues are used for different types of domain names. n84 The first queue is for open transfers. The majority of domain name registrations have been assigned to this queue. Transfers from the first queue are processed by the registrar's automated system.

n84 Interview with Ross Rader, supra n.40.

The second queue is for well-known domain names that might be very appealing for webjacking or other hijinks. Some well-known domain names, such as msn.com or att.com, have been placed into this second queue, which is for restricted transfers. Restricted transfers are processed manually to ensure that webjackings do not disturb such busy sites.

Outdated domain name registrations form the third queue. Outdated registrations often are so old that the contact information may not be accurate. Often, the email addresses listed for the contacts are no longer valid addresses. When a change request is made for outdated registrations, the registrar uses extra effort to communicate with the listed contacts, including by phone or by regular mail. If there is no response to these inquiries, the change request is not processed.

Some of the registrars have also discussed how to more easily help a registrant recover from a webjacking. Because a webjacking usually includes the transfer of a domain name registration to a new, unsuspecting registrar, some registrars now cooperate with one another, allowing the webjacked registration to be returned to the original registrar. Although this is a lost customer for the new registrar, it allows the original registrar to return control over the domain name to the rightful owner. n85

n85 Id.

Registrars are also reacting to webjackings by educating the public regarding how to avoid being a webjacking victim. NSI's idNames division now offers a continuing legal education class (CLE) in domain name basics for attorneys. n86 By educating counsel on the importance of security measures for the registrations, NSI hopes to diminish the potential for webjacking problems.

n86 See announcement online at http://www.nsol.com/news/.

Although the registrars have not issued any major changes to prevent webjacking, that is not to say that the registrars view webjacking as unimportant. As previously discussed, at the very least, registrars view webjacking as an important customer service and public relations issue because registrars suffer from bad press for every webjacked domain name registration that gets published in the news.

In the end, registrars maintain that they are not the proper entity to issue major changes to prevent webjacking. Many believe that this authority rests instead with ICANN.

Conclusion

NSI processes over 30,000 registration changes a day. n87 Tucows processes over 2,000 transfers daily. If the remaining registrars process a total of 8,000 changes each day, the current system of registrars must make over 10 million changes a year. Because only a handful of webjackings are reported yearly, registrants toss aside concerns of being webjacked. Many think that they are just as likely to be hit by lightning or to win the lottery as they are to have their domain name webjacked.

n87 "NSI's webjacking Epidemic," Wired News 3:00 a.m. (June 8, 2000).

As with lightning, however, webjacking does not seem to be a big deal -- until it happens to you. Then webjacking becomes very serious and very expensive. The owner of the bali.com domain name registration estimated it lost $ 100,000 a week when its site was webjacked. n88 In addition, registrants are not the only victims who are damaged by webjacking. While webjacking continues, consumers will be hesitant to place their trust in e-commerce. While such concern remains, the growth of the Internet economy cannot be fully realized. Therefore, webjacking and similar Internet fraud problems must be addressed. As former President Bill Clinton stated, "We must give consumers the same protection in our virtual mall they now get at the shopping mall." n89

n88 "Hijacking Going High-Tech," The London Free Press, (June 9, 2000) at D3.

n89 "The Electronic Frontier: The Challenge of Unlawful Conduct Involving The Use of The Internet, A Report of the President's Working Group on Unlawful Conduct on the Internet," Appendix B (Mar. 2000), at http://www.usdoj.gov/criminal/cybercrime/unlawful.htm