The sheer AUDAcity of scammers

Two weeks ago auDA, the organisation responsible for the Australian ccTLD, .au, implemented a new set of rules on ownership of its domain names. Whilst the changes have been controversial within Australia, they have also led to an increased threat from scammers, who have been exploiting the implementation of the new rules by demanding that registrants share personal information.

From the 12th April, all new registrants of .au domain names, and those renewing existing registrations, need to comply with a number of registration criteria designed to protect Intellectual Property holders. Whilst the sentiments behind this are good, those hell-bent on causing issues are utilising the new rules to try to hoodwink unsuspecting domain name owners.

The new rules state that to be eligible to hold any name in the .au ccTLD you must first meet the Australian Presence requirement. For organisations, this means meeting the requirement by holding an Australian trademark (including a pending application) that appears on the Australian IP database.

Prior to the 12th April, the domain name could be “closely and substantially connected” to the registered trademark, which gave organisations the opportunity to register misspellings and domains with subtle differences, providing additional protection against typosquatting. The new rules state that domain names now need to be an exact match of the registered trademark (there is some leeway in the use of punctuation and common adjuncts). If an organisation isn’t able to provide the necessary trademark registration then it will lose its domain name.

For some registrations, proof of Australian presence or citizenship is necessary, which has led to auDA issuing another warning about the rise in malicious activity from scammers who have been contacting existing registrants and asking for copies of identification such as passports and driver’s licences. The nefarious actions were first seen back in January, with very authentic and official-looking emails asking registrants for this information.

Whilst the domain names themselves didn’t appear to be under threat, the fraudsters would use the personal and, in many cases, confidential information from the IDs either to resell or to assist in fraudulent activity themselves, such as applying for loans, bank accounts and other financial instruments.

The changes will impact brand holders in a number of ways. If they are based outside of Australia, they may now need to look at alternative ways of holding and registering their .au domain names, as well as potential additional brand protection measures to cover typographic registrations. On the flip side, restricting registrations to exact trademark records means additional costs for any cyber criminals looking to exploit the IP of a brand, as they would need to consider a trademark registration as well as the domain name.

For more details of the change, please see auDA’s information page.