Proofpoint Sues Facebook To Get Permission To Use Lookalike Domains For Phishing Tests

Cyber-security powerhouse Proofpoint has filed a lawsuit this week against Facebook in relation to the social network's attempt to confiscate domain names the security firm was using for phishing awareness training. From a report: The case is a countersuit to a Facebook filing from November 30, 2020, when the social network used a UDRP (Uniform Domain-Name Dispute-Resolution) request to force domain name registrar Namecheap to hand over several domain names that were mimicking Facebook and Instagram brands. Among the listed domain names were the likes of facbook-login.com, facbook-login.net, instagrarn.ai, instagrarn.net, and instagrarn.org.

In court documents filed on Tuesday, Proofpoint said the UDRP should not apply to these domains, which it should be allowed to keep and continue using. Proofpoint argues that UDRP requests should only be used for domains registered in bad faith. The security firm instead says its use of the Facebook and Instagram lookalike domains "has been in good faith and for a legitimate purpose." Proofpoint claims its phishing awareness tests are crucial for the security of its customers, but also for the security of Facebook itself, as the phishing awareness tests teach users to recognize Facebook and Instagram lookalike domains and phishing attacks -- something that Facebook also benefits from, although indirectly.

follow the $$$

[nnet]

Did fb contract them to do security work?

Re:

[account_deleted]

Comment removed based on user account deletion

Re: follow the $$$

[yakatz]

They weren't hired by Facebook, they are hired by other companies and they use Facebook lookalike domains in their phishing tests for other companies.

Re:

[EvilSS]

Could be, but most likely this isn't targeted at them, but their trademark and/or security guys doing scans of new domains for trademark infringing domain names. If you own a trademark, there are services out there that will do this for you and send you a report or if you want even go after the names. I once had a domain I registered for a project that I never used (project pivoted, name didn't make sense anymore). About 6 weeks after I registered it, I got a phone call from a lawyer representing a online

Did they ask first?

[jellomizer]

Your Neighbors House was open, but they weren't there. So you went into their home, got their keys and closed and locked their door. And went home with their keys. You went to sleep for the night, and they get back home to find there door is locked, with no way to get in.

So if you see them the next morning (sleeping in their car) and tell them what you did, they will probably be really pissed at you. However if you gave them a call, and asked for permission, they would probably say yes, and grateful to

Re:

[Known Nutter]

Maybe Facebook should have locked the fucking door -- that is, maybe Facebook should have secured the look-alike domains themselves either by registering them first or purchasing them from the registered owner. Money is a powerful persuader.

Fuck Facebook,

Re:Did they ask first?

[omnichad]

The domains didn't belong to Facebook. This is more like if you left your door locked and your neighbor built an identical looking house and left their door unlocked.

Re:

[Anubis IV]

Exactly right. The police might use a bait car that's nearly the same make and model as your car, but that doesn't mean it's your car or that you're entitled to anything regarding it. The fact that it looks like your car doesn't make it your car. When they leave their car unlocked, they are in no way infringing on your rights, even if they happen to leave it unlocked in your neighborhood where you might mistake it for your car at a glance.

It's more like

[bob8766]

It's more like if someone built an identical bank near your bank. Maybe the teller in there is asking for your account information "for research", or maybe they're trying to steal your money. You don't even know what happens to the information that they collected. In any case I think your bank has an interest in shutting it down.

Re:

[omnichad]

I think the private street comparison is more apt. This is not a name being put on a public space and advertising - a building on a public street with a logo is advertising itself to the public at large. It is only being used within a private context. The existence of the domain registration is public record, but you'd have to go looking for it and already know it exists.

Re:

[bws111]

Except it's not like that in the slightest. More like you got an email that says 'you should stop in at the National Bonk at 123 4th St', and when you get there all you find is an empty space with a sign that says 'you failed the phish test, you should read more carefully'. They aren't 'pretending' to be anything. They didn't build an identical anything. They don't have any public presence that would lead you to them. They aren't collecting anything. They aren't stealing anything. There is zero reason

Re:

[Travelsonic]

More like you got an email that says 'you should stop in at the National Bonk

Oh, scout, is that you? Shouldn't you be pestering Spy for tips on attracting ladies? :P

(Sorry, couldn't resist. :D )

Re:

[FaxeTheCat]

Your analogy is false.
Having a Facebook lookalike domain without bad intentions is in no way causing problems for Facebook.
The domains are used for IT security training.
How can that cause problems for Facebook?

Re:Did they ask first?

[bws111]

Did they ask who first? This is a company that other companies hire to do phishing tests of their employees. So they send phony 'phishing' letters to employees with plausible looking links in them (like real phishing), and when the employee clicks on it they get a page that says 'you flunked the phishing test, you must take the following security education'.

They aren't pretending to be Facebook, they are pretending to be a fake Facebook.

Re: Did they ask first?

[ISayWeOnlyToBePolite]

Continuing the analogy: Building a copy of your house at a nearby street that we've named similarly with the expressed intention of causing confusion and ripping people off that enter. But we're good guys and we only do it to people who are in on it and even if might affect your friends and your reputation it's got nothing to do with you because someone finds this interesting and is paying us to do it.

Wouldn't a reasonable way to do these kinds of tests to change the local dns?

Re:

[omnichad]

Wouldn't a reasonable way to do these kinds of tests to change the local dns?

If you're impersonating the actual domain, and you've added the CA that signed the SSL certificate to the computer's trusted root store, is that really a phishing test?

Re:

[ISayWeOnlyToBePolite]

They could add their fake domain, only difference no one else can get to it.

Re:

[YourMissionForToday]

It IS a phishing test, albeit a very sophisticated one. I don't think we'll be able to administer it to Gretchen from HR, but maybe on the self-appointed security "experts." If they pass, good job, you get a wallet full of seaweed!

Re:

[bws111]

No, that would not be a reasonable way to do the test. I (and I'm sure many other people) can read my work email whether I am on the corporate network or not.

The rest of your post makes no sense at all. What 'confusion' are they causing? They are sending out supposed phishing emails. If you know how to spot a phishing attempt (and you should), you recognize it as phishing and ignore it (or report it if that is what you are supposed to do). If you don't recognize it is phishing, that is a problem you ne

Re:

[ISayWeOnlyToBePolite]

I assume most companies interested in security only lets people access their company data on a company provided and configured device. The device could be configured to only use the company dns and I'm sorry if referring to this as "local dns" confused you.

Imagine building a publicly accessible KFC with Colonel "Saunders" that has salmonella laced buckets of chicken, but as you'll give your word that you'll only send out flyers to people who's employers are in on it, and you're not going to let someone actu

Re:

[bws111]

I think your assumption is entirely wrong. My company takes security VERY seriously, but we can certainly access our email outside of the intranet. You never heard of BYOD? Yeah, you are supposed to install some particular software, and there are rules about using the devices, but there is no (good) reason to force people to be connected to your network just so they can see email.

Your KFC example makes no sense at all. Having salmonella laced buckets of chicken is the equivalent of malware. But there i

Re:

[YourMissionForToday]

>> Imagine building a publicly accessible KFC with Colonel "Saunders" that has salmonella laced buckets of chicken,

I imagine it! And Colonel Saunders has wears a leather thong, and has maggots crawling in his goatee....and the biscuits are all moldy and crunchy....I'm sorry, what were we talking about?

Re:

[lactose99]

Not if you're using those domains to send phishing email tests, you'd need real domains, with your own DKIM / SPF / DMARC settings.

Re:

[sjames]

Yes, they did. Implicit to the process of registering a domain name is the question "is this taken yet?" The answer was obviously "No, it's up for grabs" so they grabbed it.

I am allowed to buy the empty lot next to you and build my own house that looks almost exactly like yours.

If your guests get confused and come to my house I am even allowed to play a bit of a joke and pretend I was expecting them as long as I don't try to scam money out of them or somehow damage your reputation.

If you don't want neighbor

Facebook Didn't learn....

[DraKKon]

Facebook forgot about what happened to eToys.com vs etoy.com. https://yro.slashdot.org/story... [slashdot.org]

Enough with the analogies

[dpille]

Let's read the actual UDRP instead:

You are required to submit to a mandatory administrative proceeding in the event that a third party (a "complainant") asserts to the applicable Provider, in compliance with the Rules of Procedure, that
(i) your domain name is identical or confusingly similar to a trademark or service mark in which the complainant has rights; and
(ii) you have no rights or legitimate interests in respect of the domain name; and
(iii) your domain name has been registered and is being used in bad faith.
In the administrative proceeding, the complainant must prove that each of these three elements are present.

We can also read the relevant UDRP decision here [wipo.int]

You'll note that the panelist indeed finds no legitimate interests and bad faith. However, the panelist clearly doesn't understand the actual argument:

Respondent is admittedly using Domain Names that are confusingly similar to Complainant’s famous trademarks, with the aim that an Internet user will arrive at the landing page (described above in the “Factual Background” section) of Respondent’s parent, Proofpoint. Once arrived at the Proofpoint site, the Internet user becomes aware of Proofpoint’s commercial cybersecurity offerings... Respondent is, in essence, riding on the considerable goodwill of Complainant and its famous trademarks to capture the attention of Internet users looking not for cybersecurity goods and services, but for FACEBOOK or INSTAGRAM social media offerings.

The aim is that an internet user will never ever see the page, having recognized the security risk. Proofpoint couldn't give less of a shit if users "become aware" of its cybersecurity offerings- they're not the customer. I think it's 100% appropriate to go to district court to get the erroneous UDRP result overturned.

Re:

[jythie]

And a rather critical piece the arbiter skipped over is that the 'user' is not a random internet user, but instead an employee of a company who has hired the firm to perform this type of test. The panelest makes it sound like they are trying to solicit the user into purchasing their service.

Though if I recall correctly, and this might be dated, but in the past at least arbiters were paid by the company filing the complaint, so they have an incentive to keep _their_customer happy.

logical

[SuperDre]

As the names are using the trademark names it's more than logical that facebook has a claim on those domainnames.