Splunk UDRP: Malware spreading from bogus domain

UDRP result: Transfer domain.

The IDN domain spłunk.com has been used to spread malware and perform phishing attacks, riding on the coat-tails of the real Splunk brand.

Splunk Inc. of San Francisco filed a UDRP to take over the domain, which translates as xn--spunk-l7a.com in ASCII.

The decision: Transfer the domain. Details follow:

Splunk Inc. v. Super Privacy Service c/o Dynadot
Case No. D2017-1150

1. The Parties

Complainant is Splunk Inc. of San Francisco, California, United States of America (“United States” or “USA”), represented by Chestek Legal, United States.

Respondent is Super Privacy Service c/o Dynadot of San Mateo, California, United States.

2. The Domain Name and Registrar

The disputed domain name <spłunk.com> [XN--SPUNK-L7A.com] is registered with Dynadot, LLC (the “Registrar”).

3. Procedural History

The Complaint was filed with the WIPO Arbitration and Mediation Center (the “Center”) on June 12, 2017. On June 13, 2017, the Center transmitted by email to the Registrar a request for registrar verification in connection with the disputed domain name. On June 13, 2017, the Registrar transmitted by email to the Center its verification response confirming that Respondent is listed as the registrant and providing the contact details.

The Center verified that the Complaint satisfied the formal requirements of the Uniform Domain Name Dispute Resolution Policy (the “Policy” or “UDRP”), the Rules for Uniform Domain Name Dispute Resolution Policy (the “Rules”), and the WIPO Supplemental Rules for Uniform Domain Name Dispute Resolution Policy (the “Supplemental Rules”).

In accordance with the Rules, paragraphs 2 and 4, the Center formally notified Respondent of the Complaint, and the proceedings commenced on June 22, 2017. In accordance with the Rules, paragraph 5, the due date for Response was July 12, 2017. The Respondent did not submit any response. Accordingly, the Center notified Respondent’s default on July 13, 2017.

The Center appointed R. Eric Gaum as the sole panelist in this matter on July 19, 2017. The Panel finds that it was properly constituted. The Panel has submitted the Statement of Acceptance and Declaration of Impartiality and Independence, as required by the Center to ensure compliance with the Rules, paragraph 7.

4. Factual Background

Complainant owns numerous registered trademarks and service marks that wholly incorporate the mark SPLUNK, including, without limitation, the following:

Trademark | Jurisdiction | Application No. | Registration No. | Date of Registration
SPLUNK | European Union | 009888934 | 009888934 | March 30, 2012
SPLUNK | European Union | 009976481 | 009976481 | March 31, 2012
SPLUNK | European Union | 010223576 | 010223576 | April 4, 2012
SPLUNK | USA | 78526393 | 3269249 | July 24, 2007
SPLUNK | USA | 85336540 | 4199665 | August 28, 2012
SPLUNK | WIPO | 1085353 | 1085353 | June 2, 2011

The trademark is registered for, succinctly, computer software and related services.

This dispute concerns the domain name <spłunk.com> [XN--SPUNK-L7A.com] registered on May 17, 2017. The registrar with which the disputed domain name is registered is Dynadot LLC, located in San Mateo, California.

5. Parties’ Contentions

A. Complainant

Complainant contends that its trademark, SPLUNK, is an invented, fanciful trademark with no meaning in any language. The trademark is registered for computer software and related services.

Complainant contends that Respondent’s domain name, when viewed in html, is identical to Complainant’s domain name except that the letter “l” has a small line across it, imperceptible to an ordinary viewer:

Complainant’s domain name: splunk.com

Respondent’s domain name in html: spłunk.com

Complainant therefore concludes that Respondent’s domain name is confusingly similar to Complainant’s trademark and bases this conclusion on the Declaration of Joel Fulton, the Chief Information Security Officer for Complainant.

More specifically, the Declaration of Mr. Fulton states the following:

On or about May 17, 2017, Splunk’s security team learned of a domain name “spłunk.com” that is linked to a common IP address 52.0.7.30 associated with the dissemination of malware.

The domain name is designed to deceive visitors about the owner of the domain, as it looks like “splunk.com,” but the “L” has been replaced with another character that is an “L” but with a small bar diagonally across it.

This is likely to lead to confusion as the crossed “L” is not noticeable when hovering over a hyperlink in an email to ascertain the linked domain name.

Further the following redirection is suspicious—the url “www.xn--spunk-l7a.com” decodes to ASCII as <http://www[.]spłunk[.]com> (note the strikethrough l), which resolves to the disputed domain name <http://xn--spunk-l7a[.]com/>. Currently the disputed domain name <xn--spunk-l7a[.]com> has a temporary redirect to Complainant’s website at “www.splunk.com”. (Attachment 1 to the Complaint.)

The IP address 52.0.7.30 hosts multiple domains, including <spłunk.com> and <xn--spunk-l7a.com>. According to VirusTotal, this IP address is linked to malware distributed as late as May 31, 2017, malicious URLs as late as May 23, 2017, and malicious command and control (C2) software as late as May 23, 2017.

The malware associated with this IP address encourages visitors to download a Word document that causes the document downloader to become infected with the “Locky” ransomware virus when the downloader enables macros to properly view the text.

The fact that the domain is associated with an IP address that issues malware, coupled with its deceitful name, suggests the intent of the registrant is to use the <spłunk.com> domain name to deceive the public into thinking the domain name belongs to Splunk and in so doing infect them with the Locky ransomware virus.

B. Respondent

Respondent did not reply to Complainant’s contentions.

6. Discussion and Findings

The Policy adopted by the Internet Corporation for Assigned Names and Numbers (“ICANN”) on August 26, 1999, (with implementing documents approved on October 24, 1999), is addressed to resolving disputes concerning allegations of abusive domain name registration. The Panel will confine itself to making determinations necessary to resolve this administrative proceeding.

It is essential to dispute resolution proceedings that fundamental due process requirements be met. Such requirements include that a respondent have notice of proceedings that may substantially affect its rights. The Policy, and the Rules, establish procedures intended to assure that respondents are given adequate notice of proceedings commenced against them, and a reasonable opportunity to respond (see, e.g., paragraph 2(a) of the Rules).

The Center forwarded notification of the Complaint to Respondent via email and the written notice of the proceeding via courier in accordance with the contact details found in the Complaint and in the appropriate WhoIs database confirmed by the Registrar. The Center also forwarded notification of default to Respondent via email.

Based on the methods employed to provide Respondent with notice of the Complaint and default the Panel is satisfied that the Center took all steps reasonably necessary to notify Respondent of the filing of the Complaint and initiation of this proceeding. The Panel also finds that the failure of Respondent to furnish a reply is not due to any omission by the Center.

Paragraph 4(a) of the Policy sets forth three elements that must be established by a complainant to merit a finding that a respondent has engaged in abusive domain name registration, and to obtain relief. These elements are that:

(i) the respondent’s domain name is identical or confusingly similar to a trademark or service mark in which the complainant has rights;

(ii) the respondent has no rights or legitimate interests in respect of the domain name; and

(iii) the respondent’s domain name has been registered and is being used in bad faith.

In the administrative proceeding, the complainant must prove that each of these three elements is present. As Respondent has failed to submit a response to the Complaint, the Panel may accept as true all of the allegations of the Complaint (see Talk City, Inc. v. Michael Robertson, WIPO Case No. D2000-0009).

A. Identical or Confusingly Similar

Based upon the registered trademarks and service marks for SPLUNK and the continuous use of the mark, Complainant clearly has rights in the mark. The Panel agrees with Complainant that <spłunk.com> is comprised entirely of Complainant’s registered SPLUNK mark with the only difference being an “ł” (“L” with a diagonal line through it) as opposed to an “L”. The ACE encoded version of the <spłunk.com> international domain name is [XN--SPUNK-L7A.com]. The ACE form of a domain name allows users to include non-ASCII characters in domain names, e.g., in this case the “ł” (“L” with a diagonal line through it).

The threshold test for confusing similarity under the UDRP involves a comparison between the trademark and the domain name. In order to satisfy this test, the relevant trademark would generally need to be recognizable as such within the domain name, with the addition of other terms (whether dictionary, descriptive, or negative terms) typically being regarded as insufficient to prevent a finding of confusing similarity. Application of the confusing similarity test under the UDRP involves a straightforward visual or aural comparison of the trademark with the alphanumeric string in the domain name. (WIPO Overview of WIPO Panel Views on Selected UDRP Questions, Third Edition (“WIPO Overview 3.0”), Sections 1.7 and 1.8).

In this case, a straightforward visual or aural comparison of SPLUNK with <spłunk.com> [XN--SPUNK-L7A.com] illustrates that the two are almost identical and certainly confusingly similar. The Panel finds that the disputed domain name <spłunk.com> [XN--SPUNK-L7A.com] is confusingly similar to the trademark SPLUNK owned by Complainant pursuant to paragraph 4(a)(i) of the Policy.

B. Rights or Legitimate Interests

Paragraph 4(c) of the Policy lists several circumstances, without limitation, that if found by the Panel shall demonstrate the respondent’s rights or legitimate interests to a domain name for purposes of paragraph 4(a)(ii). In particular, paragraph 4(c) states:

(i) before any notice to you [respondent] of the dispute, your use of, or demonstrable preparations to use, the domain name or a name corresponding to the domain name in connection with a bona fide offering of goods or services; or

(ii) you (as an individual, business, or other organization) have been commonly known by the domain name, even if you have acquired no trademark or service mark rights; or

(iii) you are making a legitimate noncommercial or fair use of the domain name, without intent for commercial gain to misleadingly divert consumers or to tarnish the trademark or service mark at issue.

There is no evidence in the record that would indicate that Respondent has any rights or legitimate interests in respect of the disputed domain name <spłunk.com> [XN--SPUNK-L7A.com].

The Panel finds that Respondent has no rights or legitimate interests in respect of the disputed domain name <spłunk.com> [XN--SPUNK-L7A.com] pursuant to paragraph 4(a)(ii) of the Policy.

C. Registered and Used in Bad Faith

Paragraph 4(b) of the Policy lists several circumstances, without limitation, that if found by the Panel to be present, shall be evidence of the registration and use of a domain name in bad faith.

(i) circumstances indicating that you [respondent] have registered or you have acquired the domain name primarily for the purpose of selling, renting, or otherwise transferring the domain name registration to the complainant who is the owner of the trademark or service mark or to a competitor of that complainant, for valuable consideration in excess of your documented out-of-pocket costs directly related to the domain name; or

(ii) you have registered the domain name in order to prevent the owner of the trademark or service mark from reflecting the mark in a corresponding domain name, provided that you have engaged in a pattern of such conduct; or

(iii) you have registered the domain name primarily for the purpose of disrupting the business of a competitor; or

(iv) by using the domain name, you have intentionally attempted to attract, for commercial gain, Internet users to your web site or other online location, by creating a likelihood of confusion with the complainant’s mark as to the source, sponsorship, affiliation, or endorsement of your web site or location or of a product or service on your website or location.

Complainant alleges that the domain name <spłunk.com> is linked to a common IP address 52.0.7.30 associated with the dissemination of malware. It further argues that “[c]urrently the disputed domain name http://XN--SPUNK-L7A[.]com/ has a temporary redirect to the Complainant’s website at https://www.splunk.com, and that the IP address 52.0.7.30 hosts multiple domains including” <spłunk.com> and <XN--SPUNK-L7A.com>. Complainant then concludes that “[t]he only reasonable inference from the associated IP address is that the Respondent has a malicious intent and the domain name was therefore registered and is being used in bad faith.”

The Panel finds that Respondent likely chose the disputed domain name with full knowledge of Complainant’s rights in the SPLUNK trademark. Registration of a domain name that is a confusingly similar variant of the Complainant’s trademark suggests opportunistic bad faith.

Furthermore, the dissemination of malware through a predictable typo-variant is often used to steal consumer information for commercial gain and this is evidence of bad faith. (See Wikimedia Foundation, Inc. v. Yangmin Fang, Huli Jing Internet Holdings Ltd., WIPO Case No. D2015-2140).

The Panel therefore concludes that Respondent has intentionally attempted to attract Internet users to its websites for commercial gain by creating a likelihood of confusion with Complainant’s mark as to source, sponsorship, affiliation, or endorsement of Respondent’s websites. The Panel finds that the foregoing establishes Respondent’s registration and use of the disputed domain name in bad faith pursuant to paragraph 4(b)(iv) of the Policy.

7. Decision

For the foregoing reasons, in accordance with paragraphs 4(i) of the Policy and 15 of the Rules, the Panel orders that the disputed domain name <spłunk.com> [XN--SPUNK-L7A.com] be transferred to Complainant.

R. Eric Gaum
Sole Panelist
Date: August 13, 2017
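
The ACE form and the crossed “ł” discussed in the decision can be checked mechanically. The following is an added example, not part of the WIPO decision or the original post: it decodes `xn--` labels and flags domains whose visually folded form matches a protected brand. The function names and the small confusables map are constructed for illustration, and it assumes the registrable label sits directly left of the TLD.

```python
import unicodedata
from typing import Optional, Set

# Constructed, deliberately small confusables map (assumption): production
# code should load the full Unicode confusables data (UTS #39).
CONFUSABLES = {
    "\u0142": "l", "\u0131": "i", "\u00f8": "o", "\u0111": "d",  # Latin: ł ı ø đ
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic: а е о р
}


def to_unicode(domain: str) -> str:
    """Decode every ACE ("xn--") label of a domain to its Unicode form."""
    labels = []
    for label in domain.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # malformed ACE label: keep the raw text
        labels.append(label)
    return ".".join(labels)


def skeleton(label: str) -> str:
    """Fold a label to the plain letters a reader is likely to perceive."""
    folded = "".join(CONFUSABLES.get(ch, ch) for ch in label)
    # NFKD splits accented letters so the combining marks can be dropped.
    decomposed = unicodedata.normalize("NFKD", folded)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def lookalike_of(domain: str, brands: Set[str]) -> Optional[str]:
    """Return the brand a domain visually imitates, or None if it does not."""
    labels = to_unicode(domain).split(".")
    if len(labels) < 2:
        return None
    name = labels[-2]  # assumption: label directly left of the TLD
    folded = skeleton(name)
    # A match only counts when the real label differs from the brand itself.
    if folded in brands and name != folded:
        return folded
    return None


if __name__ == "__main__":
    for d in ("www.xn--spunk-l7a.com", "www.splunk.com"):
        print(d, "->", to_unicode(d), "| imitates:", lookalike_of(d, {"splunk"}))
```

The same check can be run over mail-gateway or proxy logs to surface links whose ACE form hides a brand lookalike.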
