Last Friday, the Gioconda Law Group, a New York-based brand protection and anti-counterfeiting law firm, filed a suit against Arthur Wesley Kenzie, a self-styled cyber security expert living in Canada.
Kenzie is accused of trademark infringement and cybersquatting – the act of intentionally registering a domain with a deliberate misspelling of a protected name for the purpose of personal gain or misdirection. In addition, he used the misspelled domain to acquire emails intended for the law firm.
According to the complaint, Gioconda Law recently discovered that Kenzie registered the domain GiocondoLaw.com (notice the O) as a confusing misspelling of GiocondaLaw.com (with an A), the firm's domain name and e-mail address. Moreover, the complaint adds, Kenzie went on to create fake e-mail accounts in order to intercept private communications addressed to the firm's lawyers and staff.
According to the suit, Kenzie is running similar Cybersquatting operations targeting many major corporations without their knowledge or permission, including MasterCard, McDonald's, News Corp. and McAfee.
In July 2011, Kenzie got into hot water when he purchased the confusingly similar domain names LockheedMarton.com and LockheedMartun.com. Again, he leveraged the misspelled domains to capture communications that were intended for the legitimate company but were incorrectly addressed. When confronted, Kenzie claimed that he was performing research about Lockheed's email vulnerabilities.
In a letter to the firm addressing the lawsuit, Kenzie said that he had no problems transferring the domain out of his control and that his “intentions with the domain name you are concerned about are transparent and above board.”
He goes on to add that his intentions and usage of GiocondoLaw.com “are part of my research into an email vulnerability that I have been studying since September 2011...”
"We weren't certain if Mr. Kenzie was, in fact, actually collecting emails until he offered to 'share his findings' with us confidentially," Joseph Gioconda, Founder of Gioconda Law Group, told SecurityWeek. "That's when we filed suit."
Oddly, Kenzie used a similar claim when he approached HD Moore about email vulnerabilities. As it turns out, the vulnerabilities are nothing but collecting email on a typo domain. His research, and his subsequent reaction to HD Moore when politely dismissed, earned him a spot on Attrition.org’s charlatan watch list.
Attrition’s report on Kenzie is worth reading for those following the case; the watch list report itself has been entered into evidence in the case. You can see the original here.
An interesting side note: in the complaint itself, Kenzie is noted to have registered rnastercard.com (RNASTERCARD.com). Domain registrations such as this are commonly linked to phishing attacks, because at a passing glance a lowercase R and N together look like a lowercase M. There are eight domains listed in the complaint against Kenzie that leverage such tactics.
Aside from the stated claim of security research, it remains unknown why he would have registered those domains in the first place or how he used them.
“Domain name typosquatting is a decade-old headache for marketing and legal departments, but evidence suggests that it is becoming a risk that also needs to be on the CSO's radar,” noted SecurityWeek columnist Ram Mohan in a 2011 column. “Recent research shows that the exploitation of confusingly similar Internet domain names is not just a threat to brand equity and consumer trust; it’s now in use by those seeking to steal confidential corporate data.”
Last August, researchers Peter Kim and Garrett Gee of Godai Group – a security consultancy – highlighted an example of typosquatting that relies on mistakes of omission rather than misspelling. The two set up “doppelganger domains” that are identical to legitimate fully-qualified domain names for Fortune 500 companies but that were missing the dot between the host/subdomain and domain. Over the course of six months, they claimed in a paper to have collected more than 120,000 individual emails (20 GB of data) that included trade secrets, business invoices and other information.
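The three lookalike patterns described in this article (a one-character misspelling, the "rn" for "m" swap, and a doppelganger domain with the dot missing) can be checked for in outbound mail logs. The Python below is an added example, not code from the article or the researchers it cites; the function names and sample addresses are constructed, and mail.example.com is a placeholder host.

```python
# Added example: flag outbound recipients whose domain imitates a protected one.
CONFUSABLE_PAIRS = [("rn", "m")]  # the pair the article names; extend as needed

def fold_confusables(name):
    for lookalike, real in CONFUSABLE_PAIRS:
        name = name.replace(lookalike, real)
    return name

def one_edit_apart(a, b):
    """True if a and b differ by one substituted, inserted or deleted character."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    return a[i + 1:] == b[i + 1:] if len(a) == len(b) else a[i:] == b[i + 1:]

def doppelgangers(fqdn):
    """Names made by dropping one dot left of the TLD dot (assumes a single-label TLD)."""
    labels = fqdn.split(".")
    return {".".join(labels[:i] + [labels[i] + labels[i + 1]] + labels[i + 2:])
            for i in range(len(labels) - 2)}

def classify(candidate, protected):
    cand, prot = (d.strip().rstrip(".").lower() for d in (candidate, protected))
    if cand == prot:
        return None                      # the real domain, nothing to flag
    if fold_confusables(cand) == fold_confusables(prot):
        return "homoglyph"
    if cand in doppelgangers(prot):      # tested before one-edit, which it also satisfies
        return "doppelganger"
    if one_edit_apart(cand, prot):
        return "misspelling"
    return None

def flag_recipients(addresses, protected_domains):
    """Return (address, imitated domain, kind) for recipients on a lookalike domain."""
    return [(addr, prot, kind) for addr in addresses for prot in protected_domains
            if (kind := classify(addr.rsplit("@", 1)[-1], prot))]

# Constructed sample data; the lookalike domains follow the patterns in the article.
PROTECTED = ["giocondalaw.com", "mastercard.com", "mail.example.com"]
SAMPLE = ["partner@giocondolaw.com", "billing@rnastercard.com",
          "ops@mailexample.com", "info@giocondalaw.com", "bob@unrelated.org"]

if __name__ == "__main__":
    print(flag_recipients(SAMPLE, PROTECTED))
```

Run against a mail gateway's recipient log, a hit means a message left the organization for a domain the intended recipient does not control.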