Not necessarily illegal under current laws, but highly annoying and potentially dangerous practice by online scammers is gaining speed and attention. Typosquatters are people who register a domain name which is just a slight variation (usually misspelling) of a famous domain name hoping to attract users inadvertently misspell the name of a large or popular domain name. After being shown a page full of sponsored links, often provided by Google AdSense, the user often clicks on one of the paid links and generates a profit for the typosquatter.

Typosquatters register hundreds or thousands of domain names with variations of popular domains hoping to attract a larger number of users and obtain a larger profit of misspelled domain names. While in most cases there is no damage to the user (who only has to make an extra click to go to the desired site,) a typosquatter can easily deliver a page that looks like the intended domain and then possibly phish the users to submit personal or financial information.

The individual companies and domain name owners have little recourse other than buy the domain names themselves (if they thought about this early enough) or fight the typosquatter under the domain registrar agreements (usually arbitration) for each domain name - a costly and time-consuming endeavor, considering the amount of typosquatted domain names that an organization might have.

Many of you would remember that as of November 12th, ICANN made a change on its domain ownership rules. Under the new policy, if a the registrar of record fails to respond within five calendar days to a notification by the Registry regarding a transfer, this will result in a default approval [emphasis added].

It appears that the recent case of Panix.com, an ISP whose domain name was hijacked was caused exactly by this change of ICANN policies. The domain name panix.com thus was reassigned to somebody else who, in turn, repointed the domain to a Canadian server. As a result, all incoming mail for Panix’s customers, including sensitive emails, passwords, etc, went into the Canadian unauthorized server. Imagine what they can do with this.

This incident comes at a time of increased criticism of ICANN’s change of policies. The policy change was intended to allow companies looking to move their domains from one registrar to another. Ease of transfer, appears to be balanced by ease of hijacking. Domain name owners can and should "lock" their domains. Locking  a domain against transfer requires a formal authorization before a transfer takes place, but not all registrars lock the domains automatically after the new policy went into effect.  [Thanks IPTAblog and InternetNews]

"Anyone that doesn’t have their domain locked down at the registrar is at risk to a registrar that has a loophole in their system or doesn’t follow the appropriate guidelines," he said. "They’re basically at risk to more than 200 accredited ICANN registrars that have the ability to submit a command to request transfer of the domain and we have no way to know whether that command was authorized or wasn’t authorized."

As a reslt of the Panix.com incident many registrars are locking their domains by default, but there are and will be more who do not do so. Moral of the story - if you are a domain name owner - make sure it is locked at the registrar level, or risk public embarassment, information leak, or lawsuits by angry customers.

A recent change by ICANN on the domain transfer rules is to take effect on Friday, November 12th. The new rules provide that domain name transfers would be automatically approved in five days unless they are explicitly denied by the account holder, as opposed as current procedures where no response meant denial of transfer.

“Failure by the Registrar of Record to respond within five (5) calendar days to a notification from the Registry regarding a transfer request will result in a default ‘approval’ of the transfer,” the new rules state. “In the event that a Transfer Contact listed in the Whois has not confirmed their request to transfer with the Registrar of Record and the Registrar of Record has not explicitly denied the transfer request, the default action will be that the Registrar of Record must allow the transfer to proceed.”

Because many domain owners do not keep accurate or outdated information in their WHOIS records, it is possible that a change of transfer request would come in, be sent to a non-existing or non-checked address, and after 5 days of inactivity be approved. I personally received a message from my registrar warning me that they would automatically approve the domain transfer request within 5 days if I don’t respond or if I don’t lock my domains against transfer.

Many other domain name registrars are scrambling to notify their users or put in place policies that would limit the possibility of a domain hijack. Some registrars, such as Network Solutions are automatically locking the domains on behalf of its users. In the meantime, ICANN, in anticipation of increased number of domain name disputes has announced appointments to manage its domain name dispute policy.

Practical note: if you want to check whether your domain is locked - do the following. Use a WHOIS lookup tool (WHOIS.sc, ZoneEdit) and do a check on your domain name.