Minimize the Risk of Cybersquatting When Cancelling a Domain

Often, domain cancellation is related to resource optimization, but in very few cases is this cancellation carried out following good practices that prevent efficiency from becoming a vulnerability.

Behind a domain released by a brand lies an opportunity for cybercriminals. As one of our mantras says, domains are the first line of defense against online fraud.

What are the risks after cancelling a domain?

When we cancel a domain and the Registry’s grace or redemption period ends (the period during which we can reactivate a canceled domain), the domain becomes released. This term is telling: anyone is free to register that domain.

Although domain registration policies from Registries usually set some requirements, generic top-level domains (those not associated with specific themes like .edu or .music) generally do not restrict the registration rights over a domain.

In fact, as we explain in our article dedicated to risky domains, the lack of requirements and verification, together with the cost, are the main factors that turn a domain extension into a threat.

In short, a released brand domain can be registered by anyone, with good or bad intentions.

What makes a released brand domain interesting?

In terms of cybersquatting, the main interest lies in the legitimacy of that domain. Since it was legitimately used by the brand, using it in spoofing and phishing campaigns inherently grants it greater credibility, which translates into a higher number of victims falling for the scam.

Although a registered trademark has legal protection against fraudulent or illicit uses—both in the domain name and the website content—claiming its deactivation requires proving bad faith or misuse. This means that to prevent fraudulent campaigns with a domain we have canceled, we must detect them before they happen. Otherwise, it will be too late, and the brand’s reputation will suffer the consequences.

With the enforcement of PSD3, we are seeing a shift in liability for economic losses by individuals due to impersonation. While banks seem to be the first affected entities, it is quite likely this will become widespread.

The prior authority of the domain is another reason why a released brand domain can be attractive. Although in this case the interest is mainly in terms of search engine positioning (SEO), the subsequent use of that domain can impact the brand’s reputation, especially if the domain gained popularity—for example, through a marketing campaign—and still resonates with users.

Currently, there are tools for tracking released domains that provide relevant information about their previous use, popularity, and authority. Therefore, we must consider how easy it is today to detect released brand domains that may be useful to cybercriminals.

How to Detect Attacks Using Released Domains

To prevent spoofing and phishing attacks using a domain we have canceled, we must implement a Domain Monitoring service. This is a preventive service, so it allows us to anticipate attacks and take timely action.

What is Domain Monitoring and How Does It Work?

Domain Monitoring is a service that tracks a domain—whether registered or not—and detects signals indicating it might be being prepared for a cyberattack. The signals it identifies to help anticipate attacks are:

Changes in Whois information, which let us know when the domain has been registered or DNS changes have occurred.
Changes in web content, which indicate when potentially fraudulent content is being created.
Changes in DNS zones, allowing detection of MX record configuration or hosting changes.

All these signals potentially indicate that the domain is being set up with web content and mail servers to launch impersonation and phishing campaigns. Once any of these signals appear, they must be analyzed to differentiate real threats from false alarms (for example, legitimate use by a new domain holder). At Ubilibet, we offer a simplified Domain Monitoring service that adds value for the client without additional workload, backed by the expertise of our specialized legal team. It consists of three basic steps:

We set up the canceled domain to be monitored.
Our legal team receives risk alerts and analyzes them.
We send you an email with the required actions when the legal team detects a real risk.

This way, we handle the analysis and you only receive a call to action when necessary, with clear guidelines. You can see a couple of examples here:

Other Uses of the Domain Monitoring Service

The Monitoring service, due to its preventive nature, is widely used as a brand protection tool for assets actively in use—meaning not only for cancelled domains—but also to monitor domains of interest because they are similar to the brand or protected or strategic names, or when suspicious activity has been detected on them.

Here are some examples of how domain monitoring is used:

Example of Using Domain Monitoring

Priority

To ensure that a fraudulent domain that has been deactivated following legal action complies with the requirement.

Essential

Monitor changes or activations of features on domains occupied by third parties that do not display textual or graphical content.

Highly recommended

Monitor changes or activations of features on domains taken over with content that is not serious enough to disable or challenge.

Highly recommended

Detect when a domain of interest to the brand has been released or put up for sale.

Recommended

Do you want to know more or need help fighting online fraud?

Write to us with your inquiry, and we will get in touch with you soon.