Track Down a Serial Counterfeiter—DIY Domain Research Suite (DRS) Guide
We investigated 360+ cybersquatting domains targeting Gucci added in the second half of the year (1 July–10 October 2022), leading us to an active counterfeiter targeting multiple fashion brands.
We’ll take you through the process using a variety of domain search and monitoring tools within the Domain Research Suite (DRS), so you can also do it for your brand.
Step #1: Determining the Typosquatting Landscape
Obtain a list of web properties containing the brand name under investigation by following these steps.
1. Go to Domains & Subdomains Discovery.
2. Type the brand name into the search field and select the string parameter of your choice. For Gucci, we set this to Contains, so all domains containing the brand name will be returned. For brands that begin with vowels, choosing Starts with may help lessen the number of false positives. Adding exclusions can also make the results more restrictive.
3. Set the Added since date parameter. Leaving this blank will return all domains added throughout time.
4. Click Search. For this investigation, the tool returned 367 domains containing “gucci” added since 1 July 2022.
Step #2: Spotting Live Infringing Properties
At this point, you can start looking for cybersquatting resources currently hosting or redirecting to active web pages.
1. Click the arrow (>) on the right of the potential cybersquatting domain.
2. Select Build WHOIS report.
3. You can do several checks from here.
- Check the website screenshot. For gucci-outletonlines[.]us, we can see that it hosts or redirects to a live web page featuring Gucci bags.
- Check the domain’s website category and contact details. The domain we’re investigating has a meta title, meta description, and other content that contributed to its correct classification as a Style & Fashion website.
- Check the potential typosquatting domain’s WHOIS ownership details. Interestingly, this domain was very recently created as of this writing and its public WHOIS records do not mention Gucci as its registrant organization.
4. To check Gucci’s WHOIS records and related information, go to WHOIS Search, enter gucci[.]com, and click Search.
When comparing this domain with gucci-outletonlines[.]us, note that:
- The websites’ categories match, but the messaging used in the typosquatting domain’s website contacts leans toward giving big discounts.
- The domains’ ages widely differed, as gucci[.]com is 25+ years old.
![The domains’ ages widely differed, as gucci[.]com is 25+ years old.](https://lh5.googleusercontent.com/qI5KgJVfEiE1cfpNG3kpjoZieOvZFQskDx9WjomjXLVGaFjDrFvJcj6FBkgu8MWnPhb96bE_yshn3BNh3HKJCJoMv9c-cMY6GMfckzdjOGHxibXZlTC18j63XDbridI3SOjiw0g1IKoXbPfm12Pq3odscXQJi2rhql6RAsfi7fUfP6Q4-J8XhNuOwQ)
- Though redacted, the registrant contact for gucci[.]com specifies “Guccio Gucci S.P.A.” as its registrant organization.
![Though redacted, the registrant contact for gucci[.]com specifies “Guccio Gucci S.P.A.” as its registrant organization](https://lh4.googleusercontent.com/1_SogoH3ouIT8-MQHB77mZl7S4MVdIt7d6nLa19ILL8NrvDz3DHT42mPAc9WrnaX1fkbdh-gFesJ8jDVtVSPHnV5Kq05IFz5TnpVLiQ0uWc7nzXCeV1Riln9u04kjDA5eoXmuJskoQF4pF8Bffra_L_dZYUzxH4CIixJugHQ-B7RNjw9acJPCvuCWg)
Step #3: Setting Up Surveillance: Registrant-Targeted
Monitor registrants involved in cybersquatting properties and get alerted when they add to, drop domains from, or update their portfolios. Here’s how to use Registrant Monitor.
1. Select an unredacted WHOIS record belonging to the identified live infringing domain.
2. Click the arrow (>) beside it.
3. Click Add to Registrant Monitor to track the domain activities of the registrant.
4. Go to Registrant Monitor. Note that it takes 24 hours for new activities to be reflected. For the registrant email address associated with gucci-outletonlines[.]us, we detected that aside from updating the Gucci domain, they also dropped several cybersquatting domains targeting other fashion brands.
Diving Deeper with Reverse WHOIS Search
These activities led us to investigate what other cybersquatting domains the registrant currently has in their portfolio. The following steps show how we did this.
1. Open Reverse WHOIS Search and go to Advanced search.
2. Select In specific WHOIS fields and set the search term to Exact match for Registrant Contact: Email. You can configure this depending on the type of record you are investigating.
3. Search through Current WHOIS records to obtain a list of domains currently under the registrant’s control.
4. For our demonstration, we uncovered more than two dozen cybersquatting domains targeting different fashion brands, such as Nike, Rayban, Birkin, and Burberry.
Step #4: Setting Up Surveillance: Brand-Targeted
Lastly, obtain a list of newly added cybersquatting domains every day using Brand Monitor.
1. Open Brand Monitor and type the brand name into the search field.
For Gucci, we didn’t include typo variants to avoid as many false positives as possible since the brand name is only five characters long. For longer names, it might be better to include typo variants in the monitoring.
2. Click View changes to see the DNS activities related to domains containing the brand name.
3. Every day since we set up the monitor on 5 October 2022, several domains containing “gucci” have been added, dropped, and updated.
4. Click the arrow (>) beside each domain to generate WHOIS reports and learn more about them.
There you have it—a four-step process to investigate counterfeiting web properties using search and monitoring tools within the Domain Research Suite (DRS).
What began as an investigation focusing on Gucci typosquatting domains led us to an email address associated with dozens of other infringing domains targeting other fashion brands.
Are you interested in doing a similar investigation for your brand? Access DRS if you are an existing user or sign up if you are a first-timer.