Proofpoint Sues Facebook Over Use Of Lookalike Domains

‘By using domain names similar to those of well-known companies, Proofpoint is able to execute a more effective [security awareness] training program,’ Proofpoint writes in a complaint filed against Facebook.

Proofpoint has sued Facebook seeking permission to keep using domain names that look like Facebook and Instagram as part of its security awareness training exercises.

The Sunnyvale, Calif.-based email security vendor was hit Jan. 25 with a decision from an arbitrator ordering the transfer of five lookalike domain names from Proofpoint to Facebook within ten business days. The decision came in response to a complaint Facebook filed Nov. 30 with an administrative body, where the social media giant alleged that Proofpoint registered and used the domain names in bad faith.

The <facbook-login-com>, <facbook-login.net>, <instagrarn.ai>, <instagrarn.net> and <instagrarn.org> domains will be shifted from Proofpoint to Facebook unless the World Intellectual Property Organization Arbitration and Meditation Center’s decision is over by the U.S. District Court in response to Proofpoint’s lawsuit. Proofpoint is asking the court to have full ownership and use of those domain names restored.

[Related: Proofpoint To Buy Phishing Simulation And Training Provider Wombat Security Technologies for $225M]

“By using domain names similar to those of well-known companies, Proofpoint is able to execute a more effective training program because the workforce is more likely to learn to learn to distinguish typo-squatted domains, which are commonly abused by bad actors to trick workers, from legitimate domain names,” Proofpoint wrote in an 11-page complaint filed Tuesday in U.S. District Court in Arizona.

Neither Proofpoint nor Facebook responded to requests for comment from CRN.

The disputed domain names are registered with Phoenix, Ariz.-based NameCheap, which is why Proofpoint is arguing that Arizona is the proper jurisdiction for the lawsuit. Proofpoint’s security awareness training capabilities came from $225 million acquisition of Pittsburgh-based phishing simulation and training provider Wombat Security Technologies in February 2018.

To make its training exercises more realistic, Proofpoint said it intentionally uses domain names that look like typo-squatted versions of recognizable domain names. The training offered by Proofpoint protects both the employer that provides this training as well as the owners of legitimate domain names including social media companies like Facebook, according to the company.

As part of its security awareness training, Proofpoint said it sends an imitation phishing email containing the lookalike domain names to people undergoing training. The folks undergoing training end up either: ignoring the fake phishing email; reporting the email as suspicious to their IT department; or clicking on the simulated phishing link, in which case they receive a teachable moment notice from Proofpoint.

“By doing so, Proofpoint is helping those individuals who were baited into clicking on the simulated phishing link to safely learn from their mistakes and further train them to identify similar malware, phishing, and Internet bad actors so that they can avoid actual cybersecurity breaches in the future,” Proofpoint wrote in the lawsuit.

And when consumers type in one of the Proofpoint-owned domain names into an internet address bar, a message appears on the website informing the consumer that the domain belongs to Proofpoint and is being used for training services offered by Proofpoint, according to the company.

“Plaintiffs [Proofpoint] registered and used the Domain Names in good faith as part of their business of providing effective training programs that enable employees to learn to distinguish typo-squatted domains from legitimate domain names,” Proofpoint wrote. “Such use does not suggest an association between Plaintiffs and Defendants or create a reasonable likelihood of consumer confusion.”