Module 8 · Lesson 2

The Challenges of Brand Protection in the New Domain Era


Monitoring 1,200 TLDs, the evolution of typosquatting beyond .com, Punycode homograph attacks, and what happens when competitors use new TLDs to create consumer confusion.

Three things got harder after 2012. Not complicated in a theoretical way; harder in a "this will cost you real money if you ignore it" way.

Challenge 1: Monitoring at Scale

Before the gTLD expansion, a reasonably attentive IP team could do a manual audit of their brand strings across the major TLDs in an afternoon. Query a WHOIS database, check a few zone files, done. You'd miss things, but the miss rate was acceptable.

With 1,200+ TLDs, manual monitoring is not a strategy. It's not even a starting point. The arithmetic is simple: if each TLD check takes three minutes (realistic for a thorough manual check), monitoring 1,200 TLDs takes 60 hours. That's assuming you do it once. New registrations happen every day.

What automated monitoring actually looks like at scale:

New registration alerts pull zone file data from TLD registries and flag new domains containing your brand string. Most gTLD registries provide zone file access under ICANN's Centralized Zone Data Service (CZDS). The data updates daily. A monitoring service watches that feed and surfaces matches.

Passive DNS goes further: it tells you not just that a domain was registered, but what it resolved to, when, and whether it ever served web content. Tools like DNSDB (Farsight Security) and DomainTools maintain historical passive DNS data that lets you investigate a suspicious domain's full resolution history.

Content analysis looks at what's actually on sites behind brand-matching domains. This matters because not all squatted domains are immediately weaponized. A registrant might park a domain for six months, then activate a phishing page. Monitoring new registrations tells you about the first event. Content analysis tells you about the second.

The problem with automated monitoring is cost. Serious monitoring tools (MarkMonitor, CSC's Digital Brand Services, BrandShield, or the platform I work on, X-RAY at EBRAND) run from a few hundred dollars a month to tens of thousands per year depending on portfolio size and feature depth. For a mid-sized company with a modest brand portfolio, that's a real budget line.

The alternative is discovering abuse from downstream signals: a customer emails your support team asking why your website is asking for their credit card number again, or a partner flags that they've been receiving phishing emails from your domain. By that point, the phishing campaign may have been running for weeks.

Challenge 2: Typosquatting and Homograph Attacks

Typosquatting in .com is old news. Registrations like googel.com, facebok.com, and amazom.com have existed for decades, and the major brands deal with them through a combination of UDRP filings and automated takedown programs.

The new TLDs expanded this surface in two ways.

First, the obvious: every new TLD creates new opportunities for the same string. If your brand is "Acme" and you own acme.com, a squatter now has acme.shop, acme.online, acme.store, acme.tech, acme.app, and 1,195 others to work with. Most won't be registered. Some will. The ones that matter are the ones that get used for consumer-facing abuse.

Second, less obvious: the combination of new TLDs with Punycode creates homograph attacks that are genuinely difficult for consumers to detect.

Punycode is the encoding system that allows internationalized domain names (IDNs) to be represented in DNS. A domain like аcme.com, where the "а" is Cyrillic, not Latin, would be registered as xn--cme-5cd.com in the DNS system, but displayed as аcme.com in a browser. To most users, it looks identical to acme.com.

With 1,200 TLDs, homograph attacks can be layered. A phishing domain might use a near-identical brand string in a TLD with brand-relevant keywords. аcme.store looks like a branded storefront. аcme.bank looks like a banking portal. These aren't theoretical: they show up in phishing campaigns targeting financial services and e-commerce brands.

Detection of homograph attacks requires monitoring that checks Unicode representations, not just ASCII. Most basic monitoring setups miss these. It's worth asking your monitoring vendor specifically whether they check for IDN homographs.
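The two checks described above (flagging brand strings in a zone-file feed, and catching IDN homographs that an ASCII-only match misses) can be sketched as follows. This is an added example, not code from the lesson or from any vendor; the function names, the small lookalike table and the sample domain list are assumptions constructed for illustration.

```python
import unicodedata

# Constructed subset of lookalike characters (assumption for this example);
# a production check would load the full confusables data from Unicode UTS #39.
CONFUSABLES = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o",  # Cyrillic
    "\u0440": "p", "\u0445": "x", "\u0443": "y", "\u0456": "i",  # Cyrillic
    "\u03b1": "a", "\u03bf": "o",                                # Greek
}

def to_unicode(label):
    """Decode an xn-- (Punycode) label to Unicode; pass other labels through."""
    label = label.lower()
    if label.startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except ValueError:  # malformed Punycode: keep the raw label
            return label
    return label

def skeleton(text):
    """Fold lookalike characters to the Latin letters they imitate."""
    text = unicodedata.normalize("NFKC", text)
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)

def classify(domain, brand):
    """Return 'brand', 'homograph' or None for the label left of the TLD."""
    labels = domain.rstrip(".").split(".")
    if len(labels) < 2:
        return None
    sld = to_unicode(labels[-2])
    if brand in sld:
        return "brand"        # plain ASCII match, in any TLD
    if brand in skeleton(sld):
        return "homograph"    # matches only after folding lookalikes
    return None

def scan(domains, brand, owned=()):
    """Flag domains from a zone-file feed that are not in the owned set."""
    return [(d, k) for d in domains
            if d not in owned and (k := classify(d, brand))]

# Constructed sample of newly seen domains, as a zone-file diff might list them.
SAMPLE = ["acme.com", "acme.shop", "xn--cme-5cd.store", "xn--cme-5cd.bank",
          "xn--mnchen-3ya.example", "example.online"]

if __name__ == "__main__":
    print(scan(SAMPLE, "acme", owned={"acme.com"}))
```

A substring search for "acme" over the raw feed would surface acme.shop but neither xn--cme-5cd entry, which is the gap the vendor question is meant to expose.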

Challenge 3: Consumer Confusion from Competitive Registrations

The third challenge is distinct from squatting and phishing: it's legitimate-ish competitors registering brand-adjacent domains in TLDs that create consumer confusion.

Here's a pattern that came up at EuroDNS and that I've seen repeatedly in monitoring work since: Company A operates in the home improvement sector as "BuildRight." Company B, a competitor in the same space, registers buildright.tools, buildright.pro, and buildright.services. None of these infringe on Company A's trademark in a legally clear-cut way: they're using the term in descriptive contexts, or they have a different geographic presence, or the registrations are technically in a country where Company A doesn't have registered trademark rights yet.

Company B isn't necessarily doing anything illegal. But customers searching for Company A's products find Company B's sites. In some cases, the competitor's site is designed to look generically "BuildRight-like," benefiting from the brand association without technically counterfeiting.

The legal options here are less clear than in clear-cut cybersquatting. UDRP requires demonstrating that the registrant has "no rights or legitimate interests," which is harder to prove against a competitor that has some business reason for using the terms. A cease-and-desist might work; it might escalate. A UDRP complaint that you're likely to lose is worse than not filing, because it creates a public record of the dispute.

The practical response is often different from the legal response. Sometimes the right move is to negotiate a purchase. Sometimes the right move is to file UDRP on the weakest registrations (the clearly infringing ones) and ignore the others. Sometimes the right move is to ensure you have strong content and SEO on the TLDs you do own, so the competitor's brand-adjacent pages don't rank above yours.

There's no universal answer. But the question has to be asked deliberately, not discovered accidentally six months after the registrations were made.

Key Takeaways

  • Manual monitoring of 1,200 TLDs is not operationally feasible. Automated monitoring is a requirement, not an upgrade.
  • Typosquatting in new TLDs follows the same patterns as .com but at scale. Every new TLD creates new infringement surface for the same brand strings.
  • Punycode homograph attacks are genuinely difficult for consumers to detect. Most basic monitoring tools miss IDN variants. Ask your vendor specifically.
  • Not all brand-adjacent domain registrations are cybersquatting. Competitive registrations that create confusion may require a different response than legal enforcement: negotiation, SEO, or selective UDRP on the most egregious cases.
  • The most expensive monitoring failure is the one you discover from downstream signals (customer reports, partner complaints) rather than your own systems.

Further Reading

  • ICANN CZDS (Centralized Zone Data Service): czds.icann.org
  • Farsight DNSDB for passive DNS research: farsightsecurity.com
  • UDRP "rights or legitimate interests" precedents: WIPO Overview 3.0, sections 2.1-2.7
  • Module 7, Lesson 11 covers the technical side of IDN homograph attacks in depth, including Punycode encoding, browser protections, and using Dnstwist for portfolio-level detection

Up Next

Lesson 03: The math on defensive registrations. What it costs to register your brand across 500 or 1,200 TLDs, what Fortune 500 companies actually spend, and when UDRP-on-demand makes more economic sense than pre-registration.