back to article Phishing awareness gone wrong: Facebook tries to seize websites set up for staff security training

Security biz Proofpoint and its subsidiary Wombat Security Technologies have sued Facebook and its Instagram subsidiary to prevent the seizure of internet domain names used for security testing. Proofpoint conducts cybersecurity training for organizations, part of which includes phishing awareness testing. This involves …

  1. alain williams Silver badge

    Is proofpoint being malicious

    or deceptive* in its use of these domain names ? If not it seems as if their use is reasonable. To provide good training it has to use domains that have to be good enough to fool those being trained. The UDRP arbitrator is wrong and facebook is being an ass (nothing new there).

    * Other than trying to deceive those being trained.

    1. NoneSuch Silver badge

      Re: Is proofpoint being malicious

      Maybe Facebook should be grabbing the similar domains NOT in responsible hands as a first step.

      I almost typed that without cracking a smile. Almost...

      1. The commentard formerly known as Mister_C

        Re: Is proofpoint being malicious

        Or perhaps proofpoint should allow the relevant domains to be transferred because trademark. On the understanding that the big boys lease the names back gratis so that the training company has a valid, above board training resource. Because pro bono.

        And preferably rinse repeat with other web giants for other training and/or security companies.


          Re: Is proofpoint being malicious

          You and I both know that will not happen. For Zuck & co., "pro bono" is what they call it when they professionally ram it up your...

    2. JimboSmith Silver badge

      Re: Is proofpoint being malicious

      A mate who works for a firm who uses Wombat got creative. He reverse searched all the domain names Wombat have registered that he could find. Then added them to his spam list and hosts file so he wasn't bothered by the emails. He had to remove their main domain from both those though. This was because the emails telling him he had training to complete were being dumped directly into spam.

      1. Anonymous Coward
        Anonymous Coward

        Re: Is proofpoint being malicious

        I have the same issue with my filter - fortunately IT are good at telling us out of band as well, so I still get told.

        Of course the "forward suspicious email to IT's phishing line" doesn't help, 'cos that does prelookups on the links - oops

    3. Grease Monkey Silver badge

      Re: Is proofpoint being malicious

      Are they begin malicious? No.

      Are they being deceptive? Quite clearly yes, otherwise there would be no point in the whole exercise.

      I think the question here is not whether the rules are broken, but whether the rules are correctly drafted in the first place.

    4. Danny Boyd

      Re: Is proofpoint being malicious

      It's not about Proofpoint being malicious. It's about "Facebook" and "Instagram" being registered trademarks. Facebook MUST "police and enforce" the ownership in order not to lose the registration.

      1. Cuddles Silver badge

        Re: Is proofpoint being malicious

        Being required to police and enforce ownership does not mean you must take court action to confiscate domains. It's perfectly allowable to just license the use. This is the sort of situation you'd normally just agree on a pepperorn rent - Facebook has no need of the domains, Proofpoint has no need to actually pay anyone since there are plenty of other domains they could use, so both parties benefit would from a nominal license contract to allow use while protecting the trademark. The fact that Facebook insists on confiscating the domains isn't a requirement of trademark law, it's just Facebook being dicks.

        1. yetanotheraoc Silver badge

          Re: Is proofpoint being malicious

          If Facebook licenses the trademark infringing domains, Wombat gets the clicks. If Facebook owns the domains and then licenses them, Facebook gets the clicks. Since the clicks come from users failing the phishing test, this is *great* information to add into Facebook's database.

          "there are plenty of other domains they could use"

          Yes, but Wombat already knows it's the Facebook-alike domains that have the highest failure rate, that's why the chose them. If they choose another Facebook-alike domain, Facebook will do the same thing. And if they choose a non-Facebook-alike domain, they miss out on a vulnerable population. The point is to educate users, to do that you need to figure out what they will click on. I actually clicked on a phishing test link once, never thought it would happen to me. But now I watch out for that internal scenario, so the phishing testing/training did its job.

      2. Mage

        Re: Is proofpoint being malicious

        But this and many other cases by companies like Coca-Cola are simply corporate bullying, over-reaching just in case. This isn't real trademark protection. It's scorched earth policy. It's not just the domain names, but they seem more narrowly policed by aggressive companies like Facebook. They'd be better occupied policing their own nasty, malicious and lying content. The same rules that are applied to radio, TV, papers and billboard surely shouldn't be ignored because it's the internet. Seems they only want laws that suit them applied. And overly harshly.

  2. Terry 6 Silver badge

    Where is human decision making?

    In another thread* Google's use of automated decision making is covered.

    In this one we must assume a human chose to pursue this matter against a valid security training company.

    But the outcome is broadly the same- a bloody stupid decision is made without any sense of human common-sense, case-by-case, judgement.

    I had joked in that thread that maybe there weren't any humans and they were really being run by computer.

    But I'm starting to think it wasn't a joke.



    1. Doctor Syntax Silver badge

      Re: Where is human decision making?

      Common sense will probably be above the pay grade of those responsible.

      1. Kevin Johnston

        Re: Where is human decision making?

        I get the feeling that common sense needs to be re-branded to 'once in a lifetime' sense

        1. HorseflySteve

          Re: Where is human decision making?

          or Critically Endangered Sense...

        2. Doctor Syntax Silver badge

          Re: Where is human decision making?

          It's certainly uncommon.

      2. IGotOut Silver badge

        Re: Where is human decision making?

        "Common sense will probably be above the pay grade of those responsible."

        Common sense will probably be BELOW the pay grade of those responsible.


      3. A.P. Veening Silver badge

        Common Sense

        The problem with common sense is that sense never ain't common - Lazarus Long

  3. Anonymous Coward
    Anonymous Coward

    Clickable links

    Where I work we get fairly regular phishing test emails from seemingly legitimate sources with seemingly legitimate links, no problem with that.

    If you are caught you then get an email with a link directing you to take a training course.

    That email comes from a seemingly legitimate source with a seemingly legitimate link.

    I report those emails to the phishing team and don't click on the link.

    It has been like this for years.

    Why they can't email me saying something like 'log in to your personal training portal on the intranet where a course link will be available'?

    That would seem sensible to me.

    Just a personal rant I know, but as I can't go to the pub El Reg is my new best mate ever.

    1. JimboSmith Silver badge

      Re: Clickable links

      I've had at least one phishing test email sent to my work address. I've probably had more but I ignore anything I think is spam, which is quite often. I've deleted a few legitimate emails and just blamed the spam filter.

      The one phishing one I bothered to look at had a link and an attachment. I reported it and told IT support I thought others may have received it too. When their response was glacial that time, I cottoned on to the fact it was a test. As I don't do LinkedIn or use my work email for any social media mails with those as a link won't work for me. I don't do internet banking either so those would be another massive red flag. The address I've given work as my personal email is unique to them. If a test one is sent to that address it'll be obvious.

      1. Terry 6 Silver badge

        Re: Clickable links

        This is another issue. Banks' marketing depts have a history of sending emails with clickable links of the "Click here to log in and see our latest rates" variety. One month I got one such email from them within days of receiving one from their security dept, warning all customers never to click links in emails to log in!

        Why is there no icon for despair?

        (Which, to be fair, was also the response of their customer service person when I phoned to complain about this- a sense of despair, but knowing that the most they could do was pass this up the line).

        1. Doctor Syntax Silver badge

          Re: Clickable links

          "One month I got one such email from them within days of receiving one from their security dept, warning all customers never to click links in emails to log in!"

          I'm pretty sure I've had such security emails that actually contained links themselves. My building society has a leaflet listing the domains they'll genuinely use. This hasn't penetrated as far as their marketing department who have used others. The links which appear to be genuine are actually sub-domains that resolve to marketing companies. I've even raised this at their AGM., not least because they're training their customers to be phished.

          What should really concern security departments is that if marketroids expect customers to click on random links in random emails it's because they themselves see no issue in doing so. I strongly suspect that most successful phishing attacks are through marketing departments.

          1. the hatter

            Re: Clickable links

            There's a market in (a) finding where those subdomains are hosted (generally, which cloud) (b) waiting for the campaign to finish/be abandoned then (c) new customer thrashing the cloud to be assigned that IP when it's no longer bound it it's original customer. That way, scammers have the bank (or other major organisation's) real domain to include in their emails, only now it's pointing at a web server who's contents are controlled by the scammer. Not yet a practice that marketing and IT are in lock-step on defusing.

            It's not the cloud, it's someone else's highly recyclable but not entirely as-new computer (and infrastructure)

        2. Orv Silver badge

          Re: Clickable links

          And half the time those links don't even go straight to the bank's site, they go to some marketing company's redirect first.

  4. Version 1.0 Silver badge

    Every few days I get emails stating that my AmericannExpress account has been locked - so I guess I can't post about this this on Farcebook?

  5. Sorry that handle is already taken. Silver badge

    "By using domain names similar to those of well-known companies, Proofpoint is able to execute a more effective training program because the workforce is more likely to learn to distinguish typo-squatted domains, which are commonly abused by bad actors to trick workers, from legitimate domain names."
    and yet
    the security biz maintains that no one is likely to confuse its similarly named domains to or

    It's fair to say it's difficult to reconcile these two statements.

    1. doublelayer Silver badge

      Mostly because, when you're seeing it in a security training email, you just get the URL. If you go to one of them expecting it to be real, it will look different and tell you what it is. Someone going to one of the URLs won't be faced with a lookalike service, but instead a warning that looks like this:

      "Hi! This web site belongs to Proofpoint Security Awareness Training. This domain is used to teach employees how to recognize and avoid phishing attacks. This page is here to let you know that this is not a malicious web page. The email that led you here was likely sent by your employer as part of a training program."

      And thus, they contend that people are unlikely to misidentify the site as the real one, because they look totally different. Nor would anyone typing in a URL type the other version--'rn' may look like 'm' when you see it, but it's very different to type or say. Those are the points that lead to the statement you quoted.

  6. a_yank_lurker

    Cybersquatting anyone?

    Cybersquatting is a real problem and training people to pay attention to what they type and the site itself is a good idea.

  7. Mike 137 Silver badge

    Differences in law?

    In the UK, a trademark is fundamentally attached to a business class (essentially its type of activities), so for example "knots" could in principle be trademarked independently by a string tangling service and a marine speedometer manufacturer.

    Maybe it's different in the USA, but it would seem that the activities of farcebook and Wombat are sufficiently different not to cause confusion (at least I would, hope so).

    1. adam 40 Silver badge

      Re: Differences in maritime law?

      Mike you do know that the unit of speed "knots" is determined by knots in a rope?

      The two things are inextricably tied together!

      1. the hatter

        Re: Differences in maritime law?

        As with most older units, the knot is no longer tied to any string, but to the speed of light and the frequency of caesium. The waves measure the knots - how the tables have turned.

    2. Orv Silver badge

      Re: Differences in law?

      The same is true in the US, but deciding what is or isn't in the same class can be pretty hazy. Facebook may feel that since these are both websites, that's close enough.

      ICANN also has its own rules about trademarks and domain names.

  8. Eclectic Man Silver badge

    Are they both 'right'?

    Facebook, Instagram etc. are rightly protective of their registered names, and do not want anyone pretending to be them. Proofpoint and Wombat security provide security training to companies, which includes spoof phishing emails, and there are lots of actual phishing e-mails pretending to be from Facebook and Instagram (I even got one purporting to be from the UK's MI5 at work once).

    Surely the solution is for 'responsible' organisations to register some of these mis-spelt domains for the use of security training and allow companies like Proofpoint to use them for training? That way the actual decoy websites used by criminals can be blocked, the training ones left as allowed at the firewalls and everyone is happy?

    The problem is that Proofpoint should have asked for permission from Facebook and Instagram first.

    1. A.P. Veening Silver badge

      Re: Are they both 'right'?

      The problem is that Proofpoint should have asked for permission from Facebook and Instagram first.

      It is easier (or at least a lot quicker) to ask forgiveness than permission.

    2. Mage

      Re: Are they both 'right'?

      No, Facebook overly aggressive. This isn't real trademark violation. Do NOT pay the the bullies!

    3. tiggity Silver badge

      Re: Are they both 'right'?

      "The problem is that Proofpoint should have asked for permission from Facebook and Instagram first."


      Thats just Facebook using trademark law in a poor way - as there is no confusion for anyone visiting the sites (unlike "genuine" phishing sites),

  9. Cynic_999

    Not so clearcut

    Assume that it has come to your attention that someone has registered a domain that is obviously designed to be mistaken for your company domain. Would you (a) assume that it must be a security training company (b) someone wanting to trade on your company's goodwill or (c) someone intending to launch a phishing scam?

    Personally I would think it could be any of those possibilities.

    Who should be responsible for finding which of the three situations is the case? Bearing in mind that just because the web page accessed by the URL "" takes you to a page saying that it is a security test does not mean that there is not another page with the URL "" that is a phishing attack. Or just because the person who registered the domain goes under the name of "Security Consultants Ltd" does not mean that they must be one of the good guys. Believe it or not, there are blackhats who masquerade as whitehats. (Are we allowed to use those terms these days?)

    Is it not easier to just pull the plug on the domain and let the registrant fight to get it back by proving innocent intent than to conduct an in-depth investigation?

    Anyway, maybe someone should register "" and see whether the company in question has any objections.

  10. Anonymous Coward
    Anonymous Coward


    I'm not defending either Facebook or ProofPoint on this issue but from my own personal experience, if you DID want to create a malicious phishing website... NameCheap is the go-to registrar for such a thing.

    1. williamsth

      Re: NameCheap

      Whoever gave you the down vote clearly hasn't seen the amount of phishing sites Namecheap host and their awfully relaxed approach in taking them down.

  11. Kevin McMurtrie Silver badge

    Proofpoint just wants a good sales pitch

    Phishing and legitimate emails are indistinguishable today because businesses and spammers are using the same "customer loyalty" companies. Oracle and SendGrid are big and there must be hundreds of fly-by-night trackers on AWS. I've configured my mail server to refuse those networks for it's own health and survival.

  12. Blackjack Silver badge

    I don't like Facebook


    A) Nowadays you don't need any real domain name to do phishing. Most phishing is done by people clicking the wrong links in an email or by malware infecting a legitimate site or the web browser. Infecting Apps or doing fake Apps is also becoming more and more common.

    B) Any time those domains could either be seized by bad actors or infected by malware.

  13. Steve Graham

    Proofpoint are doing it wrong

    Let's say you want your staff to have some training to recognise dodgy links. Why do & actually have to exist on the internet? Shirley you would use your internal DNS to point them at a local server.

    1. Orv Silver badge

      Re: Proofpoint are doing it wrong

      Then Proofpoint has to get involved in how the organization's DNS is run. This way they can get a contract to do testing without ever having to deal with on-site IT.

    2. Chiefpotter

      Re: Proofpoint are doing it wrong

      Maybe that would have worked about 5-10 years ago but with the rise of home working you can't guarantee that your users are actually using your internal dns servers.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like