Proofpoint sues Facebook to get permission to use lookalike domains for phishing tests

Facebook's crackdown on lookalike domains last year has touched some of the domains security firm Proofpoint was using for security awareness training exercises.
Written by Catalin Cimpanu, Contributor

Cyber-security powerhouse Proofpoint has filed a lawsuit this week against Facebook in relation to the social network's attempt to confiscate domain names the security firm was using for phishing awareness training.

The case is a countersuit to a Facebook filing from November 30, 2020, when the social network used a UDRP (Uniform Domain-Name Dispute-Resolution Policy) request to force domain name registrar Namecheap to hand over several domain names that were mimicking the Facebook and Instagram brands.

Among the listed domain names were the likes of facbook-login.com, facbook-login.net, instagrarn.ai, instagrarn.net, and instagrarn.org.

Proofpoint says lookalike domains are fair game

In court documents filed on Tuesday, Proofpoint said the UDRP should not apply to these domains, which it should be allowed to keep and continue using.

Proofpoint argues that UDRP requests should only be used for domains registered in bad faith. The security firm instead says its use of the Facebook and Instagram lookalike domains "has been in good faith and for a legitimate purpose."

Proofpoint claims its phishing awareness tests are crucial not only for the security of its customers but also for the security of Facebook itself, as the tests teach users to recognize Facebook and Instagram lookalike domains and phishing attacks, something that Facebook also benefits from, although indirectly.

The security firm also argues that while other lookalike domains are used for criminal activity, the Facebook lookalike domains it owns are not weaponized and do no harm to users.

Users who click on links found inside Proofpoint phishing tests are always notified that they performed an unwanted action; no Facebook account credentials are collected and no harm is done to the user, the security firm said.


Furthermore, users who access the domains directly are also warned that these are not official Facebook sites.

"Consumer confusion is unlikely because Proofpoint clearly states on the websites to which the Domain Names are pointed: 'Hi! This web site belongs to Proofpoint Security Awareness Training. This domain is used to teach employees how to recognize and avoid phishing attacks.'"


Now, Proofpoint wants a judge to rule that its use of these domain names is "in connection with a bona fide offering of goods or services" and in good faith; hence, the domains should not be subject to a classic UDRP seizure request.

Copies of the court documents are available here and here. The legal case was discovered by Seamus Hughes, deputy director of the program on extremism at George Washington University.

Facebook and Proofpoint have not responded to requests for comment.

Over the past year, Facebook's legal department has been very active and has filed multiple lawsuits against developers of rogue browser extensions and Facebook apps who have collected Facebook user data without authorization.

Among the tens of lawsuits the social network filed last year was one against Namecheap, seeking to unmask the cybercrime groups that had registered malicious Facebook lookalike domains.
