Chapter 3

Social Engineering

Abstract

In this chapter, we learn how to get more information directly (or indirectly) from other sources through human interaction. This chapter will essentially round out the remaining information needed to conduct an investigation on a user, group, or entity.

Keywords

Backtrack
Social Engineering
Investigations
Shoulder Surfing
Dumpster Diving
Eavesdropping
Phishing
Bugging
Tracking
Spear-Phishing
Infectious Media Generator
Mass Mailer Attack
SMS Spoofing
Wireless Access Point Attack Vector
Reverse Social Engineering
Advanced Persistent Threat (APT)

Social engineering

Security is built on the foundation of trust. You can secure your identity, computer, or access to your home, but you do give this information and access to those you trust. As an example, you hold the door for someone because you practice chivalry. Your kindness just thwarted the electronic badge system used to ensure that unauthorized users do not enter a facility. Attackers, hackers, and stalkers all hope that you let your guard down for this exact reason so that they can gain access to a trusted location. The main reason social engineering takes place is because it is easier to gain access to a trusted source by simply manipulating someone who can give you access instead of breaking in through technological means. This is the basic foundation of social engineering.
There are many definitions of social engineering. As we just discussed, manipulating a human control in order to gain unauthorized access is one of them. Another could be using a human to provide needed information to gain access to trusted resources. When considering technology specifically, it can sometimes be defined as malware used to trick a user into providing trusted data. In all of these examples, manipulation and trickery are key words used to define the basic underlying principles of social engineering.
In relation to information gathering, social engineering can be used to gain technical data such as passwords, physical and logical access to resources, and many other pieces of information that could be used to conduct a larger attack. Another example is that you trick someone through simple conversation to produce answers you need. For example, I place a call to you from a spoofed phone number that appears to you to be from a trusted source. I then tell you things that relate to you, us, or our conversation so that I can gain your trust. By asking specific questions and getting answers, I may be able to ascertain information from you needed to do another task, such as gather your account information to get into a personal website or bank account. This can then be leveraged into the digital world by exploiting the gathered information.

Am I Being Spied On?

In regard to social engineering, it’s possible that you have been manipulated at points throughout your entire life and do not know that it happened to you. For example, someone you trusted could have gotten a phone number from you without your knowledge, likely because you left the information out in the open and did not know it was being stolen. You could have been tricked on the playground at school in second grade. While growing up, you may have manipulated your parents for information. It’s very likely that you yourself may be good at manipulating people for your own gain.
That being said, in regard to digital surveillance and reconnaissance, when considering your target, you may need to perform social engineering to gain access to trusted resources in the hope of attacking your target directly or gaining more information about the target. Another example of a social engineering attack to gain information would be dialing a target by phone in the hope of tricking them into releasing the information you request. This provides cover and secrecy for the attack because the target cannot see the attacker. The attacker can mask their voice as well as spoof their number, providing even more cover for evasion purposes.
In Figure 3.1, we can see why social engineering is an attack that many malicious attackers find so desirable. Here, we have a corporate network accessible over the Internet and protected by a firewall. For an attacker to gain access to the trusted secure data, they would need to construct an attack over the Internet that may or may not penetrate the firewall. Firewalls are built to secure not only a network but also to log and alert the administrator to malicious activity such as a penetration attempt. An attacker would have to be very careful not to get caught. An easier path would be for them to place a call to a user inside the protected network and get information from them directly.
Figure 3.1 Protected and unprotected networks.
It is much easier to place a call and get the data directly. Most times, these attacks go completely undetected giving the attacker the ability to covertly gather information without getting caught. Many times, these attacks go undetected until the data is used in a way that draws attention, such as using a bank account number gathered over a phone or a social security number that is used to empty a bank account.

Scam Example

Gathering information leads to attacks. In the technical world, this can be done in many ways. An attacker can dial you on the phone. They can put software on your machine when you visit a website. They can e-mail you a uniform resource locator that looks similar to a legitimate website and take you to a malware site. Technically, anything is possible although the attack is the same – it is based on trickery.
Phone scams take place every day, thousands of times per day. An example of a phone scam used to gather information is as follows:
Attacker – “[dials victim from a spoofed familiar phone number] Hello, we are running a survey today via the US Government to take a poll of who you may vote for in the next election, do you have a few minutes to answer a few brief questions?”
Victim – “[as victim looks up spoofed number and considers it safe] Yes, thank you. I have a lot of concerns about this nation’s financial health and would love to answer a few questions.”
Attacker – “Good, thank you. Before we continue, I would like to verify your identity for our records so we do not get duplicate responses that may taint the survey, can you verify the last 4 digits of your social security number?”
Victim – “Absolutely, it is 3928.”
Attacker – “Thank you, and can you verify your current address?”
For brevity’s sake, we will stop here and review the issue with this transaction. While an attacker may be able to get some of this information online, in the cases where they cannot, you just provided them with what they may need to get into your personal bank account online.
In the following list, you will find the most common questions asked of someone; the answers to them may be enough for a helpdesk to change the password on a personal account, such as a bank account.
• Last four digits of your social security number
• Your mother’s maiden name
• Favorite pet
• One of the schools you attended
• Your zip code
• The street you grew up on
• The last car you owned
What you can see from this list of examples is that there are data points that can be easily gathered without much effort. With this information, an attacker can easily thwart the controls put in place to protect your bank account and commit fraud. This is also a prime example of a social engineering attack. This is an information gathering technique that can be used very easily to gain access into your trusted resources.
Attackers can use this type of surveillance technique to build on information needed for a larger attack as well. For example, an attacker may be planning a larger attack and need this type of information to track you. They may be interested in your patterns and habits, and your interests and so on can all be learned through casual conversation. This attack does not need to happen remotely either. Information can be obtained by overhearing someone talk at a party, an event, or a tradeshow.

How to Gather Information

As we discussed, social engineering is a way to gain unauthorized access to trusted resources. This intrusive behavior is done to penetrate defenses to gain information, data, or line of sight into a target. It’s done to commit fraud or espionage. Another common attack is to gain access to commit identity theft. Other malicious behavior could be to cause harm or disruption. That being said, it is important that you learn to protect yourself and your interests carefully.
Before we learn how to mitigate this threat, we should discuss how attackers use social engineering to gather data. Earlier, we used a brief example of how an attacker may use a simple phone call to trick someone into providing trusted information. In the following examples, we will look at other ways attackers violate the sanctity of trust through social engineering and trickery.

Dumpster Diving

Dumpster diving is an interesting attack that produces an immense amount of information on an organization, firm, individual, or entity. You can learn a lot about a person or company from the trash they throw away. It’s also extremely surprising how much personal and private information is thrown out for others to find. Generally, most dumpsters and trash receptacles do not come with locks, since locks would make it nearly impossible for regular trash collection services to dispose of the contents properly; however, other solutions are available to secure your trash.
For one, you should never throw anything out that has information contained on or within it without considering how it can be used against you. If you throw out bill statements and other paperwork that contain private information, you should consider burning it, shredding it, or any other way of destroying the information it contains.
In Figure 3.2, we can see an attacker digging through trash to locate useful information.
Figure 3.2 Dumpster diving.
Cross-cut shredders were created because it was proven that a bag of shredded paper from a normal straight-cut shredder could be reassembled given enough time. Kevin Mitnick, president of Defensive Thinking, was originally a hacker who, once caught, turned to good. He claims that social engineering is one of the weakest links and that dumpster diving is a huge hole in security controls. Given enough time, a large amount of data can be reassembled from the output of a straight-cut shredder and used against you and/or an entity.
We tend to throw things away without considering the impact of them being recovered. We gleefully assume that because we put something in the trash, it is dutifully removed from the premises and destroyed adequately. If only that were the truth. Your trash can easily be recovered and used to gather information. Disk drives can be thrown out and, even if you attempted to destroy them, can be reassembled and/or repaired enough to get data off them. There are many secrets that can be uncovered in the trash; you should consider that next time before you throw something away.

Shoulder Surfing

Shoulder surfing is a seemingly harmless attack; however, your phone password, system password, or private and personal information can be gleaned quickly and easily most times without your knowledge. The quickest and the easiest surveillance attack that can be performed is glancing over someone’s shoulder without their knowledge.
Unfortunately, this happens more than we would like to admit or believe. Many times just out of curiosity, people eavesdrop on others to learn about them, gather information, or just to be a part of what may be going on with them. Sitting on an airplane may be the best example of harmless curiosity that turns into an annoyance for a victim. You are sitting so close together that even if you wanted to maintain privacy, it’s nearly impossible.
Eavesdropping seems harmless; however, it is also an information gathering technique used by those conducting surveillance and reconnaissance. In its worst form, shoulder surfing is useful in supplying an attacker with a lot of valuable information.
Sitting in a café, sitting in your cubicle at work, or on a bus or train in transit, you may be immersed in your work, reading, typing on your laptop or mobile, and not noticing someone looking inconspicuously at what you are doing, recording this information and transferring it for later use. They could even be secretly recording you without your knowledge. In Figure 3.3, we can see an example of someone shoulder surfing a victim without their knowledge, memorizing their keystrokes for a password, validating websites they are using, or reading the names and salaries off a payroll document.
Figure 3.3 Shoulder surfing.
A far more devastating attack comes from gleaning information that can be used quickly, such as a bank ATM PIN. In Figure 3.4, we can see someone covering their PIN as they enter it; however, someone who is well trained to match your finger position to the 9 digits found on most commonly used keypads can quickly memorize what you typed. If they are successful at gaining access to your wallet or pocketbook without your knowledge, they can use this information as part of a larger attack.
Figure 3.4 Pin theft.
Although banks are generally protected by cameras, someone trying to conceal their identity may not get caught. These pieces of information can be used for online access as well: since many people re-use passwords and PINs, gaining access to one account may provide access to them all.
So, we have covered physical attacks that translate into digital attacks or larger attacks through simply spying on others, what they do and how they do it. Sometimes what you don’t know can hurt you. Take note that logical attacks follow the same social engineering behaviors but are leveraged in digital form.

Phishing

Phishing is an attack that falls along the lines of social engineering – thus, evading controls through trust. How is it done specifically? Well, if we follow the attacks listed earlier in this chapter, where a phone call was used to glean valuable information, we can follow the same premise here within the digital domain. In recent years, phishing attacks have grown in number significantly. Why, you ask? Because of the simplicity of launching them and the valuable information they produce.
In Figure 3.5, we can see an example of a common phishing scam. An attacker creates a form e-mail that looks professional. They may even make a copy of one used with company letterhead, images pulled from the site, and official-looking logos. They craft this e-mail with a malicious call to action and a payload. The call to action is based on fear.
Figure 3.5 Phishing example.
The attacker tries to get you to produce information by clicking on a link (for example) that takes you to a malicious and fraudulent website. This website too contains official-looking information and, at times, is an exact replica of the site that you believe is legitimate. You may even enter your credentials that are recorded and used on the real site you thought you were visiting. This is one example of how phishing can be used to gather information.

Social Engineering Toolkit

The social engineering toolkit (SET), which is an open-source tool that comes by default with the Kali Linux distribution, can be found when you launch Backtrack. As mentioned in a previous chapter, this tool can be used to gather information, conduct social engineering attacks, such as to send spoofed phishing texts to a victim’s phone, as well as many other attacks such as spear-phishing attacks.
Spear-phishing requires an attacker to know a little bit about you. This is where phishing evolves into a larger attack. As we discussed earlier with our explanation and example on phishing, we use a “dear bank member” salutation, whereas when spear-phishing, the attack is less generalized and more formalized. For example, if your name is Sally, the e-mail or text sent may directly call you out by name. This allows the attacker to pinpoint who they are attacking and use information gathered from other sources to trick you into trusting them as a legitimate source.
When using the toolkit, you will also find the infectious media generator as one of the options. This tool allows you to create a payload that can be placed and then activated off removable media such as a USB drive or a DVD-ROM. In Figure 3.6, we can see an example of using a SET to generate a payload.
Figure 3.6 Using the SET with Backtrack to generate a payload.
As you continue to make selections (such as creating a file-format exploit), as seen in Figure 3.7, we can see just how easy it is to create an attack with Backtrack.
Figure 3.7 Using the SET with Backtrack to create an attack.
As you walk through the tool, you can then select specific attack formats such as creating an Adobe PDF file, a Zip file, and other formats. In Figure 3.8, we can see an example of the many different files you can create to launch your exploit.
Figure 3.8 Using the SET with Backtrack to launch your exploit.
In Figure 3.9, we can see how the payload can be deployed. In this example, we use a Windows meterpreter shell that can allow for a backdoor attack by using Internet protocol addresses and ports to make connections.
Figure 3.9 Using the SET with Backtrack to deploy the payload.
Finally, in Figure 3.10, we generate the payload by configuring the payload listener. You can find a copy of your payload in the path provided off the root directory. Once you have configured the attack, created the payload, and are ready, you can plot your attack.
Figure 3.10 Using the SET with Backtrack to generate the payload by configuring the payload listener.
This is but one example of one feature found on one tool of the hundreds of examples that can be provided when using this toolkit and Backtrack. Mass mailer attacks, SMS spoofing, and other attacks (such as those launched against wireless systems) can all be conducted with the SET. All of these (and more) are attacks that can be conducted with one toolkit. Other tools such as Maltego that we covered in Chapter 2 can be used in conjunction with the SET to build profiles on individuals and organizations you wish to attack.
The SET tool can also be downloaded online separately from Kali Linux and Backtrack by going to:

Bugging and Recording

Last on our list of attacks is bugging and recording. This is mentioned within social engineering because you can be manipulated in ways to incriminate yourself easily by an attacker. You can give up valuable information. Although not directly mapped to social engineering, many times your conversations are recorded and can be used against you. An attacker can easily conduct a conversation and record your voice, manipulate the audio, and use your own words to incriminate you. This is often done by the news media, taking clips of information and leaving out portions of it so that you do not get the entire context of what is being said to socially engineer a response from the public.
At a personal level, surveillance can be conducted to gather information on a victim. This can be done quickly and with ease using tools such as the one seen in Figure 3.11, where we can see an audio surveillance listening device that can be fitted with a SIM card and hidden without someone knowing it. It can be configured to call you directly (so you can listen) when someone triggers it above a certain decibel level.
Figure 3.11 Surveillance tool.
We will drill down into this type of surveillance activity in upcoming chapters; however, for now, know that you can be manipulated by someone bugging, recording, tracking, and tricking you, all of which violate your trust and privacy. Does this mean trust no-one? No, but it does mean you should consider that these types of attacks “could” very well happen and, by being aware, you may just limit your attack surface.
As you have learned, there are many ways to gather information without ever touching a computer terminal, a keyboard, or a device. There are many ways to conduct an attack or gather information without the need for a computer.

Mitigation of social engineering

As we progress through this book, we learn not only how attacks are used and why but also what you can do to protect yourself and your privacy. Digital reconnaissance and surveillance techniques vary widely and, as you are learning, can be used in conjunction with other attacks to conduct larger more malicious attacks. In this section, we will highlight some of the most important things you should consider to limit your exposure to social engineering attacks, discuss privacy, and cover case law that shows how social engineering attacks are treated in the United States.

Mitigate Attack

It is difficult to mitigate social engineering attacks. It strikes at the very root of how human beings treat each other; defending against social engineering means that you need to be aware of your surroundings, who you are dealing with, and no, you cannot trust everyone you meet or know. In fact, social engineers scout for this overly trusting, gullible behavior in people in order to know who to manipulate and how to manipulate them. They are considered easy targets.
If you could openly trust everyone and everything, there would be no reason for security. No locks on doors and banks would leave their vaults wide open. The fact is that historically, this is not the case and security grows as an industry exponentially every year. As we have covered, there is a thin line between being overly safe and being paranoid. That does not mean you should not have faith in people and believe that you can trust them; it just means precautions are in order for your benefit and the benefit of your finances, your loved ones, and your safety.
You can remain safe by being aware. Be aware of your surroundings. Who are you talking to, who can be listening?
Are you typing something? Are you being recorded? If you remain aware and vigilant about your own personal security, you will understand how to mitigate social engineering attacks. Do not openly trust those you do not know and think about the actions of those you do.
When at work, take the security policies enforced in your organization seriously. No, do not hold the door open for someone you do not know to let them into your office suite. Yes, it’s great manners; however, there have been dozens if not hundreds of penetration attacks conducted by someone being let into an office suite simply because an employee held the door to be nice. The intruder does not need to get past the biometrics or card reader, and you have just been hacked.
Be aware of your actions. Do not allow someone to dig through your trash. Do not allow someone to watch over your shoulder. Shred or burn important papers you decide to trash and do not leave anything for the wolves. Do not sit somewhere with your back facing an open crowd; do not do personal or private work on your laptop or phone, mobile device, or pad if you cannot safeguard it from being overseen.
When you are talking to someone on the phone, be aware of your audience. Could you be on conference? Could the phone be tapped? Can the room you’re in be bugged? Don’t believe it can happen? Hopefully, by reading this book and others like it, you can start to realize that yes it does happen and it happens often.
When opening e-mails or receiving texts, take the extra time to perform a second’s worth of due diligence. Check the entire e-mail header, review the domain name from which the e-mail was sent, and validate with a phone call to the originator, using a number from a trusted source (not from the e-mail itself), that this was in fact sent on purpose and is not a scam.
Do not openly trust. Since this is tough to do, it’s no question why this is one of the biggest attacks performed today and why it’s the most difficult to mitigate. As you can see, there are many ways to mitigate this form of attack, but it comes down to not trusting everything you see and hear, or everyone you do or do not know. It simply comes down to verifying and validating things and, if possible, ensuring that they are safe.
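The header review recommended above, and the lookalike-domain trick behind the phishing e-mails described earlier in this chapter, can be turned into a repeatable check. The following Python script is an added example and is not part of the chapter or of any tool it describes. It parses a raw message, checks that the From:, Return-Path:, Reply-To: and originating Received: domains agree, and flags any sender or link domain that is one edit or one digit-for-letter substitution away from a domain you trust. Both sample messages are constructed for this example; the homoglyph table and the “last two labels” rule for the registrable domain are simplifying assumptions rather than a public-suffix list.

```python
"""Header-consistency and lookalike-domain checks for phishing triage.

Added example (not from the chapter). Checks performed:
  1. the From:, Return-Path: and Reply-To: domains should agree;
  2. the originating Received: hop should belong to the From: domain;
  3. no sender or link domain should be a near-miss of a trusted domain.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed phishing-style sample: From: claims the trusted domain, but the
# envelope sender, Reply-To and the originating hop use a digit-for-letter
# lookalike ("examp1e" with a 1), and the link hides it behind a long subdomain.
PHISH_RAW = """\
Return-Path: <alerts@examp1e-bank.com>
Received: from mail.examp1e-bank.com (mail.examp1e-bank.com [203.0.113.10])
\tby mx.example.net with ESMTP; Tue, 01 Jan 2030 10:00:00 +0000
From: "Example Bank Alerts" <alerts@example-bank.com>
Reply-To: support@examp1e-bank.com
To: customer@example.net
Subject: Urgent: verify your account within 24 hours

Dear bank member, confirm your details at
https://example-bank.com.login.examp1e-bank.com/verify within 24 hours.
"""

# Constructed legitimate sample for comparison: every header agrees.
CLEAN_RAW = """\
Return-Path: <alerts@example-bank.com>
Received: from mail.example-bank.com (mail.example-bank.com [198.51.100.5])
\tby mx.example.net with ESMTP; Tue, 01 Jan 2030 10:00:00 +0000
From: "Example Bank Alerts" <alerts@example-bank.com>
To: customer@example.net
Subject: Your monthly statement is available

Your statement is ready at https://www.example-bank.com/statements
"""

# Common digit/letter substitutions seen in lookalike domains (assumed list).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def domain_of(header_value):
    """Lower-cased domain of an address header such as From: or Reply-To:."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def registrable(host):
    """Last two labels of a host name (assumption: no public-suffix handling)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a, b):
    """Edit distance; one edit away is the classic typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(candidate, trusted, max_distance=1):
    """True if candidate is not the trusted domain but is within max_distance
    edits of it, or equals it after folding homoglyph substitutions."""
    cand, trust = candidate.lower(), trusted.lower()
    if not cand or cand == trust:
        return False
    folded = cand
    for fake, real in HOMOGLYPHS.items():
        folded = folded.replace(fake, real)
    return folded == trust or levenshtein(cand, trust) <= max_distance


def triage(raw_message, trusted_domains):
    """Return a list of (check, detail) findings; an empty list means the
    headers and links are consistent and none resembles a trusted domain."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    from_dom = domain_of(msg.get("From"))
    for header in ("Return-Path", "Reply-To"):
        dom = domain_of(msg.get(header))
        if dom and dom != from_dom:
            findings.append((f"{header.lower()}-mismatch", f"{dom} != {from_dom}"))
    # The last Received: header is the hop closest to the real sender.
    received = msg.get_all("Received") or []
    if received:
        hop = re.search(r"\bfrom\s+([A-Za-z0-9.-]+)", str(received[-1]))
        if hop and registrable(hop.group(1)) != from_dom:
            findings.append(("received-mismatch", f"{hop.group(1)} != {from_dom}"))
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    link_domains = {registrable(h) for h in re.findall(r"https?://([A-Za-z0-9.-]+)", text)}
    seen = {from_dom, domain_of(msg.get("Return-Path")), domain_of(msg.get("Reply-To"))}
    for dom in sorted((seen | link_domains) - {""}):
        for trusted in trusted_domains:
            if is_lookalike(dom, trusted):
                findings.append(("lookalike", f"{dom} resembles {trusted}"))
    return findings


if __name__ == "__main__":
    for name, raw in (("phish", PHISH_RAW), ("clean", CLEAN_RAW)):
        print(name, triage(raw, ["example-bank.com"]))
```

Run against the constructed phishing sample, the script reports four findings (Return-Path, Reply-To and Received: mismatches plus the lookalike domain) and none for the clean sample. A mismatch alone is not proof of fraud, since mailing-list relays and outsourced senders legitimately produce them, which is why the chapter’s advice to confirm by phone through a trusted number still applies.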

Information Privacy

Now that we have learned about the many ways that an attacker can socially engineer a situation to gather information and ways to attempt to prevent it, we should briefly discuss the importance of information privacy. If you want something to remain safe, it’s best not to talk about it, record it, or write it down.
An old saying, “If you want to keep a secret, never tell anyone.”
This is incredibly difficult to do. There are things that we must simply record and write. Since the digital domain grows every day, it’s almost impossible to avoid recording it. You’re on video camera, your actions are logged, you work on a laptop for 8 hours a day … how do you keep your information private?
To keep your information private, you need to secure it the best way possible. Although this book does not go deep into the realm of encryption, it’s mentioned here so that you can further research it if needed. Today, there are literally dozens of encryption methods, algorithms, and security features that attempt to keep your transmissions, data, and privacy encrypted. As encryption grows in strength, so does the ability for hackers to crack it. For example, wireless communications were originally thought to be safe using wired equivalent privacy and it was thwarted. It led the way for Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access II (WPA2). What this means is although you believe encryption can save your privacy, it does not guarantee it.

Reverse Social Engineering

Are there times when you find yourself manipulated and want to counterattack? Should or shouldn’t you just try to get out of the situation? Reverse social engineering (RSE) is considered a counterattack to social engineering. As an example, let’s say someone called your place of business and had been asking questions, and you immediately knew you were being tricked. What if you played into it and fed false information back? What would happen if you countered the move by getting the authorities involved in real time and they conducted a trace of the phone call, manipulating the attacker to stay on the line to complete the trace?
For the sake of argument, we should disclose here that unless you are a trained professional, you should not counterattack. You do not know the stability of those you are dealing with and you do not want to antagonize them.

Legal and ethical concerns

There are many legal and ethical concerns revolving around social engineering attacks. For one, they are used to trick good people into divulging useful information to be used against them and/or the entities they work for. One of the most commonly known social engineering attacks took place in the 1990s and allowed Kevin Mitnick to perform an advanced persistent threat against a target.
WEDNESDAY, FEBRUARY 15, 1995 (202) 514-2008
TDD (202) 514-1888
FUGITIVE COMPUTER HACKER ARRESTED
IN NORTH CAROLINA
WASHINGTON, D.C. – FBI agents and the Raleigh-Durham Fugitive Task Force today arrested Kevin Mitnick, a well-known computer hacker and federal fugitive on charges he violated probation, the Department of Justice announced.
The arrest occurred at 1:30 a.m. after an intensive two-week electronic manhunt, which led law enforcement agents to Mitnick’s apartment in Raleigh, North Carolina.
Mitnick, 31, was convicted by federal authorities in 1988 in Los Angeles for stealing computer programs and breaking into corporate networks. He received a one-year sentence in that case, and a federal warrant was later issued following Mitnick’s violation of probation.
In this most recent incident, Mitnick is alleged to have electronically attacked numerous corporate and communications carriers located in California, Colorado, and North Carolina where he caused damage and stole proprietary information.
Mitnick’s capture represents a coordinated effort by law enforcement and private industry, including system administrators and security representatives from companies allegedly attacked by Mitnick. One of these sites, the San Diego Supercomputer Center (SDSC), and Tsutomu Shimomura, a Senior Fellow at SDSC, provided significant assistance to law enforcement personnel during the investigation.
Mitnick also is under investigation by state law enforcement authorities in California and Washington State for separate activities there.
As is typical in such interstate computer cases, many FBI offices, U.S. Attorneys’ offices, and other law enforcement agencies have coordinated their efforts. These offices include the FBI’s National Computer Crime Squad at the Washington Metropolitan Field Office, as well as FBI and U.S. Attorneys’ Offices in Raleigh and Greensboro, North Carolina; San Diego, Los Angeles and San Francisco, California; and Denver, Colorado.
Members of the Raleigh-Durham Task Force which made the arrest included the U.S. Marshals Service, the North Carolina State Bureau of Investigation, and the local sheriffs’ offices.
Legal and technical assistance is also being provided by the Criminal Division’s Computer Crime Unit in Washington, D.C.
Retrieved from:
As we learned, Mitnick was under investigation by state law enforcement and once caught, was held accountable for his acts. This opened the door for legal issues to be better understood by those practicing cyberlaw.

More Legal Issues

In the next example, we discuss the legal (and ethical) issues revolving around the world of spying, surveillance, reconnaissance, and cybercrime. In the case that we will review, we have a potential victim and an attacker disputing charges of cybercrime.
Although the Gioconda Law Group PLLC and Arthur Wesley Kenzie settled the dispute that had been pending before the New York federal district court, involving the misspelled domain name GIOCONDOLAW.COM, there is still a disagreement about the methods used where interception, social engineering, and cybersquatting were involved. In this case, other issues such as reconnaissance tactics, social engineering, and other attacks are mentioned and should be reviewed so that you are aware that these attacks can and will be held accountable in a court of law if you are found guilty.
Plaintiff Gioconda Law Group PLLC alleges cybersquatting, trademark infringement, unlawful interception and disclosure of electronic communications, and related state law claims against Defendant Arthur Wesley Kenzie. The Plaintiff filed a partial motion for judgment on the pleadings with respect to Defendant’s alleged violation of the Anti-cybersquatting Consumer Protection Act (ACPA).
As an information security researcher, Kenzie believes that he conferred numerous benefits on Plaintiff and on the public by drawing attention to a significant vulnerability. He noted there was no evidence that he gained economic profit from his actions, made any other commercial use of the infringing domain name (IDN), or attempted to sell the IDN back to the Plaintiff.
The reasons listed above are why the court cannot find that Arthur Wesley Kenzie acted in “bad faith intent to profit” (which is a prerequisite to an ACPA violation), therefore denying the motion for judgment on the pleadings of Gioconda Law Group PLLC.
UNITED STATES DISTRICT COURT
SOUTHERN DISTRICT OF NEW YORK
GIOCONDA LAW GROUP PLLC,
Plaintiff,
-against-
ARTHUR WESLEY KENZIE,
Defendant.
12 Civ. 4919 (JPO)
MEMORANDUM AND
ORDER
J. PAUL OETKEN, District Judge:
Plaintiff Gioconda Law Group PLLC alleges cybersquatting, trademark infringement, unlawful interception and disclosure of electronic communications, and related state law claims against Defendant Arthur Wesley Kenzie. Plaintiff has filed a partial motion for judgment on the pleadings with respect to Defendant’s alleged violation of the Anticybersquatting Consumer Protection Act (ACPA). For the reasons that follow, Plaintiff’s motion is denied.

I. Standard of Review

Federal Rule of Civil Procedure 12(c) provides that “[a]fter the pleadings are closed – but early enough not to delay trial – a party may move for judgment on the pleadings.” Under Rule 12(c), “a party is entitled to judgment on the pleadings only if it has established that no material issue of fact remains to be resolved and that [it] is entitled to judgment as a matter of law.” Bailey v. Pataki, No. 08 Civ. 8563, 2010 WL 234995, at *1 (S.D.N.Y. Jan. 19, 2010) (quotation marks and citations omitted). “The standard for granting a Rule 12(c) motion for judgment on the pleadings is identical to that of a Rule 12(b)(6) motion for failure to state a claim.” Patel v. Contemporary Classics of Beverly Hills, 259 F.3d 123, 126 (2d Cir. 2001) (citations omitted). “In both postures, the district court must accept all allegations in the [non-movant’s pleadings] as true and draw all inferences in the non-moving party’s favor.” Id. (citation omitted). As a leading treatise explains:

[A] Rule 12(c) motion is designed to provide a means of disposing of cases when the material facts are not in dispute between the parties and a judgment on the merits can be achieved by focusing on the content of the competing pleadings, exhibits thereto, matters incorporated by reference in the pleadings, whatever is central or integral to the claim for relief or defense, and any facts of which the district court will take judicial notice. The motion for a judgment on the pleadings only has utility when all material allegations of fact are admitted or not controverted in the pleadings and only questions of law remain to be decided by the district court.

5C Charles Alan Wright & Arthur R. Miller, et al., Federal Practice and Procedure, § 1367 (3d ed. 1998) (footnotes omitted); accord Juster Associates v. City of Rutland, Vt., 901 F.2d 266, 269 (2d Cir. 1990). Thus, “[i]n considering motions under Federal Rule 12(c), district courts frequently indicate that a party moving for a judgment on the pleadings impliedly admits the truth of its adversary’s allegations and the falsity of its own assertions that have been denied by that adversary.” Fed. Prac. & Proc. § 1370. Because “hasty or imprudent use of this summary procedure by the courts violates the policy in favor of ensuring to each litigant a full and fair hearing on the merits of his or her claim or defense,” federal courts are “unwilling to grant a motion under Rule 12(c) unless the movant clearly establishes that no material issue of fact remains to be resolved and that he is entitled to judgment as a matter of law.” Fed. Prac. & Proc. § 1368. In considering Rule 12(c) motions, district courts may take notice of “the facts alleged in the complaint, documents attached to the complaint as exhibits, and documents incorporated by reference in the complaint.” Piazza v. Florida Union Free Sch. Dist., 777 F. Supp. 2d 669, 677 (S.D.N.Y. 2011) (quotation marks and citations omitted).

II. Background

A. Facts Taken as True For Purposes of this Motion

Plaintiff is a professional limited liability company duly organized under the laws of the State of New York. It is engaged in the authorized practice of law with a particular focus on brand protection and intellectual property, and has focused significant energies in recent years on combating piracy and counterfeiting on the Internet. Defendant is a sophisticated computer programmer with multiple advanced degrees in computer programming, including a Bachelor of Technology Degree in Computer Systems from BCIT with majors in Network Security Administration and Network Security Development. His principal place of business is in Vancouver, British Columbia, Canada, and he identifies himself on LinkedIn as a “Cyber Security and Mobile App Developer.”
Plaintiff’s general allegation is that “[t]his case presents the Court with an identifiable Internet domain name cybersquatter and hacker who has intentionally intercepted e-mail traffic intended for the plaintiff, a New York law firm which focuses on anti-counterfeiting and brand protection litigation.” Defendant denies this particular allegation. Plaintiff alleges that “[d]omain name typosquatting is a well-known form of cybersquatting that is usually used to capture web traffic when an Internet user accidentally misspells a legitimate domain name in his web browser.” Defendant agrees that this description is “essentially correct,” though he emphasizes that the purpose of typosquatting can be either malevolent or benevolent.
Defendant registered GIOCONDOLAW.COM (“the Infringing Domain Name” or “IDN”) and explains that he did so “within the broader context of his responsible, good faith information security research into a significant e-mail vulnerability that is not currently well understood.” Defendant registered the IDN from third-party Internet Registrar GoDaddy, Inc. on January 19, 2012. When Plaintiff discovered Defendant’s conduct, it sent e-mails to the addresses [email protected] and [email protected]; it used a registered receipt e-mail system to conclude that both of these e-mail messages were received by active mailboxes capable of receiving misdirected messages. When he registered the IDN, Defendant used the Domains by Proxy domain privacy service, “but not for the alleged sole purpose of concealing his identity.” Defendant then intentionally redirected Internet web browser users to Plaintiff’s legitimate web site – the Gioconda Law Group PLLC Website – “but not for the alleged sole purpose of avoiding detection.” After Plaintiff contacted Defendant and informed him of the Complaint, Defendant replied, in part, as follows:

As for starting litigation against me, I am not clear what has caused you to assume that I would not be amenable to resolving your concerns and claims. My intentions with the domain name you are concerned about are transparent and above board, as they are part of my research into an email vulnerability that I have been studying since September 2011 and which I have been publicly discussing on my website. … I am doing nothing to cause any injury to your firm or any trademark rights you have, and would be glad to discuss those issues with you. … I have no objections to facilitating a transfer of the domain to you.

Defendant has also registered the following eight domain names: rnastercard.com, rndonalds.com, nevvscorp.com, rncafee.com, rnacvvorld.com, rnonster.com, pcvvorld.com, and qvvest.com. He admits that he directed that each of these Internet domain names redirect to the legitimate third parties’ websites, “but not for the alleged sole purpose of avoiding detection.”
Defendant was recently the subject of a Uniform Domain Name Resolution Policy (“UDRP”) proceeding in a Complaint brought by Complainant Lockheed Martin, for the Defendant’s similar registration of the confusingly similar Internet domain names LockheedMarton.com and LockheedMartun.com. The UDRP Panel concluded that “no one could provide unsolicited service or subject a third party to a research programme without its consent and by using typos variation of a protected trademark.” The Panel added that “[i]t is obvious that the Respondent intentionally created the possibility to receive the so-called ‘Black Hole’ correspondence of the Complainant. … the Respondent itself [] created the alleged vulnerability of the Complainant’s trademark, and his purpose was to offer services to the Complainant, looking for financial gain.”
On April 17, 2012, Plaintiff received from the U.S. Patent and Trademark Office a registration number, indicating federal registration of the Service Mark “Gioconda Law Group PLLC” in International Class 45 for “providing information in the field of intellectual property.”
Plaintiff’s First Claim for Relief invokes the ACPA and alleges that “[t]he Infringing Domain Name that the Defendant has registered is virtually identifiable to, and/or confusingly similar to the Gioconda Law Service Mark, which was distinctive at the time that the Defendant registered the Infringing Domain Name.” Defendant admits this allegation. Plaintiff further alleges that “[t]he Defendant registered and is using the Infringing Domain Name with bad-faith intent to profit from the Gioconda Law Service Mark,” that “[t]he Defendant has no bona fide noncommercial or fair use of the Gioconda Law Service Mark,” and that “on information and belief, the Defendant intends to divert consumers away from the Plaintiff for unlawful commercial gain, by creating a likelihood of confusion as to the source, sponsorship, affiliation or endorsement of the Infringing Domain Name, and related e-mail addresses.” Defendant expressly denies these allegations. Plaintiff adds, and Defendant denies, that Defendant’s “acts have caused and will continue to cause irreparable injury to the Plaintiff and to the public.”
In his Answer, Defendant asserts a number of “Defenses.” Many of these “Defenses” are not affirmative defenses in the technical sense of the term. Rather, they are statements of fact that deny specific allegations set forth in the Complaint (all of which are denied by Defendant in the responsive section of his Answer). Defendant also elaborates on the nature of his conduct. He states that his actions “have been only for good faith, non-commercial, legitimate purposes, solely for the Plaintiff’s benefit,” adding that “[t]here have been no actual damages suffered by the Plaintiff, nor any damages intended, and only good faith, non-commercial, legitimate purposes intended by the Defendant.” He explains that his good faith purposes “have been for information security research into an e-mail vulnerability the Defendant initially called the ‘Black Hole’ e-mail vulnerability. … there appears to be very little awareness of this vulnerability, which is the primary reason the Defendant was motivated to undertake this research.” Because “this vulnerability can be almost trivially exploited to covertly and passively undertake reconnaissance on a vulnerable organization,” it opens entities like Plaintiff to “social engineering attacks.” The benefit Defendant confers, in his view, is that he prevents a malevolent entity from exploiting this gap in e-mail security and informs companies about the need for protection by posting about how to defend against the vulnerability on his blog. 
Defendant states that if he does receive e-mails intended for an entity like Plaintiff, he “ensure[s] that the contents of vulnerable e-mails [are] never read or disclosed to third parties.” He adds that he has “arranged for vulnerable domain names to be transferred to subject organizations so that they could take their own responsibility for protecting themselves.” Defendant states that he concealed his activities so that other members of the public would not learn which companies are vulnerable and then target those entities.
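The “Black Hole” problem the opinion describes is mechanical: a look-alike domain with a catch-all mailbox silently receives every e-mail whose sender mistyped the real domain, which is passive reconnaissance at almost no cost. The defensive counterpart is to enumerate the look-alikes of your own domain before someone else does and see which already accept mail. The following script is an added example written for this chapter; it is not code from the court record or from Kenzie’s research. It generates the kinds of variants seen in the opinion (the rn/m and vv/w glyph confusions behind rnastercard.com and nevvscorp.com, one-letter substitutions such as GIOCONDOLAW.COM and LockheedMarton.com, dropped and transposed letters) and checks each for a mail exchanger. The real firm domain giocondalaw.com is assumed from the mark, and the DNS answers used in the demo are a constructed table so the script runs offline; the live `has_mx` path needs the third-party dnspython package.

```python
"""Enumerate look-alike domains that could swallow misdirected e-mail.

Added example for this chapter, not from the opinion or the book.
Assumptions: the real domain is giocondalaw.com (inferred from the mark),
and CONSTRUCTED_DNS below stands in for real DNS answers.
"""
import string
from typing import Callable, Iterable

# Glyph pairs that read as one letter in most fonts, as used in the eight
# domains the opinion lists (rnastercard.com, nevvscorp.com, pcvvorld.com).
HOMOGLYPH_PAIRS = {"m": "rn", "w": "vv"}


def typo_variants(label: str) -> set[str]:
    """Return candidate misspellings of one DNS label (no dots)."""
    label = label.lower()
    out: set[str] = set()
    # 1. Homoglyph expansion: mastercard -> rnastercard, newscorp -> nevvscorp.
    for glyph, pair in HOMOGLYPH_PAIRS.items():
        if glyph in label:
            out.add(label.replace(glyph, pair))
            # Also expand only the first occurrence, e.g. macworld -> rnacworld.
            out.add(label.replace(glyph, pair, 1))
    # 2. Omission of a single character.
    for i in range(len(label)):
        out.add(label[:i] + label[i + 1:])
    # 3. Transposition of two adjacent characters.
    for i in range(len(label) - 1):
        out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    # 4. Single-letter substitution: giocondalaw -> giocondolaw,
    #    lockheedmartin -> lockheedmarton / lockheedmartun.
    for i, ch in enumerate(label):
        for c in string.ascii_lowercase:
            if c != ch:
                out.add(label[:i] + c + label[i + 1:])
    out.discard(label)
    # Drop anything that is not a valid hostname label.
    return {v for v in out if v and v[0] != "-" and v[-1] != "-"}


def candidate_domains(domain: str) -> set[str]:
    """Apply typo_variants to the leftmost label, keeping the suffix."""
    label, _, suffix = domain.lower().partition(".")
    return {f"{v}.{suffix}" for v in typo_variants(label)}


def has_mx(domain: str) -> bool:
    """Live check: does the name publish an MX record, or an A record that
    SMTP would fall back to? Requires dnspython (pip install dnspython).
    Only called when no lookup table is supplied."""
    import dns.resolver  # third-party; imported lazily so the offline demo needs nothing
    for rtype in ("MX", "A"):
        try:
            dns.resolver.resolve(domain, rtype)
            return True
        except Exception:  # NXDOMAIN, NoAnswer, timeout: treat as "no mail here"
            continue
    return False


def live_lookalikes(domain: str, lookup: Callable[[str], bool] = has_mx) -> list[str]:
    """Return the sorted look-alikes of `domain` that accept mail per `lookup`."""
    return sorted(d for d in candidate_domains(domain) if lookup(d))


# Constructed stand-in for DNS: names we pretend already resolve. The first
# three are taken from the opinion; nothing here was looked up live.
CONSTRUCTED_DNS = {"giocondolaw.com", "rnastercard.com", "nevvscorp.com"}


def demo(domains: Iterable[str] = ("giocondalaw.com", "mastercard.com", "newscorp.com")) -> dict[str, list[str]]:
    """Run the offline check for each domain and return {domain: [live look-alikes]}."""
    return {d: live_lookalikes(d, lookup=CONSTRUCTED_DNS.__contains__) for d in domains}


if __name__ == "__main__":
    for real, hits in demo().items():
        print(f"{real}: {len(candidate_domains(real))} candidates, live: {hits}")
```

Against real DNS, replace the constructed table with the default `has_mx` lookup (`live_lookalikes("example.com")`). Any hit that is not yours is a domain where your staff’s mistyped mail is already being delivered to someone else; the remedy the opinion itself records is to register the vulnerable names under your own control.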

III. Discussion

A. Legal Standard

“To successfully assert a claim under the ACPA, a plaintiff must demonstrate that (1) its marks were distinctive at the time the domain name was registered; (2) the infringing domain names complained of are identical to or confusingly similar to plaintiff’s mark; and (3) the infringer has a bad faith intent to profit from that mark.” Webadviso v. Bank of Am. Corp., 448 F. App’x 95, 97 (2d Cir. 2011) (citing 15 U.S.C. § 1125(d)(1)(a)). Because Defendant expressly admits Plaintiff’s allegation that the IDN registered by Defendant “is virtually identical to, and/or confusingly similar to the Gioconda Law Service Mark, which was distinctive at the time that the Defendant registered the Infringing Domain Name,” the only issue is whether Defendant acted with “bad faith intent to profit from that mark.” 15 U.S.C. § 1125(d)(1)(A)(i). At this stage in the case, accepting as true only facts admitted by Defendant in the pleadings, a determination of “bad faith intent to profit” raises important questions about the ACPA’s scope. An overview of the statute’s purpose and the doctrine designed to implement it reveals the potential difficulties of applying traditional bad faith analysis to a case like this one.

1. The ACPA

“Cybersquatting involves the registration as domain names of well-known trademarks by non-trademark holders who then try to sell the names back to the trademark owners. Since domain name registrars do not check to see whether a domain name request is related to existing trademarks, it has been simple and inexpensive for any person to register as domain names the marks of established companies. This prevents use of the domain name by the mark owners, who not infrequently have been willing to pay ‘ransom’ in order to get ‘their names’ back.” Sporty’s Farm L.L.C. v. Sportsman’s Mkt., Inc., 202 F.3d 489, 493 (2d Cir. 2000). In other words, “[c]ybersquatting is the Internet version of a land grab. Cybersquatters register well-known brand names as Internet domain names in order to force the rightful owners of the marks to pay for the right to engage in electronic commerce under their own name.” Interstellar Starship Services, Ltd. v. Epix, Inc., 304 F.3d 936, 946 (9th Cir. 2002). This practice “is considered wrong because a person can reap windfall profits by laying claim to a domain name that he has no legitimate interest in or relationship to.” Harrods Ltd. v. Sixty Internet Domain Names, 302 F.3d 214, 238 (4th Cir. 2002).
Alarmed by a rising wave of cybersquatting in the 1990s, and concerned by the apparent inadequacy of preexisting laws, Congress enacted the ACPA in 1999. This law was passed “to protect consumers and holders of distinctive trademarks from ‘cybersquatting.’” Webadviso, 448 F. App’x at 97 (quoting Sporty’s Farm, 202 F.3d at 493). As the Senate Judiciary Committee explained, the ACPA was designed to “protect consumers and American businesses, to promote the growth of online commerce, and to provide clarity in the law for trademark owners by prohibiting the bad-faith and abusive registration of distinctive marks as Internet domain names with the intent to profit from the goodwill associated with such marks… .” S. Rep. No. 106-140, at 4 (1999); see also id. at 9 (noting that the law aims squarely at “intent to trade on the goodwill of another’s mark”).

2. The ACPA’s Requirement of “Bad Faith Intent to Profit”

A key element of any ACPA violation is “bad faith intent to profit.” See Interstellar Starship Services, 304 F.3d at 946 (“A finding of ‘bad faith’ is an essential prerequisite to finding an ACPA violation.”). The Second Circuit has “expressly note[d] that ‘bad faith intent to profit’ are terms of art in the ACPA and hence should not necessarily be equated with ‘bad faith’ in other contexts.” Sporty’s Farm, 202 F.3d at 499 n.13. To that end, the ACPA enumerates nine factors relevant to the bad faith inquiry:
(I) the trademark or other intellectual property rights of the person, if any, in the domain name;
(II) the extent to which the domain name consists of the legal name of the person or a name that is otherwise commonly used to identify that person;
(III) the person’s prior use, if any, of the domain name in connection with the bona fide offering of any goods or services;
(IV) the person’s bona fide noncommercial or fair use of the mark in a site accessible under the domain name;
(V) the person’s intent to divert consumers from the mark owner’s online location to a site accessible under the domain name that could harm the goodwill represented by the mark, either for commercial gain or with the intent to tarnish or disparage the mark, by creating a likelihood of confusion as to the source, sponsorship, affiliation, or endorsement of the site;
(VI) the person’s offer to transfer, sell, or otherwise assign the domain name to the mark owner or any third party for financial gain without having used, or having an intent to use, the domain name in the bona fide offering of any goods or services, or the person’s prior conduct indicating a pattern of such conduct;
(VII) the person’s provision of material and misleading false contact information when applying for the registration of the domain name, the person’s intentional failure to maintain accurate contact information, or the person’s prior conduct indicating a pattern of such conduct;
(VIII) the person’s registration or acquisition of multiple domain names which the person knows are identical or confusingly similar to marks of others that are distinctive at the time of registration of such domain names, or dilutive of famous marks of others that are famous at the time of registration of such domain names, without regard to the goods or services of the parties; and
(IX) the extent to which the mark incorporated in the person’s domain name registration is or is not distinctive and famous within the meaning of subsection (c) of this section.
15 U.S.C. § 1125(d)(1)(B)(i). A leading treatise on the law of trademarks notes that “[t]he first four factors suggest circumstances tending to indicate an absence of bad faith intent to profit from the goodwill of the mark, the next four tend to indicate that such bad faith does exist and the last factor points in either direction, depending on the degree of distinctiveness and fame of the mark.” 4 McCarthy on Trademarks and Unfair Competition § 25:78 (4th ed.).

3. The Scope of “Bad Faith Intent to Profit”

Because the ACPA has the potential to encompass a broad array of online conduct, courts are “reluctant to interpret the ACPA’s liability provisions in an overly aggressive manner.” Virtual Works, Inc. v. Volkswagen of Am., Inc., 238 F.3d 264, 270 (4th Cir. 2001); see also id. (“The ACPA was not enacted to put an end to the sale of all domain names.”). This is particularly true of the bad faith intent to profit requirement.
Courts have struggled to define the boundaries of “bad faith intent to profit” because the ACPA expressly allows consideration of factors beyond the nine enumerated indicia. See 15 U.S.C. § 1125(d)(1)(B)(i) (noting that courts “may consider factors such as, but not limited to” the nine enumerated indicia). Courts have taken that grant of discretion to heart. See Sporty’s Farm, 202 F.3d at 498 (“[W]e are not limited to considering just the listed factors when making our determination of whether the statutory criterion has been met. The factors are, instead, expressly described as indicia that ‘may’ be considered along with other facts.”). As the Fourth Circuit has explained, “[w]e need not… march through the nine factors seriatim because the ACPA itself notes that use of the listed criteria is permissive.” Virtual Works, 238 F.3d at 269.
Thus, a number of courts – including the Second Circuit – have departed from strict adherence to the statutory indicia and relied expressly on a more case-specific approach to bad faith. See Sporty’s Farm, 202 F.3d at 499 (“The most important grounds for our holding that Sporty’s Farm acted with a bad faith intent… are the unique circumstances of this case, which do not fit neatly into the specific factors enumerated by Congress but may nevertheless be considered under the statute.” (emphasis added)); see also Interstellar Starship Services, 304 F.3d at 946-47. As part of that analysis, courts look to a defendant’s whole course of conduct, including conduct during ACPA litigation. See, e.g., Storey v. Cello Holdings, L.L.C., 347 F.3d 370, 385 (2d Cir. 2003) (“Congress intended the cybersquatting statute to make rights to a domain-name registration contingent on ongoing conduct rather than to make them fixed at the time of registration.”).
This “unique circumstances” approach to the bad faith inquiry is logical and in accord with the plain language of the ACPA. See Sporty’s Farm, 202 F.3d at 499. It allows courts to secure the ACPA’s core purpose even where a defendant has sidestepped the nine indicia. See Newport News Holdings Corp. v. Virtual City Vision, Inc., 650 F.3d 423, 436 (4th Cir. 2011) cert. denied, 132 S. Ct. 575 (2011) (refusing to apply a “formalistic approach” to application of the enumerated factors and noting that doing so could “undermine the purpose of the ACPA, which seeks to prevent the bad-faith and abusive registration of distinctive marks as Internet domain names with the intent to profit from the goodwill associated with such marks” (quotation marks and citations omitted)). But this “unique circumstances” analysis must be undertaken with caution. As the House Report explained with respect to the nine indicia, “[t]hese factors are designed to balance the property interests of trademark owners with the legitimate interests of Internet users and others who seek to make lawful uses of others’ marks, including for purposes such as comparative advertising, comment, criticism, parody, news reporting, fair use, etc.” Quoted in 2 Federal Unfair Competition: Lanham Act 43(a) Appendix H. Given that the ACPA reflects a careful assessment of the dangers presented by unduly broad application of the ACPA’s liability provisions, courts are well served to tread carefully in identifying additional “unique circumstances” that reveal bad faith intent to profit.
That inquiry must be guided by an assessment of how close a defendant’s conduct falls to the ACPA’s heartland. The clearest case for a finding of bad faith intent to profit typically arises when a defendant “register[s] a domain name of an established entity in bad faith” and then “offer[s] to sell the domain name to the entity at an exorbitant price.” Target Adver., Inc. v. Miller, No. 01 Civ. 7614, 2002 WL 999280, at *10 (S.D.N.Y. May 15, 2002); see also TCPIP Holding, 2004 WL 1620950, at *5 (finding bad faith intent to profit where a defendant “submitted no less than three offers to sell back various packages of domain names (the vast majority of which [he] acquired after he received Plaintiff’s cease and desist letter) for exorbitant demands of approximately half a million dollars”). Thus, courts have identified two “quintessential example[s]” of bad faith: where a defendant “purchases a domain name very similar to the trademark and then offers to sell the name to the trademark owner at an extortionate price,” and where a defendant “intend[s] to profit by diverting customers from the website of the trademark owner to the defendant’s own website, where those consumers would purchase the defendant’s products or services instead of the trademark owner’s.” Utah Lighthouse Ministry v. Found. for Apologetic Info. & Research, 527 F.3d 1045, 1058 (10th Cir. 2008); see also Ford Motor Co. v. Catalanotte, 342 F.3d 543, 549 (6th Cir. 2003) (“Registering a famous trademark as a domain name and then offering it for sale to the trademark owner is exactly the wrong Congress intended to remedy when it passed the ACPA.”). In those situations, the case for bad faith is at its peak.
In cases that vary too much from the specific evil contemplated by the ACPA, however, some courts have looked skeptically at claims of bad faith. On occasion, they have even refused to find an ACPA violation. As the Sixth Circuit noted in a 2004 decision:

The paradigmatic harm that the ACPA was enacted to eradicate – the practice of cybersquatters registering several hundred domain names in an effort to sell them to the legitimate owners of the mark – is simply not present in any of [Defendant’s] actions. In its report on the ACPA, the Senate Judiciary Committee distilled the crucial elements of bad faith to mean an “intent to trade on the goodwill of another’s mark.” S.Rep. No. 106-140, at 9. See also Ford Motor Co. v. Catalanotte, 342 F.3d 543, 549 (6th Cir. 2003) (“Registering a famous trademark as a domain name and then offering it for sale to the trademark owner is exactly the wrong Congress intended to remedy when it passed the ACPA.”). There is no evidence that this was [Defendant’s] intention when she registered the Lucas Nursery domain name and created her web site. It would therefore stretch the ACPA beyond the letter of the law and Congress’s intention to declare anything to the contrary.

Lucas Nursery & Landscaping, Inc. v. Grosse, 359 F.3d 806, 810 (6th Cir. 2004). One year later, the Fifth Circuit adopted a similar approach while assessing an ACPA claim aimed at a site designed to “inform potential customers about a negative experience with [a] company.” TMI, Inc. v. Maxwell, 368 F.3d 433, 439 (5th Cir. 2004). That court examined the nine statutory indicia of bad faith, then added that “we particularly note that Maxwell’s conduct is not the kind of harm that ACPA was designed to prevent.” Id. at 440; see also id. (noting the absence of bad faith after “analyzing the statutory factors and ACPA’s purpose”).
The Eleventh Circuit joined this line of precedent in 2009. Emphasizing that “‘bad faith’ is not enough” and that “[a] defendant is liable only where a plaintiff can establish that the defendant had a ‘bad faith intent to profit,’” the Eleventh Circuit saw no bad faith intent to profit under the ACPA where a plaintiff accused the defendant “not of a design to sell a domain name for profit but of a refusal to sell one.” S. Grouts & Mortars, Inc. v. 3M Co., 575 F.3d 1235, 1246-47 (11th Cir. 2009) (citations omitted) (emphasis in original). It added that:

The Senate Report accompanying the Anticybersquatting Consumer Protection Act bolsters our understanding that a “bad faith intent to profit” is the essence of the wrong that the Act seeks to combat. That report defines cybersquatters as those who: (1) register well-known brand names as Internet domain names in order to extract payment from the rightful owners of the marks; (2) register well-known marks as domain names and warehouse those marks with the hope of selling them to the highest bidder; (3) register well-known marks to prey on consumer confusion by misusing the domain name to divert customers from the mark owner’s site to the cybersquatter’s own site; (4) target distinctive marks to defraud consumers, including to engage in counterfeiting activities. The report says nothing about those who hold onto a domain name to prevent a competitor from using it.

Id. at 1246 (quotation marks and citations omitted) (emphasis in original).
Although cases arising from attempts to suppress consumer commentary sites have afforded many of the occasions for courts to warn against over-broad application of the ACPA’s bad faith inquiry, see Lamparello v. Falwell, 420 F.3d 309, 320 (4th Cir. 2005); Mayflower Transit, L.L.C. v. Prince, 314 F. Supp. 2d 362, 370-71 (D.N.J. 2004), the core insight of these rulings remains generally applicable in other ACPA contexts, see Lewittes v. Cohen, No. 03 Civ. 189, 2004 WL 1171261, at *8 (S.D.N.Y. May 26, 2004) (“[O]n the whole, the allegations set forth in the Complaint do not even remotely suggest that defendants perpetrated the core activities that threaten to result in the paradigmatic harm that the ACPA was enacted to eradicate.” (quotation marks and citations omitted)).
Of course, this logic does not entail the conclusion that an extortionate demand, or use of the improperly registered domain name in commerce, is always necessary to a violation of the ACPA, which sets out a more expansive list of indicia that may support a finding of bad faith intent to profit. See, e.g., Bosley Med. Inst., Inc. v. Kremer, 403 F.3d 672, 681 (9th Cir. 2005) (“[O]ne of the nine factors listed in the statute that courts must consider is the registrant’s “bona fide noncommercial or fair use of the mark in a site accessible under the domain name.” This factor would be meaningless if the statute exempted all noncommercial uses of a trademark within a domain name. We try to avoid, where possible, an interpretation of a statute that renders any part of it superfluous and does not give effect to all of the words used by Congress.” (quotation marks and citations omitted)); Hamptons Locations, Inc. v. Rubens, 640 F. Supp. 2d 208, 221 (E.D.N.Y. 2009) (“[A] review of the case law from other jurisdictions indicates that the prevailing view is that the ACPA does not require a plaintiff to demonstrate defendant’s use in commerce.”). Rather, these cases caution that where extortionate demands and use in commerce are absent, and the other indicia do not point toward bad faith, courts must step carefully in relying on a more general bad faith inquiry to conclude that a defendant violated the ACPA.

B. Application

The only issue at this stage in the litigation is whether, on the pleadings and materials of which the Court may take notice, Plaintiff can prove enough facts to show that Defendant acted with “bad faith intent to profit” as that term is defined by the ACPA. Where Defendant has not admitted a fact and Plaintiff has not proven it through other means, the Court reads the absence of that information in the light most favorable to Defendant. In other words, for purposes of this motion for judgment on the pleadings, the Court will not assume that facts favor Plaintiff where there is simply no undisputed evidence about those facts based on the pleadings.
This analysis begins with the nine indicia of “bad faith intent to profit” enumerated in the statute. See 15 U.S.C. § 1125(d)(1)(B)(i). There is no evidence either way concerning Defendant’s rights in the domain name (Factor I), whether the domain name consists of a name that is commonly used to identify Defendant (Factor II), Defendant’s prior use of the domain name in connection with the bona fide offering of any goods or services (Factor III), Defendant’s bona fide noncommercial or fair use of the mark in a site accessible under the domain name (Factor IV), and Defendant’s provision of true contact information (Factor VII). The absence of any admitted facts in the pleadings regarding five of the nine indicia strongly augurs at this preliminary stage against a finding of bad faith intent to profit.
Factor V fits the facts awkwardly. On the one hand, Defendant did intend to demonstrate his ability to lure consumers away from Plaintiff’s site and e-mail system, thereby exposing a potential vulnerability in Plaintiff’s online presence. On the other hand, there is no evidence that Defendant did so in a manner that could harm the goodwill represented by Plaintiff’s mark or otherwise damage the mark. To the contrary, anybody who visited the site maintained by Defendant would be immediately redirected to Plaintiff’s site. It is possible that the diversion of e-mails from Plaintiff to Defendant has caused problems of a sort that would trigger the application of Factor V, particularly if Defendant replied to those e-mails in a manner that could have damaged Plaintiff’s mark, but at this stage in the case there are not enough facts for the Court to conclude that Factor V indicates bad faith intent to profit.
Factor VI cuts against a finding of bad faith intent to profit, at least for purposes of this Rule 12(c) motion. Although it appears that Defendant has not, and does not intend to, use the IDN in the bona fide offering of any goods or services, there is no evidence in the pleadings that Defendant has offered to sell the disputed IDN to a third party. Nor is there evidence that he has attempted to sell it to Plaintiff, the mark owner. Rather, in his e-mail to Plaintiff, Defendant said that “I am doing nothing to cause any injury to your firm or any trademark rights you have, and would be glad to discuss those issues with you… I have no objections to facilitating a transfer of the domain to you.” The Court’s analysis of this factor might look different on a summary judgment record, depending on the evidence presented, but at this stage in the litigation it cuts in Defendant’s favor.
Factors VIII and IX support a finding of bad faith. Defendant admits that he has acquired at least eight other domain names with an intent similar to that which motivated his acquisition of the IDN. He also admits that Plaintiff’s mark is famous and distinctive. Reviewing the factors set forth in the ACPA, the Court concludes that only two of the nine weigh in favor of a finding of bad faith intent to profit. That is not enough. Accordingly, Plaintiff can prevail on this motion for judgment on the pleadings only if a more general assessment of the “unique circumstances” of this case demands a finding of bad faith. See Sporty’s Farm, 202 F.3d at 499. That inquiry is guided by the analysis set forth above, which concluded that courts stand on firmer ground when they use “unique circumstances” analysis to enforce the core purpose of the ACPA, and that courts are more skeptical of such reasoning when a defendant’s conduct falls outside the heartland of conduct contemplated by Congress in promulgating the ACPA.
Defendant alleges that his conduct is part of a security-focused research agenda into a vulnerability in e-mail systems of the sort used by Plaintiff. He states that he undertook this activity for good faith, noncommercial reasons, and that he has arranged for domain names and e-mails to be transferred back to other entities situated similarly to Plaintiff.10 As an information security researcher, he believes that he is conferring numerous benefits on Plaintiff and on the public by drawing attention to a significant vulnerability. He notes that there is no evidence that he has gained economic profit from his actions, made any other commercial use of the IDN, or attempted to sell the IDN back to Plaintiff. Although a UDRP panel has condemned his behavior, it does not follow that Defendant’s conduct therefore runs afoul of the ACPA.
The ACPA is designed principally for cases where a defendant either forces a markholder to purchase a domain name at an extortionate price or diverts customers from the markholder’s website to the defendant’s own website. See Utah Lighthouse, 527 F.3d at 1058. On the factual record that the Court must adopt for purposes of a Rule 12(c) motion, this case is not within those “core” ACPA scenarios. Defendant’s alleged ideological, scholarly, and personal motives for squatting on the IDN, while perhaps idiosyncratic, do not fall within the sphere of conduct targeted by the ACPA’s bad faith requirement. If anything, given that Defendant aims both to influence Plaintiff’s behavior and shape public understanding of what he perceives to be an important vulnerability in cyber security systems, this case arguably falls closer to cases involving parody and consumer complaint sites designed to draw public attention to various social, political, or economic issues. Cf. Lamparello, 420 F.3d at 320; TMI, 368 F.3d at 439.
The ACPA is not an all-purpose tool designed to allow the holders of distinctive marks the opportunity to acquire any domain name confusingly similar to their marks. See Schmidheiny v. Weber, 319 F.3d 581, 582 (3d Cir. 2003) (“The purpose of the [ACPA] is to curtail one form of cybersquatting – the act of registering someone else’s name as a domain name for the purpose of demanding remuneration from the person in exchange for the domain name.” (quotation marks and citations omitted) (emphasis added)). The requirement of bad faith intent to profit imposes an important limit that cabins the statute’s scope and ensures that the ACPA targets only the specific evils that Congress sought to prevent. This third element thus leaves untouched conduct that might annoy or frustrate mark holders, but that Congress shielded from liability by enumerating indicia of the sort of bad faith it had in mind. See, e.g., S. Grouts & Mortars, 575 F.3d at 1246-47; TMI, 368 F.3d at 439; Lewittes, 2004 WL 1171261, at *8. Thus, on the facts taken as true for purposes of this motion, the Court cannot find that Defendant acted with the “bad faith intent to profit” prerequisite to an ACPA violation.

IV. Conclusion

For the foregoing reasons, Plaintiff’s motion for judgment on the pleadings is DENIED. The Clerk of Court is directed to close the motion at Dkt. No. 26.
SO ORDERED.
Dated: New York, New York
April 23, 2012
Retrieved from:
As we have learned from this case, a court of law will review the specifics of the attack and make decisions based on the facts and evidence. In this case, we can also see that some attacks lead to others, depending on the target and what is to be gained. Remember, all crimes have the potential to leave a trace, and these digital breadcrumbs can be used as evidence in a court of law.

1 This background reflects application of the Rule 12(c) standard of review to the pleadings.

2 This text is taken from Pl. Ex. 3, the authenticity of which is acknowledged in Defendant’s Answer at 12.

3 Plaintiff alleges, though Defendant denies, that these domain names are meant to mimic, respectively, mastercard.com, mcdonalds.com, newscorp.com, mcafee.com, macworld.com, monster.com, pcworld.com, and qwest.com.

4 This opinion is incorporated by reference in the Complaint and, in any event, would be a proper subject of judicial notice under Federal Rule of Evidence 201.

5 In the “Defenses” section of his Answer, Defendant critiques the UDRP, invokes Professor Orin Kerr’s scholarship on the Wiretap Act to illuminate the nature of his security research agenda, raises a number of defenses and arguments applicable to Plaintiff’s unlawful interception and disclosure of electronic communications claim, and critiques American privacy law. He also raises a Rule 11 “defense” and a “defense” based on the New York Rules of Professional Conduct, which the Court interprets as motions for sanctions and denies as meritless.

6 Because these allegations are admitted in the Answer, the Court does not conduct an independent examination of whether they would withstand more careful scrutiny. It is settled, however, that registrations with the U.S. Patent Trademark Office can support a finding that a mark is distinctive and famous. See TCPIP Holding Co. v. Haar Communications Inc., No. 99 Civ. 1825, 2004 WL 1620950, at *5 (S.D.N.Y. July 19, 2004). By the same token, registration of domain names that constitute slight variations of a registered mark, including domain names that differ by one or two characters, often satisfies the requirement of confusing similarity. See, e.g., Sporty’s Farm L.L.C. v. Sportsman’s Mkt., Inc., 202 F.3d 489, 497-98 (2d Cir. 2000); TCPIP Holding, 2004 WL 1620950, at *5; Spear, Leeds, & Kellogg v. Rosado, 122 F. Supp. 2d 403, 406 (S.D.N.Y. 2000) aff’d sub nom. Spear, Leeds & Kellogg v. Rosado, 242 F.3d 368 (2d Cir. 2000). Indeed, courts have expressly held that the ACPA covers typosquatting. See, e.g., S. Co. v. Dauben Inc., 324 F. App’x 309, 312 n.2 (5th Cir. 2009); Green v. Fornario, 486 F.3d 100, 103 n.5 (3d Cir. 2007); Shields v. Zuccarini, 254 F.3d 476, 483 (3d Cir. 2001) (“Zuccarini argues that registering domain names that are intentional misspellings of distinctive or famous names (or ‘typosquatting,’ his term for this kind of conduct) is not actionable under the ACPA… . This argument ignores the plain language of the statute and its stated purpose....”); Verizon California Inc. v. Navigation Catalyst Sys., Inc., 568 F. Supp. 2d 1088, 1094 (C.D. Cal. 2008).

7 This point also extends to some of the indicia of bad faith, which are just that: indicia. See, e.g., 4 McCarthy on Trademarks and Unfair Competition § 25:78 (4th ed.) (“[C]aution must be exercised, for the mere registration of multiple domain names for resale does not per se mark one as a cybersquatter. One may be in a justifiable business of reserving many domain names. For example, in one case defendant legitimately registered thousands of domain names for resale as ‘vanity’ e-mail addresses which consisted of common surnames, names of hobbies, careers, pets, sports interests, and music. The fact that some of these resembled prominent trademarks did not make defendant a cybersquatter.” (footnote omitted)).

8 The ACPA expressly creates another safe haven from unduly broad application of the bad faith inquiry by providing that “[b]ad faith intent… shall not be found in any case in which the court determines that the person believed and had reasonable grounds to believe that the use of the domain name was a fair use or otherwise lawful.” 15 U.S.C. § 1125(d)(1)(B)(ii).

9 For example, Defendant denies in his Answer that a proposed transfer of the IDN to Plaintiff contemplates any payment by Plaintiff, a fact taken as true for purposes of this motion.

10 Defendant does not explain why he has not yet transferred the IDN to Plaintiff. That bare omission, however, does not suffice to justify a finding of commercial intent or extortionate demands.
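Footnote 6 of the opinion notes that domain names differing from a registered mark by one or two characters usually satisfy the "confusing similarity" element, and footnote 3 lists the brands whose domains were allegedly mimicked. The following is an added example, not code from the book or from the court record, showing how a defender's brand-protection monitor can apply that same "one or two characters" rule with an edit-distance check. The protected list is taken from footnote 3; the candidate registrations, the `lookalikes` function and the distance threshold of 2 are assumptions constructed for the illustration.

```python
"""Flag newly observed domain names whose registrable label sits within a small
edit distance of a protected brand's label (the typosquatting pattern of
"one or two characters" difference).

Added illustration for brand-protection monitoring; not code from the book or
from the court opinion it quotes. PROTECTED is the brand list from footnote 3;
CANDIDATES is constructed sample input.
"""

PROTECTED = [
    "mastercard.com", "mcdonalds.com", "newscorp.com", "mcafee.com",
    "macworld.com", "monster.com", "pcworld.com", "qwest.com",
]

# Constructed sample of "newly registered" domains to screen (not real registrations).
CANDIDATES = [
    "mastercad.com",   # one deletion
    "mcdonaldz.com",   # one substitution
    "newscorp.com",    # the brand's own domain: must not be flagged
    "pc-world.com",    # one insertion
    "example.org",     # unrelated
    "monsters.net",    # one insertion, different TLD
]


def registrable_label(domain: str) -> str:
    """Return the second-level label, lower-cased: 'mastercard' for 'www.Mastercard.com'."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def levenshtein(a: str, b: str) -> int:
    """Dynamic-programming edit distance; insert, delete and substitute each cost 1."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute (or match)
        prev = cur
    return prev[-1]


def lookalikes(candidates, protected=PROTECTED, max_distance=2):
    """Return (candidate, brand_domain, distance) for every candidate whose label is
    within max_distance edits of a protected brand label. A candidate that is
    exactly the brand's own domain is skipped: it is the legitimate registration."""
    brand_labels = {registrable_label(d): d for d in protected}
    hits = []
    for cand in candidates:
        label = registrable_label(cand)
        for blabel, bdomain in brand_labels.items():
            if cand.lower() == bdomain:
                continue
            d = levenshtein(label, blabel)
            if d <= max_distance:
                hits.append((cand, bdomain, d))
    return hits


if __name__ == "__main__":
    for cand, brand, d in lookalikes(CANDIDATES):
        print(f"{cand:16} resembles {brand:16} (distance {d})")
```

Exact matches of the brand's own domain are skipped so that the monitor reports only third-party registrations; in practice the candidate list would come from a zone-file or certificate-transparency feed, and each hit would be triaged by a person before any takedown or legal step.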

Summary

As we have learned, social engineering is used to trick or fool a trusted party into providing information in order to get around the security controls that are in place to protect data, privacy, and so on. Social engineering can be used to trick an individual into divulging information about information systems, networks, or other operational details that may contribute to the reconnaissance phase of a cyberwarfare attack. It can be used to influence an individual to bypass physical security controls, granting an attacker access to a physical facility where he or she might undertake offensive cyberwarfare operations. It can also be used to convince an individual to disable electronic security controls, such as bypassing a firewall or allowing a Virtual Private Network (VPN) connection from an unauthorized source.
Tricking an insider into installing software on a computer within the organization's protected network can secretly create a back door that allows the attacker to gain access to the network.
These types of threats often leverage social engineering as part of a comprehensive attack on an organization or a person. Attackers may use these techniques to perform intelligence gathering, influence user behavior to facilitate an attack, or cover their tracks after an attack takes place.