Case number | CAC-ADREU-008620 |
---|---|
Time of filing | 2024-06-02 19:47:39 |
Domain names | pretlx.eu |
Case administrator
Olga Dvořáková (Case admin) |
---|
Complainant
Organization | Martin Gross (rami.io GmbH) |
---|
Respondent
Name | Julien Lerouge |
---|
The Panel is not aware of any other pending or decided legal proceedings which relate to the disputed domain name
The Complainant is the German company rami.io GmbH, providing event ticketing services, using the domain "pretix.eu" and other auxiliary services through other sub-domains, among which <marketplace.pretix.eu>, which is used to provide a repository with plugins that can be used with the PRETIX software.
The CEO and owner of the Complainant is the owner of the trademark PRETIX, EU registration No. 017878059, registered on 4 July 2018 in relation to goods and services in classes 9, 41 and 42.
The Respondent is a French individual. The disputed domain name was registered on 24 March 2024. At the time of the filing of the Complaint, the disputed domain name redirected to the Complainant’s main website at www.pretix.eu.
In its initial Complaint, the Complainant maintains that disputed domain name is a typosquatting. It further maintains that the Respondent registered the disputed domain name maliciously and that multiple bad faith actions have been taken in connection with the disputed domain name. In particular:
(i) the disputed domain name redirects to the Complainant's official website at "www.pretix.eu";
(ii) the marketplace.pretlx.eu is employing a Man-in-the-middle proxying (MITM-proxy) on IP 91.203.144.50, mirroring the Complainant's subdomain <marketplace.pretix.eu> and recording the users' passwords.
The Complainant requested the Registrar and ISP of the disputed domain name to inhibit futher operations of the offending services. Furthermore, the IP-address of the offending MITM-system has been blocklisted on the Complainant's firewall systems, which has impeded the operation of the Respondent's website immediately.
On ... after filing the Complaint but before its notification to the Respondent, the Complainant filed additional voluntarily submission stating that after blocklisting the disputed domain name, the Complainant noticed that the Respondent cloned the Complainant's website at "www.marketplace.pretix.eu" and sent a phishing email to the Complainant's marketplace operations team, mimicking an administrative message requesting review and approval of a new piece of content for the PRETIX marketplace. This email was sent as an authenticated message by the person in control of the disputed domain name. Thus, according to the Complainant, the registration and use of the disputed domain name <pretlx.eu> is posing an immediate danger to the legitmate users of the Complainant's website at "www.pretix.eu" and infringes the Complainant's trademark.
On 28 May 2024, the Panel sent a nonstandard communication to both parties asking the Complainant to provide more clarifications on its statement "the marketplace.pretlx.eu is employing a Man-in-the-middle proxying (MITM-proxy) on IP 91.203.144.50, mirroring marketplace.pretix.eu and recording the entered passwords", and to provide supporting evidence thereof.
On the same day, the Complainant provided the following clarifications:
"The IP-address 91.203.144.50 is assigned to a server owned by Ukranian webhoster goodnet.ua and was and still is used by the
respondent. At the time of the original complaint, the webserver hosted the phishing website "pretlx.eu", "marketplace.pretlx.eu" as well
as "microsoft-mailing.biz.ua", which the respondent also used to reply to the ADR case administrator's message (logged as "E-mail from
the Respondent´s e-mail address", 2024-04-17 16:01).
At the current point in time, the server, while still online and active, does not provide any hosting services for the disputed domain name
"pretlx.eu", as the respondent chose to remove all DNS-entries following our complaint.
During the course of the phishing attack, respondent set up the DNS-records of "pretlx.eu" and "marketplace.pretlx.eu" to point to the
popular DDOS-prevention and anonymizer service cloudflare.com. It was only through observation of our server-logs that we were able
to deduce the IP-address in question, 91.203.144.50, was indeed the server the hosted the phising attack by crafting specific access
patterns to retrieve the servers MITM-proxied requests on our own server (marketplace.pretix.eu/92.60.39.232/2a03:4000:33:467::1).
Despite respondents attempts at obscuring their involvement, it is quite clear that they are linked to this phishing attack and the server
IP of 91.203.144.50:
- The original phishing message (attached as an .eml-file to the original complaint) includes a "Received"-line from amun.goodnet.ua
[91.203.144.50].
- It also includes a "Received"-line from IP-address 91.203.144.7, another server within the Goodnet.ua webhoster's network.
- The message also contains an "X-AntiAbuse"-header added by goodnet.ua indicating the originating Host and caller UID/GID: 47 12.
- In its one and only response, respondent answered from pretlx@microsoft-mailing.biz.ua. This domain's MX DNS-entry is also
pointing to the same SMTP-server: 91.203.144.7.
As a last note, I would to note, that in the respondent's email, they claim that the issue was cleared with NameCheap as the result of a
misconfigured Wordpress plugin. To which we respond by pointing out that nowhere on pretlx.eu nor microsoft-mailing.biz.ua was a
Wordpress system configured. And since all the webhosting for the respondent's domains is happening over at Goodnet.ua,
Namecheap could have not have been involved any cleanup, since they only provided the registration services for the domain, but no
web-order email-hosting services.
Proof of the attribution of marketplace.pretlx.eu to the IP-address(es) in question is visible through the headers included in the phishing emails
(.eml-files attached to the original complaint, 2024-03-28 15:05; as well as the "Further information on malicious activity by the
respondent", 2024-04-03 15:07). The presence of digital signatures such as DKIM in the email further prove the connection.
Official complaints/abuse-reports have been also filed under penality of perjury with:
- Eurid: #10184
- Namecheap: #FTR-704-98414
- Cloudflare: a27c06ce2c367b45
- Goodneet: #742525
- ISMS report: 2024-03-28 Phishingangriff"
- German BKA (Federal Criminal Police): 2024-05-14"
The e-mail to which the Complainant refers is the one reported in paragraph B below.
The Respondent did not file a formal Response.
However, on 17 April 2024, afer receving notification of this ADR Complaint, the Respondent sent an email to the Czech Arbitration Court, stating as follows: "Hello, Not having access, I will respond to you by this email. This dispute has already been resolved with the Namecheap registrar, after analysis, all this is linked to a Wordpress extension, we immediately stopped it, and especially cleaned the vulnerable codes. Since this intervention and proof of our good faith, Namecheap has given us access to our account again, and closed the ticket".
According to Article 4 (4) of the Regulation (EU) 2019/ 517 (hereinafter the "Regulation") and Paragraph B 11(d)(1) of the ADR Rules, the Complainant bears the burden of proving the following:
- the disputed domain name is identical with or confusingly similar to a name in respect of which a right is established by the national law of a Member State and/or European Union law; and either
- the domain name has been registered by the Respondent without rights or legitimate interest in the name; or
- the domain name has been registered or is being used in bad faith.
The Complaint is exceptionally brief but, in the Panel's opinion, still meets the minimum requirements for the Panel to evaluate the Regulation requirements without breaching the Panel's duty to comply with the principles of good faith, fairness, due diligence and impartiality set forth by Paragraph B (5)(a) and (b) of the ADR Rules.
1. Identity or confusingly similarity
With respect to the first requirement under Article 4 (4) of the Regulation, namely the identity or confusing similarity of the disputed domain name with a name in respect of which the Complainant has a right, the Complainant has based its Complainant on the trademark PRETIX, European registration No. 017878059, registered some years before the date of registration of the disputed domain name. However, the owner of this trademark is not the Complainant. Therefore, before examining whether there is identity or confusing similarity between the disputed domain name and the earlier mark on which the Complaint is based, it is necessary to evaluate whether the Complainant has standing to file this ADR Complaint. The Complainant has omitted to indicate and to provide evidence of its rights on the cited mark. In particular, the Complainant has not provided the Panel with a copy of a license agreement, or of any other written authorization from the trademark owner to make use of the cited mark and to file this ADR Complaint. However, the Complainant has indicated that the trademark owner is the Complainant's CEO and owner, albeit without providing supporting evidence. Pursuant to Paragraph B 7(a) of the ADR Rules the Panel is not obliged but is permitted at its sole discretion, to conduct its own investigations on the circumstances of the case. Taking into consideration the fact that the Complainant is a small entity and is self-represented, the Panel has decided to avail itself of the powers granted in Paragraph B 7(a) of the ADR Rules. Accordingly, the Panel has made some limited searches on the Complainant's website at "www.rami.io" and has ascertained that the owner of the PRETIX mark is the founder and Managing Director of the Complainant. In light of the above the Panel finds that it is likely that the owner of the PRETIX mark granted the the Complainamt with the right to use the PRETIX mark and to file this ADR Complaint.
In light of the above, it is now necessary to evaluate whether the disputed domain name is identical or confusingly similar to the PRETIX mark. According to Paragraph B 11(10) A of the ADR Rules, the Complaint shall "describe why the disputed domain name is identical or confusingly similar to the name or names in respect of which a right or rights are recognised or established by national and/or European Union law". The Complainant's reasoning on this point is quite limited. The Complainant merely states that the disputed domain name is a "typosquatting". Despite the Complainant's explanation on why the disputed domain name is identical or confusingly similar to the PRETIX mark is limited to a single word, the Panel considers it sufficient to support a finding that the disputed domain name is confusingly similar to the PRETIX mark. Typosquatting is an obvious or intentional misspelling of a trademark. Examples of such typos include the substitution of similar-appearing characters, such as, for instance, upper vs. lower-case letters, like in the case at issue, where the upper-case letter "i" of the PRETIX mark has been replaced by the lower-case letter "l" in the disputed domain name. As a result, the PRETIX mark is very well recognizable within the disputed domain name. As such, the Panel finds that the Complainant has discharged its burden of proof that the disputed domain name is confusingly similar to a name in which the Complainant has rights.
2. The Respondent's lack of rights or legitimate interests / The Respondent's bad faith in the registration and use of the disputed domain name
(a) Lack of rights or legitimate interests
The Complainant has not discussed the requirements of Article 4.4 (a) and (b) separately and has focused, in particular on the Respondent's use of the disputed domain name. The explanation provided by the Complainant is often very technical and the evidence goes beyond the Panel's technical knowledge. It is important for the Complainant to understand, that the ADR proceeding is a legal proceeding and that, consequently, the Panel's background, is a legal background. To facilitate the Panel, the evidence provided should be of a legal nature and should be self-explanatory. Moreover, the ADR is of an expedited nature and the Panel's duties of impartiality and independence require the Panel to use its powers under Paragraph B 7(a) of the ADR Rules only exceptionally. Conclusory statements unsupported by evidence are normally insufficient to prove a party’s case, although panels have been prepared to draw certain inferences in light of the particular facts and circumstances of the case e.g., where a particular conclusion is prima facie obvious, where an explanation by the respondent is called for but is not forthcoming, or where no other plausible conclusion is apparent.
Bearing in mind the above, the Panel shall now evaluate the Complainant's arguments and evidence in support of: (i) the Respondent's lack of rights or legitimate interests and/or (ii) the Respondent's bad faith in the registration or use of the disputed domain name. In order to ensure an equal treatment of the parties involved in this ADR proceeding, the Panel will not conduct additional personal investigations pursuant to Paragraph B 7(a) of the ADR Rules. The Panel has already issued a non-standard communication asking the Complainant to clarify some of its technical arguments and provide supporting evidence, and the Complainant replied to the Panelist's communication. On the other hand, the Respondent had the opportunity to reply to the Complainant's further contentions but has decided not to do so.
The Complainant maintains that at the time of the filing of the Complaint, the disputed domain name redirected to the Complainant's website at "www.pretix.com" and operated by means of proxying the contents of "marketplace.pretix.eu" on the fraudulent "marketplace.pretlx.eu". The Complainant further contends that it blocklisted the IP addresses of the offending shared hosting system, to eliminate the functioning of the phishing attack. As a result, the disputed domain name only returned a blank or error page. The Panel notes that the Complainant did not provide any evidence of the alleged Respondent's activity, or at least did not provide convincing and clear evidence to that effect for the Panel. The Complainant cites an email enclosed to the Complaint; however, the Panel could not retrieve this email on the case file. The email was also not attached to the Complainant's reply to the Panelist's non-standard communication of 28 May 2024.
A few days after filing its Complaint, before the Complaint was notified to the Respondent, the Complainant filed additional arguments and supporting evidence, by way of a non-standard communication. On that occasion, the Complainant stated that "(...) on April, 1st 2024, the respondent chose to clone the enterity of marketplace.pretix.eu by means of downloading the website and its content using the tool wget, as our serverlogs reveal". The Complainant further adds that "[t]his is also witnessed by the fact that the now served marketplace.pretlx.eu shows a path of "html/static/CACHE/css/" - the untampered website is not using "html/" as part of the local folder structure." The Complainant adds a screenshot of the source code of "marketplace.pretix.eu" to support its statement, including the "html/static/CACHE/css/" path cited by the Complainant. However, the Panel is not in the position to understand the meaning and the consequences of having this path included in the souce code of "marketplace.pretix.eu". However, the Panel notes that the source code of "marketplace.pretix.eu" includes the following references: "<html><head><title> pretix Market place <title>" and "<head><body> (...) INDEX" >pretix Marketplace</a". These two references to the PRETIX mark on the source code of "marketplace.pretix.eu" suggest to the Panel the possibility that "marketplace.pretix.eu" led to a webpage referring to the Complainant's mark. As no screenshot of the relevant webpage was added to the Complaint, the Panel does not have a precise idea of what this page looked like. However, the Panel finds it is more likely than not that the Respondent's website contained unauthorised references to the Complainant's PRETIX mark.
The Complainant further stated that the "Respondent then proceeded on April, 3rd 2024 to send a spear-phishing email to the marketplace operations team, mimicking an administrative message requesting review and approval of a new piece of content for the pretix Marketplace. This email was sent - as witnessed by the email-headers included by the web- and mailhoster - as an authenticated message by the person in control of pretlx.eu". The Complainant provided a copy of this email, which has been sent from the address "marketplace@pretix.eu" and addressed to the same address "marketplace@pretix.eu"; the subject of the email is "New product on pretix Marketplace" and the contents states: "Please review http://marketplace.pretlx.eu/admin/core/product/122/change/". Unfortunately, the Complainant did not provide a screenshot of the webpage at http://marketplace.pretlx.eu/admin/core/product/122/change/ and the Panel's attempt led to an error ("not found") page. Although the Panel cannot see the "email-headers included by the web and mailhoster" and cannot confirm that the email was "authenticated by the person in control of pretlx.eu" as mentioned by the Complainant, the Panel can infer that the disputed domain name was used to send a phishing email to the Complainant from a fake email address identical to one of the Complainant's email addresses. The scope of this email is unknown but is most probably aimed at achieving some unlawful effect.
A confirmation of the illegitimate behaviour of the Respondent comes from the Respondent itself and in particular from the Respondent's email of 17 April 2024 addressed to the Czech Arbitration Court one day after the notification of the Complaint to the Respondent. Firstly, the Panel notes that this email is sent from the address "pretlx@microsoft-mailing.biz.ua". Therefore, the Respondent is using the disputed domain name as part of an email address. Moreover, the Respondent affirms that the pending "dispute has already been resolved with the Namecheap registrar and that, after analysis, all this is linked to a Wordpress extension". Accordingly, the Respondent has "immediately stopped it, and especially cleaned the vulnerable codes". In the Panel's view, the Respondent's reply entails its recognition that the disputed domain name was used improperly. Although the Respondent explains that the improper use of the disputed domain name is not the result of the Respondent's activity, but is "linked to a Wordpress extension" (of which the Complainant denies the existence, and the Respondent fails to provide evidence), the Panel notes that the Respondent cannot disclaim responsability for the illegitimate use of the disputed domain name simply because it was allegedly linked to a Wordpress extension. The Respondent is fully responsible for any use of the disputed domain name, including of its malfunctioning due to a third party's activity.
The additional arguments provided by the Complainant in reply to the Panelist's solicitation are way too technical and miss supporting evidence. Therefore, the Panel does not feel necessary to take them into consideration.
In view of the above, to assess this case, the Panel shall take into consideration the following circumstances:
- the disputed domain name is a typosquatting of the PRETIX mark on which the Complainant has rights;
- the disputed domain name was used to send at least one email to the Complainant, at the email address "marketplace@pretix.eu", from an identical fake email address, asking to click on a link displaying the almost identical subdomain name "marketplace.pretlx.eu", which the Respondent had created imitating the Complainant's official subdomain name "marketplace.pretix.eu";
- the Respondent has implicitly admitted that the disputed domain name was improperly used, although it has affirmed that this occurred because the disputed domain name was linked to a Wordpress extension, which the Complainant has denied to exist, and the Respondent has failed to substantiate through adequate evidence;
- the Respondent is using the disputed domain name as part of its email address.
Pursuant to Paragraph B11(e) of the ADR Rules, the following circumstances, if found by the Panel to be proved based on its evaluation of all evidence presented, shall demonstrate the Respondent’s rights to or legitimate interests in the domain name:
(1) prior to any notice of the dispute, the Respondent has used the domain name or a name corresponding to the domain name in connection with the offering of goods or services or has made demonstrable preparation to do so;
(2) the Respondent, being an undertaking, organisation or natural person, has been commonly known by the domain name, even in the absence of a right recognised or established by national and/or European Union law;
(3) the Respondent is making legitimate and non-commercial or fair use of the domain name, without intent to mislead consumers or harm the reputation of a name in respect of which a right is recognised or established by national law and/or European Union law.
In the case at hand, the Respondent does not appear to be commonly known by the disputed domain name. The Respondent's name does not coincide with the disputed domain name and there is no other evidence in the case file that could lead to this conclusion. Moreover, for the reasons mentioned above, it is clear that the Respondent has not used the disputed domain name in connection with a bona fide offering of goods or services. The registration of a disputed domain name almost identical to the PRETIX mark, and the use of it as part of an email address or to send phishing emails cannot be considered a bona fide offering of goods or services, or a legitimate and non-commercial or fair use of the disputed domain name without intent to mislead consumers or harm the reputation of the PRETIX mark. On the contrary, through the disputed domain name the Respondent is impersonating the Complainant to mislead its consumers for some illegitimate purpose.
Accordingly, the Panel finds that the Complainant has established a prima facie case that the Respondent lacks rights or legitimate interests in the disputed domain name. The onus now shifts to the Respondent to rebut the assertion that the Respondent lacks rights or legitimate interests (see ”CAC .EU Overview 2.0”). The Respondent has failed to file a Response. Its email of 17 April 2024, which is the only document received from the Respondent, merely affirms that it has "cleaned the vulnerable codes", thus implicitly admitting that there was an improper use of the disputed domain name (see above). The email does not clarify why the Respondent should be deemed to have rights or legitimate interests in the disputed domain name. Hence, the Panel considers that the Respondent failed to rebut the Complainant's arguments.
In light of the foregoing, the Panel is satisfied that the Complainant has discharged its burden of proof that the Complainant lack rights or legitimate interests in the disputed domain name.
(b) Registration and use of the disputed domain name in bad faith
In view of the fact that the Complainant has successfully proved that the Respondent lacks rights or legitimate interests in the disputed domain name, it is not strictly necessary for the Panel to assess the Respondent's bad faith. However, the Panel has decided to briefly address also this matter.
Firstly, in consideration of the Respondent's behaviour, the Panel is convinced that the Respondent was aware of the Complainant's trademark and business at the time of the registration of the disputed domain name. The composition of the disputed domain name, which consists of a mispelling of the Complainant's mark, being aware of this trademark, is evidence of bad faith registration. Furthermore, most of the circumstances listed under point 2. above, show a malicious intention of the Respondent in the use of the disputed domain name. In particular, the use of the disputed domain name to send a fake email for phishing purposes from an email address identical to one of the email addresses of the Complainant, and as part of a sub-domain almost identical to one of the Complainant's sub-domains, are evidence of use of the disputed domain name in bad faith.
Accordingly, the Panel finds that the Complainant has successfully proved that the disputed domain name has been registered and is being used in bad faith.
For all the foregoing reasons, in accordance with Paragraphs B12 (b) and (c) of the Rules, the Panel orders that the domain name pretlx.eu be transferred to the Complainant.
PANELISTS
Name | Angelica Lodigiani |
---|