A couple of weeks ago a fake UK web site called Zavvi Direct garnered thousands of orders for the elusive Wii Fit. Its success was based on several factors:
- Ads on eBay and Google made it easy for potential customers to find the site
- The Wii Fit shortage meant that customers were looking beyond their usual suppliers – hence eBay and Google – and perhaps taking less care than usual
- Anyone selling Wii Fit at normal retail price is guaranteed a ready market, since it sells on eBay and Amazon marketplace at a premium of around 80%
- Crucially, customers thought the site was run by Zavvi, formerly Virgin Megastores.
In fact it was nothing to do with Zavvi; as far as I’m aware nobody has received their goods and it is under investigation by police.
I wrote this up for today’s Guardian. It was interesting to me because of the number of customers – known to be in the thousands – and as an example of Internet insecurity. As far as I know, none of the phishing filters built into browsers like IE7 or Firefox picked this one up – it’s not exactly a phishing site of course, but nevertheless was not what it appeared to be.
Now put this together with ICANN’s decision to expand the number of top-level domains – the bit after the last dot or couple of dots. It is already near-impossible to register all the possible, plausible variations of a domain name. In the Zavvi Direct case, the fakers got zavvidirect.co.uk, zavvidirect.com and zavvisports.co.uk. They could have used hyphens; they could have used .net or .org; they could have combined zavvi with other words such as games, gadgets, electronics, fast, quick, online, web. Now companies like Zavvi face the possibility of zavvi.gadgets, zavvi.direct, zavvi.electronics, zavvi.directsales, zavvi.shop or even shop.zavvi.
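To show how quickly the space of plausible names grows under the construction rules just described, here is an added Python example (not part of the original post) that enumerates a defender's watch list for a brand and flags observed domains that hit it; the brand, word list and new-style TLDs are constructed from the examples above and are assumptions, not a registry of real names.

```python
"""Enumerate the lookalike-domain space for a brand and match observed domains against it."""

# Constructed example data following the construction rules described in the post.
BRAND = "zavvi"
SUFFIX_WORDS = ["direct", "sports", "games", "gadgets", "electronics",
                "fast", "quick", "online", "web"]
LEGACY_TLDS = ["co.uk", "com", "net", "org"]
# Hypothetical brand-style gTLDs of the kind the post anticipates after ICANN's expansion.
NEW_GTLDS = ["gadgets", "direct", "electronics", "directsales", "shop"]


def lookalike_candidates(brand=BRAND, words=SUFFIX_WORDS,
                         legacy=LEGACY_TLDS, new_gtlds=NEW_GTLDS):
    """Return the set of plausible lookalike domains a defender would want to watch."""
    names = set()
    # 1. brand + word, with and without a hyphen, under each legacy TLD
    for word in words:
        for sep in ("", "-"):
            for tld in legacy:
                names.add(f"{brand}{sep}{word}.{tld}")
    # 2. brand as the second-level label under a new descriptive gTLD (zavvi.gadgets)
    for tld in new_gtlds:
        names.add(f"{brand}.{tld}")
    # 3. the brand itself used as the top-level label (shop.zavvi)
    for label in ["shop"] + words:
        names.add(f"{label}.{brand}")
    return names


def normalise(domain):
    """Lower-case, drop a trailing dot and a leading 'www.' so comparisons are stable."""
    d = domain.strip().lower().rstrip(".")
    return d[4:] if d.startswith("www.") else d


def flag_observed(observed, candidates=None):
    """Return observed domains (e.g. from ad or DNS monitoring) that are on the watch list."""
    candidates = candidates if candidates is not None else lookalike_candidates()
    return sorted({normalise(d) for d in observed} & candidates)


if __name__ == "__main__":
    # Constructed sample of domains seen in paid ads; three match the post's real examples.
    seen = ["www.ZavviDirect.co.uk", "zavvidirect.com", "zavvisports.co.uk",
            "example.org", "zavvi.gadgets"]
    print(len(lookalike_candidates()), "candidates;", flag_observed(seen))
```

Even with nine words and a handful of TLDs the list runs to dozens of names, which is the point: pre-registering them all is impractical, so monitoring for them is the realistic control.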
I am not sure that ICANN’s decision is wise. Currently it’s possible at least to pre-register the most obvious names; now even that will be harder to achieve.
Still, it’s arguably not that much worse than the current situation. Further, the key players in this are not the domain registrars but the search engines. Nobody would have typed zavvidirect.co.uk into their address bar; they all went to Google or eBay. If these companies made more stringent checks, fewer people would be caught out. Note that all the customers I spoke to clicked on paid ads, not pure search results.
In mitigation, while the Internet has caused this kind of problem, it also helps to solve it. Zavvi Direct customers soon found help on online forums – again through Google – such as Rpoints and MoneySavingExpert. These communities quickly waved red flags, their users received good advice about the best way to attempt to recover their money, and banks will be under pressure to act consistently.
In this particular case, it looks likely that most or all customers will get their money returned. Too late for the Guardian article, a spokesperson for Royal Bank of Scotland, which also owns NatWest, told me this:
In this specific case we can confirm that all RBS group card holders who are affected will be receiving refunds and that’s going to show on their accounts in a matter of days from now.
I was told that this will be automatic; so if you were a would-be Zavvi Direct customer and paid with an RBS card, sit tight for a week or so before complaining further.
Update: there’s more background on Zavvi Direct in this ComputerActive article.