Nearly everyone shops online nowadays, for products ranging from clothes and accessories, to electronics and appliances, to food and medicines. The internet has made it so that consumers don’t need to leave their house and go to a store in order to buy the items they want or need—but it has also made it so that manufacturers don’t need to get their products onto the shelves of stores in order to have them sold. In fact, they don’t need a store at all—all they need is a domain name. And for those selling counterfeit versions of luxury brand name goods, their dream counterfeit domain name is just a few clicks away.

Cyber threat intelligence companies DomainTools and Farsight Security recently published a report delving into the misuse of domain names related to four luxury fashion brands—Burberry, Cartier, Gucci and Prada. This week I spoke with the director of product management at DomainTools, Tim Helming, to talk about the results of the research and its implications.

Helming said the two main takeaways from this research were that “there’s a very high level of use of brand names by people who aren’t the brand owners” and “it’s not as easy a problem to solve as people might assume.”

In its scan for domain names related to each of the four luxury brands, the DomainTools and Farsight team found at least 1,000 domains for each brand that weren’t owned by the company itself and which didn’t appear to be incidental (ex. was excluded despite containing the word “prada”). The scan for “gucci” alone brought up over 3,000 non-Gucci-owned domain names. These domain names were found and analyzed using public WHOIS records – records containing information about the owners of domains and their contact information.

A more in-depth analysis of the thousands of domain names began to unveil a landscape of potential criminal activity. A total of 350 domains were determined by the DomainTools Reputation Engine to be at “high risk” of containing malware or being engaged in phishing or spam. And in addition to hundreds of domains registered privately to hide the owner’s identifying information, several were registered using clearly phone names such as “Ano Nymous.” According to the report, there isn’t much enforcement to ensure that information provided by registrants is genuine—and as long as they have a working email address and the means to pay, the domain is theirs. Even if it contains a trademarked brand name.

“When you register a domain name, there are very few guardrails around what you do, so if I registered a domain name that has ‘Microsoft’ in it, there is no check as to whether I have anything to do with Microsoft,” Helming said. “There’s also no check really as to what my identity is, so I can put a fictitious identity in there.”

Not only is the process for verifying the validity of domain registrants flimsy (or nonexistent)—tracking down fraudsters when they are discovered can be incredibly difficult, or nearly impossible. While companies can report a counterfeit domain name through a process called the uniform domain-name dispute-resolution policy (UDRP), Helming described the process as “a little bit burdensome” and explained there’s a burden of proof on the company to show that the domain name in question is abusing their trademark. Prosecuting those who are behind these counterfeiting schemes can rarely be accomplished due to registrants’ abilities to shield their identity and origin through fake names and IP-hiding services like VPNs and the Tor browser. And one oft-suggested method for popular brands to protect their trademarks online is essentially a lost cause.

“When I talk to people about this, a lot of times they go, well why doesn’t Microsoft (for example) just register all the ‘Microsoft’ domains? It’s not nearly that simple,” Helming said, explaining that Microsoft would have to buy the “Microsoft” URL for every existing domain extension – .com, .net, .me and even more obscure ones like .coffee or .ninja.

“Suppose you have even just one or two important names for your company and you want to possess the domains that are related to them. Well, you have to multiply that by all of the different domain extensions there are (…) which is well over 1,000,” Helming explained. “So right there there’s 1,000, but then if you think about adding words onto those names, it grows dramatically.”

The mere existence of fake trademarked domain names might not seem like a big deal—and those “what they ordered vs. what they received” articles can be pretty funny—but what isn’t funny is the possibility of criminals using these trademarked URLs to trick customers into buying counterfeit versions of medical products, pharmaceuticals and vehicle parts that can lead to serious injury or accidents. Fortunately, Helming says, regulation in these particularly industries is being taken more seriously, and though the picture may seem bleak for other brands, there are still ways the approximately $460 billion a year counterfeit trade can be combatted.

“What it comes down to is for the end users, for the public to become more and more informed about red flags that might indicate that you’re looking at something sketchy, and to be careful about where you go,” he said. “If it stops working then the criminals are going to stop doing it (…) Every person who uses the internet can play a role in this, but it involves doing a little bit of homework to be able to spot these things.”