5 May, 2026

WIPO Panel Transfers reportsequifax.info After Discovery of Credential Harvesting Site

UDRP Cases

Equifax Inc. filed a UDRP complaint against the domain reportsequifax.info, which was registered in October 2025 and utilized for a phishing scheme targeting user credentials. The WIPO panelist found the respondent acted in bad faith by impersonating the well-known credit reporting firm and ordered a full transfer of the domain.

Case Snapshot

Case Number D2025-4522
Complainant Equifax Inc.
Respondent AFP HABITAT
Disputed Domain
reportsequifax.info
Threat Tactic Phishing and Email Fraud
Decision Date 2025-12-18
Panelist Marilena Comanescu
OutcomeTransfer
Official Source https://www.wipo.int/amc/en/domains/search/text.jsp?case=D2025-4522

Credential Harvesting and the Deceptive Use of Brand-Plus-Keyword Portals

The registration and deployment of reportsequifax.info represent a direct threat to customer trust through a calculated phishing scheme. By hosting a ‘White Label QR Platfom’ that featured a prominent login form for usernames and passwords, the respondent created a functional facsimile of a corporate authentication gateway. This tactic targets the specific expectation of privacy and security that consumers associate with financial data services. For Equifax, the risk extends beyond simple trademark infringement to the potential exposure of sensitive user credentials, which can be leveraged for identity theft or broader financial fraud. The absence of any disclaimer or identity information on the respondent’s site further confirms a deceptive intent to harvest data by exploiting the brand’s 50-year history of trademark use.

The use of the ‘brand plus keyword’ tactic—specifically appending the term ‘reports’ to the EQUIFAX mark—is a refined method of traffic diversion that targets high-intent users. In the financial services sector, consumers frequently seek ‘reports,’ making this domain name appear as a legitimate, logical extension of the complainant’s digital infrastructure. This naming convention is designed to neutralize user skepticism, leading individuals to believe they are accessing an official reporting portal. Such mimicry not only threatens the integrity of the complainant’s customer service channels but also forces the brand owner to bear the significant evidentiary and financial burden of monitoring high-volume trademark registrations across various top-level domains like .info.

The procedural behavior of the respondent highlights the operational challenges brand owners face in modern enforcement. By utilizing a privacy service and failing to provide a substantive response to the UDRP complaint, the respondent attempted to shield their identity while maintaining a deceptive digital asset. Although the domain resolved to an error page by the time of the filing, the prior evidence of credential harvesting established a clear record of bad faith. This transient use of domains—activating a phishing site and then allowing it to go dark—demonstrates a strategy of evasion that requires brands to act with extreme speed between the detection of a threat and the initiation of legal proceedings to secure the transfer of the asset.

Strategic Application of Trademark Longevity and Phishing Documentation

Equifax Inc. secured a favorable outcome by leveraging the historical weight of its global trademark portfolio, which includes over 221 registrations across 56 jurisdictions. By highlighting a U.S. registration dating back to 1975—exactly 50 years prior to the registration of the disputed domain—the Complainant established a prior right that precluded any plausible claim of good faith registration by the Respondent. The strategy successfully characterized the ‘brand plus keyword’ tactic not as a generic use, but as a deliberate attempt to impersonate official financial data portals. This established that the domain reportsequifax.info was inherently misleading and designed to capitalize on the EQUIFAX mark’s well-documented reputation and distinctiveness, as recognized in previous UDRP proceedings.

The core of the evidentiary success rested on the Complainant’s documentation of the domain’s active involvement in a phishing scheme. By submitting evidence of a ‘White Label QR Platfom’ page featuring a login form for credential harvesting, Equifax provided the Panel with concrete proof of bad faith use that moved beyond mere registration similarity. The collection of sensitive usernames and passwords effectively disqualified the Respondent from claiming any bona fide offering of goods or services. Furthermore, the absence of any disclaimer or accurate identification of the operator on the site supported the legal finding of deceptive intent. Even though the domain resolved to an error page at the time of the filing, the Complainant’s prior capture of the fraudulent landing page was the decisive factor in overcoming the Respondent’s use of a privacy service and subsequent default.

Practical Recommendations

  • Implement automated monitoring for ‘Brand + High-Risk Keyword’ combinations (e.g., [Brand] + ‘reports’, ‘login’, or ‘secure’) to detect impersonation portals before they are widely distributed in phishing campaigns.
  • Prioritize immediate forensic preservation of phishing content, such as screenshots of login forms or credential harvesting fields, as threat actors often transition sites to error pages once they detect enforcement activity.
  • Utilize evidence of ‘White Label’ or generic platform templates used by respondents to demonstrate a lack of rights or legitimate interests, especially when no prominent disclaimer of non-affiliation is present.
  • Establish a rapid-response enforcement timeline (targeting filing within 30 days of registration) to minimize the window for credential theft, as demonstrated by the Complainant’s swift action following the October 9 registration.
  • Incorporate the historical longevity of trademarks (e.g., Equifax’s 50-year-old registration) in UDRP filings to establish that any subsequent registration of a confusingly similar domain is an opportunistic attempt to exploit brand fame.

Frequently Asked Questions (FAQ)

Why did the WIPO panel rule that ‘reportsequifax.info’ is confusingly similar to the Complainant’s brand?

The panel determined that the domain incorporated the well-known ‘EQUIFAX’ trademark in its entirety. The addition of the descriptive word ‘reports’ was insufficient to distinguish the domain from the Complainant’s brand or reduce the potential for consumer confusion.

What evidence proved the Respondent lacked a legitimate interest in the disputed domain?

The Respondent used the domain to host a ‘White Label QR Platform’ featuring a deceptive login form designed to harvest usernames and passwords. The panel ruled that using a domain for credential phishing does not constitute a bona fide offering of goods or services.

How did the Complainant establish that the domain was registered and used in bad faith?

Bad faith was evidenced by the fame of the EQUIFAX mark, which has been registered for over 50 years, and the Respondent’s use of the site to impersonate Equifax for phishing. The lack of any disclaimer or clear identification of the site’s owner further confirmed an intent to mislead users.

What was the tactical outcome of this case despite the domain resolving to an error page by the time of filing?

Although the site resolved to an error page by November 1, 2025, the Complainant provided historical evidence of the site’s prior fraudulent use. The panel found this sufficient to order a full transfer of the domain, successfully neutralizing the threat to customer data and brand integrity.

Concerned about fake email or credential harvesting fraud?

Protect your brand from unauthorized login portals and credential theft. Learn how UDRP actions can effectively reclaim domains being used for fraudulent impersonation schemes.

Request phishing analysis

Contact us
We will find the best solution for your business

    Thank you for your request!
    We will contact you within 5 hours!
    Image
    This site uses cookies to improve your experience. By continuing, you agree to our Privacy Policy.

    Privacy settings

    When you visit websites, they may store or retrieve data in your browser. This storage is often required for basic website functionality. Storage may be used for marketing, analytics and site personalization purposes, such as storing your preferences. Privacy is important to us, so you can disable certain types of storage that may not be necessary for the basic functioning of the website. Blocking categories may affect the performance of the website.

    Manage settings


    Necessary

    Always active

    These cookies are necessary for the website to function and cannot be disabled in our systems. They are usually only set in response to actions you take that constitute a request for services, such as adjusting your privacy settings, logging in, or filling out forms. You can set your browser to block these cookies or notify you about them, but some parts of the site will not work. These cookies do not store any personal information.

    Marketing

    These elements are used to show you advertising that is more relevant to you and your interests. They can also be used to limit the number of ad views and measure the effectiveness of advertising campaigns. Advertising networks usually place them with the permission of the site operator.

    Personalization

    These elements allow the website to remember your choices (such as your username, language or region you are in) and provide enhanced, more personalized features. For example, a website may provide you with local weather forecasts or traffic news by storing data about your current location.

    Analytics

    These elements help the website operator understand how their website works, how visitors interact with the site and whether there may be technical problems. This type of storage usually does not collect information that identifies the visitor.