5 May, 2026

Scammers Mimic Six Continents’ IT Support Portal to Broadcast Deceptive Virus Warnings

UDRP Cases

Six Continents Hotels, Inc. and Six Continents Limited successfully secured the transfer of the disputed domain remoteihg.com through a WIPO UDRP proceeding. The respondent registered the domain to mimic the hotel group’s legitimate IT support subdomain and diverted visitors to deceptive pages displaying fake security alerts. Panelist Ganna Prokhorova ruled that the deceptive setup constituted clear bad faith and trademark infringement.

Case Snapshot

Case Number D2026-0591
Complainant Six Continents Hotels, Inc.Six Continents Limited
Respondent Domain Admin, TotalDomain Privacy Ltd
Disputed Domain
remoteihg.com
Threat Tactic Brand Plus Keyword
Decision Date 2026-03-27
Panelist Ganna Prokhorova
OutcomeTransfer
Official Source https://www.wipo.int/amc/en/domains/search/text.jsp?case=D2026-0591

Compromising Infrastructure Trust: The Strategic Mimicry of Internal Support Channels

The exploitation of internal enterprise infrastructure represents a highly targeted tactic where bad actors look beyond consumer-facing domains to compromise corporate trust. By registering the domain ‘remoteihg.com’, the respondent directly mimicked a critical administrative endpoint. The Complainants utilize the official subdomain ‘remote.ihg.com’ for remote support sessions and device troubleshooting. Intercepting this specific brand-plus-keyword combination creates immediate operational risk, as users seeking legitimate technical assistance are highly vulnerable to deceptive positioning that mirrors official corporate channels.

The commercial and reputational hazard is further amplified by the deceptive content hosted on the diverted site. Rather than hosting passive content, the respondent redirected traffic to pages broadcasting false virus warnings and prompting unauthorized scans, including prompts like ‘Safety warning!’ and ‘run an antivirus scan immediately’. Although there is no evidence confirming that users actually downloaded malicious software or suffered breaches, the association of the IHG mark with scareware-style tactics severely erodes brand authority. For global enterprises, the weaponization of IT-related keywords presents a critical security vulnerability, as it compromises the integrity of legitimate technical support channels.

Strategic Alignment of Brand Infrastructure and Exploitative Use Evidence

The Complainants’ legal strategy succeeded by linking the structure of the disputed domain name directly to their official operational infrastructure. Rather than merely claiming generic trademark infringement, Six Continents established that the Respondent’s inclusion of the descriptive term "remote" was a deliberate attempt to mimic the official "remote.ihg.com" portal, which is utilized for IT support and machine troubleshooting. By providing evidence of this specific IT channel alongside their registrations for the IHG trademark dating back to 2006, the Complainants demonstrated to Panelist Ganna Prokhorova that the addition of "remote" exacerbated, rather than mitigated, confusing similarity.

Furthermore, the Complainants secured the transfer by presenting clear evidence of the domain’s deceptive deployment. Documenting that the domain redirected visitors to pages displaying fraudulent "Safety warning!" messages and prompts to run unauthorized antivirus scans provided the Panel with objective proof of bad faith and a lack of legitimate interests. By demonstrating that the Respondent capitalized on the IHG brand to mislead users, the Complainants successfully established an actionable UDRP violation based on the deceptive redirect itself, without needing to prove that any users downloaded malware or suffered database compromises.

Practical Recommendations

  • Proactively register high-risk ‘brand + IT’ keyword combinations—such as ‘remote’, ‘support’, ‘vpn’, and ‘portal’—to protect corporate IT infrastructure and prevent bad actors from securing lookalike domains.
  • Establish dedicated domain monitoring that specifically targets defensive variations of existing, legitimate subdomains (e.g., monitoring for ‘remotebrand.com’ when the official site is ‘remote.brand.com’) to identify technical impersonation attempts early.
  • Capture and preserve forensic evidence of deceptive redirects immediately, such as screenshots of fake virus scans, safety warnings, or unauthorized software prompts, as WIPO panels consistently treat these as conclusive proof of bad faith and lack of legitimate interest.
  • Develop a rapid-response UDRP strategy for domains that redirect users to deceptive security alerts, utilizing established precedents to bypass lengthy negotiations and secure domain transfers quickly.
  • Block suspicious lookalike domains at the enterprise DNS or gateway level as soon as they are identified to protect employees and customers from potential social engineering threats while legal recovery actions are being prepared.

Frequently Asked Questions (FAQ)

Why did the Panel consider ‘remoteihg.com’ to be confusingly similar to the IHG brand?

The Panel determined that the domain was confusingly similar because it incorporated the well-known IHG trademark in its entirety. Furthermore, the inclusion of the word ‘remote’ significantly increased the risk of confusion, as it specifically mimicked the Complainant’s legitimate IT support portal, ‘remote.ihg.com’.

What evidence established the Respondent’s lack of legitimate rights to the domain?

The Respondent failed to provide any evidence of rights or legitimate interests. The Panel noted that the Respondent was not affiliated with Six Continents, held no authorization or license to use the IHG mark, and was not commonly known by the name ‘remoteihg’.

How was bad faith proven in the case of ‘remoteihg.com’?

Bad faith was demonstrated by the Respondent’s use of the domain to host deceptive content, specifically fake security alerts and malware warnings designed to trick users into running unauthorized antivirus scans. The Panel concluded that this conduct was a clear attempt to attract users by creating a misleading association with the Complainant for commercial gain.

What is the primary takeaway for business regarding this specific tactic?

This case highlights the danger of ‘brand-plus-keyword’ domains that mimic internal business subdomains. The successful transfer of the domain underscores that WIPO panels view the use of such infrastructure to facilitate social engineering or deceptive traffic diversion as conclusive evidence of bad faith and grounds for immediate domain transfer.

Found a brand-plus-keyword impersonation domain?

Bad actors often combine your brand with functional keywords like ‘remote’ or ‘support’ to create deceptive portals that mimic official IT infrastructure. Protect your employees and customers from malicious redirects by assessing your brand’s vulnerability to domain-based impersonation.

Assess brand threat

Contact us
We will find the best solution for your business

    Thank you for your request!
    We will contact you within 5 hours!
    Image
    This site uses cookies to improve your experience. By continuing, you agree to our Privacy Policy.

    Privacy settings

    When you visit websites, they may store or retrieve data in your browser. This storage is often required for basic website functionality. Storage may be used for marketing, analytics and site personalization purposes, such as storing your preferences. Privacy is important to us, so you can disable certain types of storage that may not be necessary for the basic functioning of the website. Blocking categories may affect the performance of the website.

    Manage settings


    Necessary

    Always active

    These cookies are necessary for the website to function and cannot be disabled in our systems. They are usually only set in response to actions you take that constitute a request for services, such as adjusting your privacy settings, logging in, or filling out forms. You can set your browser to block these cookies or notify you about them, but some parts of the site will not work. These cookies do not store any personal information.

    Marketing

    These elements are used to show you advertising that is more relevant to you and your interests. They can also be used to limit the number of ad views and measure the effectiveness of advertising campaigns. Advertising networks usually place them with the permission of the site operator.

    Personalization

    These elements allow the website to remember your choices (such as your username, language or region you are in) and provide enhanced, more personalized features. For example, a website may provide you with local weather forecasts or traffic news by storing data about your current location.

    Analytics

    These elements help the website operator understand how their website works, how visitors interact with the site and whether there may be technical problems. This type of storage usually does not collect information that identifies the visitor.