Skyscanner Limited successfully secured the transfer of four domain names, including flightbooksky.com, that resolved to identical phishing login portals mimicking the official platform. Although a settlement was reached with a domain reseller on one of the domains, registrar inaction by Cosmotown, Inc. forced the dispute to a full UDRP panel decision. Panelist William Lobelson ordered all four domains transferred due to clear evidence of bad faith targeting.
Case Snapshot
| Case Number | D2025-2663 |
|---|---|
| Complainant | Skyscanner Limited |
| Respondent | Jubayer Hossain, Cyber Planet BDMamun Sardar, Web PlusRakibul Hasan |
| Disputed Domain | flightbooksky.comskyscanner-flightbook.comskyscannerflightbook.comskyscanner-flightbooking.com |
| Threat Tactic | Brand Plus Keyword |
| Decision Date | 2025-10-10 |
| Panelist | William Lobelson |
| Outcome | Transfer |
| Official Source | https://www.wipo.int/amc/en/domains/search/text.jsp?case=D2025-2663 |
Customer Trust and Operational Exposure: Brand Abuse and Registrar Bottlenecks
Skyscanner’s massive market presence, highlighted by 41.6 million unique visits in March 2025 alone, makes it a highly attractive target for digital impersonation and traffic diversion. The registration of descriptive brand-plus-keyword variations—such as skyscanner-flightbooking.com, skyscannerflightbook.com, and flightbooksky.com—directly leverages this high volume of consumer traffic. By routing users to identical, highly deceptive login portals to harvest sensitive personal data, bad actors exploit the consumer trust established by Skyscanner’s longstanding trademark registrations, including United Kingdom Registration No. UK00002313916. This form of credential theft poses severe reputational risks, as users rarely distinguish between a brand’s official platform and a sophisticated phishing replication.
The dispute also demonstrates the limits of the ‘reseller defense’ in UDRP proceedings. The recorded owner of skyscanner-flightbook.com attempted to avoid liability by asserting he was simply a domain reseller acting in good faith on behalf of a downstream customer whom he identified, subsequently offering to return the domain. However, the actual identity and motives of this downstream client were never verified or proven. For brand protection professionals, this underscores how bad actors utilize administrative layers and intermediaries to mask malicious activity. The panelist, William Lobelson, disregarded this defense because the domain hosted an identical phishing template targeting the complainant’s famous mark. This confirms that resellers remain legally and operationally accountable for the deceptive content published under their registered domains.
Finally, this case highlights a critical operational vulnerability during the settlement phase of domain recovery. Although Skyscanner and the respondent signed a formal settlement agreement on July 24, 2025, to transfer the disputed domain, the registrar, Cosmotown, Inc., failed to execute the transfer. This administrative failure forced Skyscanner to proceed to a full panel decision on October 10, 2025. This delay demonstrates that even when a brand owner successfully negotiates a voluntary transfer, registrar inaction can create unexpected legal costs and prolong the window of exposure, necessitating fallback strategies in corporate brand enforcement.
Panelist Analysis of Confusing Similarity, the Failed Reseller Defense, and Registrar Administrative Failure
To satisfy the first element of the UDRP, Complainant Skyscanner Limited established its rights in the SKYSCANNER trademark, supported by historical registrations such as United Kingdom Registration No. UK00002313916, registered on April 30, 2004. Panelist William Lobelson found the disputed domains—flightbooksky.com, skyscanner-flightbook.com, skyscannerflightbook.com, and skyscanner-flightbooking.com—confusingly similar to the Complainant’s mark. These domains incorporate the SKYSCANNER mark in its entirety combined with descriptive, travel-related terms like ‘flightbook’ and ‘flightbooking’, or employ ‘sky’ alongside ‘flightbook’. The panel affirmed that the addition of generic travel terms does not prevent confusing similarity, particularly when the underlying websites prominently displayed the mark in a deceptive fashion designed to induce user confusion.
Under the second element, the Panel evaluated the rights or legitimate interests of the Respondents, focusing closely on a failed reseller defense. The recorded owner of skyscanner-flightbook.com claimed to be a domain reseller acting in good faith on behalf of an identified downstream customer. Although this reseller suspended the hosting account and signed a settlement agreement on July 24, 2025, to return the domain, the Panel maintained that such administrative intermediaries cannot escape liability when the domain is used for deceptive practices. Because the disputed domains resolved to identical phishing login pages designed to intercept and collect users’ sensitive personal data, the Panel ruled that hosting malicious credential-harvesting portals cannot constitute a bona fide offering of goods or services under UDRP standards.
The bad faith analysis under paragraph 4(a)(iii) of the Policy was heavily supported by the fame of the SKYSCANNER mark and the coordinated nature of the phishing scheme. With Skyscanner’s official website drawing 41.6 million unique visits in March 2025 alone, the Respondents clearly targeted the Complainant’s established reputation. The construction of identical replica login interfaces across multiple consolidated domains demonstrated an active, intentional attempt to divert users and harvest personal data. Even though a settlement was reached with the reseller of one domain, the registrar, Cosmotown, Inc., failed to execute the transfer, forcing the dispute to a full UDRP panel decision. The Panel ultimately held that registering and using highly targeted domain-plus-keyword variations for data harvesting constitutes clear registration and use in bad faith, mandating the transfer of all four disputed domains.
Deceptive Phishing Portals and the Limits of the Domain Reseller Defense
Skyscanner Limited’s enforcement strategy succeeded by combining clear evidence of its long-established trademark rights with proof of active credential harvesting. By documenting its United Kingdom Registration No. UK00002313916 from April 30, 2004, and showcasing its massive digital footprint—including 41.6 million unique visits in March 2025 alone—the Complainant established that the trademark SKYSCANNER was highly recognizable. This strong brand equity made the unauthorized registration of the disputed domains, which incorporated the trademark alongside travel-related terms, a clear case of confusing similarity. Skyscanner further solidified its bad faith argument by demonstrating that the domains resolved to identical web pages containing deceptive login screens designed to collect sensitive personal data.
The case highlights the limitations of a passive reseller defense and the operational risks associated with registrar inaction. One of the recorded owners tried to deflect liability by claiming to be a domain reseller acting on behalf of an unnamed customer, offering to return the domain ‘skyscanner-flightbook.com’ and signing a settlement agreement on July 24, 2025. However, because the registrar, Cosmotown, Inc., failed to execute the agreed-upon transfer, the case was forced to proceed to a full decision. Skyscanner’s decision to file a comprehensive consolidated complaint ensured that despite the registrar’s failure to process the voluntary settlement, the Panelist William Lobelson could still order a complete transfer of all four disputed domains based on the undeniable bad faith usage.
Practical Recommendations
- Closely monitor registrar compliance during settlement windows; if a registrar (such as Cosmotown) fails to execute a signed settlement transfer, immediately request the UDRP provider to reinstate the suspended proceedings to secure an enforceable panel decision.
- Defeat the ‘innocent reseller’ defense by reminding the panel that a reseller remains legally responsible for the bad-faith registration and use of a domain, and cannot escape liability for hosting deceptive phishing portals by blaming an unnamed downstream customer.
- Consolidate multiple domain disputes into a single UDRP complaint when they utilize identical phishing templates or credential-harvesting structures, establishing a clear pattern of coordinated, bad-faith targeting.
- Expand proactive domain monitoring programs to flag high-risk brand-plus-keyword combinations (such as ‘brand + flight’ or ‘brand + booking’) to intercept deceptive travel-portal impersonations before they can compromise customer credentials.
Frequently Asked Questions (FAQ)
Why did the Panel find the domains confusingly similar to the Skyscanner brand?
The Panel determined that the disputed domains—such as skyscanner-flightbook.com—directly incorporated the SKYSCANNER trademark in its entirety. By appending descriptive terms like ‘flightbook’ or ‘flightbooking,’ the domains created a false association with the Complainant’s well-known global travel service.
Did the reseller’s claim of ‘good faith’ on behalf of a client successfully defend the case?
No. While the respondent claimed to be a reseller acting for a third party and offered to return the domain, the Panel rejected this as a valid defense. The active use of the domains to host deceptive phishing login portals to harvest user credentials clearly negated any claims of legitimate interest or good faith.
How did registrar inaction impact the recovery of the domain names?
Despite a signed settlement agreement reached on July 24, 2025, between Skyscanner and the respondent, the registrar, Cosmotown, Inc., failed to execute the transfer. This administrative failure left the dispute unresolved, forcing the Complainant to proceed to a full UDRP panel decision to secure the forced transfer of all four domains.
What evidence established the bad faith registration and use of these domains?
Bad faith was proven by the respondent’s decision to resolve all four domains to identical replica login pages. These portals were specifically designed to mimic the official Skyscanner platform, demonstrating an intent to target the Complainant’s brand to intercept and harvest sensitive personal user credentials.
Found a brand-plus-keyword impersonation domain?
Protect your brand from deceptive domains using your trademarks alongside descriptive terms. Learn how to mitigate risks when settlements fail and registrars become a bottleneck in your enforcement strategy.
This case note is for informational purposes only and is not legal advice.



