by starfox64_ 1030 days ago
I think it's a good initiative, it's obviously there for CAs to make a buck but it's finally a way to arguably curb phishing emails that rely on similar domain names or IDN characters all the while making your brand identity more prominent.

It seems to also have learned from one of Extended Validation certificates' shortcomings by relying on trademark instead of company name. I actually wish something similar was created to replace EV certificates, as it's easier than ever to perform phishing attacks now that everyone and their grandma has a DV certificate on their site (which is a good thing).


Trademarks still aren't 100% unique, though. For example, Apple Records is easily confused with Apple Music - both have a similar name, and both use an apple as logo. It is better, but not foolproof.
Yes, but Apple Records aren't going to be phishing Apple Music customers.

Phishers won't be applying for trademarks to impersonate Apple.

Maybe not intentionally, but a basically dormant company like Apple Records could very well provide a really attractive attack vector. Their security is probably going to be orders of magnitude worse than Apple Music's, so why not just hack Apple Records instead?
Why not?
Expensive, you'll leave a paper trail, get shut down rather quickly. There's little to no profit that can be made like that.
Registering a domain and hosting a phishing website usually comes at a small price (around $10), which is just 1% of the VMC (I just learned that).

“Expensive” is very subjective, I think it highly depends on the financial standard of the actor and the expected value.

In the case of Apple: if it is expected to aid in phishing an interesting iCloud user, or scamming 100 users for $10, then I expect that there will be actors that will pay this initial cost to make more later on.

I agree that the classic mass-mail LQ phish actors would probably not go here, but the same holds for smaller organizations. With the current price tag, end users then still have to trust non-BIMI and BIMI-verified e-mails daily.

That seems to leave plenty of room for phishing. Also, if VMC prices drop, it will also attract more phish actors.

Though I see your point, I do not think that a financial bar is effectively combating phishing.

I do not know how valid the paper trail concern is; I haven’t gone through the VMC procedure(s).

You don't just need the VMC itself, you have to get a registered trademark, which is also probably up there in the thousands.

> I do not know how valid the paper trail concern is; I haven’t gone through the VMC procedure(s).

You can currently steal a credit card, lie to a registrar and start your phishing campaign. Having to have a legal entity for a phish paints a nice target on your back.