Brand Monitoring: Catching Lookalike Domains Before Your Customers Do
Attackers register domains that impersonate yours, then use them to phish your customers. Continuous brand monitoring generates the likely lookalikes, watches Certificate Transparency logs for the rest, and surfaces the ones worth acting on.
Video: How lookalike and typosquat domains impersonate you, and how continuous monitoring catches them.
TL;DR
1. Attackers register lookalike and typosquat domains to impersonate your brand and phish your customers.
2. Continuous monitoring catches them two ways: by generating the likely permutations of your domain, and by watching Certificate Transparency logs for new certificates on names that resemble yours.
3. Both feeds are risk-scored and surfaced so you act on the dangerous handful, not the thousands of theoretical variants.
What it does
Brand monitoring is the practice of continuously watching for domains that impersonate yours before they are used against your customers. An attacker who wants to phish your users does not break into your systems; they register <code>your-brand-login.com</code> or <code>yourbrand.co</code>, clone your login page, and send a convincing email. The domain costs under ten dollars and goes live in minutes. The only way to get ahead of it is to be watching for it.
The challenge is that the space of plausible lookalikes is enormous, far too large to register defensively or to eyeball by hand. A single brand has thousands of credible permutations: typos, dropped letters, swapped TLDs, hyphenated splits, homoglyphs, and contextual combosquats. Monitoring has to generate that space, watch for which variants actually exist, and then narrow thousands of possibilities down to the few that matter.
It does that with two complementary feeds. The first <strong>generates the likely permutations</strong> of your domain and checks which are registered and live. The second <strong>watches Certificate Transparency logs</strong>, the public record of every TLS certificate issued, for new certificates on names that resemble yours, which catches lookalikes the moment an attacker provisions HTTPS, often before the phishing campaign even launches. Both feeds are risk-scored so you spend attention on the dangerous handful, not the theoretical thousands.
How it works
1. <strong>Generate the likely permutations.</strong> Monitoring starts by expanding your domain into a deduplicated list of lookalike variants, emitted in priority order so the highest-signal squats come first. The families include TLD swaps (<code>yourbrand.co</code> for <code>yourbrand.com</code>), subdomain-style prefix spoofs (<code>secure-yourbrand.com</code>, <code>mail-yourbrand.com</code>), keyboard typos, dropped, transposed and doubled letters, hyphen insertions, and ASCII homoglyphs. Priority mirrors real phishing prevalence, so a caller capping the list at N gets the most dangerous variants first.
2. <strong>Watch Certificate Transparency logs.</strong> Every publicly trusted TLS certificate is logged to Certificate Transparency. Querying those logs (via crt.sh) for certificates issued on names similar to yours surfaces lookalikes as they come online. This catches variants the permutation generator never thought of, and it catches them early: attackers provision a certificate before they serve a convincing HTTPS phishing page, so the certificate is often the first observable signal.
3. <strong>Filter the CT feed to genuine lookalikes.</strong> CT logs are noisy. A shared-hosting certificate can list dozens of unrelated names on one certificate, and your own legitimate subdomains show up constantly. The feed drops your real subdomains and keeps only names whose base resembles your brand, so an unrelated domain that happened to share a certificate with yours does not become a false alert.
4. <strong>Risk-score and surface.</strong> Each candidate from either feed is scored from a weighted set of signals (DNS, certificate, web, and mail presence) into a risk level, then deduplicated against existing alerts so you are notified once per new threat, not repeatedly for the same domain. The output is a ranked list of the lookalikes worth your attention.
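The pipeline described in steps 1, 3 and 4 above, as one added Python example that is not the product's own code: a permutation generator that emits the variant families in priority order with deduplication, a CT-feed filter that drops the brand's own subdomains and keeps only names whose labels resemble the brand, and a weighted risk scorer that deduplicates against existing alerts. The brand name <code>yourbrand.com</code>, the TLD and prefix lists, the homoglyph and keyboard tables, the signal weights and thresholds, and the CT feed entries are all constructed for this example. Step 2's crt.sh query is not shown; the constructed SAN list stands in for its result.

```python
"""Constructed lookalike-domain monitor: permutation generation, CT-feed
filtering and risk scoring. Added example, not the product's code; every
name, list, weight and threshold below is a hypothetical stand-in."""
import difflib

BRAND = "yourbrand.com"                            # hypothetical monitored brand
SWAP_TLDS = ["co", "net", "org", "io", "cm"]       # common TLD swaps (assumed list)
PREFIXES = ["secure", "login", "mail", "account"]  # subdomain-style prefix spoofs
HOMOGLYPHS = {"o": "0", "l": "1", "i": "l", "a": "e", "u": "v"}  # ASCII look-alikes
QWERTY = {  # keyboard adjacency used for typo variants
    "q": "wa", "w": "qeas", "e": "wrsd", "r": "etdf", "t": "ryfg", "y": "tugh",
    "u": "yihj", "i": "uojk", "o": "ipkl", "p": "ol", "a": "qwsz", "s": "awedxz",
    "d": "serfcx", "f": "drtgvc", "g": "ftyhbv", "h": "gyujnb", "j": "huikmn",
    "k": "jiolm", "l": "kop", "z": "asx", "x": "zsdc", "c": "xdfv", "v": "cfgb",
    "b": "vghn", "n": "bhjm", "m": "njk",
}


def permutations(domain, limit=None):
    """Deduplicated lookalike variants, highest-signal families first, so a
    caller capping at `limit` gets the most dangerous ones."""
    base, tld = domain.lower().rsplit(".", 1)
    out, seen = [], {domain.lower()}

    def add(name):
        if name not in seen:               # dedup across families
            seen.add(name)
            out.append(name)

    for t in SWAP_TLDS:                                   # 1. TLD swaps
        add(f"{base}.{t}")
    for p in PREFIXES:                                    # 2. prefix spoofs
        add(f"{p}-{base}.{tld}")
    for i, ch in enumerate(base):                         # 3. keyboard typos
        for n in QWERTY.get(ch, ""):
            add(f"{base[:i]}{n}{base[i + 1:]}.{tld}")
    for i in range(len(base)):                            # 4. dropped letter
        add(f"{base[:i]}{base[i + 1:]}.{tld}")
    for i in range(len(base) - 1):                        # 5. transposed pair
        add(f"{base[:i]}{base[i + 1]}{base[i]}{base[i + 2:]}.{tld}")
    for i, ch in enumerate(base):                         # 6. doubled letter
        add(f"{base[:i + 1]}{ch}{base[i + 1:]}.{tld}")
    for i in range(1, len(base)):                         # 7. hyphen insertion
        add(f"{base[:i]}-{base[i:]}.{tld}")
    for i, ch in enumerate(base):                         # 8. homoglyphs
        if ch in HOMOGLYPHS:
            add(f"{base[:i]}{HOMOGLYPHS[ch]}{base[i + 1:]}.{tld}")
    return out[:limit] if limit else out


def resembles(label, base, threshold=0.8):
    """A label resembles the brand if it contains it (prefix spoofs) or is
    close by edit similarity (typos, homoglyphs). Threshold is assumed."""
    if base in label.replace("-", ""):
        return True
    return difflib.SequenceMatcher(None, label, base).ratio() >= threshold


def filter_ct_names(names, brand=BRAND):
    """Keep CT names that are genuine lookalikes: drop the brand's own
    subdomains and any unrelated name that merely shared a certificate."""
    base = brand.lower().rsplit(".", 1)[0]
    keep = []
    for raw in names:
        name = raw.lower().lstrip("*.")               # wildcard SAN entries
        if name == brand or name.endswith("." + brand):
            continue                                  # our own legitimate name
        labels = name.split(".")[:-1]                 # every label but the TLD
        if any(resembles(lb, base) for lb in labels) and name not in keep:
            keep.append(name)
    return keep


WEIGHTS = {"dns": 1, "cert": 2, "web": 3, "mail": 4}  # assumed signal weights


def risk_level(signals):
    """Weighted presence of DNS, certificate, web and mail signals -> level."""
    score = sum(WEIGHTS[k] for k, present in signals.items() if present)
    return "high" if score >= 6 else "medium" if score >= 3 else "low"


def triage(candidates, signals_by_domain, already_alerted):
    """Score each candidate, skip ones already alerted on, rank by risk."""
    order = {"high": 0, "medium": 1, "low": 2}
    ranked = [(d, risk_level(signals_by_domain.get(d, {})))
              for d in candidates if d not in already_alerted]
    return sorted(ranked, key=lambda item: order[item[1]])


if __name__ == "__main__":
    # Constructed CT feed: the SAN list of one shared-hosting certificate.
    ct_feed = ["www.yourbrand.com", "shop.unrelated-store.net",
               "secure-yourbrand.com", "y0urbrand.com", "*.yourbrand.co"]
    lookalikes = filter_ct_names(ct_feed)
    constructed_signals = {   # what DNS/TLS/HTTP/MX probes would have returned
        "secure-yourbrand.com": {"dns": True, "cert": True, "web": True, "mail": True},
        "y0urbrand.com": {"dns": True, "cert": True},
        "yourbrand.co": {"dns": True},
    }
    for domain, level in triage(lookalikes, constructed_signals, set()):
        print(f"{level:6} {domain}")
```

In production the signal dictionaries come from live DNS, certificate, HTTP and MX probes of each candidate; here they are passed in so the scoring and ranking logic runs offline. The <code>limit</code> argument is what lets a caller take the first N permutations and still get the TLD swaps and prefix spoofs before the long tail of keyboard typos.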
Common pitfalls
- <strong>Trying to register every variant defensively.</strong> The permutation space runs to thousands of names per brand. Buying them all is neither affordable nor effective. Register the highest-risk handful yourself and <em>monitor</em> the rest, which is what continuous monitoring is for.
- <strong>Relying on permutations alone.</strong> A generated list catches the predictable squats but misses creative lookalikes an algorithm would not produce. Certificate Transparency catches those because it observes what attackers actually register, not what you predicted they might.
- <strong>Treating every CT hit as a threat.</strong> CT logs are full of shared-certificate noise and your own subdomains. Without similarity filtering, the feed drowns the real signals in false positives, which trains people to ignore the alerts entirely.
- <strong>Running it once and stopping.</strong> Attackers register new domains continuously. A quarterly scan finds today's lookalikes and none of next week's. The whole value is in the word "continuous."