Domain Monitoring
Detect lookalike domains hours after registration
Certificate Transparency logs publish every new SSL cert within minutes of issuance. Brandefense queries these logs against your brand keyword list and cross-references WHOIS delta feeds to surface typosquats before they reach victims.
How detection works
Three data sources, one converging alert
Brandefense runs three parallel scrapers against your brand keywords every 24 hours:
CT Log Monitor — queries crt.sh and Google Argon for new certificates containing your brand terms. Lookalike domains almost always register SSL certs within hours of DNS creation.
WHOIS Delta Feed — monitors newly registered domain zones for keyword patterns using ICANN-sourced zone file deltas. Cross-referenced with RDAP for registration metadata.
Keyword Scoring — each candidate domain is scored using a weighted mix of Levenshtein distance, homograph detection, brand-name prefix/suffix patterns, and TLD risk scoring.
Alert types
Four lookalike domain patterns we catch
Typosquat
Character substitution, transposition, and omission — e.g. "yourbnk.com" for "yourbank.com". Most common attack vector for keyboard-error phishing.
IDN Homograph
Internationalized domain names using visually similar Unicode characters — e.g. Cyrillic 'а' replacing ASCII 'a'. Invisible to most users in browser URL bars.
Brand-Name Prefix/Suffix
Legitimate brand name combined with phishing-signal words — e.g. "secure-yourbank.com", "yourbank-verify.net", "login.yourbank-auth.com".
Phishing Kit Fingerprint
Domains serving known phishing kit HTML signatures (16Shop, xBalti variants) detected via page hash matching against our kit signature database.
Domain monitoring
Stop lookalike domains before the first phish lands
Brandefense monitors your brand keywords daily across CT logs, WHOIS delta feeds, and passive DNS. The demo includes a live scan of your brand namespace — lookalike domains already registered against you will appear.