Domain & Brand Look-alikes
The Domain & Brand Look-alikes module covers surface-web sites and domains that imitate official brands to enable phishing, fraud, or traffic hijacking. It focuses on domain variations, deceptive registrations, and cloned pages that resemble legitimate assets closely enough to confuse users.
What We Monitor
Domain permutations and IDNs: variations created via typosquatting, homograph/Unicode swaps, bitsquatting, TLD swaps, and subdomain tricks that resemble official domains.
New certificates & subdomains: certificate issuance that mentions brand domains (via Certificate Transparency) and subdomain discoveries.
Live site clones: pages that copy branding, layouts, or flows from the official site to collect credentials or payments. Similarity is checked against the legitimate site.
Registration & DNS signals: WHOIS data, name servers, and DNS records that indicate newly activated or misconfigured look-alike infrastructure.
How We Detect
Candidates are generated with multiple domain-fuzzing strategies. They’re then compared to monitored brands using weighted similarity measures to highlight the closest matches. To catch active infrastructure early, the system watches CT logs for certificates that include monitored names and extracts SAN entries to reveal new hostnames; subdomains are also enumerated via search engines and CT sources. Each candidate is validated with DNS/WHOIS checks and content analysis. Pages are fingerprinted (screenshots, perceptual hashes and fuzzy hashing) and compared to the official site to spot clones even when HTML differs.
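The candidate-generation and scoring step described above, as an added example that is not the product's own code: it derives look-alike names with several fuzzing strategies (typosquatting, homoglyph swaps, bitsquatting, TLD swaps and subdomain tricks), scores each against the monitored brand with a weighted similarity that also folds confusables back to ASCII, and converts IDN candidates to their xn-- form so they can be matched against DNS and Certificate Transparency entries. The brand example.com, the confusable table, the TLD list, the weights and the 0.85 threshold are assumptions chosen for illustration.

```python
from difflib import SequenceMatcher

# Constructed example brand; any monitored domain works here.
BRAND = "example.com"

# Small confusables table (illustrative subset): ASCII letter -> look-alike glyphs.
# "\u0430", "\u0435", "\u043e" are Cyrillic а, е, о.
HOMOGLYPHS = {
    "a": ["\u00e0", "\u00e1", "\u0430"],
    "e": ["\u00e8", "\u00e9", "\u0435"],
    "o": ["0", "\u00f6", "\u043e"],
    "l": ["1"],
    "m": ["rn"],
    "w": ["vv"],
}
TLDS = ["com", "net", "org", "co", "io", "info"]  # assumed watch list


def split_domain(domain):
    """Split 'label.tld' into (label, tld); the label part may contain dots."""
    label, _, tld = domain.rpartition(".")
    return label, tld


def typosquats(label):
    """Character omission, duplication and adjacent transposition."""
    out = set()
    for i in range(len(label)):
        out.add(label[:i] + label[i + 1:])                      # omission
        out.add(label[:i] + label[i] * 2 + label[i + 1:])        # duplication
        if i < len(label) - 1:                                   # transposition
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    out.discard(label)
    return out


def homoglyph_swaps(label):
    """Replace one character with a visually similar glyph."""
    return {label[:i] + g + label[i + 1:]
            for i, ch in enumerate(label) for g in HOMOGLYPHS.get(ch, [])}


def bitsquats(label):
    """Flip a single bit in one character, keeping only valid label characters."""
    out = set()
    for i, ch in enumerate(label):
        for bit in range(7):
            c = chr(ord(ch) ^ (1 << bit))
            if c.isascii() and (c.isalnum() or c == "-"):
                out.add(label[:i] + c.lower() + label[i + 1:])
    out.discard(label)
    return out


def tld_swaps(label, tld):
    return {f"{label}.{t}" for t in TLDS if t != tld}


def subdomain_tricks(label, tld):
    """Insert a dot so part of the brand reads as a subdomain, e.g. exam.ple.com."""
    return {f"{label[:i]}.{label[i:]}.{tld}" for i in range(1, len(label))}


def generate_candidates(brand):
    """Return {candidate_domain: strategy}; the first strategy to yield a name wins."""
    label, tld = split_domain(brand)
    strategies = [
        ("typosquat", {f"{n}.{tld}" for n in typosquats(label)}),
        ("homoglyph", {f"{n}.{tld}" for n in homoglyph_swaps(label)}),
        ("bitsquat", {f"{n}.{tld}" for n in bitsquats(label)}),
        ("tld-swap", tld_swaps(label, tld)),
        ("subdomain", subdomain_tricks(label, tld)),
    ]
    cands = {}
    for name, domains in strategies:
        for d in sorted(domains):
            cands.setdefault(d, name)
    cands.pop(brand, None)
    return cands


def normalize(label):
    """Fold confusables back to ASCII so 'examp1e' compares equal to 'example'."""
    for ascii_ch, glyphs in HOMOGLYPHS.items():
        for g in glyphs:
            label = label.replace(g, ascii_ch)
    return label


def similarity(candidate, brand):
    """Weighted score in [0, 1]: raw edit similarity, confusable-folded similarity, TLD match."""
    c_label, c_tld = split_domain(candidate)
    b_label, b_tld = split_domain(brand)
    flat = c_label.replace(".", "")   # subdomain tricks are compared dot-free
    raw = SequenceMatcher(None, flat, b_label).ratio()
    folded = SequenceMatcher(None, normalize(flat), b_label).ratio()
    tld_score = 1.0 if c_tld == b_tld else 0.5
    return round(0.35 * raw + 0.45 * folded + 0.20 * tld_score, 3)


def to_punycode(domain):
    """ASCII (xn--) form of an IDN candidate, as it appears in DNS and CT logs."""
    return domain.encode("idna").decode("ascii")


def rank_candidates(brand, threshold=0.85):
    """Candidates scoring at or above the threshold, highest score first."""
    rows = [(d, s, similarity(d, brand)) for d, s in generate_candidates(brand).items()]
    rows = [r for r in rows if r[2] >= threshold]
    return sorted(rows, key=lambda r: (-r[2], r[0]))


if __name__ == "__main__":
    for domain, strategy, score in rank_candidates(BRAND)[:15]:
        print(f"{score:.3f}  {strategy:10s} {domain}  ({to_punycode(domain)})")
```

The folded similarity is what makes a homoglyph such as examp1e.com outscore a plain transposition like exampel.com: after confusables are folded, the label is identical to the brand, which is exactly the case a user is most likely to miss. The xn-- form matters for the CT and DNS checks that follow, since logs and zone data carry the encoded name rather than the Unicode one.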
Why This Matters
Look-alike domains are a common foundation for phishing, credential theft, brand abuse, and malware delivery. Detecting them at the moment of appearance, when a certificate is issued, DNS goes live, or a clone is first published, gives security teams time to block, take down, or warn users before large-scale impact. Continuous coverage of permutations, certificates, subdomains, and page similarity reduces blind spots and strengthens brand and user protection within the DRP program.