Lookalike Domains
The anatomy of a lookalike domain attack
Attackers register a domain that looks like yours — one letter off, a homograph character swap, or "yourbank-secure" — then deploy a phishing kit within hours. The race is against victim arrival, not registrar response.
Domain anatomy
How attackers construct a lookalike
Typosquat
Single-character changes: substitution (o→0), transposition (ba→ab), omission (ban→bn), addition (bank→bankk). Automated tools generate hundreds of variants per brand in seconds. A candidate within Levenshtein distance ≤ 2 of the target is high risk.
IDN Homograph
Unicode characters visually identical to ASCII — Cyrillic 'а' (U+0430) vs ASCII 'a' (U+0061). Renders identically in most browser URL bars. Particularly effective against brands with a/e/o characters in the name.
Brand Prefix/Suffix
Appends trust-signaling words to the brand name: secure-, verify-, login-, -support, -official, -help. Passes casual URL inspection because the brand name itself is spelled correctly.
TLD Substitution
Registers the brand name under a different TLD: .net instead of .com, country-code TLDs (.cc, .co, .uk), or new gTLDs (.shop, .online, .store). Often used for regional targeting campaigns.
Detection methodology
Hours-early detection via Certificate Transparency
Most lookalike domains obtain an SSL certificate within hours of DNS creation, because modern browsers display security warnings on HTTP sites. CT logs record every issued certificate within minutes.
Brandefense continuously queries CT log sources (crt.sh, Google Argon, Cloudflare Nimbus) for certificates containing your brand keywords. Each match is scored using Levenshtein distance, homograph pattern matching, and phishing-signal suffix/prefix lists.
Median time from domain registration to Brandefense alert: 2–4 hours. Median time from domain registration to first victim phish: ~4 hours (DRP industry benchmark).
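The scoring step described above, sketched as an added example (not Brandefense's code): it classifies hostnames seen in certificates into the four lookalike constructions using edit distance, confusable folding, and the affix list. The brand "yourbank", the legitimate TLD "com", the small Cyrillic map, and the sample hostnames are assumptions constructed for illustration.

```python
# Added example. AFFIXES comes from the page's prefix/suffix list; CONFUSABLES is a
# small constructed subset (Cyrillic -> ASCII), not a complete confusables table.
AFFIXES = {"secure", "verify", "login", "support", "official", "help"}
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c"}

def levenshtein(a, b):
    """Edit distance (insert, delete, substitute), computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def decode_label(label):
    """Certificates carry IDNs as xn-- punycode; decode so homographs become visible."""
    if label.startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label  # malformed label: score it as plain text
    return label

def classify(hostname, brand="yourbank", tld="com"):
    """Return the lookalike techniques a certificate hostname matches for `brand`.
    Assumption: the registered name is the second-to-last label (no public-suffix list)."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return set()
    name, cand_tld = decode_label(labels[-2]), labels[-1]
    skeleton = "".join(CONFUSABLES.get(ch, ch) for ch in name)  # fold confusables to ASCII
    parts = skeleton.split("-")
    hits = set()
    if skeleton == brand:
        if cand_tld != tld:
            hits.add("tld-substitution")
    elif brand in parts and AFFIXES.intersection(parts):
        hits.add("brand-affix")
    elif levenshtein(skeleton, brand) <= 2:  # the page's high-risk threshold
        hits.add("typosquat")
    if skeleton != name and (hits or skeleton == brand):
        hits.add("homograph")  # brand-related name that only matches after folding
    return hits

# Constructed sample hostnames, as they might appear in CT log entries.
SAMPLES = ["yourbank.com", "y0urbank.com", "yourbank-secure.com", "yourbank.shop",
           "xn--" + "yourb\u0430nk".encode("punycode").decode("ascii") + ".com"]
if __name__ == "__main__":
    for host in SAMPLES:
        print(host, sorted(classify(host)) or "no match")
```

Folding confusables before measuring distance matters: the punycode sample is far from the brand as an ASCII string, and matches it exactly only after it is decoded and folded.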
Get started
Lookalike domains are being registered now
Brandefense will find them in the next scrape cycle.