Lookalike and impersonation domains, caught the day they're registered.

Phishing campaigns start with a domain registration. The window between registration and use is short (typically days), and the most damaging campaigns weaponize the domain within hours. Fraudulent Domain Monitoring continuously catches lookalike registrations across every TLD, with eight confusable match types covering the homoglyph attacks that simple typo detection misses entirely.

WHAT THIS DOES

Detection across every TLD, every confusable variant.

Provide your protected brand domains. Deepinfo monitors new domain registrations continuously across the full TLD space, matching new registrations against eight categories of confusable variants. Detection happens within hours of the new registration appearing in zone files.

Each detection includes the registered domain, the variant type that matched, the registration date, the registrar, the resolution status (live, parked, registered-not-resolving), and any infrastructure indicators that suggest planned use (NS pointing to known phishing infrastructure, SSL certificate already issued, MX records configured).

HOW IT WORKS

Eight confusable match types, one detection engine.

Typo and homoglyph variants. Brand-keyword combinations. TLD variants and IDN. Eight categories total, all monitored in parallel against new registrations across the full TLD space.

Typo and homoglyph.

Character substitutions (deepinfo → deeplnfo, with a lowercase L in place of the i), character omissions, character additions, and keyboard-adjacent typos, plus homoglyph attacks using visually similar Unicode characters from non-Latin alphabets (the most-missed phishing vector).

Brand-keyword combinations.

Your brand combined with security-related keywords: brand-secure, brand-login, brand-support, brand-verify. Any registration combining your brand with a phishing-suggestive prefix or suffix gets flagged.

TLD variants and IDN.

Your brand registered under different TLDs (.com vs .co vs .org vs ccTLDs). Internationalized domain names (IDN) using non-Latin character sets that render identically to your brand in some browsers.
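
A minimal classifier for the variant types described above, added here as an illustration and not Deepinfo's detection engine. The confusables map, keyword list, edit-distance threshold and function names are assumptions; inputs are assumed to be registered domains without subdomains, and IDN lookalikes are reported under homoglyph because both reduce to the same skeleton comparison.

```python
import unicodedata

# Constructed, tiny confusables map (assumption); real coverage needs UTS #39 data.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic a, e, o, er
    "\u0441": "c", "\u0456": "i", "\u04cf": "l", "\u0501": "d",  # Cyrillic es, i, palochka, de
}
KEYWORDS = ("secure", "login", "support", "verify")  # the keywords the page names
MAX_EDITS = 1  # assumed threshold; short brands need a stricter rule

def split_domain(domain):
    """Decode punycode labels, then split a registered domain into (name, tld)."""
    labels = []
    for label in domain.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # malformed A-label: keep the raw text
        labels.append(label)
    return labels[0], ".".join(labels[1:])

def skeleton(name):
    """Fold compatibility forms and mapped confusables to a Latin skeleton."""
    folded = unicodedata.normalize("NFKC", name)
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)

def edit_distance(a, b):
    """Levenshtein distance: substitutions, omissions and additions cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(candidate, protected):
    """Return the variant type of candidate against protected, or None."""
    brand, brand_tld = split_domain(protected)
    name, tld = split_domain(candidate)
    if name == brand:
        return None if tld == brand_tld else "tld-variant"
    folded = skeleton(name)
    if folded == brand:
        return "homoglyph"  # differs from the brand only by confusable characters
    if brand in folded and folded.replace(brand, "", 1).strip("-") in KEYWORDS:
        return "brand-keyword"
    return "typo" if edit_distance(folded, brand) <= MAX_EDITS else None
```

Calling `classify("deeplnfo.com", "deepinfo.com")` returns `"typo"`; the same label written with Cyrillic letters, in Unicode or punycode form, returns `"homoglyph"`.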

WHAT IT SURFACES

Examples of what each domain alert contains.

Registered domain

The new lookalike registration plus the variant type that matched (typo, homoglyph, brand-keyword, TLD variant, or IDN).

Registration date and registrar

When the domain was registered and which registrar accepted the registration.

Resolution status

Live, parked, or registered-not-resolving, helping triage the urgency of the alert.

NS pointing

Name servers pointing to known phishing infrastructure, a high-confidence threat indicator.

SSL certificate already issued

Certificate Transparency logs show a certificate issued for the lookalike domain, indicating planning for active use.

MX records configured

Email-routing records configured, suggesting planned email-impersonation use.

Confidence score

Combined score blending variant similarity, infrastructure signals, and known-pattern matching for triage.

PART OF BRP

Domain detection feeds takedown action.

Fraudulent Domain Monitoring detects; Managed Takedown acts. When a fraudulent domain is detected with high-confidence threat indicators, Deepinfo's takedown service can pursue removal directly with registrars, hosting providers, and CDNs. Detection without action is half the workflow; the integration with takedown closes the loop.

“Catching lookalike domains the day they're registered, before the phishing campaign goes live, fundamentally changed what we can prevent. We removed entire phishing waves before any customer received a single message.”

— Head of Brand Protection, Major Retailer

PROTECT YOUR BRAND

See lookalike domains currently registered against you.

Run Deepinfo against your brand domains. The free threat exposure report includes a lookalike-domain scan; continuous monitoring picks up from there.