# Look-alike Domains
Look-alike domains are a primary vector for phishing and brand impersonation. Flare provides automated monitoring to detect these domains when they are registered or issued an SSL certificate.

## Detection Methodology

Flare utilizes two distinct engines to ensure comprehensive coverage across the web.

### 1. Real-Time Certificate Transparency (Live)

Flare monitors Certificate Transparency (CT) logs in real time. Whenever a new SSL certificate is publicly issued (see https://certificate.transparency.dev/), our system analyzes the domain name against your protected identifiers.

- **Strength:** Detects malicious sites the moment they are prepared for HTTPS traffic.
- **Limitation:** This is a "live" stream only; it does not provide historical data for certificates issued before your identifier was created.

### 2. Algorithmic Domain Fuzzing (Historical & Active)

Using an advanced implementation of domain fuzzing, Flare proactively generates thousands of permutations of your domain and checks for active DNS records.

- **Strength:** Identifies domains that were registered months or years before you joined Flare.
- **Frequency:** Checks are performed on a rolling basis (daily or weekly, depending on the permutation strategy).

## Important Considerations

- **Identifier exclusions:** If you own example.com and example.ca and have added both as identifiers, Flare will not alert you on one being a look-alike of the other.
- **Combination limits:** To ensure high performance and low false-positive rates, Flare does not typically detect "double permutations" (e.g., a domain that uses both a character deletion and a dictionary addition).
- **Supported TLDs:** Flare monitors over 80 of the most common and high-risk top-level domains, including .com, .net, .io, .app, and various country codes like .ca, .uk, and .ru. Be aware that .ph domains behave differently from other TLDs; to learn more, see https://docs.flare.io/respond-to-ph-domain-alerts#why-ph-domains-behave-differently. To confirm whether your TLDs of interest are supported, please reach out to Flare's support team.
## Permutation Strategies

Flare utilizes many different techniques to try to find possible look-alike domains. Details of the permutation strategies we employ can be found at https://docs.flare.io/permutation-strategies.

## Identifier Matching

If you have two domain identifiers, abc.ca and aabc.ca, we will not create look-alike domain events for abc.ca or aabc.ca, even though they are both look-alikes of each other. Note that if the aabc.ca domain identifier is added after a look-alike event has already been added to the feed of abc.ca, we will not remove the event from the feed.

Certstream only detects newly registered domains in real time, and we do not have historical data from this source. We also cannot backfill matches from Certstream on new domains.

dnstwist will detect domains that are currently registered, no matter how long ago they were first registered. However, if a domain was registered in the past, then expired and is no longer registered, dnstwist will not pick it up.

## Scoring

The default severity score for most SSL certificate registrations found is Low. However, multiple factors enter into our risk classification algorithm, possibly pushing the risk score either way.

Factors leading to lower scores include whether Flare suspects the registered domain belongs to you, looking, among other things, at the domain and TLD. In the case of a subdomain registration, various trustworthy cloud and hosting services automatically register domains that follow a specific pattern.

Factors leading to a higher severity score include the registration authority, the similarity between domains, and how many domains were registered at once.
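The following is an added illustration, not Flare's code: a minimal matcher that generates single-step permutations of a protected identifier (one character deletion, one dictionary addition, or one TLD swap, with no stacked "double permutations"), checks a batch of observed domain names against them, and applies the identifier exclusion rule so that example.ca is never reported as a look-alike of example.com when both are identifiers. All function names, the dictionary words and the sample domains are constructed for the example.

```python
from typing import Iterable

# Constructed dictionary words; the TLD list is taken from the page's examples.
DICTIONARY = ("login", "secure", "support")
COMMON_TLDS = ("com", "net", "io", "app", "ca", "uk", "ru")

def split_domain(domain: str) -> tuple[str, str]:
    """Split 'name.tld' into (name, tld); only the last label is treated as the TLD."""
    name, _, tld = domain.lower().rpartition(".")
    return name, tld

def single_permutations(identifier: str) -> set[str]:
    """One-step permutations only: a character deletion, a dictionary addition,
    or a TLD swap. Nothing here stacks two steps (the page's combination limit)."""
    name, tld = split_domain(identifier)
    out: set[str] = set()
    for i in range(len(name)):                  # character deletion
        out.add(f"{name[:i]}{name[i + 1:]}.{tld}")
    for word in DICTIONARY:                     # dictionary addition
        out.add(f"{name}-{word}.{tld}")
        out.add(f"{name}{word}.{tld}")
    for other in COMMON_TLDS:                   # TLD swap
        if other != tld:
            out.add(f"{name}.{other}")
    out.discard(identifier.lower())
    return out

def lookalike_events(identifiers: Iterable[str], observed: Iterable[str]) -> list[tuple[str, str]]:
    """Match observed domains (e.g. names seen on newly issued certificates)
    against each identifier's permutation set. A domain that is itself one of
    the identifiers is never reported, i.e. the page's identifier exclusion."""
    idents = {i.lower() for i in identifiers}
    perms = {ident: single_permutations(ident) for ident in idents}
    events: list[tuple[str, str]] = []
    for domain in (d.lower() for d in observed):
        if domain in idents:
            continue
        for ident in sorted(idents):
            if domain in perms[ident]:
                events.append((domain, ident))
    return events

# Constructed sample: both identifiers are owned, the rest is a batch of names
# as a certificate stream might surface them.
IDENTIFIERS = ["example.com", "example.ca"]
OBSERVED = ["exmple.com", "example.ca", "example-login.com", "exmple-login.com", "unrelated.org"]

if __name__ == "__main__":
    for domain, ident in lookalike_events(IDENTIFIERS, OBSERVED):
        print(f"{domain} is a look-alike of {ident}")
```

Note that exmple-login.com (a deletion plus a dictionary addition) is not reported, matching the combination limit described above.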