Search for domains impersonating your own
    • 23 May 2023
    • 2 Minutes to read
    • Dark
      Light

    Search for domains impersonating your own

    • Dark
      Light

    Article summary

    The Silent Push Brand Impersonation query checks for domains that are spelt similarly to your own (e.g micorsoft[.]com] instead of microsoft[.]com), allowing you to target malicious domains that exist solely to capture traffic intended for your company or supply chain websites.

    Brand Impersonation searches are more effective when run on domains containing 5 or more characters, or domains that aren't an acronym (e.g. LSEG[.]com). When scanning a domain name that contains up to 4 characters, a swapped character is of markedly less use as an indicator of malicious activity.

    Searching for brand impersonation domains

    1. Click Digital Threat Management > Brand Impersonation > +

    2. Enter the Domain you'd like to search for typosquats of

    3. (Optional) Click Auto-fill Data to populate the query with your own infrastructure, and exclude it from the results

    4. (Optional) Enter a Regex (see below explanation)

    5. Use the buttons next to the Network, Nameserver and AS fields to include or exclude specific infrastructure. Add up to 15 IPs, nameservers, ASNs and AS names.

    6. Use the First Seen slider to adjust results depending on when the domain was first seen

    7. Use the Last Seen slider to adjust results depending on when the domain was first seen

    8. Specify a Sorting order, that dictates how results will be sorted

    9. Click Search

    Monitoring brand impersonation data

    You can monitor results populated on the Explore screen for any changes, saving you time and resources by automating key queries across a range of internal workflows.

    Monitors run once every 24 hours. You'll be alerted when Silent Push detects new results via email (filtering/sorting options are not applied)

    1. Once you've received a set of results, click the Monitor button on the top right

    2. Specify a Monitor name

    3. Enter a Description

    4. Click Save

    5. Your monitored query is now visible in Monitors > Monitored Queries

    6. Read this article for information on how to share a monitor

    Additional information

    1. Excluding your own infrastructre

    When you run a typosquatting query, it makes sense to exclude your own infrastructure - or any other trusted infrastructure - to obtain a more manageable set of results.

    The Auto-fill Data button automatically populates network address, nameserver and AS information for your chosen domain, saving you the trouble of running a separate query to gather the necessary data and exclude it from your typosquatting search.

    2. Regex searches

    A regular expression (regex) is a form of advanced searching that looks for specific naming patterns, instead of using whole domain or nameserver names.

    Silent Push allows users to put together strings of text that produce granular results based on custom parameters entered as a regular expression, facilitating highly-focused domain searches.

    Example:

    Regex pattern: ^g[^\.o]ogle[a-z]{1,}\.[a-z]{1,}$

    The above query returns results for 'google', followed by any characters (before the top-level domain), and also any single characters that replace the first o.

    3. Wildcard searches

    Silent Push domain-only typosquatting searches feature a series of algorithms that scan the Internet's entire IPv4 range for logically relevant typosquats.

    To improve the quality of search results and reduce noise, our typosquatting query omtis the option to include wildcards.

    Wildcard searches are a valuable threat-hunting tool, but when used with typosquatting searches, they become problematic and often return highly erroneous results.


    Was this article helpful?