Search for domains impersonating your own
- Updated on 10 Jul 2024
The Silent Push Domain Impersonation query checks for domains that are spelt similarly to your own (e.g. micorsoft[.]com instead of microsoft[.]com), allowing you to identify malicious domains that exist solely to capture traffic intended for your company or supply chain websites.
Domain Impersonation searches are more effective when run on domains containing 5 or more characters, or domains that aren't an acronym (e.g. LSEG[.]com). When scanning a domain name that contains up to 4 characters, a swapped character is of markedly less use as an indicator of malicious activity.
Searching for impersonation domains
1. Click Brand Impersonation > Domain Impersonation > +
2. Enter the Domain you'd like to search for typosquats of
3. (Optional) Click Auto-fill Data to populate the query with your own infrastructure, and exclude it from the results
4. (Optional) Enter a Regex (see the explanation below)
5. Use the buttons next to the Network, Nameserver and AS fields to include or exclude specific infrastructure. Add up to 15 IPs, nameservers, ASNs and AS names.
6. Use the First Seen slider to adjust results depending on when the domain was first seen
7. Use the Last Seen slider to adjust results depending on when the domain was last seen
8. Specify a Sorting order, which dictates how results will be sorted
9. Click Search
Monitoring brand impersonation data
You can monitor results populated on the Explore screen for any changes, saving you time and resources by automating key queries across a range of internal workflows.
Monitors run once every 24 hours. You'll be alerted via email when Silent Push detects new results (filtering/sorting options are not applied).
1. Once you've received a set of results, click the Monitor button on the top right
2. Specify a Monitor name
3. Enter a Description
4. Click Save
Your monitored query is now visible in Monitors > Monitored Queries.
Read this article for information on how to share a monitor
Additional information
1. Excluding your own infrastructure
When you run a typosquatting query, it makes sense to exclude your own infrastructure - or any other trusted infrastructure - to obtain a more manageable set of results.
The Auto-fill Data button automatically populates network address, nameserver and AS information for your chosen domain, saving you the trouble of running a separate query to gather the necessary data and exclude it from your typosquatting search.
2. Regex searches
A regular expression (regex) is a form of advanced searching that looks for specific naming patterns, instead of using whole domain or nameserver names.
Silent Push allows users to put together strings of text that produce granular results based on custom parameters entered as a regular expression, facilitating highly-focused domain searches.
Example:
Regex pattern: ^g[^\.o]ogle[a-z]{1,}\.[a-z]{1,}$
The above pattern matches domains where the first 'o' in 'google' is replaced by any single character other than 'o' (or a dot), followed by one or more extra letters before the top-level domain.
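As an added illustration (not part of the Silent Push article or product), the script below applies the article's regex to a constructed list of candidate domains and also shows the short-label caveat from the introduction: a single-edit lookalike of a label of 4 or fewer characters is reported with low confidence. The candidate list and the `lookalike_label` helper are assumptions made here for demonstration.

```python
import re

# Regex from the article: 'google' with its first 'o' replaced by one non-'o'
# character, plus one or more extra letters before the top-level domain.
ARTICLE_PATTERN = r"^g[^\.o]ogle[a-z]{1,}\.[a-z]{1,}$"

# Constructed sample of candidate domains (not real query results).
CANDIDATES = [
    "google.com",          # the genuine brand: must not match
    "gaogleaccounts.com",  # first 'o' swapped, extra letters: matches
    "g0oglelogin.net",     # '0' is neither 'o' nor '.', so it matches too
    "goggle.com",          # second 'o' changed, not the first: no match
    "gaogle.com",          # no extra letters before the TLD: no match
    "lseg.com",
    "lsag.com",
]

def regex_matches(domains, pattern=ARTICLE_PATTERN):
    """Return the domains matching the pattern, case-insensitively."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [d for d in domains if rx.match(d)]

def damerau_levenshtein(a, b):
    """Optimal string alignment distance: insert, delete, substitute, adjacent swap."""
    d = [[i if j == 0 else j for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]

def lookalike_label(candidate, brand, max_distance=1):
    """Flag a candidate whose first label is within max_distance edits of brand.

    Returns (flagged, confidence). Per the article, labels of 4 or fewer
    characters are weak indicators, so a hit on such a brand is rated 'low'.
    """
    label = candidate.split(".")[0].lower()
    brand = brand.lower()
    if label == brand:
        return False, "exact"
    if damerau_levenshtein(label, brand) > max_distance:
        return False, "none"
    return True, "low" if len(brand) <= 4 else "high"
```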
3. Wildcard searches
Silent Push domain-only typosquatting searches feature a series of algorithms that scan the Internet's entire IPv4 range for logically relevant typosquats.
To improve the quality of search results and reduce noise, our typosquatting query omits the option to include wildcards.
Wildcard searches are a valuable threat-hunting tool, but when used with typosquatting searches, they become problematic and often return highly erroneous results.