Lookalike / Typosquat Domain Scan
Under maintenance
Pricing
$500.00 / 1,000 domain scans
Scan for registered lookalike and typosquatted domains impersonating a brand. Generates homoglyph, typo, TLD-swap and bitsquat permutations, verifies live registration via DNS and RDAP, checks liveness, and scores phishing risk. Allowlist-aware. JSON output for CI, monitoring and threat intel.
Rating: 0.0 (0)
Developer: Sevastian Z
Maintained by Community
Actor stats
Bookmarked: 0
Total users: 1
Monthly active users: 0
Last modified: 3 days ago
Lookalike & Typosquat Domain Scanner
Find domains that impersonate your brand before they are used for phishing. Give it one brand domain; the Actor generates lookalike permutations, keeps the ones that are actually registered, enriches them, scores the phishing risk, and suppresses your own and allowlisted domains.
What it does
- Permutations: homoglyph, typo, transposition, omission, insertion, repetition, bitsquatting, hyphenation, TLD swap and addition. Multi-label TLDs (co.uk, com.au, ...) are handled.
- Registration check: live DNS (NS, A, MX) plus RDAP for registrar and registration date.
- Liveness: whether the lookalike actually serves content.
- Risk score (0-100, low / medium / high) weighting registration, live status, mail records, certificate presence, recency and permutation confidence.
- Allowlist: suppresses your own infrastructure and any domains you trust, so the results stay actionable.
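The permutation step described above, sketched as an added example (not the Actor's own code): it derives a subset of the listed permutation types and keeps multi-label TLDs whole. The function names and the suffix, TLD and homoglyph tables are assumptions; candidates are only generated here, with the DNS/RDAP registration check left out.

```python
# Added illustration, not the Actor's source. The suffix, TLD and homoglyph
# tables are small assumed samples; input is assumed to be a registrable domain.
import string

MULTI_LABEL_TLDS = {"co.uk", "com.au"}              # assumed sample
SWAP_TLDS = ["com", "net", "org", "co.uk"]          # assumed sample
HOMOGLYPHS = {"l": ["1"], "o": ["0"], "m": ["rn"]}  # assumed ASCII-only sample
VALID = set(string.ascii_lowercase + string.digits + "-")


def split_domain(domain):
    """Return (name, tld), keeping multi-label suffixes such as co.uk whole."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_TLDS:
        return ".".join(labels[:-2]), ".".join(labels[-2:])
    return ".".join(labels[:-1]), labels[-1]


def permutations(domain):
    """Map each candidate lookalike to the permutation type that produced it."""
    name, tld = split_domain(domain)
    found = {}

    def add(candidate, kind, suffix=tld):
        # Keep only syntactically valid labels that differ from the brand itself.
        valid = (bool(candidate) and set(candidate) <= VALID
                 and "-" not in (candidate[0], candidate[-1]))
        fqdn = f"{candidate}.{suffix}"
        if valid and fqdn != f"{name}.{tld}":
            found.setdefault(fqdn, kind)

    for i, ch in enumerate(name):
        add(name[:i] + name[i + 1:], "omission")
        add(name[:i] + ch + name[i:], "repetition")
        if i + 1 < len(name):
            add(name[:i] + name[i + 1] + ch + name[i + 2:], "transposition")
        if i > 0:
            add(name[:i] + "-" + name[i:], "hyphenation")
        for glyph in HOMOGLYPHS.get(ch, []):
            add(name[:i] + glyph + name[i + 1:], "homoglyph")
        for bit in range(8):
            # Bitsquatting: one flipped bit in one byte. Case flips and
            # non-hostname bytes fall out at the VALID check in add().
            add(name[:i] + chr(ord(ch) ^ (1 << bit)) + name[i + 1:], "bitsquatting")
    for other in SWAP_TLDS:
        if other != tld:
            add(name, "tld-swap", other)
    return found
```

Each key of the returned dict is a candidate to resolve; the value corresponds to what the output table calls permutation_type.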
Input
| Field | Type | Description |
|---|---|---|
| domain | string, required | Brand domain to protect, e.g. example.com |
| depth | shallow \| medium | shallow (default) does DNS + RDAP. medium also probes HTTP, TLS certificate and favicon to surface active phishing. |
| allowlist | string[] | Known-legitimate domains to never flag (CDNs, partners) |
| checkCerts | boolean | Also query Certificate Transparency per candidate (slower) |
```json
{ "domain": "example.com", "depth": "medium", "allowlist": ["cdn.example.com"] }
```
Depth levels
- Shallow (default): is it registered, does it resolve, who is the registrar, when was it registered, does it answer HTTP at all. Fast.
- Medium: shallow plus full HTTP response (status, Server header, final redirect target), TLS certificate (issuer, SAN count, expiry, valid yes/no) and favicon SHA-256 compared against your brand's favicon. A favicon match is the single strongest brand-impersonation signal and weights heavily in the risk score.
Pricing is the same per run for both depths during this iteration.
Output
One dataset item per registered lookalike, highest risk first:
| Field | Description |
|---|---|
| lookalike | the impersonating domain |
| permutation_type | how it was derived |
| score / band | risk 0-100 and low / medium / high |
| registered / live | registration and liveness |
| mx / ips | mail and address records |
| registrar / created | RDAP registrar and registration date |
| has_cert | a TLS certificate was seen for it |
When depth=medium the dataset gains: http_status, http_server,
http_final_url, tls_issuer, tls_san_count, tls_not_after,
favicon_sha256, favicon_matches_brand.
Pricing
Pay per event: $0.50 per scan run. One run scans a brand across all permutations and returns every registered lookalike found, regardless of how many domains were checked.
Use cases
- Brand and anti-phishing monitoring for security teams.
- Pre-launch checks before a product or marketing campaign.
- Feeding a SIEM or threat-intel pipeline with candidate phishing domains.
Development
```bash
pip install -e ".[dev]"
python -m pytest -q
python -m lookalert.cli scan example.com
python -m lookalert.cli lookup example.com
```