Do you monitor for typo-squat / lookalike domains targeting your brand?
Description
What this control does
Typo-squat and lookalike domain monitoring is a defensive control that continuously scans new domain registrations, TLS certificate transparency (CT) logs, and DNS zone data for names resembling the organization's legitimate brand names, trademarks, or critical service domains. Such domains exploit user typos and character substitutions (e.g., 'micros0ft.com', with a zero in place of the 'o'), homoglyphs (e.g., Cyrillic 'а' in place of Latin 'a'), and adjacent-key misspellings to enable phishing, credential harvesting, and brand impersonation. Effective monitoring combines automated detection services, threat intelligence feeds, and legal and technical remediation workflows to identify and neutralize such domains before they reach customers or employees.
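The detection side of this control, as an added example that is not part of the original page and not the code of any product the control description refers to: a small triage routine that takes a list of protected brand domains and a feed of observed names (as a CT log or newly-registered-domain feed would supply them), normalises homoglyphs and punycode, and classifies each candidate as a homoglyph, typo, TLD swap, or brand-keyword lookalike. The protected domains, the feed, the confusable table, and the edit-distance thresholds are all constructed for illustration; the code also assumes no public-suffix list, so multi-label suffixes such as co.uk would be split incorrectly.

```python
"""Triage a candidate-domain feed against protected brand domains.
Added example, not from the original page; PROTECTED and FEED are constructed.
Assumes a small confusable table, no public-suffix list, illustrative thresholds."""
import unicodedata
from typing import List, Optional, Tuple

# Characters commonly substituted for Latin letters, as escapes so the Cyrillic
# ones are unambiguous (U+0430 CYRILLIC SMALL LETTER A, ...). Small excerpt only.
HOMOGLYPHS = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
}
DIGRAPHS = {"rn": "m", "vv": "w"}  # letter pairs that render like one letter


def decode_domain(domain: str) -> str:
    """Lower-case and decode punycode (xn--) labels, as CT logs carry IDNs in punycode."""
    domain = domain.strip().rstrip(".").lower()
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already Unicode, or malformed punycode: keep as-is


def skeleton(label: str) -> str:
    """Reduce a label to the ASCII shape a reader perceives."""
    out = "".join(HOMOGLYPHS.get(ch, ch) for ch in unicodedata.normalize("NFKC", label))
    for seq, rep in DIGRAPHS.items():
        out = out.replace(seq, rep)
    return out


def registrable(domain: str) -> Tuple[str, str]:
    """Split into (second-level label, tld); no public-suffix handling, so co.uk misparses."""
    parts = domain.split(".")
    return (parts[-2], parts[-1]) if len(parts) >= 2 else (domain, "")


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute or swap two
    adjacent characters each cost 1, so 'exmaple' is 1 away from 'example'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(candidate: str, protected: List[str]) -> Optional[Tuple[str, str]]:
    """(protected_domain, reason) if the candidate resembles a protected domain, else None."""
    cand = decode_domain(candidate)
    owned = [p.lower() for p in protected]
    if any(cand == p or cand.endswith("." + p) for p in owned):
        return None  # the brand's own domain or a subdomain of it
    c_sld, c_tld = registrable(cand)
    c_skel = skeleton(c_sld)
    for prot in owned:
        p_sld, p_tld = registrable(prot)
        p_skel = skeleton(p_sld)
        if c_skel == p_skel and c_sld != p_sld:
            return prot, "homoglyph"  # identical once confusables are normalised
        if c_skel == p_skel and c_tld != p_tld:
            return prot, "tld-swap"  # same name under another TLD
        threshold = 2 if len(p_skel) >= 10 else 1  # longer names tolerate two edits
        if edit_distance(c_skel, p_skel) <= threshold:
            return prot, "typo"
        if p_skel in c_skel:
            return prot, "brand-keyword"  # brand embedded in a longer lure name
    return None


def triage(feed: List[str], protected: List[str]) -> List[Tuple[str, str, str]]:
    """Run classify over a feed; return (candidate, protected, reason) for each hit."""
    hits = [(c, classify(c, protected)) for c in feed]
    return [(c, h[0], h[1]) for c, h in hits if h]


# Constructed samples: two protected brand domains and a mixed feed of observed names.
PROTECTED = ["example-bank.com", "acme-pay.com"]
FEED = [
    "example-bank.com",          # the brand itself
    "www.example-bank.com",      # a legitimate subdomain
    "exmaple-bank.com",          # transposed letters
    "examplebank.com",           # dropped hyphen
    "examp1e-bank.com",          # digit 1 standing in for l
    "example-bank.net",          # same name, different TLD
    "example-bank-login.com",    # brand plus a lure keyword
    "\u0430cme-pay.com".encode("idna").decode("ascii"),  # Cyrillic a, punycode as CT logs show it
    "acrne-pay.com",             # 'rn' rendered like 'm'
    "unrelated-shop.org",        # benign noise
]

if __name__ == "__main__":
    for candidate, prot, reason in triage(FEED, PROTECTED):
        print(f"{reason:14} {candidate:28} -> impersonates {prot}")
```

Running the module prints seven findings and stays silent on the brand's own domain, its subdomain, and the unrelated name. The two design points worth carrying into a real deployment are the punycode decode before the homoglyph comparison (CT logs show IDNs in their xn-- form, and a byte-wise comparison would miss them) and the use of a transposition-aware edit distance, since swapped adjacent letters are one of the commonest typo-squat patterns yet cost two edits under plain Levenshtein.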
Control objective
What auditing this proves
Demonstrate that the organization actively monitors for and responds to typo-squat and lookalike domain registrations that could be used to impersonate its brand, services, or personnel in phishing and social engineering attacks.
Associated risks
Risks this control addresses
- Attackers register visually similar domains to conduct phishing campaigns targeting employees, customers, or partners, resulting in credential theft or malware distribution
- Brand impersonation through lookalike domains damages organizational reputation and customer trust when fraudulent sites appear legitimate
- Business email compromise (BEC) attacks leverage lookalike domains to impersonate executives or vendors, leading to fraudulent wire transfers or data exfiltration
- Users inadvertently navigate to typo-squat domains and encounter drive-by malware downloads or exploit kits that compromise endpoints
- Absence of monitoring allows malicious domains to remain operational for extended periods, amplifying the scale and impact of targeted attacks
- Regulatory and legal liability arises when customers fall victim to undetected impersonation domains that exploit the organization's brand
- Supply chain partners and third-party integrations become confused by lookalike domains, potentially establishing trust relationships with malicious actors
Testing procedure
How an auditor verifies this control
- Request and review the organization's documented procedure for typo-squat and lookalike domain monitoring, including scope definition (protected brands, domains, keywords) and monitoring frequency
- Identify the technical solution or service provider used for domain monitoring (e.g., commercial threat intelligence platform, certificate transparency monitoring service, in-house tooling)
- Obtain configuration screenshots or exports showing monitored keywords, domain variations, homoglyph detection rules, and alert thresholds from the monitoring platform
- Review a sample of detection alerts from the past 90 days, verifying that suspected lookalike domains were identified, triaged, and documented
- Examine evidence of at least two remediation actions taken in the past year (e.g., UDRP complaints, registrar abuse reports, DNS takedown requests, cease-and-desist letters)
- Interview the responsible security or brand protection team to confirm escalation procedures when high-risk lookalike domains are discovered
- Cross-reference monitoring coverage against the organization's registered trademarks, primary web properties, and executive email domains to identify any gaps
- Verify that monitoring includes certificate transparency logs, newly registered domains (NRDs), and WHOIS changes, not solely reactive user reports