Do you monitor for lookalike (typosquat / homoglyph) domains that could impersonate your brand?
Description
What this control does
This control requires continuous monitoring of domain registrations for lookalike domains that use typosquatting (common spelling mistakes), homoglyph substitution (visually similar characters, often from other alphabets), and combosquatting (a brand name combined with common terms) to impersonate the organization's legitimate domains. Monitoring typically relies on automated tools that generate permutations of the organization's domains and check them against registration databases, Certificate Transparency logs, and DNS records for signs of activity. Effective monitoring enables rapid detection and takedown of phishing infrastructure, fraudulent websites, and brand abuse campaigns before they cause reputational damage or successful credential harvesting.
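As an added example (not part of the control text), the following Python sketch implements the permutation step described above for the three pattern families the control names, and normalises the variants to the punycode form that registration records, Certificate Transparency logs and DNS actually carry, so newly observed names can be matched against a watchlist. The homoglyph table and term list are small constructed subsets, and `example.com` stands in for a real brand domain.

```python
# Constructed homoglyph table (illustrative subset): ASCII letter -> look-alikes.
HOMOGLYPHS = {
    "a": ["\u0430", "\u00e0"],  # Cyrillic а, Latin à
    "e": ["\u0435"],            # Cyrillic е
    "o": ["\u043e", "0"],       # Cyrillic о, digit zero
    "i": ["\u0456", "1", "l"],  # Cyrillic і, digit one, lowercase L
    "l": ["1", "\u0456"],       # digit one, Cyrillic і
}
# Terms the control itself names as typical combosquat additions.
COMBO_TERMS = ["support", "login", "secure"]

def typosquats(label):
    """Single-edit spelling mistakes: omission, repetition, adjacent transposition."""
    out = set()
    for i in range(len(label)):
        out.add(label[:i] + label[i + 1:])         # omit one character
        out.add(label[:i] + label[i] + label[i:])  # double one character
        if i + 1 < len(label):                     # swap two neighbours
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    out.discard(label)  # swapping identical neighbours reproduces the original
    return out

def homoglyphs(label):
    """Replace one character at a time with a visually similar one."""
    return {label[:i] + sub + label[i + 1:]
            for i, ch in enumerate(label) for sub in HOMOGLYPHS.get(ch, [])}

def combosquats(label):
    """Brand label joined with a common term, either side, with or without a hyphen."""
    return {f"{a}{sep}{b}" for t in COMBO_TERMS for sep in ("", "-")
            for a, b in ((label, t), (t, label))}

def generate_lookalikes(domain):
    """All variants of the registrable label, re-attached to the original TLD."""
    label, _, tld = domain.lower().partition(".")
    variants = typosquats(label) | homoglyphs(label) | combosquats(label)
    return {f"{v}.{tld}" for v in variants}

def to_punycode(domain):
    """IDNA (xn--) form, which is what registries, CT logs and DNS actually record."""
    return domain.encode("idna").decode("ascii")

def build_watchlist(seed_domains):
    """Punycode watchlist to diff against new registrations or certificate issuances."""
    return {to_punycode(v) for seed in seed_domains for v in generate_lookalikes(seed)}

def is_lookalike(observed, watchlist):
    """True if an observed hostname (Unicode or already punycode) is on the watchlist."""
    return to_punycode(observed.lower().rstrip(".")) in watchlist
```

Real deployments extend the tables considerably (keyboard-adjacency typos, bitsquatting, alternative TLDs) and feed the punycode watchlist to whatever registration, CT and DNS sources the organization subscribes to.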
Control objective
What auditing this proves
Demonstrate that the organization maintains an active monitoring capability to detect and respond to fraudulent domain registrations that impersonate organizational brands through typographical variations and character substitutions.
Associated risks
Risks this control addresses
- Attackers register typosquatted domains to host phishing pages that harvest employee or customer credentials by impersonating legitimate login portals
- Homoglyph domains using Cyrillic, Greek, or other Unicode characters bypass visual inspection and enable convincing executive impersonation in business email compromise attacks
- Combosquat domains combining brand names with terms like 'support', 'login', or 'secure' deceive users into trusting malicious sites
- Undetected lookalike domains distribute malware disguised as legitimate software downloads or updates from the organization
- Fraudulent domains damage brand reputation by conducting scams, selling counterfeit products, or making false representations
- Delayed detection of lookalike domains allows attackers to establish persistent phishing infrastructure with established domain reputation
- Lack of monitoring prevents timely legal or technical takedown actions, extending the window of opportunity for successful attacks
Testing procedure
How an auditor verifies this control
- Obtain and review the organization's documented policy or procedure for monitoring lookalike domains, including scope of monitored brand assets (primary domains, product names, executive names).
- Identify the monitoring solution(s) in use, whether commercial threat intelligence platforms, dedicated domain monitoring services, or custom scripts, and review service subscriptions or tool configurations.
- Request evidence of monitoring coverage by reviewing the complete list of seed terms and domains fed into the monitoring system, verifying inclusion of all primary organizational domains and key brand elements.
- Examine the permutation algorithms or rule sets used to generate lookalike variants, confirming coverage of typosquatting patterns, homoglyph substitutions, and combosquatting techniques.
- Review a sample of monitoring alerts or reports from the past 90 days, verifying that the system actively detects new registrations, SSL certificate issuances, and DNS changes for lookalike domains.
- Trace the workflow from detection through investigation and response for at least two identified lookalike domains, examining escalation procedures, threat assessment documentation, and takedown requests submitted.
- Verify integration with incident response processes by reviewing cases where lookalike domain detections triggered security investigations, customer notifications, or legal actions.
- Test monitoring effectiveness by checking whether known, recently registered lookalike domains (identified through independent research or public threat feeds) were detected by the organization's system and documented appropriately.