Domain Name Monitoring with Analysis
By Nameshield
Detect and block fraudulent domain names that imitate your brand: continuous monitoring, human analysis and real-time alerts from Nameshield.
Overview
The solution from Nameshield Extended Monitoring automatically identifies, on a daily basis, newly registered domain names that resemble your brand, your products or your key names — before they can be used against you.
360° detection powered by AI
Our proprietary engine, based on artificial intelligence and natural language processing (NLP), analyses your brand as an extended entity: spelling variations, typographical variations, homographs, internationalised domain names (IDNs), words from the same lexical field… No cybersquatting strategy goes unnoticed.
Comprehensive data sources
- Generic and country zone files (CZDS, Afnic OpenData)
- Real-time Certificate Transparency Logs
- Active DNS data across all gTLDs, ngTLDs and ccTLDs
A daily human analysis
Each detection is assessed by our specialist analysts: threat level, observed usage (phishing, redirection, active mail server, etc.), WHOIS/RDAP information, and a screenshot of the website. Critical threats trigger urgent real-time alerts, supplemented by a comprehensive weekly report.
Centralised monitoring via a SaaS platform and API
Access all the results from your dashboard or integrate the data directly into your tools via our REST API.
How to use
- Sign up for the offer via the Cloud Temple marketplace.
- Please provide Nameshield with the trade marks and names to be monitored.
- Nameshield sets up your monitoring area within 48 hours.
- Receive your urgent alerts in real time and your weekly report.
- In the event of a confirmed threat, initiate a remediation procedure (option available).
Support
As part of a monitoring programme involving analysis, our tools automatically detect the newly observed domain names featuring a strong orthographic and lexical similarity containing a trademark, a term or a surname that is subject to monitoring. The full set of results is analysed daily by our team, identifying true positives, classifying them and ranking them according to their threat level. Domain names classified as high-risk are the subject of urgent alerts sent by email as and when they are detected, and all domain names analysed during the week are included in a weekly report.
Our solution is based on input data: a brand name or name specific to the client (name of the organisation, name of a product, name of a project, surname of a senior executive, etc.). Based on this brand or name, all misleading and fraudulent domain names exploiting this term are identified, with no limit on the number of results.
Sources of data collected
We monitor the registration of domain names:
- As and when they are published, in the zone files provided by generic registries (CZDS) and country registries that share their data; ;
- Within the daily list of names registered by Afnic (OpenData); ;
- In real time, in the certificate generation logs (Certificate Transparency Logs).
What’s more, we analyse live DNS data to round off our exploration of country code top-level domains (ccTLDs). We therefore monitor domain name registrations on the generic extensions (gTLD), the new extensions (ngTLD) as well as all country codes (ccTLD), i.e. all top-level and second-level domains.
This data is collected continuously and form the basis for identifying domain names that bear a resemblance to the trade mark or protected name. This identification is carried out once a day, and can be several times a day, if desired.
Detection of misleading domain names
This service is based on a a search engine based on in-house developed cognitive Artificial Intelligence (AI) algorithms. This proprietary technology was developed by our research and development team following a series of analyses and by drawing on our business expertise.
Our methodology for detecting fraudulent domain names is based on a 360° approach, based on three main areas:
1. Each monitored term is treated as an extended entity : we generate its contextual keywords, so it is no longer treated as a simple string of characters. By analysing the context of each term, extracting its specific lexical field (using proprietary Natural Language Processing – NLP technology) and by identifying relevant thematic fields, our solution identifies a set of keywords or concepts that could be used in misleading domain names, combined with the term being monitored or its variants.
2. Algorithms for generating spelling and typographical variants based on the target term and the previously identified keywords and concepts. Our engine offers a wide range of generators to cover the main strategies observed, in particular:
- Universal alterations : duplication or deletion of characters, transposition of characters, substitution of vowels, insertion of typos by adding neighbouring characters on the keyboard, insertion of random characters, substitution of characters with Latin homographs; ;
- Linguistic changes : substituting letters or syllables with their homophones; applying inflected forms according to gender and number for common nouns; converting numbers into words and vice versa; ;
- The search for'homoglyphs, based on the correspondences between certain special or non-ASCII characters; ;
- The search for internationalised domain names (IDN – Internationalised Domain Name); ;
- For domain names consisting of several words separated by a separator, search for each word or for the entire domain name.
3. A relevance scoring algorithm characterising the degree of credibility of a potentially fraudulent domain name based on its similarity to the monitored term and its keywords and concepts, enabling analysts to assess more quickly the level of threat posed by a domain name based on the form of cybersquatting involved.
This search engine also supports natively, using ad hoc weighting criteria, the most complex searches — involving short terms (three or four characters), compound terms (two or more words) or generic terms (e.g. common nouns). It highlights the most relevant results, ensuring quality and timeliness of alerts. These detections are carried out using queries devised by our team of analysts who specialise in monitoring and analysing new domain names.
Qualification and analysis
Every working day, our team of analysts processes the domain names detected by our tools. Each detection – representing a new domain name found to be similar to the name under surveillance – is analysed from several angles:
- The forms that cybersquatting takes : repetition of the term exactly as it is or with a variation; insertions such as hyphens or the addition of letters or words; reinforcement of the term with words from its lexical field, etc.; ;
- The associated threat, often linked to the domain name’s presence on the web and its use: a website that is inaccessible, under construction or inactive; a page hosting fraudulent content; a «pay-per-click» links page, whether or not related to the business; a «registrar» page; a parked page, an address not found, etc.; ;
- WHOIS / RDAP status, including all the information that can be collected, although it is becoming increasingly common for the data subject’s identifying details no longer to be provided under the GDPR; ;
- Specifying an MX email server and the existence of redirects.
We cross-reference several sources from external databases to optimise the collection of this data as much as possible. The domain names identified in this way are categorised by list:
- High-criticality list : similarity to the trade mark and proven fraudulent nature; ;
- List of average criticality : strong similarity to the trade mark, with no proven fraudulent intent; ;
- List of low-level criticality : low degree of similarity to the trade mark, with no proven fraudulent intent.
Reporting and governance
Domain names classified as high-risk are subject to urgent reports sent by email as and when detections are made, and all the domain names analysed during the week are sent in a weekly report.
The domain names identified and reported via urgent alerts and weekly reports include three qualifying points : the nature of the cybersquatting, the observed use (dedicated phishing site, redirect links, activation of email servers, etc.) and the mitigation or remedial measures that can be put in place.
For each qualified domain name, the following appear as a minimum the following information:
- Domain name; ;
- Domain creation and expiry dates; ;
- Owner of the estate; ;
- Domain registrar; ;
- Whether a website exists, and a description of it if it does; ;
- Availability of a mail server; ;
- Presence of a redirect; ;
- DNS configuration; ;
- WHOIS / RDAP information; ;
- Screenshot of the website’s content.
The entire monitoring service can be monitoring via a SaaS management platform. Domain names identified as potentially fraudulent and included in urgent alerts and weekly reports can be retrieved via a API.
Terms and conditions
Use of the Nameshield service is subject to the terms and conditions of service available at www.nameshield.net. Data is hosted in France and processed in accordance with the GDPR. Any subscription implies acceptance of the current terms and conditions of service.