Detect Typosquatting, Lookalike Domains & Brand Abuse
WhoisJSON helps security, legal, and growth teams find suspicious domains around a brand: newly registered lookalikes, active MX records, fresh SSL certificates, registrar changes, and DNS activity.
- Newly registered domains matching your brand
- Typosquats with active DNS or MX records
- SSL certificates issued for lookalike domains
- EPP statuses indicating expiry or deletion windows
- WHOIS, DNS, and SSL changes over time
Brand abuse starts before the phishing page goes live
Attackers often register lookalike domains days or weeks before they are used. Waiting for user reports or external blocklists means you are already late.
Suspicious registrations
A domain that looks like your brand and was created this week deserves attention even if it has no website yet.
Email-enabled lookalikes
MX records on typo domains are often more urgent than a parked webpage because they can support impersonation and BEC.
Fresh SSL certificates
A newly issued TLS certificate can indicate a lookalike domain is moving from registration to active infrastructure.
A Practical Brand Protection Pipeline
Generate brand variants
Build permutations: typos, missing letters, doubled letters, TLD changes, hyphen variants, IDN/homoglyph candidates, and campaign-specific terms.
Learn variant generationCheck availability first
Use the Domain Availability API to filter out names that are still unregistered. Spend richer enrichment calls only on registered variants.
Domain Availability APIEnrich registered variants
Query WHOIS for age, registrar, status, expiration, and nameservers. Query DNS for A, MX, TXT, DMARC. Query SSL for certificate validity and issuer.
WHOIS APIScore and monitor
Prioritize variants with new registration dates, active MX, fresh SSL, privacy redaction, risky TLDs, or DNS changes. Monitor high-risk names continuously.
Domain MonitoringSignals to combine
curl "https://whoisjson.com/api/v1/whois?domain=paypaI-login.com" \
-H "Authorization: TOKEN=YOUR_API_KEY"
curl "https://whoisjson.com/api/v1/nslookup?domain=paypaI-login.com" \
-H "Authorization: TOKEN=YOUR_API_KEY"
curl "https://whoisjson.com/api/v1/ssl-cert-check?domain=paypaI-login.com" \
-H "Authorization: TOKEN=YOUR_API_KEY"
What brand protection teams should look for
A good brand protection program does not only search for exact trademark matches. It watches the ways attackers alter a name while keeping it visually or semantically close enough to fool users.
Typosquatting
Attackers register misspellings, omitted letters, swapped characters, or keyboard-adjacent variants. A typo domain with active MX records should be prioritized because it can support email impersonation even without a visible website.
Build a typosquatting detection workflowCombosquatting
Brand terms are combined with words like login, support, billing, secure, verify, app, wallet, or region names. These domains often look plausible in ads, email links, and fake support flows.
Score suspicious domain intentHomoglyph and IDN abuse
Unicode characters can look like Latin letters while resolving to different domains. Use availability checks and WHOIS enrichment on normalized candidate lists, then escalate registered variants with infrastructure activity.
Check variant availabilityExpiring lookalikes
Some risky domains are not new. They may be abandoned, enter redemption, or become available for defensive registration. EPP status and expiration data help identify those windows.
Understand EPP lifecycle signalsBrand risk signal table
| Signal | Why it matters | WhoisJSON source |
|---|---|---|
| Newly registered | Strong early-warning signal for abuse domains and short-lived campaigns. | WHOIS API |
| Active MX | Indicates the lookalike can receive mail and may support impersonation. | DNS Lookup API |
| Fresh SSL | Suggests the domain is being prepared for a live HTTPS page. | SSL API |
| Transfer or hold status | Helps explain domain lifecycle and operational restrictions. | EPP status guide |
| DNS changes | Nameserver, A, MX, and TXT updates can reveal activation. | Domain Monitoring |
When should you monitor instead of scanning?
Use daily availability sweeps for large candidate lists where most domains are unregistered. Use continuous monitoring for high-value registered domains, exact brand matches, executive impersonation targets, campaign names, and anything with active DNS or MX records.
A practical setup is tiered: high-risk domains monitored continuously, medium-risk domains checked weekly, and low-risk candidates checked monthly through the API.
Brand Protection API Questions
Is brand protection only for large companies?
No. Smaller companies are often easier targets because attackers can register confusing domains before a brand has monitoring in place. A lightweight watchlist around your product, company name, and login terms is enough to catch many issues early.
Should every lookalike domain be treated as malicious?
No. Treat lookalike registration as a signal. Prioritize domains that are newly registered, have MX records, present a valid SSL certificate, use suspicious words, or change DNS shortly after registration.
Can WhoisJSON replace a takedown provider?
WhoisJSON provides the domain intelligence layer: detection, enrichment, monitoring, and evidence. Legal notices, registrar abuse reporting, and hosting takedowns remain separate operational workflows.
Which API should I start with?
Start with the Domain Availability API for large variant lists, then enrich registered domains with WHOIS, DNS, and SSL checks. Add Domain Monitoring for the variants that matter most.
Build a complete protection system
Protect your brand with live domain intelligence
Start with 1,000 free monthly requests. No credit card required.