CT Log Monitoring: Detecting Domain Impersonation
CT logs record every SSL certificate issued publicly. ElasticDomain monitors them to detect domains impersonating your brand before attackers can use them.
Every public SSL certificate issued by any trusted Certificate Authority is recorded in Certificate Transparency (CT) logs. These are public, append-only audit logs that anyone can query. Attackers setting up phishing sites need SSL certificates — which means their infrastructure appears in CT logs, often hours before they launch an attack.
Credit Cost
A CT Log Scan costs 800 credits.
How CT Logs Work
When a Certificate Authority issues a certificate, it is required to submit it to at least two public CT log servers (per the CA/Browser Forum Baseline Requirements). The logs are immutable and publicly searchable. Tools like crt.sh index these logs in real time.
This creates an opportunity: by monitoring CT logs for certificates that include your brand name or domain name as a substring, you can detect brand impersonation infrastructure as it is being built.
What ElasticDomain Looks For
When you configure a Brand Intelligence profile with your brand name and domain, the CT scanner searches for newly issued certificates whose Common Name (CN) or Subject Alternative Names (SANs) contain:
- Your brand name as a substring (e.g., "mycompany" in "login-mycompany-support.com")
- Your primary domain as a substring (e.g., "example.com" in "secure-example.com-login.net")
- Configured keyword tokens (additional names, abbreviations, product names)
Reading the Results
Detected certificates are shown in the Brand Intelligence dashboard under Impersonation Alerts:
| Field | Description |
|---|---|
| Domain | The suspicious domain name |
| Certificate Issued | When the certificate was logged |
| Issuer | Which CA issued it (Let's Encrypt is common for phishing — it is free) |
| Similarity Score | How similar the domain is to your brand keywords |
| Risk Level | High / Medium / Low based on domain similarity and issuer patterns |
Risk Indicators
Not every certificate match is a phishing attempt. ElasticDomain's risk scoring considers:
- Domain similarity — "my-company-login.com" is higher risk than "mycompanyreviews.com"
- Issuer — Let's Encrypt certificates on brand-lookalike domains are common in phishing kits
- Registration recency — domains registered the same day the certificate was issued are higher risk
- TLD — lookalike domains on unusual TLDs (.xyz, .tk, .ml) are higher risk
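The substring match over CN and SANs described under "What ElasticDomain Looks For", combined with the four risk indicators above, as an added illustration (this is not ElasticDomain's own code; the record layout, keyword list, lure-token list, score weights and thresholds are assumptions, and the certificate records are constructed, not real CT log entries):

```python
import re
from datetime import date

# Constructed CT-log style records for illustration (not real certificates).
SAMPLE_CERTS = [
    {"cn": "login-mycompany-support.com", "sans": ["www.login-mycompany-support.com"],
     "issuer": "Let's Encrypt", "logged": date(2024, 5, 2), "registered": date(2024, 5, 2)},
    {"cn": "mycompanyreviews.com", "sans": [], "issuer": "DigiCert",
     "logged": date(2024, 5, 2), "registered": date(2019, 1, 10)},
    {"cn": "mycompany-verify.net", "sans": [], "issuer": "DigiCert",
     "logged": date(2024, 5, 2), "registered": date(2024, 4, 1)},
    {"cn": "secure-example.com-login.xyz", "sans": ["mail.secure-example.com-login.xyz"],
     "issuer": "Let's Encrypt", "logged": date(2024, 5, 3), "registered": date(2024, 5, 3)},
    {"cn": "unrelated.org", "sans": [], "issuer": "Let's Encrypt",
     "logged": date(2024, 5, 3), "registered": date(2024, 5, 1)},
]
KEYWORDS = ["mycompany", "example.com"]          # brand name and primary domain (assumed)
LURE_TOKENS = re.compile(r"login|secure|support|verify|account")  # assumed token list
RISKY_TLDS = {"xyz", "tk", "ml"}                 # the TLDs the page names as unusual

def normalize(name):
    """Lowercase and drop hyphens so 'my-company-login' still matches 'mycompany'."""
    return name.lower().replace("-", "")

def matched_keywords(cert, keywords=KEYWORDS):
    """Keywords that appear as a substring of the CN or any SAN."""
    names = [normalize(n) for n in [cert["cn"]] + cert["sans"]]
    return sorted({k for k in keywords if any(k in n for n in names)})

def risk_level(cert, keywords=KEYWORDS):
    """Return High/Medium/Low for a matching cert, or None when it does not match."""
    if not matched_keywords(cert, keywords):
        return None
    score = 0
    cn = cert["cn"].lower()
    if LURE_TOKENS.search(cn):                     # similarity: brand plus a login-style token
        score += 2
    if cert["issuer"] == "Let's Encrypt":          # issuer pattern common in phishing kits
        score += 1
    if cert["registered"] == cert["logged"]:       # registration recency: same-day registration
        score += 2
    if cn.rsplit(".", 1)[-1] in RISKY_TLDS:        # unusual TLD
        score += 1
    return "High" if score >= 4 else "Medium" if score >= 2 else "Low"

def scan(certs, keywords=KEYWORDS):
    """Produce alert rows (domain, issuer, risk) for every matching certificate."""
    return [(c["cn"], c["issuer"], risk_level(c, keywords))
            for c in certs if matched_keywords(c, keywords)]

if __name__ == "__main__":
    for row in scan(SAMPLE_CERTS):
        print(row)
```

Running it flags three of the five constructed records at Medium or High and ignores the unrelated certificate, mirroring the dashboard columns Domain, Issuer and Risk Level.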
Setting Up CT Monitoring
CT monitoring runs automatically for every active Brand Intelligence profile. Set up a profile:
- Go to Tools → Brand Intelligence.
- Click New Brand Profile.
- Enter brand name, primary domain, and optional keyword tokens.
- Set sensitivity level (Balanced is recommended to start).
- Save and activate.
To receive real-time alerts when a suspicious certificate is detected:
- Brand Intelligence → [Profile] → Alerts.
- Enable CT Log Match alert.
- Choose notification channel (Email + Slack recommended for immediate visibility).
What to Do When a Match Is Found
- Investigate — visit the suspicious domain (in a browser sandbox or via a security tool, not directly) to see what it is.
- Check for active phishing — is it serving a login page that mimics yours?
- Report if active — report to the hosting provider and the CA that issued the certificate (request revocation).
- Consider UDRP — for clear cybersquatting, a UDRP (Uniform Domain-Name Dispute-Resolution Policy) complaint can recover the domain.
- Alert your users — if a convincing phishing site is live, notify your users proactively.