Two New Pillars: Brand Monitoring & Social Media Monitor Are Live
AIDE now protects your brand beyond your own infrastructure. The Brand Monitor watches every corner of the internet for lookalike domains impersonating your business. The Social Media Monitor tracks impersonator handles across 25 platforms. Together, they extend AIDE’s risk intelligence from your server room to your public brand surface.
Aideworks Team
hello@aideworks.com
Key takeaways
- Brand Monitor: automated lookalike domain detection across DNS, web presence, phishing feeds, TLS, and HTML content
- Social Media Monitor: algorithmic handle-squatting detection across 25 platforms including Instagram, LinkedIn, TikTok, and YouTube
- Both produce a 0–100 health score with a severity-tiered penalty model
- Brand Monitor fires alerts for domains with active MX + no DMARC — a fully abuse-ready mail setup in under 24 hours
- Phishing intelligence cross-referenced against OpenPhish, URLhaus, and PhishTank in real time
- HTML intent classifier distinguishes credential-harvesting forms from parked pages with high confidence thresholds
Why we built these two pillars
AIDE has always been built around a single question: how risky is this domain’s infrastructure right now? The original five pillars — DNS health, SSL/TLS security, email security, hosting security, and uptime — answer that question from the inside out. They look at your own infrastructure and score its health.
But infrastructure risk has an outside-in dimension too. Attackers don’t just exploit your infrastructure directly. They build parallel infrastructure designed to be mistaken for yours — lookalike domains that harvest your customers’ credentials, social media handles that redirect followers to phishing pages, fake “official” accounts that poison your brand reputation.
These attacks are invisible to every existing AIDE pillar. A phishing domain running on completely separate infrastructure won’t show up in your DNS health score. A fake Instagram account won’t trigger an uptime alert. That’s why we built two new dedicated pillars to close this gap.
Brand Monitor
Continuously generates and probes hundreds of lookalike domain candidates using the same techniques attackers use. Scores each for threat level across DNS, web presence, mail readiness, phishing feeds, TLS data, and HTML content.
Social Media Monitor
Algorithmically generates dozens of impersonation handle variants for each configured brand name and checks for their existence across 25 major social platforms. Scores by similarity and impersonation pattern type.
Brand Monitor — lookalike domain intelligence
The Brand Monitor automatically discovers and evaluates every domain name in the world that could be mistaken for yours. It generates hundreds of lookalike candidates — using the same techniques an attacker would — and then actively probes each one to determine whether it has been registered, activated, and weaponised against your brand.
This matters because typosquat-based phishing is the leading vector for brand-impersonation attacks, and it is completely invisible to standard DNS or uptime monitoring. An attacker can register my-acme-1ogin.com (note: digit 1, not letter l), stand up a convincing copy of your login page, and harvest customer credentials for weeks before anyone notices.
Each candidate is tested across six dimensions: DNS registration, live web presence, mail server configuration, phishing intelligence feeds, TLS certificate data, and HTML content analysis. The outcome is a real-time threat inventory with a 0–100 Brand Health Score.
Attack vectors detected
- Typosquats: acm3.com, acmee.com, acme-login.com
- Homograph substitutions: digit-for-letter swaps designed to look identical at a glance
- Phishing-ready mail setup: MX records + no DMARC = active email spoofing infrastructure in < 24 hours
- Credential-harvesting pages: login-form clones that mimic your authentication portal
- Known phishing infrastructure: domains already circulating in global threat intelligence databases
Brand Monitor: the six check dimensions
1. Domain Registration Status
For each lookalike candidate, the worker queries authoritative DNS for NS and SOA records. A positive answer means the domain has been claimed. Unregistered lookalikes are harmless — this check is the gate that eliminates the majority of candidates immediately and focuses all subsequent probing on real threats.
Severity: info — registration alone is not a threat, but it enables all downstream checks
2. Active Web Presence & Content Detection
The worker fetches the domain over HTTP and HTTPS, follows redirects up to 5 hops, reads up to 30 KB of HTML, and records the final destination URL. It checks whether the site is actively serving content, where redirects lead, and captures HTML for the intent classifier. A domain that redirects visitors to a competitor or a fake version of your own portal is an active threat.
Severity: medium to high — active site deducts up to 30 pts; active + mail server up to 50 pts
3. HTML Intent Classification
The HTML body of each active lookalike is analysed against four intent profiles: credential-harvesting forms, login-page clones, payment pages, and parked/for-sale placeholder pages. Each profile uses a multi-signal scoring system — a finding is only reported when confidence exceeds 30% and at least two independent signals are present, keeping false positives extremely low.
🎣 Credential Harvesting
Password fields posting to external server, sensitive field names (IBAN, SSN)
🔐 Login Clone
Sign-in page structure mimicking an authentication portal
💳 Payment Page
Credit card inputs, CVV fields, checkout flows
🅿️ Parked / For Sale
Domain-broker links, parking keywords, registrar default pages
Severity: high to critical — adds 5–8 points to the base penalty at ≥ 60% confidence
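The reporting gate described above, shown for the credential-harvesting profile only, as an added Python example (not AIDE's own code). The signal weights, function names and sample pages are assumptions constructed for illustration; only the thresholds (above 30% confidence, at least two signals, 60% for high confidence) and the IBAN/SSN field names come from the article.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed weight per signal; the article states thresholds, not weights.
WEIGHTS = {"password_field": 0.30, "external_post": 0.40, "sensitive_field_name": 0.30}
SENSITIVE_NAMES = ("iban", "ssn")  # field names called out in the article

class FormSignals(HTMLParser):
    """Collect credential-harvesting signals from one HTML document."""
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.signals = set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            target = urlparse(a.get("action", "")).hostname  # None for relative actions
            if target and target != self.page_host:
                self.signals.add("external_post")
        elif tag == "input":
            if a.get("type", "").lower() == "password":
                self.signals.add("password_field")
            if any(s in a.get("name", "").lower() for s in SENSITIVE_NAMES):
                self.signals.add("sensitive_field_name")

def classify_credential_harvesting(html, page_host, max_chars=30 * 1024):
    """Return a finding dict, or None when the reporting gate is not met."""
    parser = FormSignals(page_host)
    parser.feed(html[:max_chars])  # approximates the worker's 30 KB read limit
    confidence = round(sum(WEIGHTS[s] for s in parser.signals), 2)
    # Gate from the article: confidence above 30% AND at least two signals.
    if confidence <= 0.30 or len(parser.signals) < 2:
        return None
    return {"intent": "credential_harvesting", "confidence": confidence,
            "signals": sorted(parser.signals), "high_confidence": confidence >= 0.60}

# Constructed pages for illustration; the hosts are placeholders.
CLONE = ('<form action="https://collector.example/save" method="post">'
         '<input name="user"><input type="password" name="pw"></form>')
NEWSLETTER = '<form action="https://lists.example/subscribe"><input name="email"></form>'
OWN_LOGIN = '<form action="/session"><input type="password" name="pw"></form>'
```

The newsletter form and the same-origin login form each raise a single signal, so neither is reported; this is the two-signal rule doing its job against false positives.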
4. Phishing Intelligence Feed Cross-Reference
Every registered lookalike domain is checked against three real-time threat intelligence databases: OpenPhish, URLhaus (Abuse.ch), and PhishTank. The feeds are cached in Redis and refreshed hourly. A hit means the domain is already circulating in the global threat intelligence ecosystem as a known phishing site — and would have been invisible to your team without this cross-reference.
Severity: critical — any feed hit immediately adds 20 pts to the base penalty
5. Mail Server Readiness Analysis
The worker queries MX records (is there a mail server?), SPF records (is outbound email authorised?), and DMARC records (is there a reject policy?). A domain with an active MX server but missing DMARC is “abuse-ready” — it can send email that passes basic spam filters. The combination of MX + no DMARC + recent registration is one of the strongest phishing signals the platform detects.
Severity: high — active MX without DMARC/SPF adds 2–7 additional risk points
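The MX, SPF and DMARC facts this check relies on, derived from already-resolved DNS answers, as an added Python example (not AIDE's own code). The function names, input shape and sample records are constructed for illustration; handling of the RFC 7505 null MX record is an addition the article does not mention.

```python
def parse_tags(txt):
    """Split a 'k=v; k=v' TXT record into a lower-cased dict."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep and key.strip():
            tags[key.strip().lower()] = value.strip().lower()
    return tags

def mail_readiness(mx, apex_txt, dmarc_txt):
    """mx: [(preference, exchange)]; apex_txt and dmarc_txt: TXT strings found at
    the domain and at _dmarc.<domain>. Returns the facts the check is built on."""
    # RFC 7505 null MX ("0 .") declares that the domain accepts no mail.
    active_mx = sorted(h.rstrip(".").lower() for _, h in mx if h.rstrip("."))
    has_spf = any(t.lower().split()[:1] == ["v=spf1"] for t in apex_txt)
    policy = None
    for txt in dmarc_txt:
        tags = parse_tags(txt)
        if tags.get("v") == "dmarc1":
            policy = tags.get("p")  # a record without p= gives no usable policy
            break
    return {
        "active_mx": active_mx,
        "spf": has_spf,
        "dmarc_policy": policy,
        # Article's definition: an active mail server with DMARC missing.
        "abuse_ready": bool(active_mx) and policy is None,
    }

# Constructed DNS answers for fictional domains.
LOOKALIKE = mail_readiness([(10, "mail.acme-login.example.")], [], [])
NULL_MX = mail_readiness([(0, ".")], [], [])
PROTECTED = mail_readiness(
    [(10, "mx1.acme.example.")],
    ["v=spf1 mx -all"],
    ["v=DMARC1; p=reject; rua=mailto:dmarc@acme.example"],
)
```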
6. TLS Certificate & Registration Age Analysis
Certificate Transparency logs and WHOIS data reveal when a lookalike domain acquired its first TLS certificate and how recently it was registered. A brand-new domain with a TLS certificate issued from a free CA and registered less than 30 days ago is a strong threat signal — it matches the operational profile of an active phishing kit being stood up.
Severity: low to medium — registration age used as a risk multiplier on other signals
Brand Health Score — how it’s calculated
Like every AIDE score, the Brand Health Score starts at 100 and subtracts penalties per finding tier. Caps per severity tier prevent a single noisy category from dominating the score. Findings where is_own_domain = true are excluded from scoring entirely — your own verified domains never count as threats.
| Threat level | Severity | Penalty / finding | Max deduction |
|---|---|---|---|
| parked | low | −3 pts | −15 pts |
| active | medium | −10 pts | −30 pts |
| active_mx | high | −25 pts | −50 pts |
| phishing_suspected | critical | −40 pts | −80 pts |
Final score = max(0, 100 − sum of capped penalties). Score change alerts fire when delta ≥ 5 pts.
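The capped-penalty model above, as an added Python example (not AIDE's own code). The penalty table and the is_own_domain exclusion come from this article; the finding dictionaries, function names and sample domains are constructed, and treating the alert delta as an absolute change with an unnamed base tier below 10 points is an assumption.

```python
from collections import Counter

# threat level -> (penalty per finding, max deduction for the tier), from the table
PENALTIES = {
    "parked": (3, 15),
    "active": (10, 30),
    "active_mx": (25, 50),
    "phishing_suspected": (40, 80),
}

def brand_health_score(findings):
    """Return (score, deductions per tier) for a list of finding dicts."""
    # Own verified domains are dropped before anything is counted.
    counts = Counter(f["threat_level"] for f in findings if not f.get("is_own_domain"))
    deductions = {}
    for level, n in counts.items():
        per_finding, cap = PENALTIES[level]
        deductions[level] = min(n * per_finding, cap)  # cap stops one tier dominating
    return max(0, 100 - sum(deductions.values())), deductions

def alert_severity(previous, current):
    """Map a score change to an alert tier; None means no alert fires."""
    delta = abs(current - previous)  # assumption: direction of change is ignored
    if delta >= 25:
        return "critical"
    if delta >= 10:
        return "high"
    if delta >= 5:
        return "standard"  # assumption: the article does not name this tier
    return None

# Constructed findings for a fictional brand; none of these are real observations.
SAMPLE = (
    [{"domain": f"acme-parked{i}.example", "threat_level": "parked"} for i in range(7)]
    + [{"domain": "acmee.example", "threat_level": "active"},
       {"domain": "acm3.example", "threat_level": "active"},
       {"domain": "acme-login.example", "threat_level": "active_mx"},
       {"domain": "acme.example", "threat_level": "phishing_suspected",
        "is_own_domain": True}]
)

if __name__ == "__main__":
    print(brand_health_score(SAMPLE))
```

Seven parked findings would cost 21 points uncapped but deduct only 15, and the own-domain finding contributes nothing.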
Social Media Monitor — handle-squatting detection
While the Brand Monitor watches for lookalike domains, the Social Media Monitor watches for handle squatting — attackers or competitors registering social media profiles with names designed to be confused with your official accounts.
The threat is real: an impersonator account named @acme_official or @acm3support can direct customers to phishing pages, spread false information about your company, or damage your brand reputation for weeks before you discover it through a customer complaint. By then, hundreds or thousands of people may have interacted with the fake account.
For each configured brand name and keyword set, the worker algorithmically generates dozens of candidate handle variants using the same playbook an impersonator would: official-sounding suffixes, leet-substituted characters, double-letter typosquats, and missing-letter variants. Each candidate is then scored using similarity algorithms against your official handles.
Monitored across 25 social platforms
Social Monitor: the four check layers
1. Handle Similarity Analysis
For each of your configured official handles on each enabled platform, the worker generates a pool of candidate handles. Similarity is computed using a three-tier algorithm: exact match (100), substring containment (65–90 based on relative length ratio), and Levenshtein distance (0–99 based on edit distance). Candidates identical to your official handle are excluded.
2. Impersonation Pattern Detection
Beyond pure similarity, the worker generates specific high-risk patterns that impersonators systematically use. Each pattern category represents a specific attack strategy that is weighted higher in the scoring model.
🏛 Authority patterns
@acme_official, @official_acme, @acme_real, @acme_verified — designed to appear as the authoritative account
🎧 Support patterns
@acme_support, @acmesupport, @acme_help — designed to intercept customer service mentions
🔤 Leet substitution
a→4/@, e→3, i→1, o→0 — designed to appear identical at a glance
· Dot/dash variants
@acme.official, @acme-official — patterns that look legitimately branded on visual inspection
3. Multi-Platform Coverage
Findings are generated independently per platform. A single impersonator who has claimed the same handle across 5 platforms generates 5 independent findings, each with a direct URL to the suspicious profile. This catches cross-platform impersonation campaigns — where an attacker claims matching handles across multiple platforms to create a convincing fake brand ecosystem that appears authoritative through sheer volume of presence.
Each unresolved finding contributes its per-risk-level penalty to the score regardless of platform.
4. Keyword-Extended Brand Coverage
In addition to the primary brand name, the worker accepts a list of additional brand keywords — product names, trademarks, campaign names — and generates a separate candidate pool for each. This catches product-line targeted impersonation: @acme_cloud_support or @acme_invest_official targeting a specific product rather than the corporate brand.
Social Security Score — how it’s calculated
The Social Security Score is computed from all unresolved findings in the database, not just the current scan. This means the score accurately reflects your cumulative exposure: a brand that has accumulated many medium-risk findings across platforms will have a lower score than one that has just one new high-risk finding, even if both were flagged in the same scan run.
| Similarity range | Risk level | Penalty / finding |
|---|---|---|
| 85 – 100 | high | −15 pts |
| 70 – 84 | medium | −8 pts |
| 55 – 69 | low | −3 pts |
Score = max(0, 100 − accumulated penalties). Configurable minimum similarity threshold (default: 55).
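The three-tier similarity from "Handle Similarity Analysis" feeding the penalty table above, as an added Python example (not AIDE's own code). The article gives only the tier ranges, so the formulas inside the substring and Levenshtein tiers are assumptions, as are the function names and the constructed handles.

```python
def levenshtein(a, b):
    """Classic two-row edit distance."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def similarity(official, candidate):
    """Three tiers from the article; the formulas inside each tier are assumed."""
    a, b = official.lstrip("@").lower(), candidate.lstrip("@").lower()
    if a == b:
        return 100
    short, long_ = sorted((a, b), key=len)
    if short and short in long_:
        return round(65 + 25 * len(short) / len(long_))  # 65-90 by length ratio
    distance = levenshtein(a, b)
    return min(99, round(99 * (1 - distance / max(len(a), len(b)))))

RISK_TIERS = [(85, "high", 15), (70, "medium", 8), (55, "low", 3)]  # from the table

def social_security_score(official, unresolved_handles, min_similarity=55):
    """Return (score, findings) over all unresolved handles for one official handle."""
    findings = []
    for handle in unresolved_handles:
        sim = similarity(official, handle)
        if sim == 100 or sim < min_similarity:
            continue  # the official handle itself, or below the reporting threshold
        for floor, level, penalty in RISK_TIERS:
            if sim >= floor:
                findings.append({"handle": handle, "similarity": sim,
                                 "risk": level, "penalty": penalty})
                break
    return max(0, 100 - sum(f["penalty"] for f in findings)), findings

# Constructed handles for a fictional brand; not real accounts.
OBSERVED = ["@acme", "@acmee", "@acme_official", "@acm3", "@acm3support"]

if __name__ == "__main__":
    print(social_security_score("@acme", OBSERVED))
```

Under these assumed formulas `@acm3support` scores 27 against `@acme` and falls below the default threshold of 55, so similarity alone does not report it.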
Real-world use cases for agencies & MSPs
If you manage domains and brand identity for clients, these pillars change what you can offer them.
Proactive phishing detection before your client’s customers are hit
A lookalike domain with an MX record and a login-form clone is operational phishing infrastructure. With Brand Monitor, you detect it within the next scan cycle — measured in hours — not after the first customer complaint.
BEC email spoofing prevention
Business Email Compromise (BEC) attacks rely on domains that can send email impersonating your client. A new lookalike domain with active MX and no DMARC policy can start spoofing within 24 hours of registration. Brand Monitor flags this the moment it appears.
Fake "support" accounts intercepting customer service
Impersonator accounts named @clientbrand_support can route customer service requests to attackers. Social Monitor detects these before your clients' customers find them in search results.
Cross-platform brand takedown evidence
When a client needs to file a platform abuse report or UDRP complaint, Social Monitor's documented findings with direct profile URLs provide the evidence trail. Each finding is timestamped and stored.
Getting started
Both pillars are available today on all AIDE plans. Brand Monitoring is automatically enabled for every monitored domain — candidate generation and probing begin on the next scheduled scan cycle after you add a domain. Social Media Monitor requires you to configure your official handles per platform and select which platforms to enable.
Alerts for both pillars are delivered through the same notification channels as the rest of AIDE: email, Slack, and webhooks. Score change alerts fire when the delta is ≥ 5 points, with severity escalating at ≥ 10 (high) and ≥ 25 (critical).