June 5, 2026
Nine Ways We Find a Clone Before Your Customers Do
Most brand-impersonation attacks are caught too late, after a customer has already entered credentials or sent money. The difference between a contained incident and a costly one is usually measured in minutes. That is why we treat detection as a problem of breadth and speed: no single signal is enough, so we watch many at once and act fast.
Clonedown analyzes more than 7 million threats daily and runs end to end, from detection through takedown, automated by default and backed by a 24/7 disruption team. Our median response is under 15 minutes, and the average threat we surface lives only about 2.6 hours. Here are nine of the methods that make that possible.
1. Certificate Transparency monitoring
Major browsers require publicly trusted TLS certificates to be logged, so every time a certificate authority issues one for a new domain, the issuance (usually as a precertificate, before the final certificate is even delivered) appears in public Certificate Transparency logs. We stream these logs continuously and match the subject and Subject Alternative Names on each certificate against the brands we protect. An attacker spinning up a convincing lookalike almost always needs HTTPS, which means they leave a record, and we often see the certificate before the phishing page is live. The caveat is that the record is only as specific as the names on the certificate: a wildcard issued for an attacker-controlled parent domain says nothing about the hostnames it will later serve, which is why CT is one signal among several rather than the whole picture.
2. Newly registered and lookalike domain discovery
We continuously discover newly registered domains and score them against the names we protect. This includes typosquats, hyphenated variants, alternate top-level domains, the brand name used as a subdomain of an unrelated domain, and homoglyph attacks, where a Latin character is swapped for a near-identical character from another script. Homoglyph domains travel through DNS as punycode (xn--) labels, so the comparison has to run on the decoded form a user would see, not on the encoded label. Catching a lookalike at registration gives us a head start, often before any content is hosted on it at all.
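The two signals above reduce to the same matching problem: take a hostname, whether from a certificate's Subject Alternative Names or from a newly registered domain, and decide how it relates to a protected brand. The Python below is an added example, not Clonedown's code, showing one way to do that scoring over a constructed batch of CT entries. The brand (`paypal`, chosen only as a familiar illustration), the sample entries, the confusables table (a small subset of Unicode's data) and every helper name are constructed for the example; a production matcher would use the full confusables list and the Public Suffix List for registrable-domain splitting.

```python
"""Lookalike scoring over a constructed Certificate Transparency feed (added example)."""
import unicodedata

# Small constructed subset of Unicode confusables mapped to their Latin look-alike:
# Cyrillic/Greek letters that render like ASCII, plus common digit-for-letter swaps.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u03bf": "o", "\u03b1": "a", "\u03bd": "v",
    "0": "o", "1": "l", "3": "e", "5": "s",
}
# Letter pairs that read as a single letter in many fonts.
DIGRAPHS = [("rn", "m"), ("vv", "w"), ("cl", "d")]


def skeleton(label):
    """Reduce a label to what a reader sees: drop diacritics, fold confusables to
    ASCII, collapse digraphs, and ignore hyphens."""
    text = unicodedata.normalize("NFKD", label.lower())
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    text = "".join(CONFUSABLES.get(ch, ch) for ch in text)
    for seq, repl in DIGRAPHS:
        text = text.replace(seq, repl)
    return text.replace("-", "")


def to_unicode_domain(domain):
    """Decode IDNA (xn--) labels so homoglyphs are compared as displayed characters."""
    labels = []
    for label in domain.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)


def punycode_domain(domain):
    """Inverse of to_unicode_domain; used here only to build the sample feed."""
    return ".".join(
        label if label.isascii() else "xn--" + label.encode("punycode").decode("ascii")
        for label in domain.split(".")
    )


def levenshtein(a, b):
    """Edit distance, for plain typosquats that the skeleton does not catch."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain, brand, brand_tld, allow):
    """Return the kind of lookalike, or None if the name is unrelated or allowlisted.
    Assumption: the label left of the last dot is the registrable name; a real
    matcher consults the Public Suffix List so co.uk-style suffixes split correctly."""
    domain = to_unicode_domain(domain)
    if any(domain == d or domain.endswith("." + d) for d in allow):
        return None
    labels = domain.split(".")
    if len(labels) < 2:
        return None
    tld, sld, subs = labels[-1], labels[-2], labels[:-2]
    brand_sk = skeleton(brand)
    if any(skeleton(s) == brand_sk for s in subs):
        return "brand as subdomain"          # e.g. login.paypal.com.evil.example
    if sld == brand:
        return "alternate TLD" if tld != brand_tld else None
    sk = skeleton(sld)
    if sk == brand_sk:
        return "hyphenated variant" if "-" in sld else "homoglyph/confusable"
    if brand_sk in sk:
        return "brand embedded"              # e.g. paypal-login-secure.net
    if levenshtein(sk, brand_sk) <= max(1, len(brand_sk) // 5):  # heuristic threshold
        return "typosquat"
    return None


def scan_ct_feed(entries, brand, brand_tld, allow):
    """Flag every SAN in a batch of CT entries; wildcards are scored on their base name."""
    findings = []
    for entry in entries:
        for name in entry["names"]:
            kind = classify(name[2:] if name.startswith("*.") else name, brand, brand_tld, allow)
            if kind:
                findings.append((entry["log_index"], name, kind))
    return findings


# Constructed stand-in for CT log entries; "names" mirrors a certificate's SAN list.
SAMPLE_CT_ENTRIES = [
    {"log_index": 101, "names": ["paypal.com", "www.paypal.com"]},     # the real brand
    {"log_index": 102, "names": ["paypa1.com"]},                       # digit 1 for l
    {"log_index": 103, "names": ["pay-pal.com", "*.pay-pal.com"]},
    {"log_index": 104, "names": ["paypal-login-secure.net"]},
    {"log_index": 105, "names": ["paypal.co"]},
    {"log_index": 106, "names": ["login.paypal.com.evil.example"]},
    {"log_index": 107, "names": [punycode_domain("\u0440\u0430ypal.com")]},  # Cyrillic р, а
    {"log_index": 108, "names": ["paypl.com"]},
    {"log_index": 109, "names": ["payroll.com", "google.com"]},        # unrelated
]

if __name__ == "__main__":
    for idx, name, kind in scan_ct_feed(SAMPLE_CT_ENTRIES, "paypal", "com", {"paypal.com"}):
        print(f"{idx}  {name:32}  {kind}")
```

Two design points worth noting: the skeleton is computed for the brand as well as the candidate, so the folding rules only need to be consistent, not exhaustive, and the allowlist is checked on the decoded form, so a legitimate certificate for `www.paypal.com` is never scored while `paypal.com.evil.example` still is.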
3. Search-engine and SERP monitoring
Clones do not always come to victims directly; sometimes victims find them through search. We monitor search-engine results for brand terms and related queries, looking for impersonating sites that rank against the legitimate brand. A fraudulent page that climbs the results for a brand name can reach a wide audience quickly, so we flag it before it gains traction.
4. Reverse image search
Attackers rarely rebuild a brand from scratch. They reuse logos, product imagery, and even full-page screenshots. We run reverse image searches on these visual assets to find pages that have copied them, even when the surrounding text or domain gives nothing away. Visual reuse is one of the hardest signals for an attacker to avoid, because the clone has to look right.
5. Recursive crawling of suspicious pages
A single suspicious URL is rarely the whole story. We crawl flagged pages recursively, following HTTP redirects, meta-refresh and script-driven redirects, embedded links, and the chained hops attackers use to obscure their infrastructure, with limits on hop count and depth so a deliberately looping chain cannot stall the crawler. This often reveals the real landing page behind a redirect, the form that actually collects credentials, related kits hosted on the same infrastructure, and additional clones that share a common operator.
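As an added example, not Clonedown's crawler, the Python below follows a chain of HTTP 3xx, meta-refresh and simple JavaScript redirects with a hop limit and loop detection, then recursively collects links, image sources and form actions from the landing page to list the hosts behind one suspicious URL. `FAKE_WEB`, the `fetch` function and every hostname in it are constructed stand-ins so the example runs offline; a real crawler fetches through a sandboxed client and scopes which links it follows.

```python
"""Redirect-chain resolution and recursive link discovery (added example, runs offline)."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

MAX_HOPS = 10
# Simple script redirects: location = "...", window.location.href = "..."
JS_REDIRECT = re.compile(r"""(?:window\.)?location(?:\.href)?\s*=\s*['"]([^'"]+)['"]""")


class LinkExtractor(HTMLParser):
    """Collect href/src targets, form actions, and any <meta http-equiv=refresh> target."""

    def __init__(self):
        super().__init__()
        self.links, self.forms, self.meta_refresh = [], [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("a", "link") and a.get("href"):
            self.links.append(a["href"])
        elif tag in ("img", "script", "iframe") and a.get("src"):
            self.links.append(a["src"])
        elif tag == "form" and a.get("action"):
            self.forms.append(a["action"])
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\" ]+)", a.get("content") or "", re.I)
            self.meta_refresh = m.group(1) if m else None


def next_hop(status, headers, body):
    """Redirect target of a response, or None when this is a real landing page."""
    if 300 <= status < 400 and headers.get("Location"):
        return headers["Location"]
    parser = LinkExtractor()
    parser.feed(body)
    if parser.meta_refresh:
        return parser.meta_refresh
    m = JS_REDIRECT.search(body)
    return m.group(1) if m else None


def resolve_chain(url, fetch, max_hops=MAX_HOPS):
    """Follow redirects from url. Returns (hops, outcome, landing_body); outcome is
    'landed', 'loop', 'max_hops' or 'unreachable'. Relative targets are resolved
    against the current URL, and revisiting a URL stops the walk."""
    hops, seen = [url], {url}
    for _ in range(max_hops):
        resp = fetch(url)
        if resp is None:
            return hops, "unreachable", ""
        status, headers, body = resp
        target = next_hop(status, headers, body)
        if target is None:
            return hops, "landed", body
        url = urljoin(url, target)
        hops.append(url)
        if url in seen:
            return hops, "loop", ""
        seen.add(url)
    return hops, "max_hops", ""


def map_footprint(start, fetch, max_depth=2):
    """Resolve the chain, then crawl outward from the landing page to max_depth,
    recording every host touched and every form action (where credentials would go)."""
    hops, outcome, body = resolve_chain(start, fetch)
    hosts = {urlparse(h).hostname for h in hops}
    forms, queue, visited = set(), [(hops[-1], body, 0)], {hops[-1]}
    while queue and outcome == "landed":
        url, body, depth = queue.pop(0)
        parser = LinkExtractor()
        parser.feed(body)
        for target in parser.forms:
            forms.add(urljoin(url, target))
        for target in parser.links + parser.forms:
            link = urljoin(url, target)
            hosts.add(urlparse(link).hostname)
            resp = fetch(link) if depth < max_depth and link not in visited else None
            if resp and resp[0] == 200:
                visited.add(link)
                queue.append((link, resp[2], depth + 1))
    return {"hops": hops, "outcome": outcome,
            "hosts": sorted(h for h in hosts if h), "forms": sorted(forms)}


# Constructed stand-in for live HTTP fetches: url -> (status, headers, body).
FAKE_WEB = {
    "https://short.example/x1": (302, {"Location": "//redir.example/r"}, ""),
    "https://redir.example/r": (200, {}, '<meta http-equiv="refresh" content="0; url=/land">'),
    "https://redir.example/land": (200, {},
        '<script>window.location.href="https://secure-login.example/index.html";</script>'),
    "https://secure-login.example/index.html": (200, {},
        '<img src="https://cdn.secure-login.example/logo.png">'
        '<form action="https://collect.example/post.php" method="post"></form>'
        '<a href="/reset">Forgot password?</a><a href="https://secure-login.example/index.html">Home</a>'),
    "https://secure-login.example/reset": (200, {},
        '<form action="/reset/submit"></form><a href="https://other-brand-login.example/">Help</a>'),
    "https://other-brand-login.example/": (200, {}, '<form action="https://collect.example/post.php"></form>'),
    "https://loop.example/a": (302, {"Location": "/b"}, ""),
    "https://loop.example/b": (302, {"Location": "/a"}, ""),
}


def fetch(url):
    """Offline fetch over FAKE_WEB; returns None for anything not in the fixture."""
    return FAKE_WEB.get(url)


if __name__ == "__main__":
    print(map_footprint("https://short.example/x1", fetch))
```

The footprint for the constructed chain lists six hosts from one starting URL, including the CDN serving the copied logo and the separate host that receives the credential form, which is the kind of shared infrastructure that links one clone to others run by the same operator.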
6. Parasite SEO detection
Not every threat lives on a domain the attacker owns. Parasite SEO abuses the authority of legitimate, high-reputation platforms by hosting fraudulent content on them, such as a forum post, a document host, or a user-generated subpage. Because the host domain is trusted, these pages rank well and bypass naive domain-based filters. We specifically look for brand abuse hosted on high-authority sites that would otherwise hide in plain sight.
7. Host and subdomain enumeration
Once we identify malicious infrastructure, we map it. Host and subdomain enumeration lets us find the other properties an attacker has stood up on the same servers, IP ranges, or naming conventions. One discovered clone frequently leads to a cluster, and enumerating the host turns a single hit into the full footprint of a campaign.
8. Chat and messaging platform monitoring
A growing share of fraud is coordinated and distributed off the open web entirely. We monitor chat and messaging platforms such as Telegram, WhatsApp, and Discord, where phishing links, fake offers, and impersonation campaigns spread directly between users. These channels are where many attacks are seeded before they ever appear in a browser, so watching them shifts detection earlier.
9. Our own historical threat database
Every threat we have ever handled informs the next one. We correlate new findings against our historical database to connect fresh threats to known actors, reused kits, recurring infrastructure, and established patterns of behavior. An attacker who has been disrupted before tends to repeat themselves, and that history lets us recognize a campaign on sight rather than investigating it from zero.
Breadth and speed, together
No single one of these methods is sufficient on its own. A patient attacker can avoid any individual signal, but avoiding all of them at once is much harder. Our detection spans the open web, newly registered and lookalike domains, app stores, social platforms, chat and messaging apps, and paid ads, and it is reinforced by integrations with Cloudflare, Google Safe Browsing, AbuseIPDB, Spamhaus, and Netcraft. The combination is what lets us find a clone before your customers do, and then act on it quickly.
Clonedown OÜ is based in Tallinn, Estonia. If you are responsible for protecting a brand online, we are happy to walk you through what this looks like for your own threat surface.