Platform Overview > Cybercrime Detection
A woman sits at her laptop looking at code on her screen. Her left hand is reaching for her mobile telephone.
Green cybercrime icon

Cybercrime Detection

Defend your organization’s digital presence with Netcraft’s comprehensive cyber attack detection and monitoring

A hand rests on a laptop keyboard, which shows code on a screen

Protecting the world’s leading brands from cyber threats

Netcraft’s automated brand protection platform operates around the clock to detect cyber threats including phishing, advance fee or authorized push payment fraud, executive impersonation, fake shops and 100+ more attack types.

Searches cover a wide range of digital channels including typosquatting or lookalike domains, compromised websites, social media platforms, search engine ads, email and SMS. Processing over five million threat reports each day, Netcraft continuously monitors for occurrences of our customers’ brand names, logos and trademarks online.

Defeating cyber attacks with unmatched scale and effectiveness

Netcraft’s online brand protection operates 24/7 to discover phishing, fraud, scams, and cyber attacks through extensive automation, AI, machine learning, and human insight. Our disruption & takedown service ensures that malicious content is blocked and removed quickly and efficiently—typically within hours.

Blocked Attacks Icon

0%

of the world’s phishing attacks taken down

Website Host Icon

0M+

threat reports and suspicious URLs analyzed every day

Content Sites icon

0M

cybercrime attacks blocked to date

Global Phishing Icon

0M+

attacks taken down and growing

Sophisticated detection techniques

At the core of Netcraft’s detection capability are highly effective searches across internet-scale datasets derived from Netcraft’s decades of experience mapping the internet.

Netcraft’s global feeds cover cybercrime targeting any institution, including non-customers, and are widely licensed by browsers and antivirus companies. These feeds drive the powerful detection of compromised sites hosting attacks impersonating your brands.

Detected threats are analyzed using our automated threat intelligence platform and those targeting customers begin the disruption & takedown process.

A Diagram of Netcraft's Cybercrime Detection

Frequently Asked Questions

A malicious website being used in a cyberattack—for example a phishing site impersonating your brand—can be hosted on existing websites or on purpose-created lookalike domains. Around one-third of phishing threats taken down by Netcraft in 2022 were on deliberately registered domains.

Lookalike domains directly impersonate your organizations and will be created purposely for fraud – these might look like examp1eb4nk.com. The domain name itself is under the control of the criminal. On otherwise legitimate platforms where criminals can control only a portion of the domain, you may find examples like examp1eb4nk.example.com

Alternatively, criminals may compromise an existing legitimate website and make the attack available there – for example at example.com/wp-includes/examp1eb4nk/login.php.

Other infrastructure involved can include URL shorteners, redirectors, drop sites, messaging platforms and more. Sophisticated attackers can layer multiple techniques to make attacks stickier.

Detecting fraudulent lookalike websites and domains relies on extensive proactive searches across the internet for instances of your brand name, slogans, trademarks. These proactive searches focus on:

  • Domain name zone files: For example, on a list of all new .com domains. Access to zone files is typically only available to vetted parties.
  • Certificate Transparency logs: Freshly issued SSL certificates are logged publicly and can provide an early indicator of fraudulent intent. 
  • Internet survey data and other sources: Robust internet survey data and other sources can power additional detection, particularly with subdomains like examp1eb4nk.weebly.com that would not appear in domain lists or in wildcard certificates. 

Netcraft uses its industry-standard malicious site feeds to detect cyber attacks targeting our customers on compromised websites. These feeds are widely licensed by browsers, antivirus companies and across the internet industry

Compromised sites will not appear in many of the most common sources of data on new domain registrations as these attacks do not rely on a lookalike domain. For example, they may have a URL that looks like example.com/wp-includes/examp1eb4nk/login.php and there is no indication of malicious activity based on the example.com domain name.

Finding attacks in these high-volume, low-signal sources can be like finding a needle in a haystack and requires sophisticated automated processing to discover, classify, and validate attacks as targeting your organization. Netcraft’s digital risk protection platform deliveries a complete end-to-end service covering the whole pipeline.

Some of these tricks used by criminals to create lookalike domains include using internationalized domain names with lookalike characters, substituting similar-looking characters, manipulating character order, and adding prefixes or suffixes to mimic trusted domains. Combining these tricks with Netcraft’s extensive data on cybercrime impersonation, we use these signals to calculate a deceptive domain score.

By analyzing the minimum number of edits needed to transform one domain name into another, considering tricks commonly used to deceive victims, such as double letters or confusing character combinations. The algorithm also checks against a list of deceptive prefixes and suffixes used by previously blocked attacks.

The domains in the table below have previously hosted phishing attacks and are shown together with their deceptive domain score.

Domain Target Deceptive Domain Score
xn--blockchan-n5a.info
(blockchaín.info)
Matched ‘blockchain’ (Blockchain)
blockchain.info 9.50
ppayparl.com
Remove character: p<p>ayparl
Remove character: paypa<r>l
Looks like ‘paypal’ (PayPal)
paypal.com 9.00
update-capitalone.ga
Matched ‘capitalone’ (Capital One)
Change registerable point from .ga to .com
capitalone.com 8.51
fcbook.com
Remove character: f<c>book
Looks like ‘fbook’ (Facebook)
facebook.com 7.60
american-express-r2se3.com
Remove character: american<->express
Looks like ‘americanexpress’ (American Express)
americanexpress.com 6.72
steamupdatex.com
Remove suffix of ‘updatex’
Matched ‘steam’ (Steam)
steampowered.com 4.20
rdjfa.com
String Entropy
(none) 3.24
Example calculations using Netcraft’s deceptive domain score.

You can take advantage of Netcraft’s automated cybercrime detection and threat intelligence to process reports from your own customers. Netcraft offers both email and API-based reporting options to automatically extract potentially malicious URLs and other threat indicators from customer reports received by your team.

By using Netcraft’s automation, you can make the most of what can be a high-volume, low-confidence source of suspicious URL reports and free up your analysts’ time to invest elsewhere.

Insights

Sendgrid phishing mail screenshot

Blog

Phishception – SendGrid is abused to host phishing attacks impersonating itself

Netcraft has recently observed that criminals abused SendGrid’s services to launch a phishing campaign impersonating SendGrid itself. The well-known provider, … Read More

Learn More

SEE MORE INSIGHTS

Schedule time with us

Learn more about Netcraft’s powerful brand protection, external threat intelligence and digital risk protection platform