Using Certificate Transparency Logs to Detect Brand Impersonation
Certificate Transparency logs record every publicly trusted TLS certificate issued. Learn how to monitor CT logs to detect typosquatting, phishing domains, and unauthorized certificates targeting your brand.
What Is Certificate Transparency?
Certificate Transparency (CT) is a public logging system that records every TLS certificate issued by publicly trusted certificate authorities. Created by Google in response to CA compromises that allowed unauthorized certificates to be issued without detection, CT provides an auditable record that makes certificate issuance visible to domain owners and the broader security community.
When a publicly trusted certificate authority issues a TLS certificate, it submits it (normally as a precertificate, before the final certificate is signed) to several CT logs and receives Signed Certificate Timestamps (SCTs), which it embeds in the certificate. Chrome and Safari reject certificates that do not carry valid SCTs, so in practice every publicly trusted certificate is logged. Each CT log is an append-only Merkle tree that anyone can query and audit, which means that issuance for any domain is publicly recorded and searchable.
For security teams, CT logs serve a dual purpose. Defensively, they let you see every certificate issued for domains you own, catching unauthorized issuance, shadow IT, and misconfigurations. As threat intelligence, they reveal when attackers obtain certificates for lookalike domains, which is a strong early indicator of a phishing or brand impersonation campaign.
How Attackers Use Lookalike Domains
Brand impersonation through lookalike domains is a foundational technique in phishing, business email compromise, and credential harvesting attacks. The process follows a predictable pattern:
- Domain registration: The attacker registers a domain that visually resembles the target's domain. Common techniques include typosquatting (e.g., examp1e.com, exmple.com), homograph attacks using Unicode characters that look identical to ASCII letters, adding hyphens or prefixes (secure-example.com, example-login.com), and using a different TLD (example.org when the target uses example.com).
- Certificate issuance: The attacker obtains a TLS certificate for the lookalike domain from a publicly trusted CA. Free, automated CAs like Let's Encrypt issue Domain Validation (DV) certificates within seconds, requiring only proof of domain control, not proof of identity or brand ownership.
- Infrastructure setup: The attacker configures the domain with web hosting (a cloned login page, a fake corporate site) and potentially email services for phishing campaigns.
- Attack execution: The attacker sends phishing emails or distributes links pointing to the lookalike domain. Because the certificate is valid, the browser shows no warning (and, in browsers that still display one, a padlock), which lends the impersonation credibility.
The certificate issuance step is where CT monitoring provides early warning. Because the CA logs a precertificate before it even hands the final certificate to the requester, the CT entry usually exists before the attacker's infrastructure is fully operational. Monitoring CT logs for certificates issued to domains resembling yours therefore gives advance notice of potential impersonation campaigns.
Monitoring CT Logs for Your Domains
CT log monitoring involves watching for new certificates that reference your domains or visually similar domains.
Monitoring Your Own Domains
The most fundamental use of CT monitoring is tracking certificates issued for domains you own. This catches:
- Unauthorized certificates: A certificate issued by a CA you did not authorize, potentially indicating a domain validation bypass or account compromise at a CA. Strong TLS certificate management practices reduce the likelihood of these issues going undetected.
- Shadow IT: Certificates for subdomains you did not know existed (dev.example.com, staging.example.com, test.example.com), revealing infrastructure that may not be under security team oversight.
- Expired team projects: Certificates for subdomains created by teams that have since moved on, leaving orphaned infrastructure that may not be maintained.
- Subdomain enumeration: The complete list of subdomains with certificates provides a comprehensive inventory of your internet-facing infrastructure.
Monitoring for Lookalike Domains
Detecting brand impersonation requires monitoring for certificates issued to domains that resemble yours but are not yours. This involves:
Fuzzy matching against your primary domains. Generate permutations using common typosquatting techniques:
- Character substitution: example.com -> examp1e.com, exampl3.com
- Character omission: example.com -> examle.com, exmple.com
- Character transposition: example.com -> exmaple.com
- Character addition: example.com -> examplee.com, examplle.com
- Hyphenation: example.com -> ex-ample.com, example-login.com
- TLD variation: example.com -> example.net, example.org, example.io
Keyword monitoring for certificates containing your brand name in combination with common phishing terms: login, secure, account, verify, update, portal, support.
Homograph detection for domains using Unicode characters that are visually indistinguishable from ASCII equivalents in certain fonts. The Cyrillic а (U+0430) looks identical to the Latin a (U+0061) in many typefaces. In certificates, and therefore in CT logs, such names appear in their Punycode form (an xn-- label), so detection has to decode the label and fold confusable characters before comparing it with your brand.
Tools for CT Monitoring
Several approaches exist for querying CT logs:
crt.sh is a free web interface for searching CT logs by domain:
https://crt.sh/?q=%.example.com
The % wildcard matches any subdomain: this query returns every certificate ever logged for a subdomain of example.com, but not for the apex name itself, which you query separately as https://crt.sh/?q=example.com. Adding &output=json to either query returns the same results as JSON (one record per precertificate and per final certificate, with the SANs newline-separated in the name_value field), which is the form to use from scripts. Wildcard queries for domains with many certificates can be slow and may time out, so cache results rather than re-querying on every run.
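The following is an added example (not code from the original page or any vendor product) showing what to do with the JSON that crt.sh returns: collapse the duplicate precertificate/certificate rows, turn the SANs into a subdomain inventory, and flag certificates from issuers you never authorized, which is the "unauthorized certificates" case described above. The records are constructed to mirror the crt.sh output format; they are not real log entries, and the authorized-issuer list is a hypothetical one.

```python
"""Parse crt.sh JSON output into a subdomain inventory and flag certificates
from issuers you did not authorize.

Added example; not part of the original page or any vendor product.
The sample records below are constructed to mirror the crt.sh
output=json format (fields: issuer_name, name_value, not_before,
not_after, serial_number); they are not real log entries.
"""
from __future__ import annotations
import json
import urllib.request
from collections import defaultdict

# Constructed sample in the shape crt.sh returns for ?q=%.example.com&output=json.
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "api-staging.example.com",
     "not_before": "2024-03-01T00:00:00", "not_after": "2024-05-30T00:00:00",
     "serial_number": "03a1"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",      # precert + final cert: same serial
     "name_value": "api-staging.example.com",
     "not_before": "2024-03-01T00:00:00", "not_after": "2024-05-30T00:00:00",
     "serial_number": "03a1"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "name_value": "www.example.com\nexample.com",        # SANs are newline-separated
     "not_before": "2024-01-10T00:00:00", "not_after": "2025-01-10T00:00:00",
     "serial_number": "0b22"},
    {"issuer_name": "C=XX, O=Some Other CA, CN=Other CA R1",   # not on the allowlist
     "name_value": "*.dev.example.com",
     "not_before": "2024-04-02T00:00:00", "not_after": "2024-07-01T00:00:00",
     "serial_number": "7f10"},
])

# Hypothetical allowlist: the issuer organisations this team authorised (keep it in sync with CAA).
AUTHORIZED_ISSUER_ORGS = ("O=Let's Encrypt", "O=DigiCert Inc")


def sample_entries() -> list[dict]:
    """The constructed sample, parsed as crt.sh would deliver it."""
    return json.loads(SAMPLE_CRTSH_JSON)


def fetch_crtsh(domain: str) -> list[dict]:
    """Live query (needs network). Not used by the offline demonstration below."""
    url = f"https://crt.sh/?q=%25.{domain}&output=json"
    with urllib.request.urlopen(url, timeout=60) as resp:
        return json.load(resp)


def dedupe(entries: list[dict]) -> list[dict]:
    """crt.sh lists the precertificate and the final certificate separately;
    they share issuer and serial number, so collapse them to one record."""
    seen, out = set(), []
    for e in entries:
        key = (e["issuer_name"], e["serial_number"])
        if key not in seen:
            seen.add(key)
            out.append(e)
    return out


def issuer_org(issuer_name: str) -> str:
    """Pull the O= component out of a crt.sh issuer_name string."""
    return next((p for p in issuer_name.split(", ") if p.startswith("O=")), issuer_name)


def subdomain_inventory(entries: list[dict]) -> dict[str, set[str]]:
    """Map each hostname seen in a SAN to the set of issuer organisations that certified it."""
    inventory: dict[str, set[str]] = defaultdict(set)
    for e in dedupe(entries):
        for name in e["name_value"].lower().split("\n"):
            if name.strip():
                inventory[name.strip()].add(issuer_org(e["issuer_name"]))
    return dict(inventory)


def unauthorized_issuance(entries: list[dict]) -> list[tuple[str, str]]:
    """(hostname, issuer) pairs whose issuer is not in AUTHORIZED_ISSUER_ORGS."""
    findings = []
    for e in dedupe(entries):
        if not any(org in e["issuer_name"] for org in AUTHORIZED_ISSUER_ORGS):
            for name in e["name_value"].lower().split("\n"):
                findings.append((name.strip(), e["issuer_name"]))
    return findings


if __name__ == "__main__":
    entries = sample_entries()
    for host, issuers in sorted(subdomain_inventory(entries).items()):
        print(f"{host:30} {', '.join(sorted(issuers))}")
    for host, issuer in unauthorized_issuance(entries):
        print(f"UNAUTHORIZED ISSUER for {host}: {issuer}")
```

Swap sample_entries() for fetch_crtsh("example.com") to run it against live data; diffing successive inventories is what turns this from a one-off query into monitoring.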
CyberShield's CT module performs CT log analysis as part of every domain scan, identifying certificates issued for your domain and its subdomains. This data feeds into the asset inventory and can reveal unknown subdomains.
Certstream provides a real-time feed of certificates as they are issued:
import certstream

BRAND = "example"
OWN_DOMAINS = ("example.com",)  # your own names belong to own-domain monitoring, not here

def callback(message, context):
    # certstream also emits "heartbeat" messages; only certificate updates carry names
    if message["message_type"] != "certificate_update":
        return
    for domain in message["data"]["leaf_cert"]["all_domains"]:
        host = domain.lower().lstrip("*.")  # "*.foo.com" -> "foo.com"
        if host.endswith(OWN_DOMAINS):
            continue
        # crude substring match: expect noise (e.g. "examples.org"); refine with a permutation list
        if BRAND in host:
            print(f"Alert: certificate issued for {domain}")

certstream.listen_for_events(callback, url="wss://certstream.calidog.io/")
This approach gives near-real-time alerting when a certificate is issued for a name containing your brand. The url argument can point at a self-hosted certstream-server instance if you do not want to depend on the public endpoint. A bare substring match is noisy (it fires on every name that happens to contain the brand string), so in practice compare each name against a generated permutation list and a homograph-folded form rather than a substring.
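The following added example (not code from the original page or any vendor product) ties together the fuzzy-matching, keyword and homograph techniques from the lookalike-domain section with the certstream feed above: it generates the typosquat permutations listed earlier, folds Punycode homographs back to Latin, and classifies every SAN in a certstream-style message. The message is constructed in the shape certstream emits (data.leaf_cert.all_domains) and the CONFUSABLES table is a small hand-picked subset of Unicode look-alikes, not a complete confusables list; the registrable-domain heuristic (last two labels) is a simplification that ignores the public suffix list.

```python
"""Lookalike-domain detection: generate typosquat permutations of a brand
domain, normalize homographs, and run both over names from a certstream-style
message.

Added example, not code from the original page or any vendor product. The
message below is constructed in the shape certstream emits
(data.leaf_cert.all_domains); CONFUSABLES is a small hand-picked subset of
Unicode look-alikes, not a complete confusables table.
"""
from __future__ import annotations

SUBSTITUTIONS = {"l": ["1", "i"], "i": ["1", "l"], "o": ["0"], "e": ["3"],
                 "a": ["4"], "s": ["5"], "m": ["rn"], "w": ["vv"]}
PHISH_KEYWORDS = ("login", "secure", "account", "verify", "update", "portal", "support")
TLDS = ("com", "net", "org", "io", "co")
# Cyrillic/Greek letters that render like Latin letters in many fonts (subset only).
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
               "\u0443": "y", "\u0445": "x", "\u0455": "s", "\u0456": "i", "\u03bf": "o"}


def permutations(domain: str) -> set[str]:
    """Typosquat variants of 'label.tld' using the techniques listed on the page."""
    label, tld = domain.lower().rsplit(".", 1)
    labels: set[str] = set()
    for i, ch in enumerate(label):
        for alt in SUBSTITUTIONS.get(ch, []):                     # character substitution
            labels.add(label[:i] + alt + label[i + 1:])
        labels.add(label[:i] + label[i + 1:])                     # character omission
        if i < len(label) - 1:                                    # character transposition
            labels.add(label[:i] + label[i + 1] + ch + label[i + 2:])
        labels.add(label[:i] + ch + ch + label[i + 1:])           # character addition (doubling)
        if i > 0:                                                 # hyphenation inside the label
            labels.add(label[:i] + "-" + label[i:])
    for kw in PHISH_KEYWORDS:                                     # brand + phishing keyword
        labels.add(f"{label}-{kw}")
        labels.add(f"{kw}-{label}")
    labels.discard(label)
    variants = {f"{v}.{tld}" for v in labels}
    variants |= {f"{label}.{t}" for t in TLDS if t != tld}        # TLD variation
    return variants


def skeleton(hostname: str) -> str:
    """Decode Punycode (xn--) labels and fold confusable characters to Latin, so a
    homograph compares equal to the ASCII brand. CT entries carry the xn-- form."""
    try:
        unicode_host = hostname.encode("ascii").decode("idna")
    except UnicodeError:
        unicode_host = hostname
    return "".join(CONFUSABLES.get(c, c) for c in unicode_host.lower())


def classify(san: str, brand: str, variants: set[str]) -> str | None:
    """Reason a SAN looks like the brand ('typosquat', 'homograph', 'keyword'), or None."""
    host = san.lower().lstrip("*.")                # wildcard SAN "*.x" -> "x"
    registered = ".".join(host.split(".")[-2:])    # crude registrable domain (no public suffix list)
    if registered == brand:
        return None                                # own domain: handled by own-domain monitoring
    if registered in variants:
        return "typosquat"
    folded = skeleton(registered)
    if folded != registered and (folded == brand or folded in variants):
        return "homograph"
    brand_label = brand.split(".")[0]
    if brand_label in host and any(kw in host for kw in PHISH_KEYWORDS):
        return "keyword"
    return None


def scan_message(message: dict, brand: str, variants: set[str]) -> list[tuple[str, str]]:
    """Apply classify() to every SAN in a certstream certificate_update message."""
    if message.get("message_type") != "certificate_update":      # skip heartbeats
        return []
    hits = []
    for san in message["data"]["leaf_cert"]["all_domains"]:
        reason = classify(san, brand, variants)
        if reason:
            hits.append((san, reason))
    return hits


# Constructed certstream-style message. The homograph uses Cyrillic U+0430 in
# "example" and is stored as its xn-- label, exactly as it would appear in a certificate.
SAMPLE_MESSAGE = {
    "message_type": "certificate_update",
    "data": {"leaf_cert": {"all_domains": [
        "examp1e.com", "www.examp1e.com", "*.dev.example.com",
        "ex\u0430mple.com".encode("idna").decode("ascii"),
        "secure-example-verify.net", "samples.org",
    ]}},
}

if __name__ == "__main__":
    variants = permutations("example.com")
    for san, reason in scan_message(SAMPLE_MESSAGE, "example.com", variants):
        print(f"{reason:10} {san}")
```

In the certstream callback shown earlier, replace the substring test with a call to classify(); generate the permutation set once at startup, since it is the same for every message.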
Responding to Detected Impersonation
When CT monitoring identifies a certificate for a lookalike domain, the response depends on the domain's current state.
Active Phishing Site
If the lookalike domain is hosting a phishing page or sending phishing emails:
- Document the impersonation: Take screenshots, record DNS records, capture HTTP responses, save email samples with full headers.
- Report to the domain registrar: File an abuse complaint requesting domain suspension. Include evidence of brand impersonation.
- Report to the hosting provider: File an abuse complaint with the hosting service identified through IP lookup and WHOIS.
- Report to the certificate authority: Request revocation under the CA's misuse terms. Treat this as supplementary: some CAs (Let's Encrypt among them) do not revoke based on site content, and browsers enforce revocation inconsistently, so revocation rarely takes a phishing site down by itself.
- Report to browser blocklists: Submit the URL to Google Safe Browsing, Microsoft SmartScreen, and PhishTank.
- Notify your users: If the phishing campaign targets your customers or employees, issue a security advisory.
Newly Registered, Not Yet Active
If the lookalike domain has a certificate but no active content:
- Monitor actively: The domain may be in preparation for a future campaign. Increase monitoring frequency.
- Proactive registrar complaint: Some registrars will act on trademark-based complaints even before the domain is used maliciously.
- Defensive registration: Consider registering the highest-value typosquatting variants of your primary domains to prevent future abuse. You cannot register every permutation, so prioritize the variants your permutation list and past incidents show attackers actually use.
CAA Records: Restricting Certificate Issuance
While CT monitoring detects certificates after issuance, CAA (Certificate Authority Authorization) records prevent unauthorized issuance proactively.
CAA records declare which certificate authorities are permitted to issue certificates for your domain. The CA/Browser Forum Baseline Requirements have required CAs to check CAA immediately before issuance since September 2017, and a CA must refuse to issue if it is not listed. The lookup walks up the name: a request for api.example.com is governed by the CAA set at api.example.com if one exists, otherwise by the set at example.com, so a record at the apex covers every subdomain that does not override it.
example.com. IN CAA 0 issue "letsencrypt.org"
example.com. IN CAA 0 issue "digicert.com"
example.com. IN CAA 0 issuewild "letsencrypt.org"
example.com. IN CAA 0 iodef "mailto:security@example.com"
This configuration:
- Allows only Let's Encrypt and DigiCert to issue standard certificates
- Allows only Let's Encrypt to issue wildcard certificates
- Asks CAs to report requests they rejected because of CAA to your security team (iodef reporting is optional for CAs, so do not rely on it as your only signal)
CAA limitations: CAA only restricts issuance for domains you control. It does not prevent certificate issuance for lookalike domains that the attacker controls. CAA protects against unauthorized certificates for your domains; CT monitoring detects certificates for domains impersonating yours.
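The following added example (not code from the original page or any vendor product) evaluates the CAA records above the way a CA must before issuing, following the RFC 8659 rules: climb from the requested name toward the root and use the first non-empty CAA set, let issuewild govern wildcard requests only when one is present, treat a bare ";" as "nobody", and refuse on a critical flag with an unknown tag. The zone is a constructed in-memory dict standing in for DNS (a real check would query the records, e.g. with dig CAA example.com), and the locked.example.com entry is a hypothetical addition showing a subdomain that overrides the apex policy.

```python
"""Evaluate CAA records the way a CA must before issuing (RFC 8659 logic).

Added example, not code from the original page or any vendor product. The
zone is a constructed in-memory dict standing in for DNS; a real check would
query the records. The climbing rule (closest ancestor-or-self with a
non-empty CAA set), the issuewild fallback and the critical-flag rule follow
RFC 8659; the example.com records are the ones shown on the page.
"""
from __future__ import annotations

CaaRecord = tuple[int, str, str]   # (flags, tag, value)

# Constructed zone: the page's example.com policy plus a subdomain that forbids all issuance.
ZONE: dict[str, list[CaaRecord]] = {
    "example.com": [
        (0, "issue", "letsencrypt.org"),
        (0, "issue", "digicert.com"),
        (0, "issuewild", "letsencrypt.org"),
        (0, "iodef", "mailto:security@example.com"),
    ],
    "locked.example.com": [(0, "issue", ";")],   # ';' alone means no CA may issue
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def find_caa(name: str, zone: dict[str, list[CaaRecord]] = ZONE) -> tuple[str, list[CaaRecord]]:
    """Closest ancestor-or-self of `name` that has CAA records, stopping short of the TLD.
    The first non-empty set found on the way to the root is the only one that applies."""
    labels = name.lower().lstrip("*.").split(".")
    for i in range(len(labels) - 1):
        owner = ".".join(labels[i:])
        if zone.get(owner):
            return owner, zone[owner]
    return "", []


def ca_permitted(name: str, ca_domain: str, zone: dict[str, list[CaaRecord]] = ZONE) -> bool:
    """May the CA identified by `ca_domain` issue a certificate for `name`?"""
    wildcard = name.startswith("*.")
    _, records = find_caa(name, zone)
    if not records:
        return True                                   # no CAA anywhere in the chain: unrestricted
    # Critical flag (128) on a tag the CA does not understand: it must refuse (RFC 8659 s4.1).
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in records):
        return False
    tag = "issue"
    if wildcard and any(r[1] == "issuewild" for r in records):
        tag = "issuewild"                             # issuewild governs wildcards when present
    relevant = [r for r in records if r[1] == tag]
    if not relevant:
        return True                                   # only iodef (or only issuewild for a non-wildcard): unrestricted
    # Value is "<ca-domain>[; param=value ...]"; an empty ca-domain (";" alone) matches nobody.
    allowed = {r[2].split(";")[0].strip().lower() for r in relevant}
    return ca_domain.lower() in allowed


def iodef_contacts(name: str, zone: dict[str, list[CaaRecord]] = ZONE) -> list[str]:
    """Where a CA should report a rejected request (reporting is optional for CAs)."""
    _, records = find_caa(name, zone)
    return [value for _, tag, value in records if tag == "iodef"]


if __name__ == "__main__":
    checks = [("www.example.com", "digicert.com"), ("*.example.com", "digicert.com"),
              ("*.example.com", "letsencrypt.org"), ("example.com", "globalsign.com"),
              ("api.locked.example.com", "letsencrypt.org"), ("example.org", "anyca.test")]
    for host, ca in checks:
        print(f"{host:25} {ca:18} {'ALLOW' if ca_permitted(host, ca) else 'DENY'}")
```

Running it against the page's records shows the asymmetry the list above describes: DigiCert may issue www.example.com but not *.example.com, and example.org (no CAA at all) is open to any CA, which is exactly why CAA cannot help against a lookalike domain the attacker owns.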
Integrating CT Monitoring Into Your Security Program
CT monitoring is most effective when integrated with broader security operations.
Asset inventory management: Use CT log data to maintain an accurate inventory of your internet-facing assets. Every certificate in CT logs for your domains represents infrastructure that should be in your asset management system. CyberShield's asset tracking correlates CT data with scan results to maintain a comprehensive inventory.
Incident response: When CT monitoring triggers an alert for a lookalike domain, your incident response team should have a documented procedure for investigation and takedown. Response time matters -- the sooner a phishing site is taken down, the fewer victims it collects.
Brand protection: CT monitoring complements trademark monitoring services. While trademark monitoring watches for domain registrations, CT monitoring catches the certificate issuance step, which often happens after registration but before the attack launches.
Threat intelligence: Patterns in lookalike domain registration can indicate targeted campaigns against your organization. A burst of certificates for multiple variations of your domain may signal a coordinated phishing operation in preparation.
Vendor risk assessment: Monitor CT logs for your critical vendors' domains as well. A lookalike domain targeting your vendor could be used to send fraudulent invoices or compromise credentials that provide access to your shared systems.
What CyberShield Provides
CyberShield's CT module integrates certificate transparency monitoring into your regular scanning workflow:
Certificate inventory: Every scan queries CT logs for certificates associated with your domain, building a comprehensive list of issued certificates including subdomains you may not have known about.
Subdomain discovery: CT logs reveal subdomains that DNS enumeration might miss. A development team that created api-staging.example.com and obtained a Let's Encrypt certificate shows up in CT logs even if the subdomain never made it into your inventory or its DNS record has since been removed.
Historical certificate data: CT logs record the full history of certificate issuance for your domains. This provides a timeline of infrastructure changes and can reveal certificates that were issued during security incidents. Pairing this data with a comprehensive TLS audit gives you full visibility into your encryption posture.
Integration with other modules: CT findings feed into CyberShield's broader assessment. A subdomain discovered through CT logs is automatically included in subsequent TLS, HTTP, and DNS analysis, providing comprehensive coverage of your actual attack surface rather than just the assets you know about.
The combination of CT monitoring (detecting what certificates exist), CAA records (restricting who can issue certificates for your domains), and regular external scanning (assessing the security posture of all discovered assets) creates a comprehensive certificate lifecycle management program that addresses both authorized and unauthorized certificate issuance.
Continue Reading
DMARC Policy: From Monitoring to Full Enforcement
Step-by-step guide to deploying DMARC, progressing from p=none monitoring to p=reject enforcement, with reporting configuration.
Open Redirect Prevention
Understand how open redirect vulnerabilities enable phishing attacks and how to eliminate them with allowlist validation, relative-only redirects, and safe URL parsing.
SPF Records: How to Configure Sender Policy Framework
Learn what SPF records are, how to create them correctly, and fix common issues like missing SPF, permissive qualifiers, and the 10-lookup limit.