BLOG

5 Free Online Brand Protection Software Tools: Pros and Cons

Online brand impersonation attacks threaten businesses large and small, but do brands really need to open their wallets to protect themselves? The answer might be more complicated than you’d think.

Free or open-source software does exist that can help organizations look for and investigate deceptive websites spoofing their brand. On the other hand, few free tools exist that allow one to take action against online brand impersonation attacks.

The goal of this article is to share some examples of free tools that can contribute to an online brand protection practice and also clarify some of their pros and cons. Did we miss a tool you think we should include? Hit us up on LinkedIn.

Advantages and Disadvantages of Free and Open-Source Software/Tools

To start, let’s make it absolutely clear that this is not a screed against free or open-source tools. The Allure Security team will make use of some of these free tools from time-to-time to augment other methods and technology.

“Free and open-source tools can provide some helpful data for people investigating potential online brand impersonation attacks, but each tool has its own set of blinders on. And some of those blinders are very large. The tools are a mere sliver of a brand protection program. Yes, the data is helpful, but it’s not immediately actionable. Anyone using the tools still has a lot of work to do to determine whether any of the tools’ output might be actionable.”

Allure Security CEO Josh Shaul on the scope and effectiveness of free online brand protection tools

On top of figuring out which results you can do something about, there’s of course additional work in actually doing something about them!

Free and open source software offers a number of benefits: no cost, passionate user communities, and more. The thing is, in some cases, you get what you pay for. Or, you get out what you put in. 

Free and open source software can have a steeper learning curve than commercial software that’s designed to be easy to use. Many free tools also don’t have dedicated support. In addition, because many free and open-source software tools are side passion projects for their developers, they’re not always receiving updates to keep them current.

Free Tools and Software Relevant to Online Brand Protection

While free tools can be effective within their scope, there is only so much you will be able to detect. Combining multiple tools can help. However, each tool takes time to learn and operate and context switching resulting from jumping from tool-to-tool may result in a time sink for busy employees. Below is a sampling of tools that can be used as part of an online brand protection program. 

1. Urlscan.io – https://urlscan.io/ 

Urlscan.io allows users to input a URL and view information about the webpage located there. Urlscan.io examines the website’s content, structure, and behavior in a controlled environment to identify potential risks. It then provides detailed reports on the site’s HTTP transactions, cookies, headers, and other related data.

Where Urlscan.io falls short is that it requires you have the URL on-hand in order to scan it, meaning it is useful for the analysis of a potentially malicious website but cannot detect impersonations by itself. 

• Pros:
  • Allows you to investigate websites without having to visit them
  • Detailed information about a website’s connections, files, security history (under “Verdicts”), and more 
  • Includes screenshots
• Cons:
  • Reactive – requires you to know the specific URL you want to investigate
  • Little to no information or support to help with response to a fake website
  • May not give an accurate representation of the site as presented to consumers/potential victims – fraudsters know what tools security teams use to investigate suspicious websites and so at Allure Security we regularly see different content or no content at all presented when scanned with certain popular tools

3. DNSLytics https://dnslytics.com/ 

There are free and paid versions of DNSLytics available. In the free version, DNSLytics allows the user to investigate a website’s DNS records, IP address, and domain provider, as well as, perform various analyses related to the website’s DNS records and IP reputation

Similarly to URLscan.io, DNSLytics requires that you have found the suspicious website already in order to scan it.

• Pros:
  • Includes WHOIS information
  • Reports whether an IP address is on one of 27 blocklists 
  • Reverse-IP lookup to investigate other domains hosted on a specific IP address
• Cons:
  • Reactive – requires you to know the specific URL you want to investigate 
  • Limited information and no screenshots so that you would need to visit the website yourself to better understand its content and assess any risk
  • No guidance on how to action any outputs/results

3. DNSTwist https://dnstwist.it/ 

DNSTwist allows users to generate hypothetical domain names that are similar to their brand’s website, subsequently checking to see if said domain names are registered. This leads to the detection of phishing websites that use text strings related to a brand’s name in URLs. By guessing the domain name and verifying its use online, the user can then visit the potential phishing site and determine if it is malicious.

This method is only able to detect impersonations on the URLs that it generates. While there’s value there, Allure Security research finds that 71% of brand impersonations use domains that are NOT permutations of a brand’s name. So, relying on domain permutations alone will miss a majority of online brand impersonations.

• Pros:
  • More proactive approach to identifying potentially deceptive URLs for investigation (brings domains to your attention instead of requiring that you find the URLs yourself)
  • Reports on whether a domain is registered to reduce the scope of what you may need to investigate
  • Reports on whether a domain has an MX record that would allow it to send email (i.e., a malicious domain would be sending phishing emails)
• Cons:
  • You must manually investigate any suspicious URL
  • Depending on your technical ability to configure the tool, limited number of permutations (i.e., potentially a mere drop in the ocean of possible relevant permutations) 
  • Focused on one very specific method used by fraudsters (typosquatting) which misses the majority of online brand impersonations  

4. PhishFinder https://github.com/AdviaCU/PhishFinder/blob/main/README.md 

Advia Credit Union’s PhishFinder was developed by an information security officer at the credit union, och0Sec. PhishFinder allows users to monitor new domain registrations (via WhoisDS.com), matches the domains with a watchlist uploaded by the user, and then assigns a risk score based on open source intelligence parameters selected by the user. The risk score is used to determine how malicious a newly registered domain is likely to be and whether it is a phishing website.

PhishFinder relies on crawling through a WHOIS dataset of 100,000 new domains daily, checking for similarities with the uploaded text file of domain names you’d like to watch. The PhishFinder tool will email a list of high-risk domains to the user and log unresolved high-risk domains in another text file. 

Similar to the limitations that occur in how you deploy/use Dnstwist, Phishfinder is limited by its scope because it only detects impersonations that use the same domain name(s) uploaded to the watchlist text file. 

• Pros:
  • A good tool to triage lists of Dnstwist results (lists which tend to be voluminous) because it assigns a basic risk score to help you prioritize potential threats giving you a place to start
  • Purpose built to allow you to schedule automated scans that scan recent domain name registrations to see whether they match domains in the watchlist you create
  • Automatically emails a report of potentially deceptive websites to the address you choose
• Cons:
  • Does not help you discover potential domain names/strings that you may need to evaluate – it requires you to create the list of domain names/strings you want the tool to watch out for 
  • Some technical abilities required as there’s no graphical user interface (i.e., the developer recommends you run it as a daily cron job which requires you to be comfortable with command line)
  • No guidance for taking action on results

5. Canarytokens https://canarytokens.org/generate 

Canarytokens are small blocks of javascript that inform the website owner if a page’s code has been copied and published to another domain. The tokens can be relatively easy to spot if you know what you’re looking for – meaning a sophisticated adversary re-creating a website from scratch is able to remove them. 

Canarytokens can alert you to someone wholesale copying pages, if not the entirety, of your website. However, fraudsters do not completely clone websites as often as they once did. It’s worth considering implementing Canarytokens on your website, but know that the visibility provided by the tokens is limited.

• Pros:
  • Useful for identifying wholesale copies of your website hosted on other domains
  • While fraudsters don’t use full-scale clones of websites as often these days, the tokens are still a good control to have as part of your detection system
  • While some technical skills are required, Canarytokens are relatively easy to deploy
• Cons:
  • Some technical skills are required to create and deploy Canarytokens for cloned websites and requires making changes to your website
  • If you don’t obfuscate the token it can be easy for attackers to find and remove
  • Very few impersonations encountered by Allure Security start as complete clones of a brand’s website that would have transferred the token with it

Should You Use Free Tools to Protect Your Brand Online?

We’ve delved into the pros and cons of various free online brand protection tools. While these tools offer valuable insights and may be a good addition to your brand protection strategy, it’s clear they have limitations. For instance, reactive tools like Urlscan.io and DNSLytics require prior knowledge of a suspicious URL, and even more proactive tools like Dnstwist have their constraints in scope and technical demands.

The takeaway? Free tools can be a starting point, but for comprehensive and less labor-intensive brand protection, considering a more robust, integrated solution may be the way forward. 

If you’re looking for a solution that goes beyond the capabilities of free tools, offering wider coverage and better ease of use, Allure Security’s online brand protection-as-a-service might be just what you need. Our platform is designed to save time and extend protection far beyond what free tools can achieve, proactively identifying and addressing online brand impersonation attacks without the need for constant manual work.

WHAT YOU SHOULD DO NEXT

• Contact us for expert assistance in protecting your brand’s reputation online and responding to abuse.
• Discover how to optimize your team, processes, and technology for effective online brand protection with our complimentary guide, “The Busy Person’s Guide to Online Brand Protection.”
• Check out our blog post to evaluate if your brand is being protected effectively.