
Fake Entity Detection

5 automated security scanners


Purpose: The Spoofed Subsidiary Analysis Scanner is designed to identify potential phishing sites or unauthorized entities attempting to impersonate legitimate business units by detecting convincing brand mimicry, similar WHOIS/MX patterns, and legitimate-looking websites. This helps in identifying spoofed subsidiaries that may be used for fraudulent activities.

What It Detects:

  • Domain Similarity Analysis: Identifies domains with slight variations from the original domain name (e.g., acme-corp.com vs acmecorp.com).
  • WHOIS Pattern Matching: Compares WHOIS information of the target domain with known patterns of legitimate subsidiaries, detecting suspiciously similar contact details, registrars, or administrative contacts.
  • MX Record Analysis: Examines MX records to identify if they point to servers that are not associated with the legitimate company infrastructure, looking for discrepancies in mail server configurations that may indicate a spoofed domain.
  • Website Content Similarity: Scrapes and compares website content of the target domain with the official company website, detecting similarities in design, layout, and content that suggest mimicry without authorization.
  • Public Records Cross-Verification: Utilizes public records from sources like SEC filings, LinkedIn, GitHub, news articles, and job boards to verify the legitimacy of the domain, checking for any mentions or references to the target domain in official company communications or third-party reports.
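The Domain Similarity and MX Record checks above, worked through in code. This is an added example, not the scanner's own implementation: the confusable table, the edit-distance threshold, the allowed-MX suffix list and the mapping of results onto the risk levels listed below are this example's assumptions, WHOIS comparison is not modelled, and every candidate domain and MX host is constructed rather than resolved.

```python
"""Lookalike-domain and MX checks for the Spoofed Subsidiary analysis.

Added example; not the scanner's own code. All inputs are constructed
inline so it runs offline. ALLOWED_MX_SUFFIXES stands in for the
organisation's real mail-infrastructure inventory (an assumption).
"""

# Visual confusables folded before comparison, so examp1e and acrne are
# compared with the brand as "example" and "acme". Applied to both sides.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}

# Assumed: hosts the company actually uses for mail. A shared provider
# suffix is weak evidence, since an attacker can use the same provider;
# prefer hostnames you know belong to your own tenant or servers.
ALLOWED_MX_SUFFIXES = ("acme.com",)


def registrable_label(domain: str) -> str:
    """Second-level label, lower-cased (assumes a one-label public suffix,
    e.g. acme.com rather than acme.co.uk)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def fold_confusables(label: str) -> str:
    # Multi-character sequences first, so "rn" becomes "m" before single characters are touched.
    for src in sorted(CONFUSABLES, key=len, reverse=True):
        label = label.replace(src, CONFUSABLES[src])
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches one-character typos such as acne vs acme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_similarity(candidate: str, brand: str) -> dict:
    cand = registrable_label(candidate)
    base = fold_confusables(registrable_label(brand))
    folded = fold_confusables(cand.replace("-", ""))
    return {
        "identical": cand == registrable_label(brand),
        "hyphen_variant": "-" in cand and base in folded,     # acme-corp, acme-fraud
        "confusable": cand != base and folded == base,         # acrne, examp1e
        "edit_distance": levenshtein(folded, base),            # acne -> 1
        "contains_brand": base in folded and folded != base,   # acmecorp, notacmecorp
    }


def mx_outside_allowlist(mx_hosts, allowed_suffixes=ALLOWED_MX_SUFFIXES) -> list:
    """MX hosts that are not under any allowed suffix."""
    def allowed(host):
        h = host.lower().rstrip(".")
        return any(h == s or h.endswith("." + s) for s in allowed_suffixes)
    return [h for h in mx_hosts if not allowed(h)]


def classify(candidate: str, brand: str, mx_hosts, allowed_suffixes=ALLOWED_MX_SUFFIXES) -> str:
    """Map the checks onto the documented risk levels. This mapping is the
    example's reading of the Risk Levels list, not the scanner's published logic."""
    sim = domain_similarity(candidate, brand)
    if sim["identical"]:
        return "Info"
    mimicry = sim["confusable"] or sim["hyphen_variant"] or sim["edit_distance"] <= 1
    if mimicry and mx_outside_allowlist(mx_hosts, allowed_suffixes):
        return "Critical"   # lookalike that also receives mail on infrastructure we do not control
    if mimicry:
        return "High"       # hyphen or misspelling variant of the brand
    if sim["contains_brand"]:
        return "Low"        # brand embedded in a longer name, no clear mimicry
    return "Info"


if __name__ == "__main__":
    # Constructed candidates paired with the MX hosts a resolver might return for them.
    for dom, mx in [("acrne.com", ["mx1.badhost.example"]),
                    ("acme-corp.com", ["mx1.acme.com"]),
                    ("notacmecorp.org", ["mail.notacmecorp.org"]),
                    ("widgets.com", [])]:
        print(dom, classify(dom, "acme.com", mx))
```

Two caveats carry over to a real run. A hosted-mail suffix shared with the attacker is not evidence of affiliation, so the allowlist should name the organisation's own hostnames rather than a provider's. And the one-label public-suffix assumption in registrable_label should be replaced by a proper public-suffix list before scanning domains under acme.co.uk-style suffixes.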

Inputs Required:

  • domain (string): Primary domain to analyze (e.g., acme.com)
  • company_name (string): Company name for statement searching (e.g., “Acme Corporation”)

Business Impact: Identifying spoofed subsidiaries is crucial as it helps in preventing unauthorized access and potential phishing attacks that could lead to significant financial losses and damage the reputation of legitimate companies. This tool aids in maintaining trust and security by detecting fraudulent activities masquerading as genuine entities.

Risk Levels:

  • Critical: Conditions where WHOIS information closely mimics known legitimate subsidiaries or when MX records point to unexpected servers not affiliated with the company.
  • High: Significant domain name variations that suggest mimicry without authorization, particularly if they include hyphens or slight misspellings of the official company name.
  • Medium: Minor discrepancies in website content similarity, such as missing critical pages like “About Us” or “Contact Information”.
  • Low: Minor variations in domain names that do not clearly mimic the main brand, or small WHOIS differences without supporting MX or content signals.
  • Info: Non-critical findings of slight domain name variations without clear evidence of mimicry, where further investigation might be required to confirm legitimacy.

Example Findings:

  1. A domain acme-fraud.com with WHOIS information that closely resembles known legitimate subsidiaries could indicate a critical risk due to potential impersonation.
  2. A domain notacmecorp.org, with no WHOIS overlap, embeds the brand name but diverges from the official acme.com in both domain name and website content; it would be reported at Low or Info as a variation without clear evidence of mimicry, pending further investigation.

Purpose: The Shell Company Detection Scanner is designed to identify corporate profile mimicry, brand-adjacent entities, and operational facades by analyzing public records and open-source intelligence (OSINT) sources. This tool helps in detecting shell companies that may be used for fraudulent activities or to misrepresent legitimate business operations.

What It Detects:

  • Subdomain Discovery: Identifies subdomains associated with the target domain using Certificate Transparency logs.
  • Breach History: Checks whether addresses at the domain appear in breaches indexed by the HaveIBeenPwned API. The domain search reports accounts found in any breach, including third-party ones, so a hit is not by itself evidence that the company’s own systems were breached.
  • News Coverage: Searches for news articles mentioning the company in relation to security incidents or breaches.
  • Job Board Analysis: Analyzes job postings to identify technology stack disclosures that may indicate operational activities.
  • SEC Filings Review: Examines SEC EDGAR filings for risk factor disclosures that may indicate operational or financial risks.

Inputs Required:

  • domain (string): Primary domain to analyze (e.g., acme.com)
  • company_name (string): Company name for statement searching (e.g., “Acme Corporation”)

Business Impact: Identifying shell companies is crucial for maintaining the integrity of corporate profiles and preventing fraudulent activities that could lead to significant financial losses and damage to brand reputation.

Risk Levels:

  • Critical: Conditions that directly indicate severe risks such as unaddressed security incidents, data breaches, or material adverse effects on operations.
  • High: Conditions suggesting high risks like prominent risk factors in SEC filings or widespread unauthorized access.
  • Medium: Conditions indicating medium risks such as potential operational issues inferred from technology stack disclosures in job postings.
  • Low: Informative findings that provide limited but useful insights into the company’s operations, though not directly indicative of significant risks.
  • Info: General information about subdomains and breach history, providing basic insights without immediate risk implications.

Example Findings:

  • A company whose domain has no subdomains in Certificate Transparency logs may be hiding its digital footprint; treat this as a weak signal on its own, since small or newly formed legitimate companies also issue few certificates.
  • Accounts at the company’s domain appearing in breaches indexed by HaveIBeenPwned show a history of exposure that could affect trust and lead to legal liabilities; distinguish breaches of the company’s own systems from third-party breaches that merely contained its employees’ addresses.

Purpose: The Domain Shadow Identification Scanner is designed to detect similar-looking domains and brand-aligned shadow infrastructure that could be used for malicious activities such as phishing, credential harvesting, or command-and-control operations. This tool helps in identifying potential threats by analyzing domain names for slight variations, common typosquatting techniques, and mimicry of legitimate organizations’ branding.

What It Detects:

  • Similar-Looking Domains: Identifies domains with slight variations in spelling (e.g., example.com vs. examp1e.com) and detects domains using common typosquatting techniques.
  • Brand-Aligned Infrastructure: Finds domains that closely resemble official company domains, mimicking their branding and structure.
  • Malware and Ransomware Indicators: Scans for patterns related to malware or ransomware activity, such as mentions of malware, ransomware, and potential command-and-control servers, using regex patterns like command\s*(?:and|&)\s*control|c2|c&c. The short aliases c2 and c&c match as substrings, so hits inside names such as ec2 or inside hexadecimal strings need review.
  • Phishing and Credential Harvesting: Detects domains associated with phishing attempts or credential harvesting, looking for patterns indicating data exfiltration or unauthorized access.
  • Exposure Indicators: Identifies domains that have been exposed, leaked, or breached using patterns like exposed|leaked|breached, detecting mentions of unauthorized access and data dumps.
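The Certificate Transparency input and the regex indicators above, as an added example that is not the scanner’s code. It parses a constructed payload shaped like the crt.sh JSON output for the %.acme.com query, keeps only names under the base domain, and runs both the page’s pattern and a tightened form over the names to show where the bare c2 alias produces false positives. The sample records, the tightened patterns and the indicator names are this example’s assumptions.

```python
"""Certificate Transparency harvest plus indicator matching for the Domain
Shadow checks. Added example, not the scanner's own code; the crt.sh payload
below is constructed in the shape of the real JSON output, not fetched."""
import json
import re

BASE_DOMAIN = "acme.com"

# Constructed stand-in for the response to https://crt.sh/?q=%.acme.com&output=json.
# Real records carry more fields; only common_name and name_value are used here,
# and name_value may list several newline-separated SANs (including names outside
# the queried domain, as in the first record).
CRTSH_SAMPLE = json.dumps([
    {"common_name": "www.acme.com", "name_value": "www.acme.com\nacme.com\nwww.acme-cdn.example"},
    {"common_name": "ec2-gateway.acme.com", "name_value": "ec2-gateway.acme.com"},
    {"common_name": "*.dev.acme.com", "name_value": "*.dev.acme.com"},
    {"common_name": "exposeddata.acme.com", "name_value": "exposeddata.acme.com"},
    {"common_name": "c2.acme.com", "name_value": "c2.acme.com"},
    {"common_name": "leaked-docs.acme.com", "name_value": "leaked-docs.acme.com"},
])


def hostnames_from_crtsh(payload: str, base_domain: str) -> list:
    """Unique lower-cased hostnames under base_domain; wildcard entries and
    SANs outside the domain are dropped."""
    names = set()
    for rec in json.loads(payload):
        for raw in (rec.get("name_value", "") + "\n" + rec.get("common_name", "")).split("\n"):
            name = raw.strip().lower().rstrip(".")
            if not name or name.startswith("*."):
                continue
            if name == base_domain or name.endswith("." + base_domain):
                names.add(name)
    return sorted(names)


# The pattern as written on the page. "c2" is matched as a bare substring, so it
# fires on ec2-*, on hex digests and on anything containing those two characters.
RAW_C2 = re.compile(r"command\s*(?:and|&)\s*control|c2|c&c", re.I)

# Tightened forms (assumed): the short aliases must stand alone as a label or word,
# and the exposure words must start a label or word (exposeddata still matches,
# unexposed does not).
INDICATORS = {
    "c2": re.compile(r"command\s*(?:and|&)\s*control|(?<![a-z0-9])(?:c2|c&c)(?![a-z0-9])", re.I),
    "exposure": re.compile(r"(?<![a-z0-9])(?:exposed|leaked|breached)", re.I),
}


def scan_indicators(texts, patterns=INDICATORS) -> dict:
    """Map each input (hostname, CT log line, page snippet) to the indicators it triggers."""
    hits = {}
    for text in texts:
        tags = [tag for tag, rx in patterns.items() if rx.search(text)]
        if tags:
            hits[text] = tags
    return hits


if __name__ == "__main__":
    hosts = hostnames_from_crtsh(CRTSH_SAMPLE, BASE_DOMAIN)
    print("page pattern fires on ec2-gateway:", RAW_C2.search("ec2-gateway.acme.com") is not None)
    for host, tags in scan_indicators(hosts).items():
        print(host, tags)
```

Run against a live crt.sh response, the same function applies unchanged; the only difference is that name_value lists are often far longer, which is why de-duplication through a set happens before sorting.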

Inputs Required:

  • domain (string): Primary domain to analyze (e.g., acme.com)
  • crtsh_query (string): Query for certificate transparency logs (e.g., %.acme.com)

Business Impact: This scanner is crucial for enhancing the security posture of organizations by proactively detecting potential threats posed by similar-looking domains, brand-aligned shadow infrastructure, and malicious activities associated with phishing and data breaches. It helps in mitigating risks associated with unauthorized access and data theft, safeguarding sensitive information and maintaining trust among users.

Risk Levels:

  • Critical: Conditions that could lead to significant damage or loss, such as the discovery of malware or ransomware indicators on critical infrastructure domains.
  • High: Conditions that pose a high risk but are not as severe as critical, such as exposure indicators suggesting potential data breaches.
  • Medium: Conditions that may indicate vulnerabilities in security measures but do not necessarily lead to significant consequences, such as suspicious domain names with slight variations from legitimate ones.
  • Low: Informative findings that provide insights into normal cybersecurity practices or minor deviations from standard operations.
  • Info: Non-critical findings providing general information about the state of a domain’s security posture.

Example Findings:

  • A domain malwaredomain.com flagged as having malware indicators, indicating potential malicious activity.
  • An exposed subdomain exposeddata.acme.com identified by exposure indicators, suggesting unauthorized access to sensitive information.

Purpose: The Fake Partner Ecosystem Scanner is designed to safeguard against partnership fraud and misrepresentation by scrutinizing public records, open-source intelligence (OSINT), and digital footprints for inconsistencies that might indicate unauthorized access, data breaches, or misuse of certifications.

What It Detects:

  • Breach Mentions in Public Records: Identifies mentions of security incidents, unauthorized access, and compromised systems within company statements and public records.
  • Technology Stack Disclosure on Job Boards: Detects technology stack disclosures that suggest unauthorized use or misrepresentation of cloud services and DevOps tools.
  • Certification Claims in Public Documents: Detects claims of compliance with standards such as SOC 2, ISO 27001, PCI DSS, and HIPAA in public documents. A claim found this way is a statement to verify against the certifying body or a current report, not verification of compliance.
  • Subdomain Discovery via Certificate Transparency: Discovers subdomains to identify potential unauthorized extensions of a partner’s digital presence.
  • Breach History on HaveIBeenPwned: Checks whether addresses at the domain appear in breaches indexed by HaveIBeenPwned to surface past exposure. A hit in a third-party breach (an employee’s address in another vendor’s leak) is a different finding from a breach of the partner’s own systems, and the two should be reported separately.
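Breach-history triage for this scanner and for the Shell Company Detection Scanner’s Breach History check, as an added example that is not either scanner’s code. It takes the parsed form of the HaveIBeenPwned v3 domain search (alias to breach names) and breach model (Name, Domain, BreachDate, DataClasses) and separates breaches of the company’s own systems from third-party breaches that contained addresses at the domain, which is what a finding such as “Breach found: Adobe” in the examples below usually is. The sample data, the fictitious AcmePortal breach, the dates and the risk-level mapping are constructed assumptions.

```python
"""Triage of HaveIBeenPwned domain-search results for the breach-history checks.

Added example, not the scanners' code. Both inputs are constructed in the shape
of the v3 API's parsed JSON; AcmePortal is fictitious and all values are
illustrative.
"""

DOMAIN = "acme.com"

# Parsed form of GET https://haveibeenpwned.com/api/v3/breacheddomain/acme.com:
# alias (local part of an address at the domain) -> names of breaches it appears in.
DOMAIN_SEARCH = {
    "alice": ["Adobe", "AcmePortal"],
    "bob": ["Adobe"],
    "carol": ["LinkedIn"],
}

# Parsed subset of GET https://haveibeenpwned.com/api/v3/breaches (the breach model).
# Field names follow the public model; values are illustrative.
BREACHES = [
    {"Name": "Adobe", "Domain": "adobe.com", "BreachDate": "2013-10-04",
     "DataClasses": ["Email addresses", "Password hints", "Passwords", "Usernames"]},
    {"Name": "LinkedIn", "Domain": "linkedin.com", "BreachDate": "2012-05-05",
     "DataClasses": ["Email addresses", "Passwords"]},
    {"Name": "AcmePortal", "Domain": "acme.com", "BreachDate": "2021-03-14",
     "DataClasses": ["Email addresses", "Passwords", "Phone numbers"]},
]


def triage_domain_breaches(domain, domain_search, breaches) -> dict:
    """Separate breaches of the company's own systems (breach Domain == target)
    from third-party breaches that merely contained addresses at the domain."""
    by_name = {b["Name"]: b for b in breaches}
    accounts_per_breach = {}
    for alias, names in domain_search.items():
        for name in names:
            accounts_per_breach.setdefault(name, set()).add(alias)

    first_party, third_party = [], []
    for name, aliases in sorted(accounts_per_breach.items()):
        b = by_name.get(name)
        entry = {"breach": name, "accounts": len(aliases)}
        if b is None:
            # Not in our copy of the breach list: surface it rather than silently drop it.
            entry.update(breach_domain=None, date=None, passwords_exposed=False, unknown=True)
            third_party.append(entry)
            continue
        entry.update(breach_domain=b["Domain"], date=b["BreachDate"],
                     passwords_exposed="Passwords" in b["DataClasses"])
        if b["Domain"].lower() == domain.lower():
            first_party.append(entry)
        else:
            third_party.append(entry)

    # Level mapping is this example's assumption: a breach of the company's own
    # service is Critical; staff addresses in someone else's breach are a credential
    # reuse exposure (Low when passwords were included), otherwise Info.
    if first_party:
        risk = "Critical"
    elif any(e["passwords_exposed"] for e in third_party):
        risk = "Low"
    else:
        risk = "Info"
    return {"domain": domain, "first_party": first_party, "third_party": third_party, "risk": risk}


if __name__ == "__main__":
    result = triage_domain_breaches(DOMAIN, DOMAIN_SEARCH, BREACHES)
    print(result["risk"])
    for e in result["first_party"]:
        print("own system breached:", e["breach"], e["date"])
    for e in result["third_party"]:
        print("third-party exposure:", e["breach"], e["accounts"], "account(s)")
```

The domain search requires verified control of the domain and an API key, so in practice the two inputs come from an authenticated client; the triage itself does not change.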

Inputs Required:

  • domain (string): The primary domain under investigation, such as acme.com.
  • company_name (string): The legal name of the company, e.g., “Acme Corporation”.

Business Impact: This scanner is crucial for maintaining trust in partner relationships by ensuring that all claims about technology usage and compliance are accurate and legitimate. Misrepresentation can lead to significant security risks and regulatory non-compliance.

Risk Levels:

  • Critical: Significant data breaches, unauthorized access incidents directly linked to the company or its partners.
  • High: Discrepancies in claimed technology stack experience or certifications that do not align with public records.
  • Medium: Potential misuse of partner relationships indicated by subdomain discovery without clear association to the main domain.
  • Low: Informal mentions of security incidents or minor discrepancies in disclosed technology stacks.
  • Info: General information about potential partners’ breach history, which does not directly impact current operations but is indicative of broader risk management considerations.

Example Findings:

  • “Breach found: Adobe - Data breach affecting millions of users.”
  • “Subdomain discovered: api.acme.com, potentially indicating a separate business unit or infrastructure outside the partner’s declared footprint; confirm it appears in the partner’s asset inventory.”
  • “Risk factor mentioned in SEC filings: The company faces potential liabilities due to outdated software protocols that do not comply with current cybersecurity standards.”

Purpose: The Counterfeit Corporate Presence Scanner is designed to safeguard businesses by detecting unauthorized social media profiles, fake office locations, and discrepancies in manufacturing presence. It analyzes public records and open-source intelligence (OSINT) sources to identify inconsistencies between a company’s official information and its online footprint, helping organizations maintain the integrity of their digital identity.

What It Detects:

  • Social Media Imposters: Identifies unauthorized or misleading social media profiles that impersonate the company, looking for patterns in profile descriptions, posts, and follower counts that deviate from typical corporate behavior.
  • Fake Office Locations: Uncovers discrepancies between official office locations listed on the company website and those found on public records or online directories, analyzing Google Maps reviews, Yelp listings, and other local business directories for inconsistencies.
  • Manufacturing Presence: Verifies the authenticity of manufacturing facilities by cross-referencing with SEC filings, news articles, and job board postings, checking for mentions of specific technologies, tools, and processes used in manufacturing that align with the company’s stated capabilities.
  • Breach Mentions: Searches for public records of data breaches or security incidents involving the company, using regex patterns to identify keywords like “data breach,” “security incident,” “unauthorized access,” and “compromised.”
  • Technology Stack Disclosure: Analyzes job postings, GitHub repositories, and other online sources to verify the technology stack used by the company, looking for specific mentions of technologies such as AWS, Azure, GCP, Kubernetes, Terraform, Ansible, Docker, Splunk, Datadog, and Elastic.

Inputs Required:

  • domain (string): Primary domain to analyze (e.g., acme.com)
  • company_name (string): Company name for statement searching (e.g., “Acme Corporation”)

Business Impact: This scanner is crucial for maintaining the authenticity and security of a company’s online presence, helping businesses avoid legal risks associated with unauthorized social media profiles, fake office locations, and discrepancies in manufacturing information that could lead to significant financial losses or damage to reputation.

Risk Levels:

  • Critical: Conditions where there are clear indications of unauthorized access to systems or public data breaches that pose a high risk to the company’s security and integrity.
  • High: Situations where there is evidence of potential data breaches, unauthorized access attempts, or significant discrepancies in official information that could lead to severe consequences if not addressed promptly.
  • Medium: Findings indicating minor inconsistencies between public records and online profiles, which may require further investigation but do not pose immediate critical risks.
  • Low: Informational findings suggesting minimal deviations from typical corporate behavior, generally considered non-threatening unless they escalate in significance with additional analysis.
  • Info: Generally benign findings that provide limited actionable insights for security enhancements or compliance checks.


Example Findings:

  • An unauthorized social media profile impersonating “Acme Corporation” was detected with misleading information about its location and services.
  • A fake office location listed on Google Maps for “Acme Corporation” in a major city does not match any official addresses provided by the company, raising concerns about potential fraud or misrepresentation.