performing-brand-monitoring-for-impersonation▌
mukul975/Anthropic-Cybersecurity-Skills · updated May 25, 2026
MDX-style export adds YAML metadata + attribution linking explainx.ai and this canonical listing URL.
Monitor for brand impersonation attacks across domains, social media, mobile apps, and dark web channels to detect phishing campaigns, fake sites, and unauthorized brand usage targeting your organization.
| name | performing-brand-monitoring-for-impersonation |
| description | Monitor for brand impersonation attacks across domains, social media, mobile apps, and dark web channels to detect phishing campaigns, fake sites, and unauthorized brand usage targeting your organization. |
| domain | cybersecurity |
| subdomain | threat-intelligence |
| tags | - brand-monitoring - impersonation - phishing - domain-monitoring - social-media - brand-protection - threat-intelligence |
| version | '1.0' |
| author | mahipal |
| license | Apache-2.0 |
| nist_csf | - ID.RA-01 - ID.RA-05 - DE.CM-01 - DE.AE-02 |
Performing Brand Monitoring for Impersonation
Overview
Brand impersonation attacks exploit consumer trust through lookalike domains, fake social media profiles, counterfeit mobile apps, and phishing sites that mimic legitimate brands. In 2025, brand impersonation remained one of the most costly cyber threats, with AI-generated phishing emails achieving a 54% click-through rate. This skill covers building a comprehensive brand monitoring program that detects domain squatting, social media impersonation, fake mobile apps, unauthorized logo usage, and dark web brand mentions using automated scanning and alerting.
When to Use
- When conducting security assessments that involve performing brand monitoring for impersonation
- When following incident response procedures for related security events
- When performing scheduled security testing or auditing activities
- When validating security controls through hands-on testing
Prerequisites
- Python 3.9+ with
dnstwist,requests,beautifulsoup4,Levenshtein,tweepylibraries - API keys: VirusTotal, Google Safe Browsing, Twitter/X API, Shodan
- List of brand assets: domains, trademarks, logos, executive names
- Certificate Transparency monitoring (Certstream or crt.sh)
- Understanding of domain registration and TLD landscape
Key Concepts
Attack Surface
Brand impersonation spans multiple channels: domain squatting (typosquatting, homoglyphs, TLD variations), phishing sites (cloned websites with stolen branding), social media (fake profiles impersonating executives or company), mobile apps (counterfeit apps in app stores), email spoofing (display name and domain impersonation), and dark web (brand mentions in forums, marketplaces).
Detection Approaches
Effective brand monitoring combines proactive scanning (domain permutation with dnstwist, CT log monitoring), web crawling (screenshot comparison, logo detection), social media monitoring (profile name matching, post content analysis), app store monitoring (name and icon similarity detection), and dark web monitoring (forum scraping, marketplace tracking).
Risk Prioritization
Not all impersonation is malicious. Risk factors include: active web content (especially login pages), SSL certificate present, MX records configured (email receiving capability), visual similarity to legitimate site, recent registration date, and hosting in regions associated with cybercrime.
Workflow
Step 1: Multi-Channel Brand Monitoring System
import subprocess
import requests
import json
from datetime import datetime
from urllib.parse import urlparse
import Levenshtein
class BrandMonitor:
def __init__(self, brand_config):
self.brand_name = brand_config["name"]
self.domains = brand_config["domains"]
self.keywords = brand_config["keywords"]
self.executive_names = brand_config.get("executives", [])
self.logo_hash = brand_config.get("logo_hash", "")
self.findings = []
def scan_domain_squatting(self):
"""Detect typosquatting and lookalike domains."""
all_results = []
for domain in self.domains:
cmd = ["dnstwist", "--registered", "--format", "json",
"--nameservers", "8.8.8.8", "--threads", "30", domain]
try:
result = subprocess.run(cmd, capture_output=True, text=True, timeout=300)
if result.returncode == 0:
domains = json.loads(result.stdout)
registered = [d for d in domains if d.get("dns_a") or d.get("dns_aaaa")]
all_results.extend(registered)
print(f"[+] Domain squatting scan for {domain}: "
f"{len(registered)} registered lookalikes")
except (subprocess.TimeoutExpired, Exception) as e:
print(f"[-] Error scanning {domain}: {e}")
for entry in all_results:
self.findings.append({
"type": "domain_squatting",
"indicator": entry.get("domain", ""),
"fuzzer": entry.get("fuzzer", ""),
"dns_a": entry.get("dns_a", []),
"ssdeep_score": entry.get("ssdeep_score", 0),
"detected_at": datetime.now().isoformat(),
})
return all_results
def check_google_safe_browsing(self, urls, api_key):
"""Check URLs against Google Safe Browsing API."""
url = f"https://safebrowsing.googleapis.com/v4/threatMatches:find?key={api_key}"
body = {
"client": {"clientId": "brand-monitor", "clientVersion": "1.0"},
"threatInfo": {
"threatTypes": ["MALWARE", "SOCIAL_ENGINEERING", "UNWANTED_SOFTWARE"],
"platformTypes": ["ANY_PLATFORM"],
"threatEntryTypes": ["URL"],
"threatEntries": [{"url": u} for u in urls],
},
}
resp = requests.post(url, json=body, timeout=15)
if resp.status_code == 200:
matches = resp.json().get("matches", [])
print(f"[+] Google Safe Browsing: {len(matches)} threats found")
return matches
return []
def monitor_social_media_impersonation(self, platform="twitter"):
"""Detect social media profiles impersonating brand or executives."""
suspicious_profiles = []
# Search for profiles with similar names
for name in self.executive_names + [self.brand_name]:
# Using a general search approach
search_url = f"https://api.twitter.com/2/users/by/username/{name.replace(' ', '')}"
# Note: In production, use authenticated Twitter API
suspicious_profiles.append({
"search_term": name,
"platform": platform,
"note": "Requires authenticated API access for full search",
})
return suspicious_profiles
def monitor_app_stores(self):
"""Check for fake mobile apps impersonating the brand."""
fake_apps = []
for keyword in self.keywords:
# Google Play Store search (unofficial)
url = f"https://play.google.com/store/search?q={keyword}&c=apps"
try:
resp = requests.get(url, timeout=15, headers={
"User-Agent": "Mozilla/5.0"
})
if resp.status_code == 200:
# Parse results for brand name matches
from bs4 import BeautifulSoup
soup = BeautifulSoup(resp.text, "html.parser")
app_links = soup.find_all("a", href=lambda h: h and "/store/apps/details" in h)
for link in app_links:
app_name = link.get_text(strip=True)
if any(k.lower() in app_name.lower() for k in self.keywords):
fake_apps.append({
"name": app_name,
"url": f"https://play.google.com{link['href']}",
"platform": "google_play",
"keyword": keyword,
})
except Exception as e:
print(f"[-] App store search error: {e}")
return fake_apps
def generate_monitoring_report(self):
report = {
"brand": self.brand_name,
"generated": datetime.now().isoformat(),
"total_findings": len(self.findings),
"findings_by_type": {},
"high_priority": [],
}
for finding in self.findings:
ftype = finding["type"]
if ftype not in report["findings_by_type"]:
report["findings_by_type"][ftype] = 0
report["findings_by_type"][ftype] += 1
# High priority: has web similarity or MX records
if finding.get("ssdeep_score", 0) > 50:
report["high_priority"].append(finding)
with open(f"brand_monitoring_{self.brand_name.lower()}.json", "w") as f:
json.dump(report, f, indent=2)
print(f"[+] Brand monitoring report: {len(self.findings)} findings")
return report
monitor = BrandMonitor({
"name": "MyCompany",
"domains": ["mycompany.com", "mycompany.org"],
"keywords": ["mycompany", "mybrand", "myproduct"],
"executives": ["CEO Name", "CTO Name"],
})
monitor.scan_domain_squatting()
report = monitor.generate_monitoring_report()
Step 2: Takedown Request Generation
def generate_takedown_request(finding, brand_info):
"""Generate abuse report for domain/site takedown."""
request = f"""Subject: Abuse Report - Brand Impersonation / Phishing
Dear Abuse Team,
We are writing to report a domain that is impersonating {brand_info['name']}
for apparent phishing/fraud purposes.
Infringing Domain: {finding.get('indicator', '')}
IP Address: {', '.join(finding.get('dns_a', ['Unknown']))}
Detection Method: {finding.get('fuzzer', 'domain similarity analysis')}
Web Similarity Score: {finding.get('ssdeep_score', 'N/A')}%
Detection Date: {finding.get('detected_at', '')}
Our legitimate domain(s): {', '.join(brand_info['domains'])}
This domain appears to be impersonating our brand through {finding.get('fuzzer', 'typosquatting')}.
We request immediate suspension of this domain.
Evidence of infringement is available upon request.
Regards,
{brand_info['name']} Security Team
"""
return request
Validation Criteria
- Domain squatting detected through dnstwist permutation scanning
- Google Safe Browsing checks identify known threats
- Certificate transparency monitoring detects new phishing certificates
- Social media monitoring identifies impersonation profiles
- App store monitoring detects counterfeit applications
- Takedown requests generated with required evidence
References
How to use performing-brand-monitoring-for-impersonation on Cursor
AI-first code editor with Composer
Prerequisites
Before installing skills in Cursor, ensure your development environment meets these requirements:
- ›Cursor installed and configured on your development machine
- ›Node.js version 16.0+ with npm package manager (verify with
node --version) - ›Active project directory or workspace where you want to add performing-brand-monitoring-for-impersonation
Execute installation command
Execute the skills CLI command in your project's root directory to begin installation:
The skills CLI fetches performing-brand-monitoring-for-impersonation from GitHub repository mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.
Select Cursor when prompted
The CLI will show a list of available agents. Use arrow keys to navigate and space to select Cursor:
Verify installation
Confirm successful installation by checking the skill directory location:
Reload or restart Cursor to activate performing-brand-monitoring-for-impersonation. Access the skill through slash commands (e.g., /performing-brand-monitoring-for-impersonation) or your agent's skill management interface.
Security & Verification Notice
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your development environment. Always verify the publisher's identity, review recent commits, and test in isolated environments before production deployment.
List & Monetize Your Skill
Submit your Claude Code skill and start earning
Use Cases▌
Task Automation & Efficiency
Automate repetitive workflows and reduce manual effort
Example
Generate reports, summarize documents, draft communications
Save 3-5 hours per week on routine tasks
Knowledge Enhancement
Learn new skills, understand complex topics, get expert guidance
Example
Explain concepts, provide examples, suggest learning resources
Accelerate learning and skill development by 2x
Quality Improvement
Enhance output quality through reviews, suggestions, and refinements
Example
Review drafts, suggest improvements, catch errors
Improve work quality by 30-40% with less effort
Implementation Guide▌
Prerequisites
- ›Claude Desktop or compatible AI client with skill support
- ›Clear understanding of task or problem to solve
- ›Willingness to iterate and refine outputs
Time Estimate
15-45 minutes depending on use case complexity
Installation Steps
- 1.Install skill using provided installation command
- 2.Test with simple use case relevant to your work
- 3.Evaluate output quality and relevance
- 4.Iterate on prompts to improve results
- 5.Integrate into regular workflow if valuable
Common Pitfalls
- ⚠Expecting perfect results without iteration
- ⚠Not providing enough context in prompts
- ⚠Using skill for tasks outside its intended scope
- ⚠Accepting outputs without review and validation
Best Practices▌
✓ Do
- +Start with clear, specific prompts
- +Provide relevant context and constraints
- +Review and refine all outputs before using
- +Iterate to improve output quality
- +Document successful prompt patterns
✗ Don't
- −Don't use without understanding skill limitations
- −Don't skip validation of outputs
- −Don't share sensitive information in prompts
- −Don't expect skill to replace human judgment
💡 Pro Tips
- ★Be specific about desired format and style
- ★Ask for multiple options to choose from
- ★Request explanations to understand reasoning
- ★Combine AI efficiency with human expertise
When to Use This▌
✓ Use When
Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.
✗ Avoid When
Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.
Learning Path▌
- 1Familiarize yourself with skill capabilities and limitations
- 2Start with low-risk, non-critical tasks
- 3Progress to more complex and valuable use cases
- 4Build expertise through regular use and experimentation
Discussion
Product Hunt–style comments (not star reviews)- No comments yet — start the thread.
Ratings
4.7★★★★★27 reviews- ★★★★★Diego Smith· Dec 20, 2024
Solid pick for teams standardizing on skills: performing-brand-monitoring-for-impersonation is focused, and the summary matches what you get after install.
- ★★★★★Ren Taylor· Dec 12, 2024
We added performing-brand-monitoring-for-impersonation from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
- ★★★★★Michael Haddad· Nov 3, 2024
performing-brand-monitoring-for-impersonation fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
- ★★★★★Oshnikdeep· Sep 1, 2024
performing-brand-monitoring-for-impersonation fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
- ★★★★★Valentina Rahman· Sep 1, 2024
Keeps context tight: performing-brand-monitoring-for-impersonation is the kind of skill you can hand to a new teammate without a long onboarding doc.
- ★★★★★Ganesh Mohane· Aug 20, 2024
performing-brand-monitoring-for-impersonation has been reliable in day-to-day use. Documentation quality is above average for community skills.
- ★★★★★Michael Lopez· Aug 20, 2024
I recommend performing-brand-monitoring-for-impersonation for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
- ★★★★★Chinedu Gonzalez· Aug 4, 2024
Keeps context tight: performing-brand-monitoring-for-impersonation is the kind of skill you can hand to a new teammate without a long onboarding doc.
- ★★★★★Yash Thakker· Jul 27, 2024
Solid pick for teams standardizing on skills: performing-brand-monitoring-for-impersonation is focused, and the summary matches what you get after install.
- ★★★★★Sakura Thomas· Jul 23, 2024
Registry listing for performing-brand-monitoring-for-impersonation matched our evaluation — installs cleanly and behaves as described in the markdown.
showing 1-10 of 27