Monitor for brand impersonation attacks across domains, social media, mobile apps, and dark web channels to detect phishing campaigns, fake sites, and unauthorized brand usage targeting your organization.
Works with
AI-first code editor with Composer
Before installing skills in Cursor, ensure your development environment meets these requirements:
node --versionperforming-brand-monitoring-for-impersonationExecute the skills CLI command in your project's root directory to begin installation:
Fetches performing-brand-monitoring-for-impersonation from mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.
The CLI shows a list of agents. Use arrow keys and space to select Cursor:
Confirm successful installation by checking the skill directory location:
Restart Cursor to activate performing-brand-monitoring-for-impersonation. Access via /performing-brand-monitoring-for-impersonation in your agent's command palette.
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
Submit your Claude Code skill and start earning
Automate repetitive workflows and reduce manual effort
Example
Generate reports, summarize documents, draft communications
Save 3-5 hours per week on routine tasks
Learn new skills, understand complex topics, get expert guidance
Example
Explain concepts, provide examples, suggest learning resources
Accelerate learning and skill development by 2x
Enhance output quality through reviews, suggestions, and refinements
Example
Review drafts, suggest improvements, catch errors
Improve work quality by 30-40% with less effort
0
total installs
0
this week
8.6K
GitHub stars
0
upvotes
Run in your terminal
0
installs
0
this week
8.6K
stars
| name | performing-brand-monitoring-for-impersonation |
| description | Monitor for brand impersonation attacks across domains, social media, mobile apps, and dark web channels to detect phishing campaigns, fake sites, and unauthorized brand usage targeting your organization. |
| domain | cybersecurity |
| subdomain | threat-intelligence |
| tags | - brand-monitoring - impersonation - phishing - domain-monitoring - social-media - brand-protection - threat-intelligence |
| version | '1.0' |
| author | mahipal |
| license | Apache-2.0 |
| nist_csf | - ID.RA-01 - ID.RA-05 - DE.CM-01 - DE.AE-02 |
Brand impersonation attacks exploit consumer trust through lookalike domains, fake social media profiles, counterfeit mobile apps, and phishing sites that mimic legitimate brands. In 2025, brand impersonation remained one of the most costly cyber threats, with AI-generated phishing emails achieving a 54% click-through rate. This skill covers building a comprehensive brand monitoring program that detects domain squatting, social media impersonation, fake mobile apps, unauthorized logo usage, and dark web brand mentions using automated scanning and alerting.
dnstwist, requests, beautifulsoup4, Levenshtein, tweepy librariesBrand impersonation spans multiple channels: domain squatting (typosquatting, homoglyphs, TLD variations), phishing sites (cloned websites with stolen branding), social media (fake profiles impersonating executives or company), mobile apps (counterfeit apps in app stores), email spoofing (display name and domain impersonation), and dark web (brand mentions in forums, marketplaces).
Effective brand monitoring combines proactive scanning (domain permutation with dnstwist, CT log monitoring), web crawling (screenshot comparison, logo detection), social media monitoring (profile name matching, post content analysis), app store monitoring (name and icon similarity detection), and dark web monitoring (forum scraping, marketplace tracking).
Not all impersonation is malicious. Risk factors include: active web content (especially login pages), SSL certificate present, MX records configured (email receiving capability), visual similarity to legitimate site, recent registration date, and hosting in regions associated with cybercrime.
import subprocess
import requests
import json
from datetime import datetime
from urllib.parse import urlparse
import Levenshtein
class BrandMonitor:
def __init__(self, brand_config):
self.brand_name = brand_config["name"]
self.domains = brand_config["domains"]
self.keywords = brand_config["keywords"]
self.executive_names = brand_config.get("executives", [])
self.logo_hash = brand_config.get("logo_hash", "")
self.findings = []
def scan_domain_squatting(self):
"""Detect typosquatting and lookalike domains."""
all_results = []
for domain in self.domains:
cmd = ["dnstwist", "--registered", "--format", "json",
"--nameservers", "8.8.8.8", "--threads", "30", domain]
try:
result = subprocess.run(cmd, capture_output=True, text=True, timeout=300)
if result.returncode == 0:
domains = json.loads(result.stdout)
registered = [d for d in domains if d.get("dns_a") or d.get("dns_aaaa")]
all_results.extend(registered)
print(f"[+] Domain squatting scan for {domain}: "
f"{len(registered)} registered lookalikes")
except (subprocess.TimeoutExpired, Exception) as e:
print(f"[-] Error scanning {domain}: {e}")
for entry in all_results:
self.findings.append({
"type": "domain_squatting",
"indicator": entry.get("domain", ""),
"fuzzer": entry.get("fuzzer", ""),
"dns_a": entry.get("dns_a", []),
"ssdeep_score": entry.get("ssdeep_score", 0),
"detected_at": datetime.now().isoformat(),
})
return all_results
def check_google_safe_browsing(self, urls, api_key):
"""Check URLs against Google Safe Browsing API."""
url = f"https://safebrowsing.googleapis.com/v4/threatMatches:find?key={api_key}"
body = {
"client": {"clientId": "brand-monitor", "clientVersion": "1.0"},
"threatInfo": {
"threatTypes": ["MALWARE", "SOCIAL_ENGINEERING", "UNWANTED_SOFTWARE"],
"platformTypes": ["ANY_PLATFORM"],
"threatEntryTypes": ["URL"],
"threatEntries": [{"url": u} for u in urls],
},
}
resp = requests.post(url, json=body, timeout=15)
if resp.status_code == 200:
matches = resp.json().get("matches", [])
print(f"[+] Google Safe Browsing: {len(matches)} threats found")
return matches
return []
def monitor_social_media_impersonation(self, platform="twitter"):
"""Detect social media profiles impersonating brand or executives."""
suspicious_profiles = []
# Search for profiles with similar names
for name in self.executive_names + [self.brand_name]:
# Using a general search approach
search_url = f"https://api.twitter.com/2/users/by/username/{name.replace(' ', '')}"
# Note: In production, use authenticated Twitter API
suspicious_profiles.append({
"search_term": name,
"platform": platform,
"note": "Requires authenticated API access for full search",
})
return suspicious_profiles
def monitor_app_stores(self):
"""Check for fake mobile apps impersonating the brand."""
fake_apps = []
for keyword in self.keywords:
# Google Play Store search (unofficial)
url = f"https://play.google.com/store/search?q={keyword}&c=apps"
try:
resp = requests.get(url, timeout=15, headers={
"User-Agent": "Mozilla/5.0"
})
if resp.status_code == 200:
# Parse results for brand name matches
from bs4 import BeautifulSoup
soup = BeautifulSoup(resp.text, "html.parser")
app_links = soup.find_all("a", href=lambda h: h and "/store/apps/details" in h)
for link in app_links:
app_name = link.get_text(strip=True)
if any(k.lower() in app_name.lower() for k in self.keywords):
fake_apps.append({
"name": app_name,
"url": f"https://play.google.com{link['href']}",
"platform": "google_play",
"keyword": keyword,
})
except Exception as e:
print(f"[-] App store search error: {e}")
return fake_apps
def generate_monitoring_report(self):
report = {
"brand": self.brand_name,
"generated": datetime.now().isoformat(),
"total_findings": len(self.findings),
"findings_by_type": {},
"high_priority": [],
}
for finding in self.findings:
ftype = finding["type"]
if ftype not in report["findings_by_type"]:
report["findings_by_type"][ftype] = 0
report["findings_by_type"][ftype] += 1
# High priority: has web similarity or MX records
if finding.get("ssdeep_score", 0) > 50:
report["high_priority"].append(finding)
with open(f"brand_monitoring_{self.brand_name.lower()}.json", "w") as f:
json.dump(report, f, indent=2)
print(f"[+] Brand monitoring report: {len(self.findings)} findings")
return report
monitor = BrandMonitor({
"name": "MyCompany",
"domains": ["mycompany.com", "mycompany.org"],
"keywords": ["mycompany", "mybrand", "myproduct"],
"executives": ["CEO Name", "CTO Name"],
})
monitor.scan_domain_squatting()
report = monitor.generate_monitoring_report()
def generate_takedown_request(finding, brand_info):
"""Generate abuse report for domain/site takedown."""
request = f"""Subject: Abuse Report - Brand Impersonation / Phishing
Dear Abuse Team,
We are writing to report a domain that is impersonating {brand_info['name']}
for apparent phishing/fraud purposes.
Infringing Domain: {finding.get('indicator', '')}
IP Address: {', '.join(finding.get('dns_a', ['Unknown']))}
Detection Method: {finding.get('fuzzer', 'domain similarity analysis')}
Web Similarity Score: {finding.get('ssdeep_score', 'N/A')}%
Detection Date: {finding.get('detected_at', '')}
Our legitimate domain(s): {', '.join(brand_info['domains'])}
This domain appears to be impersonating our brand through {finding.get('fuzzer', 'typosquatting')}.
We request immediate suspension of this domain.
Evidence of infringement is available upon request.
Regards,
{brand_info['name']} Security Team
"""
return request
Prerequisites
Time Estimate
15-45 minutes depending on use case complexity
Steps
Common Pitfalls
✓ Do
✗ Don't
💡 Pro Tips
✓ Use when
Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.
✗ Avoid when
Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
Solid pick for teams standardizing on skills: performing-brand-monitoring-for-impersonation is focused, and the summary matches what you get after install.
We added performing-brand-monitoring-for-impersonation from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
performing-brand-monitoring-for-impersonation fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
performing-brand-monitoring-for-impersonation fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
Keeps context tight: performing-brand-monitoring-for-impersonation is the kind of skill you can hand to a new teammate without a long onboarding doc.
performing-brand-monitoring-for-impersonation has been reliable in day-to-day use. Documentation quality is above average for community skills.
I recommend performing-brand-monitoring-for-impersonation for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
Keeps context tight: performing-brand-monitoring-for-impersonation is the kind of skill you can hand to a new teammate without a long onboarding doc.
Solid pick for teams standardizing on skills: performing-brand-monitoring-for-impersonation is focused, and the summary matches what you get after install.
Registry listing for performing-brand-monitoring-for-impersonation matched our evaluation — installs cleanly and behaves as described in the markdown.
showing 1-10 of 27