Phishing Domain Checker — Punycode, Keywords & TLD Heuristics

Full phishing detection requires rendering pages, analyzing forms, and comparing visual branding — operations unsafe to run blindly on unknown malware hosts. Hostname heuristics provide a first-pass filter analysts run on millions of indicators daily. Our checker encodes patterns seen across campaigns: IDN homographs, login-verify keyword combos, and free TLD abuse.

riskScore summarizes pattern density. signals array documents each hit so reviewers override false positives with context — a legitimate secure-login.example.com may trigger keyword signals while being authentic.

Internationalized domain names encode Unicode characters in ASCII using punycode xn-- prefixes. Attackers substitute visually similar Cyrillic or Greek letters for Latin brand characters — microsoft.com versus a homograph with Cyrillic 'o'. punycode true in results triggers a twenty-five-point penalty and explicit signal text.

Browsers increasingly show Unicode in address bars with punycode fallback, but email clients and messaging apps often hide the distinction. Flag punycode domains in user awareness training regardless of score.

We scan joined hostname labels for tokens common in phishing: login, verify, secure, account, banking, wallet, password, signin, confirm, suspend, support, and related terms. One keyword match adds twelve points and records the matched token in signals.

Keyword hits are intentionally broad — marketing landing pages use verify and account legitimately. Combine with domain reputation checker age signals and threat intelligence lookup for composite judgment.

Certain TLDs — including .tk, .ml, .ga, .cf, .gq, .xyz, .top, .bond, and .cam — appear disproportionately in bulk phishing registration due to low cost and weak verification. TLD match adds twenty points with explanatory signal text.

Legitimate projects use these TLDs too. TLD signal is one factor among many — not automatic block justification without additional evidence.

Three or more hyphens suggest auto-generated phishing labels like secure-pay-verify-account.example.com. Four or more digits in the hostname suggest tracking-style phishing URLs. Five or more domain labels indicate deep subdomain chains used to obscure apex ownership.

hyphenCount and digitCount appear in results for numeric threshold tuning in SOAR playbooks. Adjust automation cutoffs based on your false positive tolerance.

Phishing emails sometimes link directly to http://203.0.113.45/path without DNS names to evade domain blocklists temporarily. IPv4-as-hostname detection adds thirty points — among the strongest single signals in the model.

Legitimate appliances and staging environments occasionally use IP URLs — rare in consumer-facing brand communications. Investigate context when this signal fires.

When input validates as a public domain, we attempt a short HTTPS HEAD request to report reachable true or false. Unreachable does not mean benign — attackers may geo-fence or user-agent filter. Reachable does not mean safe — phishing pages respond 200 routinely.

Treat reachable as supplementary metadata. Core riskScore derives from hostname analysis independent of HTTP availability.

riskScore twenty-five or above sets suspicious true with medium or high riskLevel. High starts at fifty-five points. SOAR integrations can map high to automatic ticket creation, medium to analyst queue, and low to log-only.

Export signals array into SIEM fields for searchable indicator history. Recheck domains after takedown — re-registration under new labels resets score until patterns reappear.

Malware URL scanner analyzes full URLs including path, redirect chains, and structural reachability signals across batch inputs. Phishing domain checker focuses on hostname pattern heuristics without deep URL crawling.

Paste bare domains here for quick triage. Paste full suspicious URLs into malware URL scanner when path and query parameters matter.

Analysis runs on domains you submit. HEAD probes contact public HTTPS endpoints briefly. Use for authorized phishing triage and user report investigation — not for harassing legitimate sites.

Heuristic flags are not accusations. Document human review steps before sharing results externally.