2

I’m a small business owner and it’s my first time giving a WHOIS database download service a try. I’ve seen what details are shown in the records and I heard that WHOIS information can be used not only to learn domain owners’ contact information but for security purposes as well. So I was wondering how exactly it can be used? And are there any other use cases for it?

  • Do you mean, how you can use it as a small business owner to protect your own business? – schroeder Jul 19 '19 at 08:38
  • 1
    Where have you heard that? It would be a lot easier if you could provide a source for those claims. –  Jul 19 '19 at 17:45

4 Answers

5

From a defensive point of view, the WHOIS database might tell you:

  • that you are exposing too much information about yourself in your own domain info (owner's name, address, phone number, etc.)
  • how long domains have been registered so that you can use automated tools to block domains that are very young (and likely to be malicious if suddenly appearing in emails)
  • who to contact in the event that a legitimate domain is sending spam or hosting malicious content
schroeder
  • 123,438
  • 55
  • 284
  • 319
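The second bullet above (block domains that are very young when they suddenly appear in e-mail) can be automated from the "Creation Date" field of a WHOIS reply. The following is an added example, not code from the answer or from any WHOIS service: the WHOIS replies in `SAMPLE_WHOIS` are constructed fixtures, `REFERENCE_NOW` is a fixed clock so the result is reproducible, and the 30-day threshold, the field-name spellings matched by `CREATION_RE`, and the function names are all assumptions of the example.

```python
import re
from datetime import datetime, timezone
from email.utils import parseaddr

# Constructed WHOIS replies (invented fixtures, not real lookups). The field
# names follow the key/value style that gTLD whois servers commonly return.
SAMPLE_WHOIS = {
    "example.test": (
        "Domain Name: EXAMPLE.TEST\n"
        "Registrar: Example Registrar, Inc.\n"
        "Creation Date: 2009-03-14T00:00:00Z\n"
        "Registry Expiry Date: 2029-03-14T00:00:00Z\n"
        "Registrant Email: REDACTED FOR PRIVACY\n"
    ),
    "new-login-portal.test": (
        "Domain Name: NEW-LOGIN-PORTAL.TEST\n"
        "Registrar: Example Registrar, Inc.\n"
        "Creation Date: 2019-07-17T09:12:44Z\n"
        "Registry Expiry Date: 2020-07-17T09:12:44Z\n"
    ),
    "privacy-only.test": (
        "Domain Name: PRIVACY-ONLY.TEST\n"
        "Registrar: Example Registrar, Inc.\n"
        "Registrant Email: REDACTED FOR PRIVACY\n"
    ),
}

# Fixed "current time" for the example (constructed, so results are stable).
REFERENCE_NOW = datetime(2019, 7, 19, tzinfo=timezone.utc)

# Registries label the creation field differently; match the common spellings.
CREATION_RE = re.compile(
    r"^\s*(?:Creation Date|Created On|Registered On|created)\s*:\s*(\S+)",
    re.IGNORECASE | re.MULTILINE,
)
DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S", "%Y-%m-%d")


def parse_creation_date(whois_text):
    """Return the creation timestamp (UTC) or None if the record has none."""
    match = CREATION_RE.search(whois_text)
    if not match:
        return None
    raw = match.group(1)
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(raw, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def domain_age_days(whois_text, now):
    """Whole days since registration, or None when the date is unreadable."""
    created = parse_creation_date(whois_text)
    if created is None:
        return None
    return (now - created).days


def classify_domain(whois_text, now, min_age_days=30):
    """'block' a very young domain, 'allow' an established one, and send a
    record with no readable creation date to 'review' (no evidence either way)."""
    age = domain_age_days(whois_text, now)
    if age is None:
        return "review"
    return "block" if age < min_age_days else "allow"


def classify_sender(from_header, whois_lookup, now, min_age_days=30):
    """Classify the domain found in an e-mail From: header.
    whois_lookup(domain) must return the WHOIS text or None (here a dict.get)."""
    _, address = parseaddr(from_header)
    if "@" not in address:
        return "review"
    domain = address.rsplit("@", 1)[1].lower()
    record = whois_lookup(domain)
    if record is None:
        return "review"
    return classify_domain(record, now, min_age_days)


if __name__ == "__main__":
    for header in ("Alice <alice@example.test>",
                   "IT Support <helpdesk@new-login-portal.test>",
                   "Bob <bob@privacy-only.test>"):
        print(header, "->", classify_sender(header, SAMPLE_WHOIS.get, REFERENCE_NOW))
```

The "review" outcome matters in practice: since GDPR, and for many ccTLDs, a record may carry no usable dates at all, and treating "no data" as "old and trusted" would let a brand-new phishing domain through.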
2

WHOIS databases are indeed used in the context of information security, among others. More specifically, cybersecurity folks work with current and historic domain data to analyze websites and prevent cyber attacks coming from malicious hosts. For example, they collect evidence of online misdeeds by cross-checking WHOIS information with other data available on websites (in contact forms, “about us” pages, etc.), and with it spot dangerous profiles and possibly learn about the identities of perpetrators.

With regard to the second part of your question, WHOIS download services have other use cases.

WHOIS databases can assist in investigations done by law enforcement agencies. WHOIS records, for one, have helped the U.S. Federal Trade Commission identify the location of malicious individuals and gather useful leads.

Now if you ever suspect misuse of your brand or intellectual property, you could research a website and verify who might be behind the abuse. Domain data provides you with the ownership details you need to file a report to the registrar hosting the site or even prepare a lawsuit. The records reveal other domains associated with a target too so you can learn who the actor’s accomplices might be.

Another fairly common scenario is when you’re interested in securing a domain that’s already been taken. When you browse the WHOIS database, you might find that the web address you want is about to expire and possibly scoop it up before someone else does. Alternatively, it’s possible to get in touch with the owner and see if he is willing to sell the domain.

Developers also use WHOIS databases. Since a wide range of ownership data is available for them, they are able to carry out more complex tasks that require knowledge of domains. Add to that the fact that some APIs can provide parsed responses in either the JSON or XML format, making it easier to work with them.

There’s also a more unconventional use for WHOIS information, that is, as a source of market insights. An online marketing team can study the recently registered domains of their competitors to scope out their initiatives or plans. This information can be processed for hints on upcoming products or services.

Here’s a non-exhaustive list of WHOIS database services (listed alphabetically with no implied preference or recommendation) that I have heard of and that might help:

https://domainindex.com/tools/whois-database-download-complete-gtld

https://domainnamestat.com/whois-database-download

https://iqwhois.com/whois-database-download

https://jsonwhois.com/whois-database-download

https://whoisdatabasedownload.com/

https://whoisology.com/whois-database-download

https://www.whoisxmlapi.com/whois-database-download.php

alex_ipify
  • 21
  • 3
0

In information security, the gathering of information is very important to attack a company. Let's think of an example of how you could possibly use this information:

You are a hacker and you want to attack a company. First, you need to obtain some information about them, so you start searching the web. You come across their website and look it up using WHOIS. Next, you take a look at all the stored notes about a domain. The information in the WHOIS database may vary from domain to domain, so you won't know exactly what you will find before you search for it. You may find a contact for this domain, like an e-mail address and a name; Great! You now have a real person with a working address that has higher privileges inside the target company. Now you can search for this person and try to find some information about them on other websites. After that, you could possibly try a phishing attack on them to obtain their password or other details.

But that's not all. Another detail about the website may intrigue you. The target domain/IP address is used in a range and a connected server shows up, so now you have 2 servers to attack instead of one. As a result of this, you may find the company that is the host of this domain, so you can try to hack their site as well and log into the user's account, through social engineering or alternative methods.

If you move away from this idea, think about a hacker who wants to find some e-mail addresses to spam/scam. The only thing they would have to do is look up domains on WHOIS and find a good address.

So as you can see, information about your target is mandatory. You need to obtain as much information as you can to be successful, and the WHOIS database stores lots of information. If you want to protect yourself from spam, spear phishing and information gathering, I would suggest using WHOIS protection, available from most hosting providers.

Cyberduck
  • 628
  • 4
  • 17
0

There is a lot of information in a whois record that can help build an attack. Each piece is harmless in itself, but gives some information that, combined with other stuff, can help.

Maybe they are useless to you as a business owner, as I am not sure I understand your question. Typically, business owners/companies use whois access to monitor abuse of their trademarks and names: if someone registers your exact name or a close one or something ambiguous, then they may try to either do phishing by using those names or just profit from your reputation.

Along the same route, if you spot new domains being registered but with your company as owner (and other emails), then someone may be trying to use your company reputation to do some phishing for example. In that specific case since it "looks like" the domain is registered by you, it could be easy to retrieve it if you ask the registrar.

More on the "intelligence" front, companies use it to monitor what their competitors do: for example, in advance of launching a new product, a company may register a domain name for it, and the simple name can give information on what it is about. If you look at all domains registered by registrant X or with email Y or even using company nameservers at Z, it may give you business intelligence on what the other company is planning to do.

On the opposite side, if you track the whole portfolio of names of a company (or registrant X or email Y), seeing how the list of names changes over time can give you ideas on future plans... if the company starts to sell/not renew some names it may mean the associated service will stop, etc.

But, more generally (not sure about your question), other information in whois can also help people attacking you:

Creation Date

Some people use the domain name creation date for reputation scores: the idea is that a domain name registered 10 years ago should be more trusted (less likely to be a source of spam, for example) than a domain registered 10 minutes ago, and it takes some time before a domain "earns" its trust.

Expiration Date

Looking at the expiration date and "hoping" that someone forgets to renew their domain name can be the first step to catching the domain name, and then profiting from whatever links/reputation it has. If you read below about the attack based on emails, you can quickly see how devastating that is.

Registrar

Some may consider some registrars better than others at the security level. Having names at registrars known to be weak may give the feeling that it will be easier to target them and exploit flaws in their website/API.

Emails of contacts

This is one of the more devastating attacks, showing the problem of dependencies and people forgetting about them.

Typical scenario: domain A is registered by someone using an email address of "whatever@domainB.example". This simple fact really creates a link (dependency) between domainA and domainB, because as soon as someone is able to get hold of domainB (see above about expiration, for example) they may be able to gain full control of domainA! Why? Because at most registrars you will be able to claim "lost password" or such and get back a new login/token/temporary password sent by email. Hence, if you control the contact's email you may control the domains they are the contact for.

Of course this is "recursive": if domainB uses contacts with emails on domainC then control on domainC may mean control on domainB which may mean control on domainA.

Nameservers

This is exactly similar to the previous case, but at the direct technical level. If domainA uses nameservers ns1.domainB.example and ns2.domainB.example, then anyone controlling domainB can in fact control domainA since it controls its resolution, and hence can decide where www points to, or where emails for domainA should be sent...

It is recursive as well, as in the case of emails, unless you always use in-bailiwick nameservers, but this creates other issues.

But you can go even one level deeper: domainA's nameservers resolve to some IP addresses. In fact, whoever controls those IP addresses in fact controls those nameservers and in turn controls domainA. IP addresses can be "stolen", for a time, due to BGP hijacks. This happens all the time, most often because of human technical errors without any evil intent, but there are also real attacks done that way.

Caveat about whois

Whois is a protocol, not a format nor a database (yes, it will often be named like that, but repeating a wrong does not make it a right). It is widely different (as for what content you can retrieve through it) between TLDs, and specifically gTLDs vs ccTLDs (which explains that for any access you get to "whois data" in bulk you will not see the same content or amount based on TLDs, as some are more difficult to access than others, and basically entities doing that are doing it through repeated bulk queries to build their databases).

  • ccTLDs have long put more precaution on divulging personal data, hence you may not get a lot out of whois. Do a whois today for any .de domain and see how you get basically no data. In those cases whois content is also not sold: to "get" it you need to loop over a list of domain names and extract data. Of course this is rate limited by registries and can be against the terms of service (one can discuss whether just accessing a whois server means implicit agreement on them, but IANAL, and see the current case in .NZ land that is exactly about that: New Zealand’s .NZ administrator sues DomainTools), which basically state that the data should not be used for automated processing or abuses, spam, etc.
  • in gTLDs it is different on at least these two aspects:
    • prior to GDPR last year (2018), whois displayed almost everything, except for the people opting for privacy/proxy services; in the wake of GDPR everything changed and if you look now at registries whois output you will often see the mention "REDACTED" and no more personal data
    • registrars are under contract with ICANN; this contract requires them to sell their whole "whois database" to anyone asking for it, for no more than $10,000/year. Besides the cost (which is not a small problem: this is per registrar, and there are more than 1000 of them...) this is an easy way to "siphon" all of a registrar's data.

Note also that in one month (August 26) any gTLD registry and registrar will have an RDAP server. RDAP can be seen as the successor of whois: basically the same purpose, but because it is standardized and formatted (JSON over HTTPS) it is easier to parse. So in a way it simplifies the life of people needing whois parsing... while work is underway to build "tiered access" to it in order to reach the (impossible?) goal of providing as little personal data as possible to the public, but as many details as possible in case of investigations or disputes, that is to law enforcement agencies and maybe intellectual property related companies, etc.

Finally, remember also that content changes over time and any access to data that you may have is in fact cached data, data on the domains from the past. The only authoritative source on the data is each registry's whois server, and this is the only one you should query.

Patrick Mevzek
  • 1,748
  • 2
  • 10
  • 23
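The "Emails of contacts" and "Nameservers" sections above describe the same recursive dependency (domainA trusts domainB through its contact address or its nameservers, domainB trusts domainC, and so on), and the RDAP note explains why such data is now easier to parse as JSON. The example below is added here and is not code from the answer or from any registry: it walks constructed RDAP-style records (shaped after RFC 7483: `ldhName`, `events`, `nameservers`, `entities` with a jCard), collects each domain's external dependencies, computes the transitive closure, and reports which domain in the chain expires soonest. The fixtures in `RDAP_RESPONSES`, the function names, and the two-label `registrable_domain` simplification (real code should use the Public Suffix List) are all assumptions of the example.

```python
from collections import deque

# Constructed RDAP-style responses, already decoded from JSON into dicts.
# Invented fixtures only: the .test TLD is reserved and never delegated.
RDAP_RESPONSES = {
    "domaina.test": {
        "objectClassName": "domain", "ldhName": "domaina.test",
        "events": [{"eventAction": "registration", "eventDate": "2015-01-10T00:00:00Z"},
                   {"eventAction": "expiration", "eventDate": "2025-01-10T00:00:00Z"}],
        "nameservers": [{"objectClassName": "nameserver", "ldhName": "ns1.domainb.test"},
                        {"objectClassName": "nameserver", "ldhName": "ns2.domainb.test"}],
        "entities": [{"objectClassName": "entity", "roles": ["registrant"],
                      "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                               ["email", {}, "text", "admin@domainb.test"]]]}],
    },
    "domainb.test": {
        "objectClassName": "domain", "ldhName": "domainb.test",
        "events": [{"eventAction": "expiration", "eventDate": "2019-09-01T00:00:00Z"}],
        # one in-bailiwick nameserver (no external dependency) and one at domainc
        "nameservers": [{"objectClassName": "nameserver", "ldhName": "ns1.domainb.test"},
                        {"objectClassName": "nameserver", "ldhName": "ns1.domainc.test"}],
        "entities": [{"objectClassName": "entity", "roles": ["registrant"],
                      "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                               ["email", {}, "text", "registrant@domainc.test"]]]}],
    },
    "domainc.test": {
        "objectClassName": "domain", "ldhName": "domainc.test",
        "events": [{"eventAction": "expiration", "eventDate": "2024-05-05T00:00:00Z"}],
        "nameservers": [{"objectClassName": "nameserver", "ldhName": "ns1.domainc.test"},
                        {"objectClassName": "nameserver", "ldhName": "ns2.domainc.test"}],
        # post-GDPR style: the contact entity carries no e-mail at all
        "entities": [{"objectClassName": "entity", "roles": ["registrant"],
                      "vcardArray": ["vcard", [["version", {}, "text", "4.0"]]]}],
    },
}


def registrable_domain(hostname):
    """Simplification (assumption): the last two labels. Production code should
    consult the Public Suffix List so that names under e.g. co.uk are handled."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def entity_emails(rdap):
    """Pull e-mail addresses out of every entity's jCard (RFC 7095 layout)."""
    emails = []
    for entity in rdap.get("entities", []):
        vcard = entity.get("vcardArray")
        if not vcard or len(vcard) < 2:
            continue
        for prop in vcard[1]:
            if prop[0] == "email" and "@" in str(prop[3]):
                emails.append(prop[3].lower())
    return emails


def external_dependencies(domain, rdap):
    """Domains whose takeover would hand over `domain`: nameserver parents and
    contact e-mail domains, minus the domain itself (in-bailiwick cases)."""
    deps = set()
    for ns in rdap.get("nameservers", []):
        deps.add(registrable_domain(ns["ldhName"]))
    for email in entity_emails(rdap):
        deps.add(registrable_domain(email.split("@", 1)[1]))
    deps.discard(domain)
    return deps


def dependency_closure(domain, lookup):
    """Transitive set of domains `domain` depends on. lookup(name) returns the
    RDAP dict or None; cycles are cut by the `seen` set."""
    seen, queue = set(), deque([domain])
    while queue:
        current = queue.popleft()
        rdap = lookup(current)
        if rdap is None:
            continue
        for dep in external_dependencies(current, rdap):
            if dep != domain and dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return seen


def event_date(rdap, action):
    for event in rdap.get("events", []):
        if event.get("eventAction") == action:
            return event.get("eventDate")
    return None


def weakest_link(domain, lookup):
    """Of the domain and everything it depends on, the one expiring first."""
    candidates = []
    for name in dependency_closure(domain, lookup) | {domain}:
        rdap = lookup(name)
        expiry = event_date(rdap, "expiration") if rdap else None
        if expiry:
            candidates.append((expiry, name))
    return min(candidates)[1] if candidates else None


if __name__ == "__main__":
    print("domaina.test depends on:", sorted(dependency_closure("domaina.test", RDAP_RESPONSES.get)))
    print("expires first:", weakest_link("domaina.test", RDAP_RESPONSES.get))
```

Run against your own portfolio, the closure is the list of third-party domains whose renewal and registrar security you are implicitly trusting; the one returned by `weakest_link` is the renewal date to watch most closely.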
  • No need to get overly dogmatic about what WHOIS is. Even ICANN does not define WHOIS as narrowly as you have: https://whois.icann.org/en/primer – schroeder Jul 21 '19 at 09:23
  • @schroeder What is "dogmatic" and "narrow" in my answer? I stand by the fact that whois is not a database, and the fact that ICANN makes the same mistake does not suddenly remove the fact it is a mistake. See RFC3912 title: Whois Protocol Specification. Even ICANN has recognized for many years that it is a misnomer; the term to use is not whois anymore but RDS/RDDS. Why does no one say "RDAP database"? Exactly because it is the same misnomer. You have a "database" and then you **access** it with whois, or RDAP. Otherwise, a website would also need to be called an "HTTP database", which is silly of course. – Patrick Mevzek Jul 21 '19 at 16:51