
The Role a WHOIS DB Plays in Cybersecurity and Beyond

by Mic Johnson

Keeping track of domain ownership and registration details is essential for cybersecurity and for other crucial business processes. Doing so without a WHOIS database would be challenging, however, since there are hundreds of millions of registered domains worldwide.

A WHOIS database, also known as a “WHOIS DB,” is a repository of WHOIS records containing data points such as domain registration dates, registrant contact information, email and postal addresses, and nameserver details. Such a database helps organizations improve the security of their networks and make data-driven business decisions. Here are four specific areas in which a WHOIS DB can help.

Threat Detection and Prevention

The goal of threat detection and prevention is to catch threats before they can harm an organization’s network. Using a WHOIS DB as a threat intelligence source helps security teams do that: with it, they can look up the ownership details of a domain and pivot from a single indicator to related infrastructure.

Say, for instance, that an organization’s threat detection solution blocked the suspicious domain hryspap[.]cn when it attempted to contact the network. This domain is tagged as a malware host on VirusTotal and the Malware Domains List. A query on a WHOIS DB would reveal the following WHOIS details:

  • Registrar name: Xiamen Shangzhong Online Technology Co., Ltd.
  • Nameservers: jm1[.]dns[.]com and jm2[.]dns[.]com
  • Registrant name:  *****军
  • Registrant email address: *****123@**.com

Security teams could find more suspicious domains by searching the WHOIS DB for domain names that share the same WHOIS details. The nameserver jm1[.]dns[.]com, for example, is associated with 14 other domains, while jm2[.]dns[.]com is shared by 13 additional domain names.

The registrant email address, on the other hand, is shared by thousands of domains. A closer look at some of them on VirusTotal revealed that they have also been reported or tagged as malicious. A few examples are:

  • elchbulli[.]com
  • tg99114[.]com
  • rf9988[.]com
  • 456239[.]com
  • 4477222[.]com

From a single detected malicious domain, security teams can thus surface thousands of associated domains that merit scrutiny. One caveat: an attribute shared by thousands of domains (a registrant email, for instance) may belong to a registrar’s privacy proxy or to a reseller rather than to one actor, so a pivot on such a value should be confirmed with other indicators before the associated domains are blocked. Knowing this, teams can better protect their networks.
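The pivot described above, from one known-bad domain through shared nameservers and registrant email to related domains, is shown here as an added example written for this page; it is not code from the original article or from any WHOIS data provider. The records are constructed: only the seed domain and its registrar are taken from the article, every other domain, nameserver and email address is fictitious, and the `max_shared` cap (skip any value shared by too many domains, such as a privacy-proxy address) is an assumption about how an analyst would keep the expansion from exploding.

```python
from collections import defaultdict, deque

# Fields worth pivoting on. The registrar is deliberately excluded: it is
# shared by millions of domains and would pull in everything.
PIVOT_FIELDS = ("nameservers", "registrant_email")

# Constructed sample records (assumption: a WHOIS DB export flattened to a
# dict keyed by domain). Only hryspap.cn and its registrar come from the
# article; all other values are made up for this example.
WHOIS_RECORDS = {
    "hryspap.cn": {
        "registrar": "Xiamen Shangzhong Online Technology Co., Ltd.",
        "nameservers": ("jm1.dns.com", "jm2.dns.com"),
        "registrant_email": "reg123@mail.example",
    },
    "sample-a.cn": {"nameservers": ("jm1.dns.com", "ns1.host.example"),
                    "registrant_email": "a@mail.example"},
    "sample-b.cn": {"nameservers": ("jm2.dns.com",),
                    "registrant_email": "b@mail.example"},
    "sample-c.com": {"nameservers": ("ns2.other.example",),
                     "registrant_email": "reg123@mail.example"},
    "sample-d.com": {"nameservers": ("ns1.host.example",),
                     "registrant_email": "privacy@proxy.example"},
    "proxy1.com": {"nameservers": ("ns3.x.example",),
                   "registrant_email": "privacy@proxy.example"},
    "proxy2.com": {"nameservers": ("ns3.x.example",),
                   "registrant_email": "privacy@proxy.example"},
    "proxy3.com": {"nameservers": ("ns3.x.example",),
                   "registrant_email": "privacy@proxy.example"},
    "unrelated.com": {"nameservers": ("ns9.y.example",),
                      "registrant_email": "z@mail.example"},
}


def _values(record, field):
    """Return the field's values as a tuple (emails are single strings)."""
    value = record.get(field, ())
    return (value,) if isinstance(value, str) else tuple(value)


def build_index(records):
    """Inverted index: (field, value) -> set of domains carrying that value."""
    index = defaultdict(set)
    for domain, record in records.items():
        for field in PIVOT_FIELDS:
            for value in _values(record, field):
                index[(field, value)].add(domain)
    return index


def pivot(seed, records, max_shared=100, max_hops=2):
    """Breadth-first expansion from `seed` through shared WHOIS attributes.

    Returns {domain: (hops, field, value)}: how many pivots away the domain
    is and the first attribute that linked it. Attribute values shared by
    more than `max_shared` domains are skipped as too common to be a useful
    link (privacy proxies, bulk resellers).
    """
    index = build_index(records)
    found = {seed: (0, None, None)}
    queue = deque([seed])
    while queue:
        domain = queue.popleft()
        hops = found[domain][0]
        if hops >= max_hops:
            continue
        for field in PIVOT_FIELDS:
            for value in _values(records[domain], field):
                sharers = index[(field, value)]
                if len(sharers) > max_shared:
                    continue  # high-cardinality value: not attributable to one actor
                for other in sorted(sharers):
                    if other not in found:
                        found[other] = (hops + 1, field, value)
                        queue.append(other)
    return found


if __name__ == "__main__":
    for domain, (hops, field, value) in sorted(pivot("hryspap.cn", WHOIS_RECORDS,
                                                       max_shared=3, max_hops=3).items()):
        print(f"{domain:14} hops={hops} via {field}={value}")
```

With `max_shared=3` the three `proxy*.com` domains never enter the result even though sample-d.com shares their registrant address, because that address is carried by four domains; raising the cap lets them in at the third hop. In practice the cap is tuned per field (a nameserver pair shared by 15 domains is a strong link; an email shared by 1,700 is not) and the `field`/`value` recorded for each hit is what an analyst reviews before acting on the pivot.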

Cybercrime Investigation

The previous section illustrated how a WHOIS DB can help security teams uncover more suspicious domains that threat actors could use in cyber attacks. The same intelligence, combined with other data sources, can deepen cybercrime investigations.

If the malicious domain hryspap[.]cn was successfully used in a cyber attack, a WHOIS DB, along with a combination of other domain and IP intelligence sources, could help investigators map out the attackers’ digital footprint.

Aside from the data points found in the current WHOIS record, a WHOIS history database would also reveal that in June 2018 the malicious domain was registered using a different email address, ****yl2***@***.com, which is associated with 1,717 other domain names. Historical records matter because registrants change details over time, and an older record can link a domain to infrastructure that the current record no longer shows.

Cybercrime investigators can use these details to pursue leads and help security teams identify potential attack vectors.

Market Research

A WHOIS DB can also play a role in market research. A financial services company, for instance, could estimate how many domains are dedicated to financial literacy. Using the sample WHOIS DB for the .info space, the company would find five domain names related to finance, three of which contain the term “money.” The sample is a small extract; a full WHOIS DB would return far more.

The database can also be used to obtain location-based insights by looking at the registrant street address, state, and country.

Brand Protection

Malicious actors could imitate an organization, trading on its reputation, by registering look-alike domain names. A WHOIS DB can help brand owners detect the unauthorized use of their brand and trademarked names.

For example, in the sample WHOIS DB for the .net space, a PayPal look-alike domain (paypalla[.]net) was found. A domain like this could be used to impersonate the payment processing company and trick account owners into clicking a malicious link.
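Scanning a list of registered domains for look-alikes of a brand, as described in the brand protection section (the same keyword matching also serves the market research case above), is shown here as an added example written for this page; it is not code from the original article or from any WHOIS provider. Of the sample domains only paypalla.net comes from the article; the others, the confusable-character table, the allowlist of legitimate domains and the single-label-TLD assumption are all constructed for the example.

```python
# Characters and digraphs commonly substituted into look-alike domains.
# This table is an assumption for the example, not an exhaustive list.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
               "rn": "m", "vv": "w"}

# Constructed sample drawn from a hypothetical WHOIS DB extract.
SAMPLE_DOMAINS = [
    "paypalla.net",        # from the article
    "paypal.com",          # legitimate, allowlisted
    "paypa1-secure.com",   # digit-for-letter plus a keyword
    "pay-pal.net",         # hyphen inserted
    "paypol.com",          # one-character typo
    "payroll.net",         # benign near-miss that must not be flagged
    "secure-login.net",    # benign
]


def registrable_label(domain):
    """Label directly under the TLD. Assumption: single-label TLDs only
    (.com, .net, .cn); public suffixes such as co.uk are out of scope here."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def normalize(label):
    """Fold hyphens and confusable characters so 'paypa1-secure' -> 'paypalsecure'."""
    label = label.lower().replace("-", "")
    for bad, good in CONFUSABLES.items():
        label = label.replace(bad, good)
    return label


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain, brands, allowlist, max_distance=1):
    """Return why `domain` looks like one of `brands`, or None if it does not.

    ("lookalike", brand, d): normalized label is within `max_distance` edits
    of the brand (catches typos and confusables);
    ("contains", brand): the brand is embedded in a longer label.
    """
    if domain.lower() in allowlist:
        return None
    label = normalize(registrable_label(domain))
    for brand in brands:
        target = normalize(brand)
        distance = levenshtein(label, target)
        if distance <= max_distance:
            return ("lookalike", brand, distance)
        if target in label:
            return ("contains", brand)
    return None


def find_lookalikes(domains, brands, allowlist, max_distance=1):
    """Map each flagged domain to its classification."""
    hits = {}
    for domain in domains:
        reason = classify(domain, brands, allowlist, max_distance)
        if reason is not None:
            hits[domain] = reason
    return hits


if __name__ == "__main__":
    for domain, reason in find_lookalikes(SAMPLE_DOMAINS, ("paypal",),
                                          {"paypal.com"}).items():
        print(f"{domain:20} {reason}")
```

The distance check runs before the substring check so that a bare confusable (pay-pal.net normalizes to the brand itself) is reported as a look-alike rather than as merely containing it, and the allowlist keeps the brand owner’s own domains out of the report. A benign near-miss such as payroll.net sits three edits from the brand and is correctly ignored; the threshold and the confusable table are the two knobs to tune against false positives on a real extract.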

Together with other data sources, a WHOIS DB provides information that helps organizations strengthen their cybersecurity posture. The same data can also enrich market research and help organizations protect their brands.
