Other than a ping, probably no tool is more basic to cyber security work than a Whois query. Domain registrants are required to give their registrar accurate contact details, and the registry publishes a record for every domain. One caveat that did not apply a few years ago: since 2018, with GDPR and ICANN's Temporary Specification, most registrars redact the personal fields (name, address, phone, email) of the registrant, so a free Whois lookup will often show only the registrar, creation and expiry dates, status codes and name servers. Those fields are still enough to raise red flags, and a Whois check should be a routine part of validating a website before trusting it and, where necessary, of blocking the domain or the IP addresses it resolves to.
One way a Whois query helps is in identifying malicious websites. If the domain was registered only days or weeks ago, that is the first alarm. A short registration term (a one-year term with the expiry date close at hand) is another warning sign: a phishing domain only needs to survive for the length of the campaign. A mismatch between the registrant organisation and the company the site claims to be is a third.
Another warning sign is the top-level domain (TLD), whether a country code or a generic one. Some TLDs carry a disproportionate share of abuse because registrations there are cheap and loosely vetted, and domains under them deserve closer scrutiny than a .com of the same age. Whois is not limited to domains: the regional Internet registries (ARIN, RIPE, APNIC and the others) answer Whois queries for IP address blocks, so you can cross-reference the netblock behind suspicious activity with the domains hosted on it. Combining the registrant country from the domain record with IP geolocation of the hosting address can also turn up useful inconsistencies.
A routine trick that scammers use is to set up bogus websites whose names closely resemble well-known brands or products. Simply adding apparently innocuous terms to a brand name ("-login", "-support", "-verify") or changing a single character can divert users to the fraudsters' site, where they harvest credentials and card details or serve malware to visitors' machines.
A reverse Whois API works in the other direction: instead of asking who owns a domain, you start from a piece of contact information and list every domain registered with it. This allows for very specific searches on any contact field, such as the registrant's:
Many bad actors use privacy services and throwaway identities to avoid being spotted. It is not unusual, though, for them to reuse an email address, phone number or name server across registrations and so fail to conceal all of their tracks. Cross-referencing those details can rapidly uncover their other domains and establish a pattern of abuse that links known threats to ones you had not yet seen.
A reverse query can also support fraud checks. Searching the email address presented at checkout or on a credit application shows whether it has registered domains tied to earlier abuse, which can stop credit being extended to a known scammer. Email addresses lifted from phishing campaigns can be traced the same way. A simpler check needs no reverse lookup at all: compare the contact details published on a website with those in its Whois record. Any inconsistency should raise a red flag and prompt a closer inspection of the site.
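Pivoting on shared registration details, as described in the two paragraphs above, amounts to building an inverted index from contact fields to domains and walking it from a seed domain. The following is an added example, not code from the original article or from any reverse Whois provider. The records are constructed, and the choice of which fields count as strong links (email, phone) versus weak ones (name servers, which every customer of a bulk host shares) is an assumption.

```python
"""Reverse-Whois pivoting over a set of parsed records.

Added example. RECORDS are constructed, not real Whois data. The split
between STRONG and WEAK pivot fields is an assumption about which shared
values actually imply a shared operator.
"""
from collections import defaultdict, deque

STRONG = ("registrant_email", "registrant_phone")  # shared value => likely same operator
WEAK = ("name_servers",)  # shared value => same hosting provider, nothing more
NOISE = {"", "redacted for privacy", "data redacted"}  # useless as pivots

# Constructed records. The fourth is an innocent customer of the same bulk host.
RECORDS = [
    {"domain": "secure-bank-login.example", "registrant_email": "ops@throwaway.example",
     "registrant_phone": "+1.5550100", "name_servers": ["ns1.bulk.example"]},
    {"domain": "bank-verify-now.example", "registrant_email": "ops@throwaway.example",
     "registrant_phone": "+1.5550199", "name_servers": ["ns2.bulk.example"]},
    {"domain": "invoice-portal.example", "registrant_email": "REDACTED FOR PRIVACY",
     "registrant_phone": "+1.5550199", "name_servers": ["ns9.other.example"]},
    {"domain": "flowershop.example", "registrant_email": "owner@flowershop.example",
     "registrant_phone": "+1.5550500", "name_servers": ["ns1.bulk.example"]},
]


def _values(record, field):
    """Normalise a field to a list of lower-cased strings."""
    vals = record.get(field, [])
    if isinstance(vals, str):
        vals = [vals]
    return [v.strip().lower() for v in vals]


def build_index(records):
    """Map (field, value) -> set of domains, skipping redacted/noise values."""
    index = defaultdict(set)
    for rec in records:
        for field in STRONG + WEAK:
            for value in _values(rec, field):
                if value not in NOISE:
                    index[(field, value)].add(rec["domain"])
    return index


def reverse_lookup(index, field, value):
    """The basic reverse-Whois question: which domains share this value?"""
    return sorted(index.get((field, value.strip().lower()), ()))


def cluster(records, seed, max_hops=3):
    """Breadth-first walk over STRONG links from `seed`.

    Returns (linked, weak): domains reachable through strong indicators, and
    domains that only share weak infrastructure with that cluster. The second
    set is reported separately so shared hosting is not mistaken for shared ownership.
    """
    index = build_index(records)
    by_domain = {r["domain"]: r for r in records}
    linked, frontier = {seed}, deque([(seed, 0)])
    while frontier:
        dom, hops = frontier.popleft()
        if hops >= max_hops:
            continue
        for field in STRONG:
            for value in _values(by_domain[dom], field):
                for other in index.get((field, value), ()):
                    if other not in linked:
                        linked.add(other)
                        frontier.append((other, hops + 1))
    weak = set()
    for dom in linked:
        for field in WEAK:
            for value in _values(by_domain[dom], field):
                weak.update(index.get((field, value), ()))
    return linked, weak - linked


if __name__ == "__main__":
    linked, weak = cluster(RECORDS, "secure-bank-login.example")
    print("linked by contact details:", sorted(linked))
    print("shared infrastructure only:", sorted(weak))
```

In the constructed data the redacted email on invoice-portal.example would hide it from a naive email search, but the phone number it shares with bank-verify-now.example still pulls it into the cluster, while flowershop.example stays out because a common name server is the only thing linking it. Real providers add more pivot fields (registrant name, organisation, street address); add them to STRONG or WEAK according to how specific they are.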
The Whois database is also useful for evaluating third-party credibility. Before entering into a partnership, a simple Whois search gives you the registration age, term and contact details discussed above, and a Whois history search (a record of how the registration has changed over time) can uncover past connections to shady operators or known malicious domains and IP addresses. The same lookups are essential to the investigation once an attack has been identified: they tell you which domains and netblocks to add to your blocklists and what to record in your threat intelligence.
To put it simply, due diligence online begins with a Whois search in a quality database. Before you hand information to a website, conduct business through it, or establish a relationship with another online company, run a Whois query. The seconds it takes are cheap compared with the months, or even years, of untangling the consequences of fraud.