
Power Cybercrime Investigations By Digging Into A Domain’s Past

Posted on February 3, 2020
Importance of Whois History for Cyber Security Experts!

Gone are the days when cyber criminals would do their worst and get away undetected. With the right tools, cybersecurity analysts and investigators can run a series of actions that help find these criminals and bring them to book. An essential tool in cybersecurity today is a historical Whois database that lets professionals delve into a domain’s past and uncover what really lies behind the domain.

What Exactly Is A Domain’s Past?

Over 100,000 new domain names are registered every day globally, and a far larger number of domains go through registration updates in the form of changes to their registrant, contact details, nameservers, etc. Analysing these WHOIS record alterations helps security experts examine the “before and after” of each change, which can provide great insight into the activities associated with the domain. This can provide crucial clues during an investigation into any given domain name, and can even be valuable for detecting certain types of cybersecurity attacks.

Whoisology provides comprehensive historical WHOIS records for domains and can be a reliable tool in cybercrime investigations because it allows security professionals to access and analyze any changes made to a domain’s Whois record: when it was done, what was done, and what happened before or after such changes. Our advanced tool, in fact, monitors any alterations made to a domain’s WHOIS right from the time it was first registered. Our systems have been tracking and archiving WHOIS records for more than a decade, and at present our database consists of billions of historical domain WHOIS records. Now that we understand what a domain’s history is, let’s see how it can help security professionals.

Applications Of WHOIS History In Cybercrime Investigations

1) Correlate Domain Information

With WHOIS history, investigative analysis is performed on a domain name to check for information such as the registrar's name, email, the domain's location, country code, etc. With these and other bits of information from the WHOIS history, cross-checks can be done against other similar (or suspected) domain records to study correlating details, and the field of suspects can be narrowed down through their personal or organizational details. By comparing the domain information revealed in the WHOIS history of two or more suspected domain names, it is possible to pin down a criminal, after which the right security authority can be called on for the appropriate legal action.

2) Building Case Evidence

Historical WHOIS records can be instrumental in backing up claims of criminal activity through important information such as registration date and time, update date and time, ownership changes and so on. These WHOIS records, when used in conjunction with other intelligence, can be used to research the digital footprint of domain activity and can help to prosecute criminals. Whoisology provides highly accurate historical WHOIS records that can span about 12 years of registration data.

3) Domain Owner Attribution

WHOIS history makes it easier to uncover the real identity of a criminal hiding behind the mask of 'privacy'. Since most people don't have their domains protected when they first purchase the name from their registrar, an investigator can backdate their check of a suspected domain name in the WHOIS history by up to 12 years to find the unprotected details of a domain from before its privacy protection was enacted. This information can be screen-grabbed and compared with the record as it appears after the privacy service was applied. Consistent information in the domain record before and after WHOIS privacy was enabled is a strong indicator of who the criminal might be.

4) Building A Suspect Profile

The first step toward catching a criminal is building a case profile to understand their pattern, location, and attributed email. WHOIS records are instrumental for cybersecurity analysts in building such profiles. Analyzing patterns of fraud can also help to uncover new variations of cyber threats from hackers. Information spanning several years is made available through the WHOIS history, including any changes in ownership, contact details, name servers, hosting information, mail server, registration date, and so on.

5) Prevent Fraud

With e-commerce booming more than ever today, fraudsters are trying various ways to harm unsuspecting businesses. Security teams can safeguard their company and customers against online threats and prevent fraud by constantly monitoring their visitor logs and cross-checking suspicious-looking traffic sources with a WHOIS history search tool. Data changes that raise red flags include changes in ownership or contact details, recent registration, and connections to other identified malicious domains.

6) Fight Domain Hijacking

These days, hackers try to hijack or steal domain names by getting unauthorized access to the domain registrar account without the consent of the original registrant. Having your domain stolen can significantly impact your business if you don’t recover your domain ownership. Security teams in such cases can prove domain ownership by putting together pieces of information using WHOIS History to establish enough proof for at least claiming domain ownership back from the host (registrar).

7) Create Blacklist Database

Malicious domains are a common medium for carrying out phishing, scams, and malware injections. WHOIS History can be used to research the digital footprint of known nefarious domains. This lets cybersecurity professionals reveal who their owners are. With a reverse WHOIS, they can go a step further to find all the domains such bad actors possess. This information can then be used to update existing blacklist databases, in order to keep risky domains and IP addresses associated with these threat actors at bay.
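The checks described in sections 1, 3, 5 and 7 above can be expressed as a small analysis routine over archived WHOIS snapshots. The following is an added example, not Whoisology's own code or API: it diffs consecutive snapshots field by field, raises the red flags the post lists (recent registration, ownership or contact changes, links to attributes already tied to malicious domains), recovers the registrant details from the last snapshot captured before privacy protection was applied, and pivots across several domains on shared emails and nameservers in the manner of a reverse WHOIS. The snapshot layout, the `is_redacted` heuristic and every domain, person and date in `SAMPLE_DOMAINS` are constructed for the example.

```python
"""Added example (not Whoisology's code): diff archived WHOIS snapshots, raise
red flags, recover pre-privacy registrant details and pivot on shared data.
All records below are constructed sample data, not real registrations."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Fields whose "before and after" values an analyst compares across snapshots.
WATCHED_FIELDS = ("registrant", "email", "registrar", "nameservers")


@dataclass(frozen=True)
class WhoisSnapshot:
    """One archived WHOIS record for a domain, captured on `observed` (assumed layout)."""
    observed: date                 # capture date of this archived record
    created: date                  # creation date shown in the record
    registrant: str
    email: str
    registrar: str
    nameservers: Tuple[str, ...]


def is_redacted(value: str) -> bool:
    """Heuristic (assumption): privacy/proxy services replace the registrant's
    own details with a redaction marker or a proxy contact address."""
    v = value.lower()
    return "redacted" in v or "privacy" in v or "proxy" in v


def diff_history(history: List[WhoisSnapshot]) -> List[Tuple[date, str, object, object]]:
    """List (observed, field, before, after) for every change between consecutive snapshots."""
    snaps = sorted(history, key=lambda s: s.observed)
    changes = []
    for prev, cur in zip(snaps, snaps[1:]):
        for field_name in WATCHED_FIELDS:
            before, after = getattr(prev, field_name), getattr(cur, field_name)
            if before != after:
                changes.append((cur.observed, field_name, before, after))
    return changes


def pre_privacy_identity(history: List[WhoisSnapshot]) -> Optional[Tuple[str, str]]:
    """(registrant, email) from the latest snapshot captured before privacy hid
    them, or None if every archived snapshot is already redacted."""
    for snap in sorted(history, key=lambda s: s.observed, reverse=True):
        if not (is_redacted(snap.registrant) or is_redacted(snap.email)):
            return snap.registrant, snap.email
    return None


def red_flags(history: List[WhoisSnapshot], as_of: date, known_bad_emails: Set[str],
              known_bad_nameservers: Set[str], recent_days: int = 30) -> Set[str]:
    """Red flags from the post: recent registration, ownership/contact changes,
    and links to attributes already associated with malicious domains."""
    flags: Set[str] = set()
    latest = max(history, key=lambda s: s.observed)
    if (as_of - latest.created).days <= recent_days:
        flags.add("recent_registration")
    for _, field_name, before, after in diff_history(history):
        if field_name not in ("registrant", "email"):
            continue
        if is_redacted(after):
            flags.add("privacy_enabled")      # a proxy appearing is not a new owner
        elif not is_redacted(before):
            flags.add("ownership_change")
    # Links are checked over the whole history, so a record that is proxied
    # today still connects through its earlier, unredacted details.
    for snap in history:
        if snap.email in known_bad_emails or any(ns in known_bad_nameservers for ns in snap.nameservers):
            flags.add("linked_to_known_malicious")
    return flags


def correlate(domains: Dict[str, List[WhoisSnapshot]]) -> Dict[str, List[str]]:
    """Reverse-WHOIS style pivot: each unredacted email or nameserver mapped to
    the domains that used it at any point; only values shared by 2+ domains."""
    index: Dict[str, Set[str]] = {}
    for domain, history in domains.items():
        for snap in history:
            keys = list(snap.nameservers)
            if not is_redacted(snap.email):
                keys.append(snap.email)
            for key in keys:
                index.setdefault(key, set()).add(domain)
    return {k: sorted(v) for k, v in index.items() if len(v) > 1}


# Constructed sample histories (no real domains, people or addresses).
SAMPLE_DOMAINS: Dict[str, List[WhoisSnapshot]] = {
    "shop-deals-example.test": [
        WhoisSnapshot(date(2020, 1, 5), date(2019, 12, 28), "A. Nonymous",
                      "alice@example.test", "RegistrarOne", ("ns1.hosting.test",)),
        WhoisSnapshot(date(2020, 1, 20), date(2019, 12, 28), "REDACTED FOR PRIVACY",
                      "contact@privacyproxy.test", "RegistrarOne", ("ns1.hosting.test",)),
    ],
    "cheap-gadgets-example.test": [
        WhoisSnapshot(date(2019, 6, 1), date(2018, 3, 10), "A. Nonymous",
                      "alice@example.test", "RegistrarTwo", ("ns1.hosting.test",)),
    ],
    "long-standing-example.test": [
        WhoisSnapshot(date(2019, 6, 1), date(2012, 5, 5), "Example Corp",
                      "admin@long-standing-example.test", "RegistrarTwo", ("ns1.other.test",)),
    ],
}
KNOWN_BAD_EMAILS = {"alice@example.test"}   # constructed: email tied to an earlier scam case
KNOWN_BAD_NAMESERVERS: Set[str] = set()
AS_OF = date(2020, 1, 25)                   # constructed reference date for "recent"

if __name__ == "__main__":
    for name, hist in SAMPLE_DOMAINS.items():
        print(name, sorted(red_flags(hist, AS_OF, KNOWN_BAD_EMAILS, KNOWN_BAD_NAMESERVERS)))
        print("  changes:", diff_history(hist))
        print("  pre-privacy identity:", pre_privacy_identity(hist))
    print("shared attributes:", correlate(SAMPLE_DOMAINS))
```

Two design points carry the post's argument: the link check walks the whole history rather than only the current record, so a domain that switched to a privacy proxy still connects to the earlier email, and the pivot in `correlate` indexes every snapshot, so two domains are tied together even if only one of them still shows the shared registrant today. The redaction heuristic is deliberately simple; a real deployment would use the registrar's explicit redaction markers.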

8) Enforce Cybersecurity

Cybersecurity analysts can gain immense insight by analyzing historical WHOIS records to improve their overall web security efforts. Once a malicious website has been identified, specialists can check its history and use their findings to block malevolent IP addresses, update firewalls, or block connected malicious websites.

Part Of An Integrated Approach

WHOIS history works seamlessly as part of an armory of tools in cyber investigations. It forms a vital part of a complete cyber investigation toolset, as it works alongside WHOIS lookup and reverse WHOIS lookup to provide invaluable information about domain-associated activities. It finds applications as a stand-alone tool and also as part of an integrated approach to cybercrime detection and prevention.

Whoisology combines the power of three tools (WHOIS, reverse WHOIS and WHOIS history) in a single easy-to-use web app that eases the process of domain research during cybercrime investigations. Each record includes the dates when the target domain was created, updated, or expired; the registrant’s name, address, and contact information; and the name of the registrar. Also included are the array of name servers, the WHOIS server, and the administrative, technical, billing, and zone contact information. The tool also keeps tabs not just on commonly used TLDs, but also on thousands of newly created gTLDs and ccTLDs. And with a database containing billions of well-structured and regularly updated records, you can get all the information you need on practically any domain registered anywhere in the world.

Whoisology offers you access to:

  • Over 5.2 billion WHOIS records
  • Over 582 million domains
  • Over 2,850 TLDs
  • Over 10 years’ worth of historic WHOIS data

Conclusion

When Emily Dickinson said, ‘The past is not a package one can lay away’, she was quite obviously talking about the human past. But in today’s world, that statement applies just as well to a domain’s past! The past cannot be ignored, which is why learning about the background of a domain should be a priority if the consequences are to be avoided. While cyber criminals are waging new and sophisticated attacks each day, there is always some digital footprint left behind. Tracing their steps and outsmarting them is one way security professionals can ensure web security!
