3 Ways Reverse WHOIS Lookups Can Enhance Cybersecurity


Cybercriminals often use malicious email addresses, IP addresses, and domains in phishing and malware attacks or to lure victims to fake pages. But while many sources reveal indicators of compromise (IoCs) related to ongoing attacks, the IoC lists may not be exhaustive. Many connected domains, IP addresses, and email addresses remain unknown. There is a way, though, to find the associated domains for more comprehensive security: reverse WHOIS lookups, enabled by solutions like Reverse WHOIS.

3 Reverse WHOIS Lookup Techniques for Cybersecurity

Reverse WHOIS searches can particularly help cybersecurity teams reveal domain connections. That allows them to identify other potential attack sources starting from a single IoC or a handful of them. Reverse WHOIS API or Reverse WHOIS Search, in particular, can:

1. Prevent Phishing and Malware Attacks

More than half of IT decision-makers think phishing is the biggest threat to their networks. Around a third of breaches, in fact, stemmed from the mere act of opening a phishing email. It’s also interesting to note that more than a fourth of data breaches started from malware infections. And every breached entity stood to lose as much as US$3.92 million per attack in 2019. Those facts highlight the importance of safeguarding networks against phishing and malware.

So, suppose a number of your employees received an email from what turned out to be a phishing address, username@domain[.]com, asking them to update their login credentials. A few may have failed to check the sender’s domain and simply replied with their username and password. They might think that since the message bypassed their email filters, it must be legitimate and must have come from within their network.

An email security solution enhanced by the capabilities of Reverse WHOIS and Threat Intelligence Platform (TIP), though, could red-flag the email because domain[.]com is related to the domain firststeel[.]com[.]cn, which is a suspected malware host.

The employees would then avoid handing their credentials (which they may reuse for other accounts) to potential attackers and ending up as cyberattack victims.

2. Enrich Threat Data with Related Domain Names

Aside from thwarting attacks, reverse WHOIS searches can also help cybersecurity teams enrich their threat data. They can use Reverse WHOIS API or Reverse WHOIS Search to uncover the culprits’ infrastructure.

A company that uses PayPal to pay its employees’ salaries, for instance, could fall prey to a fake email from the financial service provider. An example of a deceiving email address would be paypal@support[.]com. As it turns out, support[.]com is a suspected malware host. A reverse WHOIS search for it reveals 13 related domains that should probably be included in blocklists as well.

Among the 13 connected domains, which could figure in several attacks, four were also tagged “malware hosts” on VirusTotal:

  • account-paypal-support[.]com
  • https-paypal-support[.]com
  • upgrade-paypal-support[.]com
  • limited-paypal-support[.]com

Users of Reverse WHOIS API- and TIP-enhanced security solutions would thus be able to block not only emails coming from the domain support[.]com but also messages from account-paypal-support[.]com, https-paypal-support[.]com, upgrade-paypal-support[.]com, and limited-paypal-support[.]com.
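The pivot described in sections 1 and 2 (seed domain → related domains → expanded blocklist → flag senders) as an added Python example; this is not WhoisXML API code, the reverse WHOIS result and email headers are constructed samples, and the field names `seed`, `related`, `domain` and `tags` are assumptions rather than the real API’s schema:

```python
"""Expand a sender blocklist from a reverse WHOIS pivot and flag emails.

Added example, not WhoisXML API code. The pivot result below is a
constructed sample shaped like the support[.]com case in the article.
"""
from email.utils import parseaddr

# Constructed sample: related domains returned for seed support[.]com,
# with analyst-attached tags. Field names are assumptions, not the real API.
REVERSE_WHOIS_SAMPLE = {
    "seed": "support[.]com",
    "related": [
        {"domain": "account-paypal-support[.]com", "tags": ["malware host"]},
        {"domain": "https-paypal-support[.]com", "tags": ["malware host"]},
        {"domain": "upgrade-paypal-support[.]com", "tags": ["malware host"]},
        {"domain": "limited-paypal-support[.]com", "tags": ["malware host"]},
        {"domain": "paypal-support-news[.]com", "tags": []},  # constructed, untagged
    ],
}

def refang(domain: str) -> str:
    """Turn defanged notation (example[.]com) back into a matchable hostname."""
    return domain.replace("[.]", ".").strip().lower().rstrip(".")

def build_blocklist(pivot: dict, require_tag: bool = False) -> set:
    """Seed domain plus every related domain (only tagged ones if require_tag)."""
    block = {refang(pivot["seed"])}
    for entry in pivot["related"]:
        if require_tag and not entry["tags"]:
            continue
        block.add(refang(entry["domain"]))
    return block

def sender_domain(from_header: str) -> str:
    """Extract the domain part of a From: header value ('' if no address)."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def is_blocked(from_header: str, blocklist: set) -> bool:
    """True when the sender domain or any parent of it is on the blocklist."""
    parts = sender_domain(from_header).split(".")
    # Also match subdomains: mail.support.com -> support.com
    return any(".".join(parts[i:]) in blocklist for i in range(len(parts) - 1))

if __name__ == "__main__":
    bl = build_blocklist(REVERSE_WHOIS_SAMPLE)
    for hdr in ['"PayPal" <paypal@support.com>',  # constructed headers
                "Billing <billing@mail.limited-paypal-support.com>",
                "HR <hr@example.org>"]:
        print(hdr, "->", "BLOCK" if is_blocked(hdr, bl) else "allow")
```

Pass `require_tag=True` to block only the related domains that carry a tag, which is the conservative choice when a pivot returns many untagged results.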

3. Protect against Brand Abuse of Trademarked Names

While brand protection may not fall under the primary responsibilities of cybersecurity staff, preventing brand abuse can help them keep their organizations off blocklists. One way to catch typosquatters and trademark infringers is by monitoring domain copycats. Cybercriminals, after all, always ride on the popularity of the biggest brand names to attract victims to their sites.

Let’s take the brand Gucci, for example. Performing a reverse WHOIS search for the term “gucci” would give a list of 4,931 domains.

A vast majority of these domains do not belong to Gucci but could be banking on the brand to lure in visitors. Many may be selling counterfeits, while others could figure in phishing or malware attacks.

Cybersecurity teams can use solutions such as Reverse WHOIS to better protect network users against cyberattacks or to beef up their cyber threat intelligence sources. For real-time protection, they can also integrate a reverse WHOIS API into existing security solutions and systems and monitor all registered domains.

About the Author

Jonathan Zhang is the founder and CEO of WhoisXML API—a domain and IP data intelligence provider that empowers all types of cybersecurity enterprises to build better products and achieve greater network security with the most comprehensive domain, IP, DNS, and cyber threat intelligence feeds.  WhoisXML API also offers a variety of APIs, tools, and capabilities, including Threat Intelligence Platform (TIP) and Domain Research Suite (DRS).