Blog & How To Guides | WhoisXML API

WhoisXML API Enterprise Blog

Subdomain Finder Tools and Data Sources: Top 4 Cybersecurity Applications

Subdomains are useful as they help domain owners organize their websites. They identify specific pages on a company’s site, guiding customers and internal and external users to where they will find the information they need or product they wish to buy.

But while using subdomains indeed has advantages, it has disadvantages as well. Cybercriminals can use them for malicious campaigns that rely on subdomain takeovers, among other cyberattacks. Threat actors can also create subdomains and hide them under what seems to be totally legitimate domains to evade detection.

Subdomain-related threats are addressable, at least to some extent, with the help of a subdomain finder that enumerates the subdomains of a particular domain. This post explains how to go about it.

Continue reading

A Cyber Threat Intelligence Recap for COVID-19 in 2020

Much has been said about the COVID-19 pandemic. In many ways, it has changed the way we live, work, or simply interact with our relatives and friends. From the standpoint of cybersecurity, the pandemic also had a strong influence on how threat actors and cybercriminals created and executed all types of cyberattacks and phishing campaigns.

To illustrate, this post features a timeline of COVID-19-related cyber threats and some cyber threat intelligence found for each month of 2020.

Continue reading

Social Media Phishing: Expanding the List of IoCs for Recent Facebook Page Impersonation Attacks

A few months back, security researchers noticed a spike in the volume of social media phishing attacks. Cybercriminals had been impersonating the Facebook pages of various influential personalities proactively in hopes of luring their followers into parting with their account credentials. The social media campaign focused on the Facebook pages of influencers with tons of followers.

A researcher from security firm Trend Micro believed an average of three pages were being spoofed per day. The personalities targeted were from Taiwan, India, Australia, Canada, and the Philippines.

The attackers began by stealing the target pages’ administrative account credentials. Once done, they sent a malicious link to all of the page’s followers for the potential victims to give out their own account credentials. As a common practice among phishers, the cybercriminals mimicked the pages down to their profile photos. As of August last year, 120–180 fake Facebook pages believed to be part of the campaign were seen.

Continue reading

Powering Asset Discovery with Domain and Subdomain Intelligence Sources

Everyone leaves digital footprints behind while using Internet-based technologies. Besides, in the process of improving digital services, acquiring new companies, and doing business in general, organizations inadvertently create digital trails. When threat actors pick up the scent, the result could be devastating and costly.

Asset discovery can help organizations keep track of their technological assets, so they can apply the necessary protection and keep their overall infrastructure safe from malicious actors. How so? Let’s take a closer look.

Continue reading

Cybersecurity Forensics Analysis Using Domain Intelligence Sources

Forensic science has crossed over to the digital world in what is now called “digital or cybersecurity forensics.” And just like their physical crime scene counterparts, cybersecurity forensics experts need to hold on to whatever evidence they have and use it to get one step closer to catching the perpetrator.

Evidence comes in many different forms, but cybercriminals often use domain names and Domain Name System (DNS) infrastructure since those assets are practically what makes the Internet work.

When creating botnets for a distributed denial-of-service (DDoS) attack, for example, threat actors need to infect hundreds or thousands of devices. Each of these devices has an IP address, and the requests they send to the target’s server may sometimes contain the command-and-control (C&C) server domain. Even with their most effective entry point - phishing emails - the bad guys need to use domain names and subdomains.

Continue reading

Cyber Threat Intelligence in Action: Malicious COVID Footprint Enrichment, Expansion, and Infrastructure Analysis

We have been monitoring COVID-19 cyber threats for several months now. More recently, we partnered with GeoGuard to enrich a dataset of coronavirus-themed URLs and IP addresses with WHOIS data and domain reputation scoring, followed by a passive DNS analysis to enlarge the malicious footprint under the study. The three sections in this post discuss the results of our research in greater depth.

Continue reading

Domain and IP Intelligence: Tracking the Spike in Coronavirus-Themed Domain Registrations

The first cases of COVID-19 infection came to the fore in December 2019. Five months later, the world is still reeling from the disease. The numbers are overwhelming. According to the Johns Hopkins Coronavirus Resource Center, more than 4 million people worldwide have gotten infected, over 290,000 of whom have died from the disease at the time of writing. And dismayingly, these numbers are still expected to rise.

In response, governments all over the world have imposed varying degrees of social distancing strategies. People are urged to stay home, schools are closed, mass transportation in many countries is suspended, and countless small businesses have ceased operations. For the majority, one consolation of being in home quarantine is their access to the Internet and, therefore, the world. But even on the Web, people are not safe from the virus.

Using our IP and domain intelligence, we detected an increasing trend toward coronavirus-themed domain bulk registrations—some of which may have to do with the proliferation of coronavirus-themed cybercrimes taking advantage of the pandemic. Let us show you our key findings.

Continue reading

How to Check Site Activity & Validity with Domain and IP Intelligence Tools

In an industry that increasingly gets more competitive every day, a seller’s reputation matters a lot. As personal selling is not possible online, e-commerce sites rely on several factors to establish consumer trust. Among them are reviews, which compensate for the lack of face-to-face transactions. In fact, 90% of consumers stated that positive reviews influence their purchasing decisions. Consistency in terms of the quality of one’s product and services also plays a crucial role in fostering trust.

But because digital commerce is cut-throat, online merchants sometimes resort to whatever it takes to maintain their share of the profits—even if they tarnish someone else’s reputation in the process. For instance, some sell replicas and pass them off as authentic items. They may also impersonate legitimate businesses on your site or manipulate product search results with blackhat marketing techniques. Finally, with the right exploit tools, some even manage to hijack someone else’s brand, starting with products and the target’s account.

This tutorial instructs users on performing vendor website assessments with enterprise-grade domain and IP intelligence solutions to prevent rogue sellers from abusing e-commerce platforms. But before we go on, let’s first deconstruct the reasons behind website audits.

Continue reading
Posted on March 25, 2020

Leveraging Cyber Threat Intelligence: Must-Dos for Companies To Prevent Phishing and Other Attacks

While phishing is considered one of the oldest threats in any cyber attacker’s arsenal, it still manages to work. The targeted organization or individual, social engineering bait, and the manner in which information gets stolen or malware is delivered may change. Still, the motivation often remains: to take someone’s details or even identity.

In many phishing scams, cybercriminals opt to create a fake company pretending to offer services that may be hard for users to resist. Such is the case of two confirmed phishing domains we analyze throughout this piece—technoarubacloud[.]com and teichdata[.]at. Any visitor lured to avail themselves of these two fake suppliers’ offerings is likely to be tricked into handing over personally identifiable information (PII) to the criminals behind the bogus sites.

In short, phishing and cyber attacks in general will continue to occur. So how can individuals and companies alike prevent themselves from falling into information-stealing traps? Following the four-stage process in this post aided by reliable cyber threat intelligence solutions may be the answer.

Continue reading
Posted on February 3, 2020

The Equifax Settlement Case: Shielding Financial Service Customers from Phishing with Domain Research Monitoring

Data breaches continue to plague organizations today. In the first six months of 2019 alone, 3,813 data breaches were recorded, exposing more than 4.1 billion records. This figure translates to more than a 50% increase in victim volume over the past four years. Worse still, three of these recently recorded data breaches made it to the all-time list of top incidents.

Of all these unfortunate events, we decided to take a closer at Equifax’s case. First, because it has been the financial sector’s biggest breach victim to date. Second, because it shows how cybercriminals insist on exploiting every vulnerability there is. It’s indeed possible that malicious entities are now trying to trick victims into disclosing more personally identifiable information (PII) on fake Equifax settlement websites.

We then used the Domain Research Suite (DRS) to show how potential targets can avoid falling prey to instances of phishing and cybersquatting attacks.

Continue reading
Posted on January 9, 2020

Yahoo! Data Breach Settlement: A Deep Dive into Fake Websites through Domain Name Monitoring

The massive Yahoo! data breach that lasted from 2012 to 2016 is one of the most notable data breaches to date, with 3 billion accounts compromised. Users’ names, birthdays, email addresses, phone numbers, and even encrypted and unencrypted security questions and answers were just some of the information stolen and potentially peddled in underground markets.

The good news is that those who have been affected can now claim benefits for the damages and losses they incurred. They can get two years of free credit monitoring or US$100–25,000 in cash as settlement for theft and potential fraud. Those interested can check if they are eligible for settlement payment by contacting the administrator of the official data breach settlement site,

It seems those who suffered from the Yahoo! compromise could rest easy, right? Probably not as new threats arose shortly after the breach settlement announcement. Much like the case when Equifax announced its breach settlement details and informed victims where they could file claims, several fake websites mimicking Yahoo!’s settlement website surfaced. Those who are not careful could end up exposing even more personally identifiable information (PII) instead of obtaining remuneration from what they already lost.

To better illustrate this point, we have used various of our domain intelligence tools to study what the emerging threat environment around Yahoo! settlement site looks like and present recommendations on how to mitigate the resulting risks.

Continue reading
Posted on December 12, 2019

Privacy or Accountability: What the Redaction of WHOIS Data Means for Cybersecurity

WHOIS data has usually been the starting point for security professionals, incident responders, and forensic investigators when a suspected cyber attack takes place. WHOIS registrant, administrative, and technical details are deemed reliable by investigators, as using fake registrant credentials when purchasing a domain is a violation of the Internet Corporation for Assigned Names and Numbers (ICANN) terms of service.

By making it a requirement for domain owners to provide their email address and other personal details and making them publicly accessible, the ICANN has somehow given them the accountability to use their websites ethically and legally. While this policy has neither eradicated nor even prevented cybercrime completely, it does provide a valuable resource for forensic investigation and threat prevention.

As such, these publicly available records have been used to trace sources of malware, detect and investigate fraud, as well as tracking down cyber attackers.

A registrant’s email address, for instance, allows investigators to directly contact the owner of a domain without having to go through other channels. Email addresses are also a handy resource for domain disputes and complaints about copyright infringement, among other things. WHOIS data, in its totality, is an abundant reservoir that aids organizations in strengthening their cybersecurity posture.

Continue reading
Updated on September 22, 2019

Brand Monitor and Brand Alert API: How to Combat Brand Misrepresentation in the Retail Fashion Industry

Misrepresentations together with negative brand equity are probably the biggest nightmares of today’s most prominent companies — and more often than not, that’s connected to cybersecurity and data breaches.

For example, the latest stats show that one in every 99 emails you get each day has ties to a phishing attack, the majority of which come laced with malware specially crafted to harvest victims’ financial credentials or use popular brands as social engineering bait.

A great example would be an email offering a considerable discount that the victim may find very hard to resist. So she clicks the link to a site where she’s asked to fill in her personal data, including the credit card, for instance, that she plans to use to purchase goods. She doesn’t get the items she supposedly bought and so complained to the store via all possible means — email, phone, and social media.

What’s worse, others who fall for the same ruse join the frenzy, dragging the brand’s name through the muck. What can the victimized company do? Could it have prevented the phishing attack? These are just some of the things this article answers by analyzing Zara’s real-life case study.

Continue reading
Posted on August 23, 2019

Threat Intelligence API: Walking the Cybersecurity Talk

To many, threat intelligence still sounds like a strange term. Some specialists even claim that it’s not for every business out there and recommend either adopting it correctly or abstaining altogether… and they might have a point.

The truth is that failing to deploy threat intelligence the right way is like painting with a broad brush with no idea of the bigger picture. Adding to this is the fact that making informed decisions in the world of cybersecurity requires you to have the necessary data close at hand.

The good news is that software such as Threat Intelligence API allows actionable data to be readily integrated into various processes and solutions. This product is composed of six sub-APIs: Domain’s Infrastructure Analysis, SSL Certificates Chain, SSL Configuration Analysis, Domain Malware Check, Connected Domains, and Domain Reputation. Each of them provides specifics on specific areas of the host’s infrastructure.

But before we talk about them in more detail, let’s start with the current threat landscape to understand the relevance of threat intelligence in general and Threat Intelligence APIs in particular.

Continue reading
Posted on March 19, 2019

Threat Intelligence Platform Investigation #1: Payoneer Phishing Scam Hunted

It’s no exaggeration to say that cybercrime is plaguing the Internet and, consequently, business operations carried out online. As a response to that challenge, a growing number of businesses have started to move away from reactive cybersecurity practices in favor of new ones, such as threat hunting, which involves the proactive search for threats and exploitable vulnerabilities.

But even though proactivity is a battle half won, what does a threat hunt look like in practice? This report explores a real-life use case and illustrates how modern perpetrators operate as well as describing the techniques threat hunters can apply to detect and investigate foul schemes.

Continue reading
Posted on January 10, 2019

Fight against phishing e-mail with WHOIS: A technical blog based on the 2018 "Airbnb" case

Phishing is a way to obtain sensitive information by sending electronic communication pretending to have come from a reliable, trustworthy partner. According to the 2018 IBM X-Force Threat Intelligence Index, "Despite the increased use of chat and instant messaging applications, email continues to be one of the most widely used communication methods for any organization, and phishing attacks continue to be one of the most successful means of making unknowing insiders open the door to malicious attackers."

Continue reading
Try our WhoisXML API for free
Get started
Have questions?

We are here to listen. For a quick response, please select your request type or check our Contact us page for more information. By submitting a request, you agree to our Terms of Service and Privacy Policy.

Or shoot us an email to