Iranian misinformation network, website seizures, and what's left online | WhoisXML API
Products APIs Data Feeds Web Tools Domain Research & Monitoring Enterprise Packages Cyber Threat Intelligence Services
WHOIS / WHOIS History
WHOIS / WHOIS History

Provide current and historical ownership information on domains / IPs. Identify all connections between domains, registrants, registrars, and DNS servers.

DNS / DNS History
DNS / DNS History

Look into all current and historical DNS / IP connections between domains and A, MX, NS, and other records. Monitor suspicious changes to DNS records.

IP Geolocation / IP Netblocks
IP Geolocation / IP Netblocks

Get detailed context on an IP address, including its user’s geolocation, time zone, connected domains, connection type, IP range, ASN, and other network ownership details.

Domain Research Suite (DRS)
Domain Research Suite (DRS)

Access our web-based solution to dig into and monitor all domain events of interest.

Domain Research Suite (DRS)
Domain Research Suite (DRS)

Get access to a web-based enterprise-grade solution to search and monitor domain registrations and ownership details for branded terms, fuzzy matches, registrants of interest, and more.

Research
Monitoring
White-Label
Enterprise API Packages
Enterprise API Packages

Our complete set of domain, IP, and DNS intelligence available via API calls as an annual subscription with predictable pricing.

Security Intelligence (SI) Suite
Security Intelligence (SI) Suite

Offers complete access to WHOIS, IP, DNS, and subdomain data for product enrichment, threat hunting and more.

Premium API Services
Premium API Services

Enjoy priority data access with our premium API services topped with extra perks including dedicated team support, enterprise-grade infrastructure, and SLAs for full scalability and high performance.

Threat Intelligence Analysis
Threat Intelligence Analysis

Carry a complete threat intelligence analysis for a given domain or IP address and get access to a report covering 120+ parameters including IP resolutions, website analysis, SSL vulnerabilities, malware detection, domain ownership, mail servers, name servers, and more.

Threat Intelligence APIs
Threat Intelligence APIs

Gather threat intelligence via API calls covering Domain’s Infrastructure analysis, SSL Certificates Chain, SSL Configuration Analysis, Domain Malware Check, Connected Domains, and Domain Reputation Scoring.

Threat Intelligence Data Feeds
Threat Intelligence Data Feeds

Bolster enterprise security with our feeds covering Typosquatting domains, Disposable domains, Phishing URLs, Domain & IP reputation, Malicious URLs, Botnet C&C, and DDoS URLs.

Custom development

We offer comprehensive services for the integration of our data – from consultations to the precise definition of the basic needs of the business to increase the work efficiency.

Registrar WHOIS Services

Set up and manage public WHOIS servers for your business. Our WHOIS parsing system is a utility that collects extensive information about any given domain by sending series of DNS and WHOIS queries. The report is generated in raw as well as in parsed format.

Support services

Regardless of whether you are a startup, a small business or a global one, our team is always ready to help you. Enterprises operating on a scale can also choose special premium support management with high priority 24/7 email and telephone responses and other professional services.

Internet Statistics Reports

Get customized reports on TLDs covering datasets falling under domain name, WHOIS and DNS category.

×
Contact Us

White Papers

Read other articles

Iranian misinformation network, website seizures, and what's left online

By Alexandre François, Head of Marketing & Security Researcher at WhoisXML API

Part 1: Context and website seizure by the U.S. Department of Justice (DOJ)

In June 2021, the U.S. Department of Justice (DOJ) went ahead and seized a few dozen of Iranian-owned domain names, on the grounds that the websites hosted on those had been spreading misinformation. Those websites were mostly media sites owned by or affiliated with the Iranian state.

Among the websites seized were:

  • presstv[.]com
  • lualuatv[.]com
  • almasirah[.]net

All of those websites now display the message “This Website Has Been Seized” and a note of the United States Government according to screenshot lookups (as of July 17):

All of those websites now display the message “This Website Has Been Seized” - 1
All of those websites now display the message “This Website Has Been Seized” - 2
All of those websites now display the message “This Website Has Been Seized” - 3

As we intend to investigate these properties closely, let’s add them to our list of objects:

Step 1: We add presstv[.]com, lualuatv[.]com, and almasirah[.]net

We add presstv[.]com, lualuatv[.]com, and almasirah[.]net

Now the first question would be about what those websites used to host. In other words, what were their contents before they were seized?

Step 2: To answer this, we ran the Maltego transform Snapshots between Dates [Wayback Machine] and set it just for June 1, 2021.

And so, for June 1, 2021, we found several results including the following:

for June 1, 2021, we found several results including the following - 1
for June 1, 2021, we found several results including the following - 2

We handpicked a few of those screenshots to show what presstv[.]com and almasirah[.]net used to host as of June 1:

We handpicked a few of those screenshots to show what presstv[.]com and almasirah[.]net used to host as of June 1 - 1

https://web.archive.org/web/20210601001639/https://www.presstv.com/

We handpicked a few of those screenshots to show what presstv[.]com and almasirah[.]net used to host as of June 1 - 2

https://web.archive.org/web/20210601133207/https://almasirah.net/

Nothing was found for lualuatv[.]com for June 1, 2021, so we decided to broaden our range a little to cover the whole month of June. Here is our Maltego output using Snapshots between Dates [Wayback Machine]:

Here is our Maltego output using Snapshots between Dates [Wayback Machine]

https://web.archive.org/web/20210601133207/https://almasirah.net/

For June 10, 2021 for lualuatv[.]com, we found the following:

For June 10, 2021 for lualuatv[.]com, we found the following

https://web.archive.org/web/20210610193148/lualuatv.com/

On a side note, an extensive review of all the screenshots for presstv[.]com seems to indicate that the actual seizure took place between June 23 and June 24, 2021. In fact, as of June 23, PressTV mentioned that the website had been seized:

Extensive review of all the screenshots for presstv[.]com seems to indicate that the actualseizure took place between June 23 and June 24, 2021

https://web.archive.org/web/20210623020805/https://www.presstv.com/

But it may not have been effectively seized before June 24:

But it may not have been effectively seized before June 24

https://web.archive.org/web/20210623020805/https://www.presstv.com/

Part 2: Identifying public historical WHOIS registrant details with WhoisXML transforms

Now, from what we know about PressTV, it’s a rather extensive Iranian state-owned news and documentary network. So, as a starting point, we tried to establish ownership attribution by using WHOIS data.

Step 1: In Maltego, we used the transform WHOIS Records [WhoisXML] to gather the WHOIS record, and more specifically the transforms Registrant Name [WhoisXML], Registrant Email [WhoisXML], and Registrar [WhoisXML]; unfortunately, this query only returned information about the registrar information here below specified as Instra Corporation Pty Ltd. This is certainly related to the fact that presstv.com’s latest WHOIS information has been heavily redacted, thus leaving no such registrant email address or name.

We used the transform WHOIS Records [WhoisXML] to gather the WHOIS record, and more specifically the transforms Registrant Name [WhoisXML], Registrant Email [WhoisXML], and Registrar [WhoisXML]

Step 2: So, we check for that by running the transform Historical WHOIS Records [WhoisXML] for presstv[.]com

So, we check for that by running the transform Historical WHOIS Records [WhoisXML] for presstv[.]com

There we were able to find more WHOIS records dating back to 2019, for which we ran a Registrant Name [WhoisXML] query. This indicated, however, that the records were already made private as specified by the “Private data” and “REDACTED FOR PRIVACY”.

There we were able to find more WHOIS records dating back to 2019, for which we ran a Registrant Name [WhoisXML] query.

Step 3: Let’s specify these parameters in the Transform Manager for the Historical Whois Records [WhoisXML]. Under Transform Inputs, we can specify “2016-01-01” for Updated Date From and “2019-01-01” for Updated Date To:

Let’s specify these parameters in the Transform Manager for the Historical Whois Records [WhoisXML].

Now let’s re-run the transform Historical WHOIS Records [WhoisXML] for presstv[.]com with these new parameters. As expected, it shows new records for these dates:

Let’s re-run the transform Historical WHOIS Records [WhoisXML] for presstv[.]com

Step 4: Let’s now re-run a Registrant Name [WhoisXML] query for these new records. And bingo! For some of these records, we now have a name “Hami Farajolli”. How about attempting to get an email address and registrant organization too? For that, we run the Registrant Email [WhoisXML] and Registrant Organization [WhoisXML] queries for these records with a name mentioned. Doing so gave us the details PressTV as an organization and the email address [email protected].

Let’s now re-run a Registrant Name [WhoisXML] query for these new records.

We have now explicitly linked presstv[.]com to an individual and an organization. These are all WHOIS details for which we can consider running a reverse WHOIS query to find all domains that share the same details. After all, there might be a lot of domain names owned by the PressTV network. And, we can possibly try to understand if the U.S. Department of Justice (DOJ) has seized all of them.

But before doing that, let’s keep trying our luck and see if we can find more historical WHOIS information. In particular, can we learn more about presstv.com’s past DNS infrastructure. For that purpose, we ran the Nameservers [WhoisXML] and could identify two of them, namely ns2.presstv.ir and ns1.presstv.ir:

We ran the Nameservers [WhoisXML] and could identify two of them, namely ns2.presstv.ir and ns1.presstv.ir

Part 3: Reverse WHOIS analysis of identified public registrants using WhoisXML transforms

So, to recap, we identified 5 public WHOIS registrant details in presstv[.]com’s historical WHOIS records. These are:

So, to recap, we identified 5 public WHOIS registrant details in presstv[.]com’s historical WHOIS records

For the next part of the investigation, we will want to check for connected domain properties. An interesting finding would be to identify more websites that are part of the PressTV network but haven’t or couldn’t have been seized by the U.S. Department of Justice (DOJ).

Step 1: So, we ran a series of Domains and IP addresses (Historical Reverse WHOIS Search) [WhoisXML] queries for our different objects -- i.e., note that it’s needed to run the transform Domains and IP addresses (Historical Reverse WHOIS Search) [WhoisXML] for each object type individually.

This led us to identify multiple domain footprints, some of which have domain names overlapping across object types:

This led us to identify multiple domain footprints, some of which have domain names overlapping across object types - 1
This led us to identify multiple domain footprints, some of which have domain names overlapping across object types - 2
This led us to identify multiple domain footprints, some of which have domain names overlapping across object types - 3

In total, we are now looking at 37 properties. We expect, however, that there are more of such connected properties that we could identify if we were specifying more specific date ranges. Though just a sample, those 37 properties still give us a good overview of how extensive the PressTV network might be today (or how extensive it might have been historically).

Still, we wanted to find out which of those domains might still be active today, and may or may not have been targeted originally by the DOJ, or simply were overlooked or out of scope. So, we tried retrieving live screenshots as of July 17 for each of those domains.

What stood out was the following:

  • 18 of the 37 domain properties displayed live content
  • Though presstv[.]com was seized, presstv[.]ir may have become its replacement or at least it has been used to host the same or similar content with the same branding. In fact, the live screenshot for presstv[.]ir looks very much like the content hosted on presstv[.]com prior to the seizure as per the below:
    The live screenshot for presstv[.]ir looks very much like the content hosted on presstv[.]com prior to the seizure as per the below - 1
    The live screenshot for presstv[.]ir looks very much like the content hosted on presstv[.]com prior to the seizure as per the below - 2
  • PressTV’s network may go beyond English-speaking communities. Live websites were notably found in French and Spanish:
    PressTV’s network may go beyond English-speaking communities. Live websites were notably found in French and Spanish - 1
    PressTV’s network may go beyond English-speaking communities. Live websites were notably found in French and Spanish - 2

Conclusions

As this investigation shows, the PressTV network was hit, probably critically, by the seizure of some of its domains by the U.S. Department of Justice (DOJ). Even so, the network remains active. Also, the PressTV network does not limit its operations to English-speaking countries.

Connections between presstv[.]com and other websites above could be established using the capabilities of Maltego and historical WHOIS data from WhoisXML API.

Feel free to reach out to me at [email protected] to discuss this or other investigations you may wish to carry out using WhoisXML API datasets.

Read other articles
Try our WhoisXML API for free
Get started