Success stories

The Daily Scam Features WhoisXML API’s Domain Abuse Research

The Daily Scam is an online publication that exposes Internet-based scams. The website was developed by Doug Fodeman (Editor-in-Chief) and David Deutsch (Creative Director).

The Daily Scam and its founders acknowledge that online threats increase every year. With that, their goal is to educate people about these threats and how to avoid them. The publication has tackled several issues, including email scams, online and phone fraud, and two-letter country-code scams.

In a recent interview with WhoisXML API’s Head of Marketing and DNS Researcher Alexandre Francois and Senior Project and Contact Marketing Manager Anna Danilova, The Daily Scam helped bring to light the impact of domain abuse on different types of threats.

“It doesn’t matter whether you are targeted by a malicious text, email, fake ad, or social media post. A vast majority of these threats rely on using a domain name as part of the fraud. And that is especially true if the threat is a malware trap. A website is usually set up where the malware lies in wait and you are sent a trigger. That website is first set up with a domain name,” read part of The Daily Scam’s newsletter featuring the interview.

ScamAdviser

Domain Registration Data Aids in Understanding the State of Online Scams

For over a decade now, ScamAdviser has been helping consumers make safe and informed online shopping decisions by allowing them to check a website’s trust scores, report scams, and learn about the different types of online scams.

As part of this initiative, ScamAdviser has been investigating how countries worldwide are fighting online scams through their annual “The Global State of Scams Report.” Their mission is aligned with WhoisXML API’s aim to realize a safer and more transparent Internet.

In line with this, we collaborated with ScamAdviser in The Global State of Scams Report for 2022 by providing domain registration data that allowed them to see online scams through the DNS lens. WhoisXML API CEO Jonathan Zhang also participated in an interview published in the same report.

WHOIS Data Aids Lighthouse Reports Shed Light on Years-Long Surveillance Operations

Lighthouse Reports is a nonprofit investigative news organization that undertakes extensive investigations to create an impact and facilitate real-world changes. They employ modern investigative tools and methods, including open source intelligence (OSINT), algorithmic auditing, social media listening, and data mining.

Media partners, such as The Guardian, Le Monde, Der Spiegel, SRF, and Republik, publish Lighthouse Reports investigations in several European Union (EU) countries.

WhoisXML API's data was a part of a massive investigation by Lighthouse Reports entitled “Revealing Europe’s NSO.” This investigative project brought to light the proliferation of cyber surveillance technology in Europe.

WHOIS Data Provides Context to Academic Research on ML-Powered Domain Blocking

WhoisXML API is constantly on the lookout for research collaborations with experts from various fields. Among those who heeded our call for partnership is Mohammad Ismail Daud, a student at the University of California, Davis (UC Davis), who has been working on a thesis on developing a federated learning system that can classify dangerous domains.

Patterns characteristic of malicious domains were analyzed with the help of critical Internet data provided by WhoisXML API. The data allowed the researcher to feed his project while developing his machine learning (ML) algorithm.

APTLD

APTLD Hosts WhoisXML API for an Exclusive Cybersecurity Webinar

In line with WhoisXML API’s goal to help make the Internet a safer and more secure environment, we launched the Data Exchange Program for Internet Abuse Prevention. As part of this program, we partner with Internet registries and registrars in various ways, notably to facilitate and expedite critical cyber threat data collection and distribution.

To prevent abuse on the Internet and attain our ultimate goal, we raise awareness about cybercrime trends, threat detection techniques, and threat hunting best practices.

Thus, it was not by coincidence that APTLD invited the WhoisXML API team to share their expertise on cybersecurity with the APTLD community at an exclusive cybersecurity webinar held on 9 June 2021.

OWASP Amass

OWASP Amass and WhoisXML API Are Now Integration Partners

Access to relevant data is extremely valuable in today’s information-driven environment. That is especially true in the realm of attack surface mapping. By getting a sense of attack surfaces through asset discovery processes for vulnerability management, organizations can assess their security posture and better protect themselves against external attacks.

Attack surface mapping may seem like a lot of work, but cybersecurity experts don’t have to go at it alone. Many members of the cybersecurity community are linked through the Open Web Application Security Project® (OWASP) Foundation, a nonprofit organization that aims to improve software security. The OWASP Amass Project, meanwhile, embodies the community’s synergistic and collaborative effort.

Saarland University

A Roadmap for More Effective Web Vulnerability Notification

Building on their initial research on large-scale web vulnerability notification, B. Stock et al. [1], researchers at CISPA, Saarland University, sought to lay the groundwork for a more effective web vulnerability notification system.

Leading Threat Intelligence Exchange Platforms Integrate WhoisXML API’s WHOIS, IP, and DNS Data

Threat intelligence exchange platforms help organizations make sense of the threats they could be exposed to in support of detection and mitigation efforts and incident response processes. Yet to provide enterprise users with comprehensive and holistic information about risky Internet properties, security platform vendors glean data from a wide variety of sources.

Therein lie major challenges. Collecting WHOIS, IP, DNS, and subdomain data in meaningful ways requires dealing with millions of DNS and domain queries weekly, and establishing contractual relationships with hundreds, if not thousands, of domain registrars, Internet registries, and ISPs. On top of this time-consuming process come formatting and compatibility issues, as different Internet entities typically use different data formats. That translates to billions of rows of data that require extraction and parsing into a uniform format.

In light of these challenges, various threat intelligence exchange platforms have integrated WhoisXML API’s ready-to-use and well-parsed data gathered for more than 12 years—consisting of 10.1 billion WHOIS records, 2.3 billion subdomains, and 13.1 million IP netblocks in total.

Cyber Hunter Academy

Cyber Hunter Academy Explains How They Use WhoisXML API Tools to Teach OSINT

Following our roadmap of collaborations with prestigious partners, today we want to talk about WhoisXML API. Many will know this name, but for those of you who don't, I would like to tell you who they are. The WhoisXML API team has been collecting, analyzing and correlating domain, IP, and DNS data for years. We're talking billions of pieces of information, which provides an unmatched scope for our research.

WhoisXML API's goal is aligned with Cyber Hunter Academy's "Make the Internet a safer place". We focus on teaching and high-level training to achieve that goal. They provide ready-to-use data as a source of intelligence. As you will see, our collaboration is obvious...

Maltego

WhoisXML API Transforms Now Available on Maltego

Among the first obstacles in the way of cybercrime investigations is evidence gathering. Questions like “Where can we find the correct data for investigation?” and “Is the data we gathered enough to identify a cybercriminal?” often bug investigators and forensic teams. Without accurate and sufficient evidence, diagnoses would mostly remain assumptions and theories.

Maltego addresses this issue by employing various threat intelligence sources, which now include WhoisXML API, one of the largest domain and IP intelligence providers. With WhoisXML API transforms, Maltego enables investigators and researchers to include current and historical WHOIS and Domain Name System (DNS) records of IP addresses and domains in their investigations.

With WhoisXML API transforms in Maltego, investigators can now visually map out ownership timelines and network infrastructure, uncover hidden domain associations, and gain more insight to enhance their investigations.

ProPrivacy

ProPrivacy Open Data Project: Mapping Malicious Coronavirus Domains Using WHOIS Data

The COVID-19 pandemic has driven many people to do almost everything within the confines of their homes. Nearly exclusive reliance on digital means to work, study, shop, and communicate amid uncertainty opened many avenues for cybercrime to take place—notably through the use of coronavirus-related domain names.

To demonstrate this trend, ProPrivacy has partnered with WhoisXML API and VirusTotal to investigate the extent to which cybercriminals are weaponizing the Domain Name System (DNS) in an open data project called “COVID-19 Malicious Domain Research Hub.”

NormShield

NormShield Success Story: Leveling Up Third-Party Risk Assessment with Domain & IP Intelligence

WhoisXML API is proud to announce its partnership with cybersecurity solution provider NormShield. NormShield enables enterprises to evaluate their external cyber risk posture by letting them conduct non-intrusive third-party risk assessments. NormShield’s growing client base operates in various industries, among which are financial services, healthcare, manufacturing, retail, and tech in general.

The results of third-party risk assessments powered by NormShield come in the form of intuitive scorecards that immediately tell enterprise users what their most salient cyber risks are. The scorecards also contain recommendations on how to deal with each risk based on its priority level.

NormShield relies on comprehensive and accurate domain, subdomain, and IP address data to conduct thorough risk evaluation of its clients’ suppliers, subsidiaries, and other stakeholders. The company has partnered with us to integrate the IP Neblocks WHOIS Database Feed and Whois Database Feed into its processes — now monitoring more than 1.2 billion domains, 15.6B+ WHOIS records across 7,298 top-level domains (TLDs), and 9.1 million IP netblocks.

Here is more about the challenges our products have helped to deal with and the exciting details of this fruitful collaboration.

Université Grenoble Alpes

Cybercrime After the Sunrise: are the new gTLDs nests of abuse?

ICANN's new gTLD program, initiated in 2007 and started in 2013, resulted in the appearance of more than a thousand generic top-level domains, confirming the significant business demand for these. Some are related to regions or locations (like .amsterdam), some to communities (e.g. .pharmacy) or brands, and many of them are just words having a marketing value. But apart from the opportunities for customers, unfortunately they also pave new ways for cybercriminals for abusing the domain name system. Even though ICANN has built safeguards into the process to mitigate this risk, it has become a widely accepted surmise that new gTLDs are frequently the base camps of spamming, phishing, botnets and other forms of abuse. Is it really the case?

IBM

DNS Forensics Using the Big Data Extension of IBM’s QRadar Security Intelligence Platform

The basis of IBM’s key security solutions is the QRadar Security Intelligence Platform, a security information and event management system (SIEM). It is a unified platform covering many security-related tasks and incorporating a broad spectrum of solutions including the use of X-Force Threat Intelligence, IBM’s cloud-based threat intelligence platform.

The big data extension of QRadar can be used to do DNS forensics in order to identify risky domains, risky users, and risky IP addresses, and feed this information back to QRadar in order to define new protection rules...

MITRE Corporation

WhoDat Project: an Interactive Pivotable Tool for Working with WHOIS Data

As the analysis and research of WHOIS data is crucial in cybersecurity, the MITRE cooperation develops a front-end for the services provided by WhoisXML API in support of researchers' and analysts' work...

Simon Fraser University

Dark Crawler, a Useful Tool to Assess Child Exploitation from Online Communities

Child sexual offenders have always been quick to adapt technological advances, such as photography and film for the purposes of exploiting children. The move of child exploitation material (CEM) to the Internet has enabled them to form online communities which allow easier access to CEM, recruiting co offenders and business partners, as well as validating their deviant behavior amongst other offenders.

Despite the established harm inherent within child exploitation imagery and distribution online, current attempts to limit such content have been largely unsuccessful.

Dark Crawler is a tool used by search-engines to automatically navigate the Internet and collect information about each website and webpage which can be used to seek out specific content, such as child exploitation material...

University of Michigan

The WPAD Name Collision Vulnerability in the New gTLD Era: a Threat Crying for Urgent Solution

Sometimes certain comfortable and seemingly innocent protocols can introduce significant security risks, especially when the system's environment changes.

The WPAD (Web Proxy Autodiscovery) protocol is prevalently used to configure the web proxy settings of end systems such as desktops and other devices belonging to an administrative domain, e.g. a corporate network. The benefit of this solution is that system administrators can deploy local web proxy settings essentially without any user interaction. Due to a very progressive change in the domain registration policies, the otherwise very useful WPAD protocol has introduced the possibility of a new and very dangerous man-in-the-middle attack...

University of Maryland, Northeastern University, Duke University, Akamai Technologies

Is a HTTPS Webpage as Secure as Expected?

Encrypted communication on the Internet is most commonly realized by Secure Sockets Layer (SSL) and Transport Layer Security (TLS). Webpages communicating sensitive content, including Internet banking, webshops, etc. use the HTTPS protocol which is based on this. E-mail servers, when communicating with clients in a secure manner, use the relevant e-mail transfer protocols such as SMTP, IMAP or POP3 over SSL/TLS.

In current practice web pages are often hosted at least in part by third-party hosting providers or content-delivery networks. Thus the hardware systems we communicate with belong to these third parties, which may host many other pages of completely different entities. And, in order to establish desired secure communications, these parties have to get hold of private keys of these entities. Currently, many providers overtake even the management of keys from their clients which gives rise to profound and possibly severe security implications...

Institute for High Performance Computing and Networking (ICAR-CNR); DIMES, University of Calabria

Malicious URL Detection via Machine Learning

Protection against malicious websites is an important task in cybersecurity. A common way of identifying such sites is the use of blacklists which contain a large set of URLs considered dangerous. There are various techniques for compiling such lists, and there is obviously a need for methods to verify if a suspicious site is really dangerous...

Delft University of Technology

WHOIS Data for Vulnerability Notifications

One of the cornerstones of cybersecurity is threat intelligence sharing. Maintenance of our IT systems' security and their protection against malicious activity require up-to-date knowledge of the entire field. There are significant efforts to assist experts in this activity, including those of market leaders such as IBM X-Force Exchange.

Due to the decentralized architecture of the Internet, however, the collaboration of the actors as well as voluntary campaigns in order to detect vulnerabilities are also of utmost importance. If, however, the owners of the affected systems cannot be notified, these efforts can hardly achieve their positive goal. And in this notification process, WHOIS data have their use...

Christine Bejerasco

Senior Analyst at F-Secure Labs

We found certain nameservers that were always used for a phishing campaign, having those in our rules enabled us to catch phishing sites before they affected our user base. WhoisXML API is a responsive and reliable provider of domain intelligence. Whenever there are issues, they are quick to respond and resolve them. Working with them is smooth and straightforward.

Rich Sutton

VP of Engineering at Proofpoint

The Proofpoint Digital Risk team uses Whois data as an input to heuristic detection of suspicious and/or malicious domains. At Proofpoint, we're in the business of protecting our customers from threats across web, mobile, email and social. WhoisXML API’s domain intelligence allows us to quickly integrate Whois lookups into our security heuristics and algorithms without having to worry about hosting services, staging and merging data, and the complicated task of normalization.

Antonio Piccolo

PhD Student University of Calabria

Getting whois information for 20.000 urls could be painful. Whoisxmlapi is a fast, flexible and reliable service that saved me a lot of time during my research work. Its API documentation and examples are well written and provide clear information, you are ready to run the queries in your favorite programming language in less than a couple of minutes.