University College London (UCL) and WhoisXML API: Understanding Smishing Infrastructures

About
University College London (UCL), a world-leading university based in London, is at the forefront of academic research into emerging cyber threats. In a recent project, Sharad Agarwal, a PhD student from the Department of Computer Science, Faculty of Engineering, led an investigation into SMS phishing (smishing). This research aimed to understand the infrastructure criminals exploit to conduct smishing campaigns.
Highlights
- Studying smishing infrastructures requires automated access to the WHOIS data of thousands of malicious domains, which traditional command-line WHOIS lookups and Python packages don’t allow.
- The PhD student utilized WHOIS API to easily collect the registrar details of malicious domains.
- The researcher was able to identify a trend in smishing, specifically in terms of the most abused registrar.
The Need for Automated Access to WHOIS Data
To identify the infrastructure criminals abuse in smishing campaigns, Agarwal collected malicious URLs from various sources. He then needed to extract the registrar names from the WHOIS details of these URLs since registrars are key stakeholders—cybercriminals abuse them to register domain names.
However, traditional command-line WHOIS lookups, and the various Python packages that wrap them, are not built for automated, high-volume querying, and looking up thousands of domains by hand is impractical.
Intuitive and Scalable WHOIS API
For this project, the researcher needed a solution that would allow him to identify the abused registrars for several smishing domains to study the complete infrastructures used to conduct malicious campaigns.
Agarwal chose WHOIS API to retrieve the malicious URLs’ domain registration details and collect registrar information. He found the tool easy to use. It provided the automated access he needed to run WHOIS queries at scale. This allowed him to obtain the registrar details of all the malicious domains in his dataset.
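The pipeline the page describes (collect smishing URLs, reduce each to its domain, look up the WHOIS record, and tally the registrar names to see which registrars are most abused) can be sketched in a few dozen lines. The following is an added illustration, not code from UCL's study or from WhoisXML API; the endpoint URL, the `apiKey`/`domainName`/`outputFormat` parameters and the `WhoisRecord.registrarName` field are assumptions about the WHOIS API to be checked against its current documentation, and the URLs and JSON responses are constructed sample data so the script runs offline.

```python
"""Smishing URLs -> registrable domains -> WHOIS lookups -> registrar tallies.

Added example; the API endpoint, parameter names and response layout are
assumptions about WhoisXML API's WHOIS API, and all sample data is constructed.
"""
import json
import urllib.parse
import urllib.request
from collections import Counter
from typing import Callable, Iterable, Optional

# ASSUMED endpoint; confirm against the WHOIS API documentation before use.
WHOIS_ENDPOINT = "https://www.whoisxmlapi.com/whoisserver/WhoisService"


def registrable_domain(url: str) -> str:
    """Reduce a URL (or a bare host as often pasted in an SMS) to its host name."""
    if "://" not in url:
        url = "http://" + url  # let urlsplit() treat the text as a netloc, not a path
    host = urllib.parse.urlsplit(url).hostname or ""
    return host.lower().strip(".")


def registrar_from_response(payload: str) -> Optional[str]:
    """Extract a normalised registrar name from a WHOIS API JSON response.

    Returns None for error responses, unparsable bodies or records with no
    registrarName, so the caller can count lookups that yielded nothing.
    """
    try:
        data = json.loads(payload)
    except json.JSONDecodeError:
        return None
    record = data.get("WhoisRecord") or {}  # ASSUMED response field name
    name = record.get("registrarName")      # ASSUMED response field name
    if not name:
        return None
    # Collapse case and whitespace so spelling variants tally under one key.
    return " ".join(name.split()).lower()


def fetch_whois(domain: str, api_key: str, timeout: float = 15.0) -> str:
    """One live lookup (network required; the offline demo never calls this)."""
    query = urllib.parse.urlencode(
        {"apiKey": api_key, "domainName": domain, "outputFormat": "JSON"}  # ASSUMED parameter names
    )
    with urllib.request.urlopen(f"{WHOIS_ENDPOINT}?{query}", timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def tally_registrars(urls: Iterable[str], lookup: Callable[[str], str]) -> Counter:
    """Count registrars across the distinct domains behind a set of URLs.

    Domains are deduplicated first so a campaign that reuses one domain in
    many messages is counted once per domain, not once per message.
    """
    counts: Counter = Counter()
    for domain in sorted({registrable_domain(u) for u in urls if u.strip()}):
        registrar = registrar_from_response(lookup(domain))
        counts[registrar or "<no record>"] += 1
    return counts


# Constructed sample input and canned responses (not real lookups).
SAMPLE_URLS = [
    "http://parcel-redelivery-fee.example/track?id=1",
    "parcel-redelivery-fee.example/track?id=2",
    "https://secure-bank-login.example/verify",
    "telecom-bill-refund.example",
    "https://gov-tax-rebate.example/claim",
]
SAMPLE_RESPONSES = {
    "parcel-redelivery-fee.example": '{"WhoisRecord": {"registrarName": "Registrar A, Inc."}}',
    "secure-bank-login.example": '{"WhoisRecord": {"registrarName": "registrar   B LLC"}}',
    "telecom-bill-refund.example": '{"WhoisRecord": {"registrarName": "Registrar A, Inc."}}',
    "gov-tax-rebate.example": '{"ErrorMessage": {"msg": "constructed error response"}}',
}


def demo() -> Counter:
    """Run the pipeline over the constructed data using canned responses."""
    return tally_registrars(SAMPLE_URLS, lambda d: SAMPLE_RESPONSES.get(d, "{}"))


if __name__ == "__main__":
    for registrar, n in demo().most_common():
        print(f"{n:4d}  {registrar}")
```

For a live run, replace the lambda with `lambda d: fetch_whois(d, API_KEY)` and add rate limiting appropriate to your plan; the `<no record>` bucket is worth keeping, since domains with privacy-redacted or missing records are themselves a signal about where a campaign's infrastructure sits.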
“WHOIS API is easy to use and provides the required results, which helped us understand the infrastructure criminals abuse to host malicious domains and conduct smishing. The implementation using the API documentation is straightforward.”
Determining the Most Abused Registrars in Smishing
Using WHOIS API, the researcher was able to identify the registrars criminals commonly abused to register smishing domains. His key findings include:
- Abuse levels varied across registrars, with some being far more frequently targeted than others.
- Different smishing categories showed distinct abuse patterns—delivery and telecom impersonation scams tended to concentrate around certain providers, while banking and government impersonation scams were linked to others.