Provide current and historical ownership information on domains / IPs. Identify all connections between domains, registrants, registrars, and DNS servers.
Get detailed context on an IP address, including its user’s geolocation, time zone, connected domains, connection type, IP range, ASN, and other network ownership details.
Get access to a web-based enterprise-grade solution to search and monitor domain registrations and ownership details for branded terms, fuzzy matches, registrants of interest, and more.
Access our latest research and insights on WHOIS, IP, and DNS data for cybersecurity, data
science, and other business purposes through our webinars, podcasts, white papers, threat
reports, and videos from the Academy.
The Internet relies on autonomous systems (ASs) and internet service providers (ISPs) to enable global connectivity. Understanding how Internet traffic is routed through these entities is crucial for improving routing performance and avoiding networking bottlenecks.
Moreover, insights into AS and ISP distribution offer valuable information that organizations can leverage for strategic business and market analysis. With this perspective in mind, the WhoisXML API research team analyzed 4.4 million IP ranges, uncovering findings such as:
While businesses gained an advantage by using domains with native-language characters to enter local markets, the utilization of Punycode also gave threat actors more leeway to create look-alike domains.
The WhoisXML API research team analyzed the TLD distribution, IP resolution, and WHOIS registration data of 63,105 unique FQDNs containing native-language characters. We also zoomed in on the FQDN dynamics and took a closer look at some homograph clusters, among other checks.
Our analysis yielded these interesting findings, among others:
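As an added example (not code from the WhoisXML API study), the following Python decodes Punycode FQDNs and applies the two checks the homograph analysis above implies: a label that mixes scripts, and a visual "skeleton" that collides with a monitored brand. The confusables table is a small constructed subset of the Unicode UTS #39 data, and the sample names are constructed; a legitimate German IDN is included to show that native-language characters alone are not a signal.

```python
# Added example (not from the WhoisXML API study): decode Punycode FQDNs and flag
# labels that are confusable with a monitored brand. Only the Python standard
# library is used; the confusables table below is a small constructed subset of
# Unicode UTS #39 data, not the full list.
import unicodedata

CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
    "\u03b1": "a",  # GREEK SMALL LETTER ALPHA
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u0131": "i",  # LATIN SMALL LETTER DOTLESS I
}


def to_unicode(fqdn: str) -> str:
    """Decode xn-- labels to Unicode; plain ASCII and already-Unicode names pass through."""
    if not fqdn.isascii():
        return fqdn
    return fqdn.encode("ascii").decode("idna")


def to_punycode(fqdn: str) -> str:
    """Encode a Unicode FQDN to its xn-- (A-label) form."""
    return fqdn.encode("idna").decode("ascii")


def scripts_in(label: str) -> set:
    """Approximate the scripts in a label from Unicode character names ('LATIN', 'CYRILLIC', ...)."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}


def skeleton(fqdn: str) -> str:
    """Map a name to its visual skeleton: NFKC-normalise, lowercase, replace confusables."""
    decoded = unicodedata.normalize("NFKC", to_unicode(fqdn)).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in decoded)


def analyse(fqdn: str, brands) -> tuple:
    """Return (decoded_name, reasons). An empty reasons list means no homograph signal."""
    decoded = to_unicode(fqdn)
    reasons = []
    for label in decoded.split("."):
        if len(scripts_in(label)) > 1:
            reasons.append(f"mixed-script label: {label}")
    sk = skeleton(fqdn)
    for brand in brands:
        if sk == brand.lower() and decoded.lower() != brand.lower():
            reasons.append(f"confusable with {brand}")
    return decoded, reasons


if __name__ == "__main__":
    # Constructed sample: a Cyrillic-a look-alike of a brand and a legitimate German IDN.
    for name in (to_punycode("\u0430pple.com"), to_punycode("m\u00fcnchen.de")):
        print(name, analyse(name, ["apple.com"]))
```

Run against a feed of newly registered xn-- domains, the skeleton comparison is what separates look-alikes from the many legitimate IDNs the study counted; in production, replace the hand-written table with the full UTS #39 confusables data and compare skeletons of the registrable name rather than the whole FQDN.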
Europe is home to many international organizations, including Europol, INTERPOL, and NATO. That makes it a prime APT group target.
The WhoisXML API research team used current and historical WHOIS and passive DNS data to analyze the latest attacks launched by six APT groups known for training their sights on Europe. We uncovered:
At least 41 advanced persistent threat (APT) groups have reportedly targeted North American countries over the past two decades. And their targets have ranged from individuals (e.g., field experts and think tanks) to entire sectors (e.g., industrial and government).
The WhoisXML API research team analyzed the inner workings of seven of these APT groups (APT33, APT41, FIN7, Kimsuky, Molerats, Turla, and ZIRCONIUM) by expanding 59 indicators of compromise (IoCs) associated with their latest attacks.
Our study of the seven APT groups known for targeting North America led to the discovery of:
WhoisXML API researchers leveraged historical WHOIS intelligence to expand lists of indicators of compromise (IoCs) connected to six APT groups, namely, APT29, APT32, Earth Lusca, Higaisa, Sandworm Team, and Turla.
The report examined the publicly exposed email WHOIS footprints of domain IoCs reported to belong to APT groups. From 44 IoCs studied, we found:
As DNS abuse and cybercrime remain two sides of the same coin, WhoisXML API researchers decided to build on Spamhaus’s list of TLDs with the worst reputation for spamming.
Using our WHOIS and DNS intelligence, we retrieved and analyzed thousands of domains under these TLDs that were added in Q4 2022. Our key findings revealed that:
Counterfeiting is an age-old problem that has reached unprecedented proportions following the global shift to online shopping. Let’s investigate this cybercrime, particularly operations targeting specific luxury brands, using WHOIS, DNS, and IP intelligence gleaned through Maltego and WhoisXML API transforms.
The domain registration landscape can be affected by many things, but WhoisXML API detected and studied six general themes and trends in particular.
As part of mapping the domain registration landscape, we dived into some of the most significant events, trends, and threats that occurred in Q2 2022. Among the registration drivers identified are holidays, seasons, news, global events, technological developments, and industry-specific trends.
Business impersonation cost organizations US$2 billion in the past year alone, making it one of the most lucrative types of cybercrime. The most common medium for carrying out this threat comprises domains and subdomains, mainly in the form of cybersquatting.
To map the business impersonation landscape, WhoisXML API researchers searched the DNS for the digital footprints of Fortune 500 companies and the world’s top CEOs. Among our findings are:
Being at the forefront of global Domain Name System (DNS) data, we identified threat hunting tactics that can help uncover clues and track the footprints of malicious actors and resources even if they redact their WHOIS information.
WhoisXML API, as part of its effort to make the Internet a safer place through transparency and the sharing of data relevant to the battle against cybercrime, was invited to attend the 13th Operation In Our Sites (IOS) conference held in Alicante, Spain, on 6–7 April 2022.
As cryptocurrencies gain ubiquity, so do the scams taking advantage of them. DNS intelligence analyses can help individuals and organizations alike avoid the costly repercussions of becoming a crypto scam victim.
The U.S. Department of Justice took down several Iran-owned websites believed to be involved in a misinformation campaign in June 2021.
To uncover possibly connected artifacts and make the Internet safer and more transparent, we at WhoisXML API dove deep into the threat, focusing on three of the seized sites (presstv[.]com, lualuatv[.]com, and almasirah[.]net) with the help of our comprehensive DNS intelligence sources.
Domain brand squatters refer to individuals or entities who register domain names resembling those of legitimate
companies. These domains are commonly known as “look-alike domains” or “typosquatting domains.”
Brand squatters may have several tricks up their sleeves, including the sale of counterfeit products and the
execution of phishing and malware campaigns. In this research, we are primarily interested in brand squatting
activities that could lead or may have already led to phishing campaigns.
We collected more than 13,000 typosquatting domains registered within two days and categorized them into roughly
2,400 groups. These domains satisfy two requirements that hint at bulk registration—they closely resemble one
another and were registered on the same day. Then, for a period of 14 days starting the day after their registration date, we checked daily whether the domains had been detected by major malware engines.
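One way to reproduce the grouping step described above, as an added example rather than the study’s own tooling: bucket domains by registration day and join those whose registrable labels are within a small edit distance. The records are constructed, and the single-label-suffix assumption in registrable_label is noted in the code.

```python
# Added example (not from the WhoisXML API study): group newly registered
# look-alike domains by registration day and edit distance, the two
# bulk-registration signals the study used. Sample records are constructed.
from collections import defaultdict
from itertools import combinations


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(fqdn: str) -> str:
    """Name without its TLD, so paypa1-login.com and paypa1-login.net compare equal.
    Assumes a single-label public suffix; use the Public Suffix List for co.uk-style TLDs."""
    return fqdn.lower().rsplit(".", 1)[0]


def _find(parent: dict, x: str) -> str:
    while parent[x] != x:
        parent[x] = parent[parent[x]]   # path compression
        x = parent[x]
    return x


def bulk_groups(records, max_distance: int = 2):
    """records: iterable of (domain, registration_date). Domains registered on the same
    day whose labels are within max_distance edits are joined (union-find) into one group.
    Returns [(day, sorted_members)], largest groups first."""
    by_day = defaultdict(list)
    for domain, day in records:
        by_day[day].append(domain.lower())
    groups = []
    for day, domains in by_day.items():
        parent = {d: d for d in domains}
        for a, b in combinations(domains, 2):
            if levenshtein(registrable_label(a), registrable_label(b)) <= max_distance:
                parent[_find(parent, a)] = _find(parent, b)
        members = defaultdict(list)
        for d in domains:
            members[_find(parent, d)].append(d)
        groups.extend((day, sorted(m)) for m in members.values())
    return sorted(groups, key=lambda g: (-len(g[1]), g[0], g[1]))


def bulk_candidates(records, max_distance: int = 2):
    """Only the groups that actually show the bulk-registration pattern (two or more members)."""
    return [g for g in bulk_groups(records, max_distance) if len(g[1]) >= 2]


# Constructed sample of newly registered domains (not real registrations).
SAMPLE = [
    ("paypa1-secure-login.com", "2021-03-02"),
    ("paypa1-secure-logon.com", "2021-03-02"),
    ("paypal-secure-login.net", "2021-03-02"),
    ("paypa1-secure-login.org", "2021-03-03"),   # same look, different day: separate group
    ("micros0ft-support.com",   "2021-03-02"),
    ("micr0soft-support.com",   "2021-03-02"),
    ("weather-news-daily.com",  "2021-03-02"),
]

if __name__ == "__main__":
    for day, members in bulk_candidates(SAMPLE):
        print(day, members)
```

Pairwise comparison is fine for one day’s candidates but quadratic; at the study’s scale (13,000 domains in two days), pre-bucket by label length or shared n-grams before computing distances, and feed the resulting groups, not individual domains, to the daily malware-engine checks.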
We recently took a look at the U.S. Secret Service’s Most Wanted Cybercriminals list, which we closely monitor and track for new developments, and applied basic OSINT techniques to collect and present personally identifiable information and technical details on one of the individuals listed. We succeeded in doing so by uncovering and documenting one of their Web properties, which is essentially a managed Android malware enterprise.
CoolWebSearch is spyware that has plagued Microsoft Windows users for more than 10 years. Owing to the program’s age, more than 50 variants have been discovered so far, further widening CoolWebSearch’s reach.
Our DNS security research team uncovered several CoolWebSearch indicators of compromise (IoCs) and artifacts, comprising about 200 registrant email addresses and 2,134 domain names...
We used Maltego in combination with WhoisXML API’s integration to provide actionable, real-time intelligence on a currently active domain portfolio known to be operated by high-profile cybercriminals. We drew on our own high-profile cybercriminal data set so as to give fellow researchers, vendors, and organizations the actionable intelligence they need to stay on top of these campaigns and to perform proper cyber-attack attribution when tracking down and responding to them, and to assist U.S. law enforcement and the U.S. Intelligence Community in tracking down and prosecuting the cybercriminals behind them.
We took a look at the recently discovered Pareto Botnet using Maltego in combination with WhoisXML API’s integration to provide additional actionable intelligence on the campaign, which could be useful to researchers and vendors tracking down and responding to it.
In this article, we elaborate on the Pareto Botnet and offer practical, actionable intelligence on its actual C&C (command-and-control) infrastructure, which includes the use of Amazon’s AWS for C&C purposes.
We took a closer look at the Internet-connected infrastructure of the Liberty Front Press Network in connection with a recent takedown and domain seizure, part of an ongoing law enforcement operation against online propaganda, in order to offer practical, relevant, and actionable intelligence on that infrastructure and on the individuals behind it.
In this analysis, we look inside the Internet-connected infrastructure behind the Liberty Front Press Network and offer practical information and actionable intelligence on both the infrastructure and the individuals behind it.
We took a closer look at the Internet-connected infrastructure used by individuals on the most recently released U.S. sanctions list, offering additional insights into that infrastructure and actionable intelligence on their whereabouts.
In this analysis, we examine the Internet-connected infrastructure of individuals on the U.S. sanctions list and discuss it in depth.
We took a closer look at the interference in the 2016 U.S. election carried out through several Russian spear-phishing and malicious campaigns, with the aim of providing actionable threat intelligence, including possible attribution clues for some of the known participants in these campaigns. We hope this helps fellow researchers and law enforcement professionals track down and prosecute the cybercriminals behind them.
In this analysis, we examine the Internet-connected infrastructure behind the malicious activity surrounding the 2016 U.S. election and offer practical, relevant, and actionable threat intelligence on the operators’ whereabouts.
Note: A special thanks to Ed Gibbs, WhoisXML API's Advanced Threat Researcher & Technical Account Manager, for
his help compiling the domain and subdomain files used in this post.
Cryptocurrencies have come a long way since their inception. Perhaps the most significant evidence that they have become embedded in our digital society is that, as of February 2021, more than 4,000 cryptocurrencies were in existence. A decade ago, most people didn’t even know what Bitcoin was.
Cryptocurrency investing has changed the lives of certain people, too, from the Winklevoss twins, who became billionaires through their early Bitcoin holdings, to the more recent rags-to-riches story of a Dogecoin millionaire who initially invested his life savings.
We took a peek at the prolific “Jabber ZeuS” gang using exclusively public and proprietary sources, with Maltego in combination with WhoisXML API’s integration, to offer additional insights into the cybercriminals’ online infrastructure. As a result, we came up with some interesting findings, exposing additional domains registered by the original “Jabber ZeuS” gang that could greatly assist researchers and vendors in tracking down the cybercriminals behind these campaigns.
We recently set out to map and research domain registrations made by well-known, established cybercriminals. We took several hundred email addresses known to belong to them and cross-checked these for related domain registrations using Maltego and WhoisXML API’s extensive real-time and historical WHOIS records database.
In this article, we discuss the findings of that study and provide actionable intelligence on the online infrastructure of the newly discovered domains registered and managed by known cybercriminals.
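The cross-check described above is a reverse-WHOIS pivot: from a registrant email to its domains, then to other addresses that historically registered those domains, and so on. The following Python is an added example, not the article’s own tooling; the WHOIS records and addresses are constructed. It also shows the failure mode a practitioner hits first: a privacy-proxy or registrar placeholder address links unrelated domains, so such addresses have to be treated as stop words.

```python
# Added example (not from the WhoisXML API study): expand a seed list of registrant
# email addresses into related domains using historical WHOIS records. Records and
# addresses below are constructed; none refer to real registrants.
from collections import defaultdict, deque

# (domain, registrant email, first seen). The same domain can appear several times
# because historical WHOIS keeps every version of the record.
RECORDS = [
    ("mule-jobs-online.test",    "recruiter@freemail.test",     "2019-05-01"),
    ("fast-cash-career.test",    "recruiter@freemail.test",     "2019-06-12"),
    ("fast-cash-career.test",    "ops@freemail.test",           "2020-02-11"),  # later record, second address
    ("shipping-agent-work.test", "ops@freemail.test",           "2020-03-03"),
    ("shipping-agent-work.test", "redacted@privacy-proxy.test", "2021-01-01"),  # later redacted
    ("home-bakery-blog.test",    "redacted@privacy-proxy.test", "2020-09-09"),
    ("city-chess-club.test",     "redacted@privacy-proxy.test", "2021-04-04"),
]

# Addresses shared by thousands of unrelated registrants (privacy proxies, registrar
# placeholders). Pivoting through them links everything to everything.
STOP_EMAILS = {"redacted@privacy-proxy.test"}


def pivot(records, seed_emails, max_depth=2, stop_emails=STOP_EMAILS):
    """Breadth-first expansion: email -> domains -> other historical emails -> ...
    Returns {domain: depth}; depth-1 domains were registered directly with a seed."""
    by_email, by_domain = defaultdict(set), defaultdict(set)
    for domain, email, _seen in records:
        by_email[email].add(domain)
        by_domain[domain].add(email)

    found = {}
    queued = set(seed_emails)
    queue = deque((email, 1) for email in seed_emails)
    while queue:
        email, depth = queue.popleft()
        if email in stop_emails:
            continue                      # never fan out through a shared address
        for domain in sorted(by_email[email]):
            if domain in found:
                continue
            found[domain] = depth
            if depth >= max_depth:
                continue
            for other in sorted(by_domain[domain] - queued):
                queued.add(other)
                queue.append((other, depth + 1))
    return found


if __name__ == "__main__":
    for domain, depth in sorted(pivot(RECORDS, {"recruiter@freemail.test"}).items()):
        print(depth, domain)
```

With the stop list in place the seed address yields three domains; with it removed and a depth of three, the redacted address drags in two unrelated sites. The same guard applies to any shared pivot key (a registrar’s default name servers, a CDN IP), and depth should stay small because confidence drops with every hop.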
We recently took an in-depth look inside the modern money mule recruitment ecosystem using WhoisXML API’s real-time and historical WHOIS records database, one of the security industry’s leading sources of real-time and historical OSINT records and a recommended tool for OSINT researchers, cybercrime researchers, and threat intelligence analysts doing enrichment and analysis.
For this white paper, we sampled several hundred money mule recruitment email addresses to find out which domains have historically belonged to them, looking for additional fraudulent and malicious activity with the help of WhoisXML API’s historical WHOIS records.
In this research, we offer actionable intelligence on some of the personal domains registered with well-known money mule recruitment email accounts, obtained using Maltego and WhoisXML API’s integration, to shed light on the operators’ online infrastructure.
We recently came across third-party research describing an interesting and important Iran-based foreign influence and disinformation campaign, so we took a deeper look using Maltego and WhoisXML API to offer additional insights into the campaign’s online infrastructure.
In this analysis, we use public campaign sources as sample data, offer an in-depth look inside the campaign’s online infrastructure using Maltego and WhoisXML API’s real-time and historical WHOIS database, and list additional IoCs (indicators of compromise) to help researchers and vendors stay on top of this campaign.
We took an in-depth look into the infamous hxxp://omerta.cc cybercrime-friendly forum community, which currently shares infrastructure with the original E-shop for stolen credit card information that we profiled in two earlier white papers and case studies. We continued monitoring and investigating that original E-shop, hxxp://thefreshstuffs.at, and came up with some interesting results, including an additional set of E-shops for stolen credit card information that actively share the infrastructure of the original E-shop profiled in our earlier research.
In this analysis, we provide actionable intelligence on the bulletproof hosting infrastructure behind the newly discovered E-shops for stolen credit card information, as well as actionable intelligence and personally identifiable information on the forum’s owners, to help researchers and vendors track and monitor this campaign for related malicious and fraudulent activity.
We recently became aware of a targeted spear-phishing campaign that drops client-side exploits on legitimate security researchers. The attackers approach researchers personally or through social media and try to entice them into verifying a supposedly newly discovered zero-day flaw; the “proof of concept,” once executed, drops malicious software on the researcher’s host. We researched the campaign further to offer practical, relevant, and actionable intelligence on its infrastructure and to help fellow researchers and the industry track and monitor it.
In this analysis, we take a closer look at the campaign, provide actionable intelligence on the infrastructure behind it, and discuss in depth the TTPs (tactics, techniques, and procedures) of the cybercriminals behind it.
The Emotet botnet continues to make daily headlines with its widespread spam and malware-serving campaigns, and with more researchers trying to profile and infiltrate it in order to shut it down or monitor it, we took a closer look at the modern Emotet botnet using Maltego and WhoisXML API’s integration. The purpose is to provide timely, relevant, and actionable threat intelligence on its network infrastructure, potentially offering clues regarding the whereabouts of its operators.
We examined the Emotet botnet C&C infrastructure using publicly obtainable information about it, with Maltego and WhoisXML API for OSINT enrichment, to offer actionable threat intelligence on the botnet’s current whereabouts.
In this research, we use a sample seed of known and confirmed malicious Emotet C&C IPs and offer a detailed look inside its network infrastructure, including an additional set of malicious MD5s we came across while profiling it, to help security researchers, clients, and customers stay on top of the Emotet botnet.
The Domain Name System (DNS) is one of the most crucial systems that make the Internet work. It is commonly
referred to as the Internet’s phonebook, though it may also be compared to a Global Positioning System (GPS)
that points domain names to the correct IP addresses.
The DNS is intricately involved in almost every Internet service: websites, chat services, email services, and social media sites. Consequently, it is a common target of cyber attackers. One of the most famous DNS attacks occurred in October 2016 (the Mirai-driven DDoS against the DNS provider Dyn), disrupting the services of several high-profile websites for about 18 hours; among the affected websites were PayPal, Twitter, Netflix, Amazon, and Spotify.
DNS attacks are menacing and can affect millions of people. They are also among the most prevalent forms of cyberattack: about 83% of service providers experienced a DNS attack in 2020.
With more cybercriminals coming online to cause havoc and widespread damage, it should not be surprising that both legitimate and purely malicious infrastructure is actively and vigorously abused to host malicious software, spam, and phishing emails. That includes infrastructure used as botnet and malware C&C (command-and-control) channels, which potentially undermines modern IP and domain reputation techniques and ongoing threat intelligence efforts: attackers often rely on legitimate hosting providers’ infrastructure for hosting both the malware itself and its C&C infrastructure.
We recently detected and profiled a currently active botnet C&C infrastructure that uses Hostinger’s legitimate infrastructure exclusively for its C&C communication channel, and decided to provide an in-depth analysis and report on the topic to further emphasize how attackers use legitimate infrastructure for botnet C&C, and to provide timely, relevant, and actionable threat intelligence on it.
The campaign relies on Hostinger’s legitimate infrastructure for botnet C&C communication. We identified the domains and IPs in question, including the MD5s currently in circulation, and share our findings in an in-depth report on the topic.
In this article, we discuss the use of Maltego in combination with WhoisXML API to map and expose a currently active bulletproof hosting provider. We use a variety of means and techniques to build a working case, potentially to take the provider offline, and to reveal currently active fraudulent and malicious websites hosted on its infrastructure. We also present an OSINT research and enrichment case study on one of the websites found there, a high-profile online E-shop offering access to stolen credit cards.
WHOIS data has usually been the starting point for security professionals, incident responders, and
forensic investigators when a suspected cyber attack takes place. WHOIS registrant, administrative,
and technical details are deemed reliable by investigators, as using fake registrant credentials
when purchasing a domain is a violation of the Internet Corporation for Assigned Names and Numbers
(ICANN) terms of service.
By requiring domain owners to provide their email address and other personal details and making them publicly accessible, ICANN has made them accountable for using their websites ethically and legally. While this policy has neither eradicated nor even prevented cybercrime completely, it does provide a valuable resource for forensic investigation and threat prevention. (Many of these fields have been redacted in public WHOIS since 2018, which is why historical WHOIS records and DNS-based pivots have become correspondingly more important.)
As such, these publicly available records have been used to trace sources of malware, detect and
investigate fraud, as well as tracking down cyber attackers.
A registrant’s email address, for instance, allows investigators to directly contact the owner of a
domain without having to go through other channels. Email addresses are also a handy resource for
domain disputes and complaints about copyright infringement, among other things. WHOIS data, in its
totality, is an abundant reservoir that aids organizations in strengthening their cybersecurity
posture.
Hospitals and other healthcare service providers have been among criminals’ favorite breach targets
in the past few years. One of what has been dubbed the biggest data breaches of the 21st century
involved a healthcare insurance giant — Anthem.
The Anthem breach reported in February 2015 was said to have exposed around 78.8 million customer
records. This incident put the personal data of the insurer’s clients at risk of theft. The question
is: could Anthem have prevented the breach? This downloadable white paper will take a look at the
case in greater detail and illustrate how Domain Research Suite can help.
It’s no secret that cybercriminal operations are not very different from legitimate businesses. Much like a CEO heads a global corporation, a mastermind may stand behind the most notorious and widespread cybercriminal gang.
In the early 2000s, the most prominent cybercriminal rings had a mafia-like structure, as they were led by so-called “dons.” Each don had a right-hand man known as a “consigliere,” who made sure the wheels of the operation kept turning.
Among the first cybercriminal gangs that gained notoriety for reaping millions of dollars from victims the world over while evading capture for years were CarderPlanet, Shadowcrew, and the RBS WorldPay gang. Times may have changed, and the rings’ structure, tools, tactics, and targets may no longer follow those of the old crews, but cybercriminal attacks continue. Though we still see reports on the misdeeds of individual threat actors today, cybercriminal rings wreak greater havoc because of the scale of their operations. A case in point: the Business Club.
This downloadable white paper takes a closer look at the Club in action and shows how domain intelligence feeds and APIs could help in similar situations.
They say that becoming a cybercrime victim is, in this day and age, a matter of “when” and not “if.”
But that doesn’t mean you should let fate determine your company’s future. Focus instead on
enhancing your business’s security posture by protecting your brand from all sorts of online
threats. A great means to safeguard your digital assets is through Brand Monitor — a specialized
online brand protection component of the WhoisXML API Domain Research Suite.
This white paper will tell you how Brand Monitor can help your company combat specific cyber threats
like domain name typosquatting, website spoofing, and phishing.
In this white paper, we give an overview of the Domain Name System, or DNS, one of the pillars of the
Internet. We start by understanding the goal: to assign names to named resources on the Internet and to
maintain their database. For this, it is important to understand the structure of domain names and DNS zones.
The roles of the actors in the system are domain maintainers, registries and Network Information
Centers. The structure of delegation of authority will also be clarified. We give an overview of the
structure of data available in the DNS, notably, the resource records (RRs) occurring in zone files. We also
review the technology side: the DNS protocol, its operations supporting queries of name resolution, zone
file transfers necessary to maintain the system and for reverse mapping. We briefly mention the most popular
implementations, notably, BIND, which may be the most prevalent DNS server software. This necessitates a
little insight into netblocks and Classless Inter-Domain Routing (CIDR). We address the internal security
issues of the DNS as well as the crucial role it plays in cybersecurity. Finally, we provide some references
for further reading.
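As an added example (not from the white paper), the following Python parses a small constructed zone file into the resource records the paper describes, handling $ORIGIN, $TTL, relative names, blank owners, comments and parenthesised continuations, and then derives the reverse-mapping PTR records for one CIDR netblock. It uses RFC 5737 documentation addresses, and it does not handle quoted TXT data or $INCLUDE.

```python
# Added example (not from the white paper): a minimal parser for the zone-file
# (master file) format, producing resource records, plus derivation of the
# reverse-mapping (PTR) records for one CIDR netblock. The zone is constructed
# and uses RFC 5737 documentation addresses.
import ipaddress
from collections import namedtuple

RR = namedtuple("RR", "name ttl cls type rdata")
# rdata fields that hold domain names and must be qualified against $ORIGIN
NAME_FIELDS = {"NS": (0,), "CNAME": (0,), "PTR": (0,), "MX": (1,), "SOA": (0, 1)}

ZONE = """\
$ORIGIN example.test.
$TTL 3600
@       IN SOA ns1 hostmaster (
            2024010101 ; serial
            7200 900 1209600 300 )
        IN NS    ns1
ns1     IN A     192.0.2.53
www     IN A     192.0.2.10
www     IN A     192.0.2.11
mail  900 IN A   198.51.100.25   ; explicit TTL, outside our netblock
ftp     IN CNAME www
"""


def qualify(name: str, origin: str) -> str:
    """'@' is the origin; names without a trailing dot are relative to it."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def logical_lines(text: str):
    """Strip ';' comments and join '(' ... ')' continuations into single lines."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and depth == 0:
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth == 0:
            yield " ".join(buf)
            buf = []


def parse_zone(text: str, origin: str = ".", default_ttl=None):
    """Return a list of RR for the zone text; a blank owner reuses the previous owner."""
    rrs, owner = [], None
    for line in logical_lines(text):
        if line.startswith("$ORIGIN"):
            origin = qualify(line.split()[1], origin)
            continue
        if line.startswith("$TTL"):
            default_ttl = int(line.split()[1])
            continue
        tokens = line.replace("(", " ").replace(")", " ").split()
        if not line[0].isspace():            # owner present in column 1
            owner = qualify(tokens.pop(0), origin)
        ttl, cls = default_ttl, "IN"
        if tokens[0].isdigit():
            ttl = int(tokens.pop(0))
        if tokens[0].upper() in ("IN", "CH", "HS"):
            cls = tokens.pop(0).upper()
        if tokens[0].isdigit():              # TTL may also follow the class
            ttl = int(tokens.pop(0))
        rtype, rdata = tokens[0].upper(), tokens[1:]
        for i in NAME_FIELDS.get(rtype, ()):
            rdata[i] = qualify(rdata[i], origin)
        rrs.append(RR(owner, ttl, cls, rtype, tuple(rdata)))
    return rrs


def reverse_records(rrs, netblock: str):
    """PTR records for every A/AAAA record whose address lies inside the netblock."""
    net = ipaddress.ip_network(netblock)
    out = []
    for rr in rrs:
        if rr.type not in ("A", "AAAA"):
            continue
        ip = ipaddress.ip_address(rr.rdata[0])
        if ip.version == net.version and ip in net:
            out.append(RR(ip.reverse_pointer + ".", rr.ttl, rr.cls, "PTR", (rr.name,)))
    return out


if __name__ == "__main__":
    records = parse_zone(ZONE)
    for rr in records + reverse_records(records, "192.0.2.0/24"):
        print(rr.name, rr.ttl, rr.cls, rr.type, " ".join(rr.rdata))
```

The reverse_records step is the operational link between the forward zone and the in-addr.arpa zone the paper mentions: an organisation only controls the PTR names for the netblocks delegated to it, so the CIDR filter determines which A records it can actually publish reverse mappings for.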
How do you geolocate your customers’ IP addresses? This is a question businesses repeatedly ask, because once they know the answer, it becomes easier to plan strategic and tactical operations successfully, e.g., reaching target audiences, setting up offices and stores, promoting new products, and gaining momentum.
Location is also a crucial element of interacting with clients, and it should not only be taken into
consideration by brick-and-mortar organizations but also by online stores whose buyers are scattered
all over the Web.
So how can businesses get hold of such critical information? Simple: they can geolocate their customers’ IP addresses with an IP geolocation database, a resource that enables organizations to obtain location-based data quickly and, as a result, learn where their consumers are.
In this white paper, we find out how employing IP geolocation can benefit companies and what its most prominent use cases are across industries.
The Web is a tangle of information. Data is everywhere, and finding reliable sources can be a challenge in the era of fake news. Websites, as a prime example, can be informative, misleading, or even dangerous. You may get your hands on something useful or be deceived into clicking the wrong links or downloading unintended files, and learning more about domain owners and assessing whether they are trustworthy or have a hidden or malicious agenda is notoriously hard.
This is where WHOIS database download services come in. Their applications are many, ranging from cybersecurity to marketing research, criminal investigation, and securing a top position in search engine results. How so? This white paper considers a variety of use cases.
Phishing is a way to obtain sensitive information by sending electronic communication pretending to
have come from a reliable, trustworthy partner. According to the 2018 IBM X-Force Threat
Intelligence Index, "Despite the increased use of chat and instant messaging applications, email
continues to be one of the most widely used communication methods for any organization, and phishing
attacks continue to be one of the most successful means of making unknowing insiders open the door
to malicious attackers."
If you’ve ever looked at a WHOIS entry, you probably know how much valuable information is contained
within the records of just one domain registration. When this information is accurate, it can make
getting in touch with other parties on the web a lot easier. In the real world however, accessing
consistently accurate WHOIS data is more of a goal than anything else. For every accurate WHOIS
record, there are many more inaccurate and sometimes fraudulent records...
The domain information lookup service WHOIS publishes data about domain name registrants around the world. WHOIS also contains personal information of European Union (EU) citizens. Further, it holds location and infrastructure information on cybercriminals who set up websites with malicious intent...
The Internet is not just the hotspot of all things digital and technical. Largely due to its ubiquity
and countless (and frequently anonymous) points of entry, the web
has given rise to a new breed of outlaw – cybercriminals who prey
on the wealth of valuable information available online...
The European Union (EU) may unintentionally be giving cybercriminals a helping hand. The EU’s well-intentioned effort to promote data privacy through its newly launched General Data Protection Regulation (GDPR) has also put handcuffs on the efforts of cybersecurity professionals to protect individuals and organizations from hackers. Unless global Internet authorities and infosec professionals are able to reach a rapprochement with the EU, black hats may gain unprecedented advantages over white hats. Otherwise, the cybersecurity community will have to develop new approaches to protecting individuals and enterprises against hackers...