White Papers | WXA Research Center | WhoisXML API

WXA Research Center

Access our latest research and insights on WHOIS, IP, and DNS data for cybersecurity, data science, and other business purposes through our webinars, podcasts, white papers, threat reports, and videos from the WXA Academy.


White Papers

Hot on the Trail of Compulsive Brand Squatters — The Complete Research

Domain brand squatters refer to individuals or entities who register domain names resembling those of legitimate companies. These domains are commonly known as “look-alike domains” or “typosquatting domains.”

Brand squatters may have several tricks up their sleeves, including the sale of counterfeit products and the execution of phishing and malware campaigns. In this research, we are primarily interested in brand squatting activities that could lead or may have already led to phishing campaigns.

We collected more than 13,000 typosquatting domains registered within a two-day window and categorized them into roughly 2,400 groups. The domains in each group satisfy two requirements that hint at bulk registration: they closely resemble one another and were registered on the same day. Then, for 14 days starting the day after their registration date, we checked daily whether the domains had been detected by major malware engines.

Continue reading

Person on U.S. Secret Service's Most Wanted Cybercriminals List and U.S. Sanctions List Runs a Profitable Managed Android Malware Enterprise - An OSINT Analysis

We recently took a look at the U.S. Secret Service’s Most Wanted Cybercriminals list, which we closely monitor and track for new developments. Using basic OSINT techniques, we attempted to track down, collect, and present personally identifiable information, including technical details, on one of the individuals on that list. We succeeded by finding and documenting additional information on one of their Web properties, which is essentially a managed Android malware enterprise.


Continue reading

Exposing a Currently Active Kaseya Ransomware Domain Portfolio - An OSINT Analysis

We recently came across a currently active portfolio of Kaseya C&C server domains and ran them against WhoisXML API’s vast and in-depth WHOIS database in combination with Maltego. The aim is to offer practical and relevant technical details for cyber attack and cyber campaign attribution that could greatly assist U.S. law enforcement in tracking down and prosecuting the cybercriminals behind these campaigns.

In this case study, we’ll take a look at some of the currently active Kaseya C&C server domains, offer practical and relevant threat intelligence and attribution details in terms of possible domain registrant email addresses, and look for additional attribution clues.

Continue reading

CoolWebSearch IoC Investigation Using Maltego

CoolWebSearch is spyware that has been plaguing Microsoft Windows computer users for more than 10 years. Owing to the malicious program’s age, more than 50 variants have been discovered so far, further widening CoolWebSearch’s reach.

Our DNS security research team uncovered several CoolWebSearch indicators of compromise (IoCs) and artifacts, which comprise about 200 registrant email addresses and 2,134 domain names...

Continue reading

Exposing a Currently Active Domain Portfolio of Currently Active High-Profile Cybercriminals Internationally

We used Maltego in combination with WhoisXML API’s integration to provide actionable, real-time intelligence on a currently active domain portfolio known to have been operated by high-profile cybercriminals. We drew on our own high-profile cybercriminal data set so that fellow researchers, vendors, and organizations have the actionable intelligence they need to stay on top of their game and to perform proper cyber-attack attribution when tracking down and responding to these campaigns. The same intelligence may assist U.S. law enforcement and the U.S. Intelligence Community in tracking down and prosecuting the cybercriminals behind these campaigns.

Continue reading

Can we find Internet properties linked to crypto giveaway scams by using Maltego and WhoisXML transforms?

Continue reading

Iranian misinformation network, website seizures, and what's left online

Continue reading

The Pareto Botnet – Advanced Cross-Platform Android Malware Using Amazon AWS Spotted in the Wild – An Analysis

We took a look at the recently discovered Pareto Botnet using Maltego in combination with WhoisXML API’s integration to provide additional actionable intelligence on the campaign, which could be useful to researchers and vendors tracking down and responding to the cyberattack campaigns.

In this article, we’ll elaborate on the Pareto Botnet and offer practical and actionable intelligence on its actual C&C (Command and Control) infrastructure, which includes the use of Amazon’s AWS for C&C purposes.

Continue reading

Profiling the Liberty Front Press Network Online - An OSINT Analysis

We took a closer look at the Internet-connected infrastructure of the Liberty Front Press Network in connection with a recent takedown and domain seizure that was part of an ongoing law enforcement operation against online propaganda. The goal is to offer practical, relevant, and actionable intelligence on the Internet-connected infrastructure behind the Liberty Front Press Network and on the individuals behind it.

In this analysis, we’ll take a closer look inside the Internet-connected infrastructure behind the Liberty Front Press Network and offer practical and relevant information, including actionable intelligence on that infrastructure and the individuals behind it.

Continue reading

Profiling the Internet-Connected Infrastructure of the Individuals on the U.S. Sanctions List – An OSINT Analysis

We took a closer look at the Internet-connected infrastructure used by individuals on the most recently released U.S. Sanctions List, offering additional insights into that infrastructure and actionable intelligence on their whereabouts.

In this analysis, we’ll take a closer look at the Internet-connected infrastructure of individuals on the U.S. Sanctions List and offer an in-depth discussion of that infrastructure.

Continue reading

Profiling Russia's U.S. Election Interference 2016 - An OSINT Analysis

We took a closer look at the 2016 U.S. Election interference conducted through several Russian spear phishing and malicious campaigns, with the goal of providing actionable threat intelligence, including possible attribution clues for some of the known participants in this campaign. We hope this will help fellow researchers and law enforcement professionals track down and prosecute the cybercriminals behind these campaigns.

In this analysis, we’ll take a closer look at the Internet-connected infrastructure behind the malicious activity targeting the 2016 U.S. Election and offer practical, relevant, and actionable threat intelligence on the whereabouts of those responsible.

Continue reading

The Crypto DNS Report: The Many Faces of Crypto-Related Internet Properties

Note: A special thanks to Ed Gibbs, WhoisXML API's Advanced Threat Researcher & Technical Account Manager, for his help compiling the domain and subdomain files used in this post.

Cryptocurrencies have gone a long way since their inception. Perhaps the most significant evidence that they have become embedded into our digital society is that as of February 2021, more than 4,000 cryptocurrencies were in existence. A decade ago, most people didn’t even know what Bitcoin was.

Cryptocurrency investing has changed the lives of certain people, too—from the Winklevoss twins who became billionaires through Bitcoin mining to the more recent rags-to-riches story of a Dogecoin millionaire who initially invested his life savings.

Continue reading

Profiling the “Jabber ZeuS” Rogue Botnet Enterprise - An Analysis

We took a peek at the prolific “Jabber ZeuS” gang using exclusively public and proprietary sources, in order to offer additional insights into the online infrastructure of the cybercriminals in question, using Maltego in combination with WhoisXML API’s integration. As a result, we came up with some interesting findings that expose additional domains registered by the original “Jabber ZeuS” gang, which could greatly assist researchers and vendors in tracking down the cybercriminals behind these campaigns.

Continue reading

Profiling a Rogue Fast-Flux Botnet Infrastructure That’s Currently Hosting Multiple Online Cybercrime Enterprises - An Analysis

We recently mapped and researched various domain registrations made by well-known and established online cybercriminals. We took several hundred email addresses known to belong to well-known cybercriminals and cross-checked them for related domain registrations using Maltego and WhoisXML API’s vast and in-depth real-time and historical WHOIS records database.

In this article, we’ll thoroughly discuss the findings of this study, which started from several hundred email addresses known to be owned and operated by known cybercriminals and checked them for related domain registrations. We will then provide actionable intelligence on the online infrastructure of the newly discovered domains managed and registered by these cybercriminals.

Continue reading

Profiling a Portfolio of Cybercriminal Email Addresses By Using WhoisXML API's Historical WHOIS Search and Maltego - An Analysis

We recently mapped and researched various domain registrations made by well-known and established online cybercriminals. We took several hundred email addresses known to belong to well-known cybercriminals and cross-checked them for related domain registrations using Maltego and WhoisXML API’s vast and in-depth real-time and historical WHOIS records database.

In this article, we’ll thoroughly discuss the findings of this study, which started from several hundred email addresses known to be owned and operated by known cybercriminals and checked them for related domain registrations. We will then provide actionable intelligence on the online infrastructure of the newly discovered domains managed and registered by these cybercriminals.

Continue reading

Profiling a Money Mule Recruitment Registrant Emails Portfolio - An Analysis

We recently took an in-depth look inside the modern money mule recruitment ecosystem using WhoisXML API’s real-time and historical WHOIS records database, one of the security industry’s and the Web’s leading sources of real-time and historical OSINT records. WhoisXML API’s data is a highly recommended tool in the arsenal of OSINT researchers and analysts, including cybercrime researchers and threat intelligence analysts, for enrichment, research, and analysis.

For this white paper, we sampled several hundred money mule recruitment email addresses and used WhoisXML API’s vast database of real-time and historical WHOIS records to find out which domains have historically belonged to them, looking for additional fraudulent and malicious activity.

In this research, we’ll offer actionable intelligence on some of the personal domains registered by well-known money mule recruitment email accounts, which we obtained using Maltego and WhoisXML API’s integration, so as to shed light on their online infrastructure.

Continue reading

Exposing a Rogue Domain Portfolio of Fake News Sites - An Analysis

We recently came across third-party research describing an interesting and important Iran-based foreign influence and disinformation campaign. We took a deeper look using Maltego and WhoisXML API in order to offer additional insights into the campaign’s online infrastructure.

In this analysis, we'll use public campaign sources for the sample data and will offer an in-depth peek inside its online infrastructure by using Maltego and WhoisXML API’s vast real-time and historical WHOIS database as well as specifying additional IoCs (Indicators of Compromise) for the purpose of assisting researchers and vendors on their way to stay on top of this campaign.

Continue reading

Exposing a Fraudulent Boutique and Rogue Cybercrime-Friendly Forum Community - An Analysis

We took an in-depth look into the infamous hxxp://omerta.cc cybercrime-friendly forum community, which currently shares the same infrastructure as the original E-Shop for stolen credit card information that we have already profiled in two separate white papers and case studies. We continued monitoring and investigating that original E-Shop, hxxp://thefreshstuffs.at, which we profiled in our original white paper, and came up with some interesting results. Those results include an additional set of E-shops for stolen credit card information that actively share the infrastructure of the original E-Shop profiled in our original research.

In this analysis, we’ll provide actionable intelligence on the bulletproof hosting infrastructure behind the recently discovered E-Shops for stolen credit card information including actionable intelligence and personally identifiable information on the actual cybercrime-friendly forum owners with the idea to assist researchers and vendors on their way to track down and monitor this campaign for related malicious and fraudulent activity.

Continue reading

Security Researchers Targeted in a Spear Phishing Campaign - An Analysis

We recently became aware of a targeted spear-phishing campaign that drops client-side exploits on legitimate security researchers. The attackers approach researchers personally or via social media and entice them into verifying the validity of a supposedly newly discovered Zero Day flaw which, once executed, drops malicious software on the affected researchers’ hosts. We researched the campaign further to offer practical, relevant, and actionable intelligence on its infrastructure, with the aim of helping fellow researchers and the industry track down and monitor it.

In this analysis, we’ll take a closer look at the campaign and provide actionable intelligence on the infrastructure behind it and discuss in depth the TTPs (Tactics Techniques and Procedures) of the cybercriminals behind it.

Continue reading

How to Use WhoisXML API in Combination with Maltego for Advanced Mapping and Reconnaissance of the Emotet Botnet - An Analysis

The Emotet botnet continues to make daily headlines with its widespread spam and malicious software serving campaigns, and more researchers are trying to profile and infiltrate it in order to shut it down or monitor it. We took a closer look at the modern Emotet botnet using Maltego and WhoisXML API’s integration. The purpose is to provide timely, relevant, and actionable threat intelligence and high-value information on its network infrastructure, potentially offering clues regarding the whereabouts of its network operators.

We examined the Emotet botnet C&C infrastructure using publicly accessible information about it, enriched through Maltego and WhoisXML API, in order to offer actionable and relevant threat intelligence on the botnet’s current whereabouts.

In this research and analysis, we’ll use a sample seed of known and confirmed malicious Emotet botnet C&C IPs and offer a detailed peek inside its network infrastructure, including an additional set of malicious MD5s we stumbled upon while profiling it, to help security researchers, clients, and customers stay on top of their game in terms of the Emotet botnet.

Continue reading

The Most Common Types of DNS Attacks Explained

The Domain Name System (DNS) is one of the most crucial systems that make the Internet work. It is commonly referred to as the Internet’s phonebook, though it may also be compared to a Global Positioning System (GPS) that points domain names to the correct IP addresses.

The DNS is intricately involved in almost every Internet service—websites, chat services, email services, and social media sites. Consequently, it is a common target of cyber attackers. One of the most famous DNS attacks occurred in October 2016, disrupting the services of several high-profile websites for about 18 hours; the affected websites included PayPal, Twitter, Netflix, Amazon, and Spotify.

DNS attacks are menacing and could affect millions of people. Also, they are among the most prevalent forms of cyberattack. In fact, about 83% of service providers experienced a DNS attack in 2020.

Continue reading

How to use WhoisXML API in Combination with Maltego for Advanced Mapping and Reconnaissance of Botnet Command and Control Infrastructure Using Hostinger’s Legitimate Infrastructure

With more cybercriminals appearing online to cause havoc and widespread damage, it shouldn’t be surprising that both legitimate and purely malicious infrastructure is actively and vigorously abused to host malicious software, spam, and phishing emails. That includes infrastructure used as a botnet and malicious software C&C (Command and Control) channel. Such abuse potentially undermines modern IP and domain reputation techniques and ongoing threat intelligence efforts, since the bad guys often rely on a legitimate hosting provider’s infrastructure for their malicious and fraudulent needs, including the actual hosting of malicious software and the actual C&C hosting infrastructure.

We recently detected and profiled a currently active botnet C&C infrastructure that exclusively uses Hostinger’s legitimate infrastructure as its C&C communication channel. We provide an in-depth analysis and report on the topic to further emphasize how the bad guys actually use legitimate infrastructure for botnet C&C communication, and to provide timely, relevant, and actionable threat intelligence on that infrastructure.

The campaign relies on Hostinger’s legitimate infrastructure for botnet C&C communication. We identified the actual domains and IPs in question, including the actual MD5s currently in circulation, and share the results of our findings in an in-depth and comprehensive report on the topic.

Continue reading

How to use WHOIS XML API in Combination with Maltego for Advanced Bulletproof Malicious Infrastructure Investigation

In this article, we’ll discuss the use of Maltego in combination with WhoisXML API to map and expose a currently active bulletproof hosting provider. We’ll use a variety of means and techniques, potentially attempting to build a working case and to try to take it offline, in addition to revealing currently active fraudulent and malicious Web sites hosted on the bulletproof hosting provider’s infrastructure. We also present an OSINT research and enrichment case study on one of the websites found on that infrastructure, which is essentially a high-profile online E-shop offering access to stolen credit cards.

Continue reading

Privacy or Accountability: What the Redaction of WHOIS Data Means for Cybersecurity

WHOIS data has usually been the starting point for security professionals, incident responders, and forensic investigators when a suspected cyber attack takes place. WHOIS registrant, administrative, and technical details are deemed reliable by investigators, as using fake registrant credentials when purchasing a domain is a violation of the Internet Corporation for Assigned Names and Numbers (ICANN) terms of service.

By requiring domain owners to provide their email address and other personal details and making them publicly accessible, ICANN has made them accountable for using their websites ethically and legally. While this policy has neither eradicated nor even completely prevented cybercrime, it does provide a valuable resource for forensic investigation and threat prevention.

As such, these publicly available records have been used to trace sources of malware, to detect and investigate fraud, and to track down cyber attackers.

A registrant’s email address, for instance, allows investigators to directly contact the owner of a domain without having to go through other channels. Email addresses are also a handy resource for domain disputes and complaints about copyright infringement, among other things. WHOIS data, in its totality, is an abundant reservoir that aids organizations in strengthening their cybersecurity posture.

Continue reading

Can Domain Intelligence Help Healthcare Service Providers Combat Data Breaches?

Hospitals and other healthcare service providers have been among criminals’ favorite breach targets in the past few years. One of what has been dubbed the biggest data breaches of the 21st century involved a healthcare insurance giant — Anthem.

The Anthem breach reported in February 2015 was said to have exposed around 78.8 million customer records. This incident put the personal data of the insurer’s clients at risk of theft. The question is: could Anthem have prevented the breach? This downloadable white paper will take a look at the case in greater detail and illustrate how Domain Research Suite can help.

Continue reading

How Domain Data Can Help Law Enforcement Agencies Nab a Cybercriminal Gang Mastermind: The Business Club Case

It’s no secret that cybercriminal operations are not very different from how legitimate businesses operate. Much like a CEO heads a global corporation, a mastermind may stand behind the most notorious and widespread cybercriminal gang.

In the early 2000s, the most prominent cybercriminal rings had a mafia-like structure, as they were led by so-called “dons”. Each don had a right-hand man known as a “consigliere,” who made sure the wheels of the operation kept turning.

The very first cybercriminal gangs that gained notoriety for reaping millions of dollars from victims the world over while evading capture for years include CarderPlanet, Shadowcrew, and the RBS WorldPay Gang. Times may have changed, and the rings’ structure, tools, tactics, and targets may no longer follow those of the old crews, but cybercriminal attacks continue to linger on. Though we still see reports on the misdeeds of individual threat actors today, cybercriminal rings continue to wreak greater havoc due to the scale of their operations — the case in point: The Business Club.

This downloadable white paper will take a closer look at the Club in action and show how domain intelligence feeds and APIs could help in similar situations.

Continue reading

Online Brand Protection: Fighting Domain Name Typosquatting, Website Spoofing, and Phishing

They say that becoming a cybercrime victim is, in this day and age, a matter of “when” and not “if.” But that doesn’t mean you should let fate determine your company’s future. Focus instead on enhancing your business’s security posture by protecting your brand from all sorts of online threats. A great means to safeguard your digital assets is through Brand Monitor — a specialized online brand protection component of the WhoisXML API Domain Research Suite.

This white paper will tell you how Brand Monitor can help your company combat specific cyber threats like domain name typosquatting, website spoofing, and phishing.

Continue reading

Domain Name System Primer

In this white paper, we give an overview of the Domain Name System, or DNS, one of the pillars of the Internet. We start by understanding the goal: to assign names to named resources on the Internet and to maintain their database. For this, it is important to understand the structure of domain names and DNS zones. The roles of the actors in the system are domain maintainers, registries and Network Information Centers. The structure of delegation of authority will also be clarified. We give an overview of the structure of data available in the DNS, notably, the resource records (RRs) occurring in zone files. We also review the technology side: the DNS protocol, its operations supporting queries of name resolution, zone file transfers necessary to maintain the system and for reverse mapping. We briefly mention the most popular implementations, notably, BIND, which may be the most prevalent DNS server software. This necessitates a little insight into netblocks and Classless Inter-Domain Routing (CIDR). We address the internal security issues of the DNS as well as the crucial role it plays in cybersecurity. Finally, we provide some references for further reading.

Continue reading

Geolocate an IP address in 2021: The Definitive Guide

How can we geolocate the IP addresses of our customers? This is a question businesses ask repeatedly, because once they know the answer, it becomes easier to plan strategic and tactical operations successfully — e.g., reaching out to target audiences, setting up offices and stores, promoting new products, and gaining momentum.

Location is also a crucial element of interacting with clients, and it should not only be taken into consideration by brick-and-mortar organizations but also by online stores whose buyers are scattered all over the Web.

So how can businesses put their hands on such critical information? That’s simple: They can geolocate IP addresses of their customers with an IP geolocation database, a resource that enables organizations to obtain location-based data quickly and, as a result, get to know where their consumers are.

In this white paper, we find out how employing IP geolocation can benefit companies and what its most prominent use cases are across industries.

Continue reading

WHOIS Database Download: 13 Business, Cybersecurity, and other Applications Explored

The Web is a tangle of information. Data is everywhere and finding reliable sources can be a challenge in the era of fake news. Websites, as a prime example, can be informative, misleading, or even dangerous.

You may get your hands on something useful or be deceived into clicking on the wrong links or downloading unintended files... and learning more about domain owners and assessing whether they’re trustworthy or with a hidden or malicious agenda is notoriously hard.

This is where the powers of WHOIS database download services come in, whose applications are multiple — ranging from cybersecurity to marketing research to criminal investigation to ensuring a top position in search engine results. How so? This white paper considers a variety of use cases.

Continue reading

Fight against phishing e-mail with WHOIS: A technical blog based on the 2018 "Airbnb" case

Phishing is a way to obtain sensitive information by sending electronic communication pretending to have come from a reliable, trustworthy partner. According to the 2018 IBM X-Force Threat Intelligence Index, "Despite the increased use of chat and instant messaging applications, email continues to be one of the most widely used communication methods for any organization, and phishing attacks continue to be one of the most successful means of making unknowing insiders open the door to malicious attackers."

Continue reading

What you should know about WHOIS and Security

If you’ve ever looked at a WHOIS entry, you probably know how much valuable information is contained within the records of just one domain registration. When this information is accurate, it can make getting in touch with other parties on the web a lot easier. In the real world however, accessing consistently accurate WHOIS data is more of a goal than anything else. For every accurate WHOIS record, there are many more inaccurate and sometimes fraudulent records...

Continue reading

Open WHOIS advocates push for U.S. legislation to counter GDPR

The domain information lookup service WHOIS publishes data about the owners of websites around the world. WHOIS also contains personal information of the European Union (EU) citizens. Further, the database maintains location and infrastructure information of cybercriminals who set up websites with malicious intent...

Continue reading

Cyber Security Investigation and Analysis

The Internet is not just the hotspot of all things digital and technical. Largely due to its ubiquity and countless (and frequently anonymous) points of entry, the web has given rise to a new breed of outlaw – cybercriminals who prey on the wealth of valuable information available online...

Continue reading

GDPR’s Chilling Effect on Cybersecurity

The European Union (EU) may unintentionally be giving cyber criminals a helping hand. The EU’s well-intentioned efforts to promote data privacy through its newly launched General Data Protection Regulations (GDPR) have also put handcuffs on the efforts of cybersecurity professionals to protect individuals and organizations from hackers. Unless global Internet authorities and infosec professionals are able to achieve a rapprochement with the EU, black hats may gain unprecedented advantages over white hats. Otherwise, the cybersecurity community will have to develop new approaches to protecting individuals and enterprises against hackers...

Continue reading