Know Your Foe: Who's Behind the WHOIS

Thousands of times a day, domains are bought and/or transferred between individuals. The process to make all of this happen is easy and only takes a few minutes and roughly $7 depending on the registrar. Beyond payment details, you must provide additional information about yourself, some of which gets stored as part of a WHOIS record once the domain has been set up.

WHOIS is a protocol that lets anyone query for information about a domain, IP address, or subnet. One of the most common uses for WHOIS in threat infrastructure research is to identify or connect disparate entities based on unique data shared within WHOIS records. If you were reading carefully or have ever purchased a domain, you may have noticed that the content asked for wasn’t verified [1]. In fact, you could have put anything in the record (and a lot of people do), and it would then be displayed to the world.

Additionally, each WHOIS record has a number of different sections, each of which can contain different information. Commonly found sections include “registrar”, “registrant”, “administrator” and “technical”, with each potentially corresponding to a different contact for the record. A lot of the time this data is duplicated across sections, but in some cases there may be slight differences, especially if an actor made a mistake. When viewing WHOIS information within PassiveTotal, you will see a condensed record that de-duplicates any data and notes which part of the record it came from. We have found this process greatly speeds up the analyst workflow and also avoids overlooking data.
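The condensing step described above, as an added example (not PassiveTotal's own code): it parses a constructed text record into its contact sections, collapses identical values across sections while keeping track of where each came from, and surfaces any value that does not match all sections, which is where a registrant's slip tends to show up. The record contents and the field names are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample record for illustration only; not a real lookup.
SAMPLE_RECORD = """\
Domain Name: example-placeholder.test
Creation Date: 2015-03-02T00:00:00Z
Registrar: Example Registrar Inc.
Registrant Name: Jane Doe
Registrant Email: jane@example.invalid
Admin Name: Jane Doe
Admin Email: jane@example.invalid
Tech Name: Jane Doe
Tech Email: jane.doe@example.invalid
"""

CONTACT_SECTIONS = ("Registrant", "Admin", "Tech")

def parse_whois(text):
    """Parse 'Key: value' lines into {section: {field: value}}.
    'Admin Email' -> section 'Admin', field 'Email'; other keys go under 'Domain'."""
    parsed = defaultdict(dict)
    for line in text.splitlines():
        m = re.match(r"^([^:]+?):\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        head, _, field = key.partition(" ")
        if head in CONTACT_SECTIONS and field:
            parsed[head][field] = value
        else:
            parsed["Domain"][key] = value
    return dict(parsed)

def condense(parsed):
    """De-duplicate contact fields across sections -> {field: {value: [sections]}}.
    A value present in only some sections is where a slip by the registrant shows up."""
    condensed = defaultdict(lambda: defaultdict(list))
    for section in CONTACT_SECTIONS:
        for field, value in parsed.get(section, {}).items():
            condensed[field][value].append(section)
    return {f: dict(v) for f, v in condensed.items()}

def outliers(condensed):
    """Entries whose value is not shared by every contact section."""
    return [(f, v, s) for f, vals in condensed.items()
            for v, s in vals.items() if len(s) < len(CONTACT_SECTIONS)]

if __name__ == "__main__":
    print(outliers(condense(parse_whois(SAMPLE_RECORD))))
```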

Making Connections

When using WHOIS information to make connections, keep in mind that anyone can copy data from one record and reuse it in another. It’s therefore important to find connections beyond WHOIS to validate the final assessment. A useful tactic for evaluating a WHOIS field is to look at its frequency distribution: how many other WHOIS records share the same value.

For example, the malicious domain “linkedinmember.com” was registered using the email address “fitchnick@163.com”. A quick search through Google reveals several WHOIS-based websites outlining that roughly four other domains were registered using the same email address. This is a small amount of overlap, and given the potential phishing theme, this email address could be a good way to link the domains together. Passive DNS data within PassiveTotal confirms the hypothesis and links the two domains to shared infrastructure around the same time.

Also on that same host is the domain “www.iu-edu.us” which was registered using the email address of “aki789@qq.com”. Using the same technique of searching for the email reveals 60 other potential connections. While still small, this larger number of registrations could mean some shared usage of the email address. Additionally, within our searches, we see a court document from the NFL listing the same email address in a lawsuit. Given many of the domains mention jerseys and other NFL materials, it’s fair to assume the case may involve counterfeit goods. Given the overlap, it’s possible that this email address may not be as strong of a connection point in the future.

Registration as a Service

As mentioned in the previous section, the frequency distribution of a given WHOIS field, i.e. how much overlap it has with other records, is helpful in identifying potentially bad leads. For example, the malicious domain used in a number of targeted attacks, “microsoft-outlook.org”, was registered using the email address “Qinyz001@163.com”. What’s notable about this address is its connection to thousands of other domains, even though all the details appear to be associated with a real user.

The reason for this large association comes down to how the domain registration was delegated. Imagine you are signing up for a service through a small local provider that also happens to handle domain registration. Maybe this local provider even uses their own unique information when filling out the WHOIS because they are ultimately the contact responsible for the hosting. There are a number of different theories on how this one person’s data could end up on so many records, but regardless, it’s a poor lead and should be discounted or at the very least, highly scrutinized.
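The overlap heuristic from the two sections above (small overlap is a promising pivot, thousands of shared records points at a reseller and should be discounted), as an added example that is not PassiveTotal's code. The WHOIS inventory is constructed, the domains and contact values are placeholders, and the 10/100 thresholds are assumed cut-offs, not figures from the article.

```python
from collections import defaultdict

# Constructed WHOIS inventory (domain -> contact fields). Placeholder values,
# not real lookups; the counts mimic the cases described above.
RECORDS = {"target.test": {"email": "actor@example.invalid",
                           "name": "A. Placeholder", "phone": "+1.5550100"}}
for i in range(4):        # a handful of domains share the actor's email and name
    RECORDS[f"lure{i}.test"] = {"email": "actor@example.invalid",
                                "name": "A. Placeholder", "phone": f"+1.5550{200 + i}"}
for i in range(3000):     # a reseller's phone number reused on thousands of records
    RECORDS[f"bulk{i}.test"] = {"email": f"u{i}@example.invalid",
                                "name": f"User {i}", "phone": "+1.5550100"}

# Assumed thresholds (not from the article): strong <= 10 others, weak <= 100.
STRONG_MAX, WEAK_MAX = 10, 100

def build_index(records):
    """field -> normalised value -> set of domains carrying that value."""
    index = defaultdict(lambda: defaultdict(set))
    for domain, fields in records.items():
        for field, value in fields.items():
            index[field][value.strip().lower()].add(domain)
    return index

def rate(overlap):
    """Rate a pivot by how many other domains share the value."""
    if overlap <= STRONG_MAX:
        return "strong"
    if overlap <= WEAK_MAX:
        return "weak"
    return "discount"   # registration-as-a-service territory

def rank_pivots(domain, records, index=None):
    """For each WHOIS field of `domain`, count the OTHER domains sharing the
    value and rate it; lowest overlap first. Even a 'strong' pivot still needs
    corroboration (e.g. passive DNS) because anyone can copy a record."""
    if index is None:
        index = build_index(records)
    ranked = []
    for field, value in records[domain].items():
        others = index[field][value.strip().lower()] - {domain}
        ranked.append((field, value, len(others), rate(len(others))))
    return sorted(ranked, key=lambda r: r[2])

if __name__ == "__main__":
    for row in rank_pivots("target.test", RECORDS):
        print(row)
```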

Privacy Protection Services

While the information entered into the WHOIS system when registering and purchasing a domain can be readily accessed by anyone on the internet, registrars have established services to obfuscate your personal data from prying eyes. While these services give individuals privacy, they also make it more difficult for analysts to make connections between threat-actor-registered infrastructure, because they obscure the bad guys’ information as well, even if that data is falsified.

Creation, Updated, and Expiration Dates

During an active investigation, analysts can also use WHOIS data to develop a better understanding of attack timelines and actor operational tempo by comparing the domain creation date with historical resolutions in passive DNS data. In some cases, actors register a domain and commence an attack campaign within days of each other; in others, they register infrastructure and let it sit for months before using it in an attack. In addition to the creation date, the last-updated and expiration dates in a domain’s WHOIS record can further sharpen the attack timeline.

Often actors only register domains for an attack campaign for the minimum required time period, which is one year. If a domain has an expiration date 3-10 years from the creation date, it is usually a good indication that the domain is legitimate or compromised: actors rarely register domains for long periods of time, and these lengthy registration periods are usually bought by organizations wanting to protect their brand.
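The timeline heuristics from this section, as an added example (not PassiveTotal's code): registration length in years, the gap between creation and the first passive DNS resolution, and whether the record was modified after creation. The 3-year cut-off follows the 3-10 year range above; the 7-day and 90-day cut-offs and the two sample records are constructed assumptions.

```python
from datetime import datetime

DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d")  # WHOIS date formats vary by registrar

def parse_date(text):
    """Try each known WHOIS date format; raise if none match rather than guess."""
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised date: {text!r}")

def registration_years(created, expires):
    """Registration period in whole years (actors usually take the 1-year minimum)."""
    return round((parse_date(expires) - parse_date(created)).days / 365.25)

def dwell_days(created, first_seen):
    """Days from registration to the first passive DNS resolution."""
    return (parse_date(first_seen) - parse_date(created)).days

# Assumed cut-offs: 3 years matches the article's 3-10 year range; 7 and 90 days
# are illustrative choices for "within days" and "sat for months".
def assess_timeline(created, updated, expires, first_seen):
    years = registration_years(created, expires)
    dwell = dwell_days(created, first_seen)
    updated_after = (parse_date(updated) - parse_date(created)).days
    notes = []
    notes.append("long registration: likely legitimate or compromised" if years >= 3
                 else "minimum-length registration")
    if dwell <= 7:
        notes.append("used within days of registration")
    elif dwell >= 90:
        notes.append("staged for months before first use")
    if updated_after > 0:
        notes.append(f"record modified {updated_after} days after creation")
    return {"years": years, "dwell_days": dwell, "notes": notes}

if __name__ == "__main__":
    # Constructed records, not real lookups.
    print(assess_timeline("2015-03-02T00:00:00Z", "2015-03-02T00:00:00Z",
                          "2016-03-02T00:00:00Z", "2015-03-05"))
    print(assess_timeline("2010-03-02", "2014-06-01", "2020-03-02", "2010-09-15"))
```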

[1] Some TLDs require verification like .US (http://www.neustar.us/support/)