Product Blog

How to Retrieve Domain WHOIS History Data After Redaction

WHOIS data is useful for tracking down cyber threats, verifying business ownership, and preventing domain brand abuse. For decades, this information was public and easy to access.

Lately, finding the person behind a domain name has become much harder. A regular WHOIS lookup provides very little, as most information is now either redacted or privacy-protected (these are different mechanisms that we’ll get into later).

In this post, we’ll describe some ways cybersecurity researchers can still get access to real WHOIS information despite redaction or privacy protection. We will also explain why WHOIS data is now protected.

How to Trace a Privately Registered Domain’s Owner by Using a WHOIS History Lookup Tool

With a myriad of free, readily available tools online, it’s not difficult to find out whether someone already owns a domain you’re eyeing or whether it is available for registration. But that’s where most tools stop. Further details, such as a domain’s ownership history, including current and past registrants’ names and contact details, are often hidden because most domain owners opt for privacy protection.

Finding Traces of the 2024 Most-Phished Brands in the DNS with the Domain Research Suite

Phishing is one of the oldest threats to date, but there’s a reason it’s still around—it works. AAG recently updated the 2024 Phishing Statistics report, which revealed that Google blocks around 100 million phishing emails daily. Why is that?

Users get tricked into opening phishing emails, notably because the threat actors behind them use realistic domains that closely resemble those belonging to the world’s most popular brands. The latest AAG phishing report looked deeper into five of the most-phished brands—LinkedIn, DHL, Google, Microsoft, and FedEx—which the WhoisXML API research team decided to follow up on.

Specifically, we will scour the DNS for more signs of phishing campaigns cybersquatting on the top five brands, determine how many of the brand-containing domains actually belong to the companies being spoofed, and look at who may be behind the suspicious properties.
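The core of a cybersquatting hunt like the one described above is a classifier that decides whether a candidate domain targets a brand: a literal brand string inside the registrable label, a brand visible only after homoglyph normalization (g00gle, micr0soft), or a one-edit typo of the brand. The following is an added example, not code from the original post or from WhoisXML API; the candidate domains are constructed for illustration and none is asserted to be a real phishing domain. It assumes a single-label public suffix (.com, .net) and uses the five brands named above, but the same check applies to any brand watchlist.

```python
"""Flag brand-containing and look-alike domains for a brand watchlist.

Added example, not code from the original post or from WhoisXML API. The
candidate domains below are constructed for illustration; none is asserted
to be a real phishing domain.
"""
import re

BRANDS = ["linkedin", "dhl", "google", "microsoft", "fedex"]

# Character swaps seen in look-alike registrations (digit/letter and
# multi-character confusables). Deliberately aggressive: 'rn' -> 'm' will
# also rewrite innocent words, so review hits rather than auto-blocking.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "vv": "w", "rn": "m"}


def second_level_label(domain: str) -> str:
    """Return the registrable label, e.g. 'dhl-tracking' for 'www.dhl-tracking.com'.
    Assumption: single-label public suffix; use a public suffix list for .co.uk-style TLDs."""
    labels = domain.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def normalize_homoglyphs(label: str) -> str:
    for glyph, letter in HOMOGLYPHS.items():
        label = label.replace(glyph, letter)
    return label


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insertions, deletions,
    substitutions and adjacent transpositions each cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(domain: str, brands=BRANDS):
    """Return (brand, reason) when the registrable label targets a brand, else None.
    Checks, in order: literal brand string, brand after homoglyph normalization,
    and a one-edit typo of the brand in any hyphen-separated token."""
    label = second_level_label(domain)
    normalized = normalize_homoglyphs(label)
    tokens = [t for t in re.split(r"[-_]", label) if t] + [label]
    for brand in brands:
        if brand in label:
            return brand, "brand-containing"
        if brand in normalized and normalized != label:
            return brand, "homoglyph"
        # One-edit matches on short brands ('dhl' vs 'dhs') are mostly noise.
        if len(brand) >= 5 and any(edit_distance(t, brand) == 1 for t in tokens):
            return brand, "typosquat"
    return None


# Constructed candidate list standing in for a DNS/WHOIS search result set.
CANDIDATES = [
    "www.dhl-tracking.example", "g00gle-login.example", "linkedn-jobs.example",
    "micr0soft-secure-login.example", "googel.example", "fedx-delivery.example",
    "example.com", "dhs.gov", "modern-art.example",
]


def scan(domains=CANDIDATES):
    """Map each flagged domain to its (brand, reason)."""
    return {d: hit for d in domains if (hit := classify(d)) is not None}


if __name__ == "__main__":
    for domain, (brand, reason) in scan().items():
        print(f"{domain:35} {brand:10} {reason}")
```

The reason string matters for triage: brand-containing hits are the ones to check against the brand owner's own registrations (the question the post asks about legitimate ownership), while homoglyph and typosquat hits are almost never legitimate and can go straight to monitoring.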

Finding Traces of Business and CEO Impersonators: A DIY DRS Guide to Business and CEO Impersonation Vector Identification

Business and Chief Executive Officer (CEO) impersonation have grown into a multibillion-dollar criminal business and are, in fact, two of the most common types of phishing employed today.

In this edition of our DIY investigation guide, we will demonstrate how companies and their security teams can detect potential business and CEO impersonation scam vectors in the DNS using the Domain Research Suite (DRS) search and monitoring tools.

Staying One Step Ahead of BEC Scams: A DIY DRS Guide to Threat Discovery

Business email compromise (BEC) scams cost organizations billions of dollars annually, making it a lucrative business for threat actors. BEC campaigns commonly spoof target companies and reputable email and electronic document service providers.

In this edition of our DIY investigation guide, we will demonstrate how companies and their security teams can detect potential BEC scam vehicles in the DNS using the Domain Research Suite (DRS) search and monitoring tools.

Investigating EHR Software Impersonation: A DIY DRS Guide to Threat Discovery

Several ransomware families have targeted healthcare organizations in the past few years, adding to the challenges the sector faces. Phishing is a favored initial access vector, and the threat actors behind it commonly rely on look-alike domain names. This edition of our DIY investigation guide will demonstrate how healthcare security teams and organizations can retrieve and monitor cybersquatting domains using the Domain Research Suite (DRS) search and monitoring tools.

ChatGPT-Themed Phishing? Here’s a DIY DRS Guide to IoC Expansion and Threat Discovery

Despite being newly launched, ChatGPT has taken the world by storm. The business community is generally thrilled at what the AI chatbot can do, and threat actors are riding the wave. Phishers have been spoofing ChatGPT to lure people into handing over their credit card information and other sensitive data.

This edition of our DIY investigation guide will demonstrate how organizations can lessen the risks ChatGPT-themed threats pose using different Domain Research Suite (DRS) search and monitoring tools.

Indicators of compromise (IoCs) are forensic data that hint at possible malicious activity, and they are valuable threat intelligence because a single indicator can lead investigators to related, and sometimes more dangerous, properties. To illustrate, we mapped out the WHOIS and DNS footprints of chatgpt-openal[.]com, a domain involved in phishing campaigns.
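Mapping a WHOIS and DNS footprint is, mechanically, a pivot: start from one IoC, collect the attributes of its record (registrant email, name server, hosting IP), and follow each attribute to every other domain that shares it. The two things that go wrong in practice are pivoting on a redacted value, which links everything to everything, and pivoting on shared infrastructure such as a bulk hoster's name servers, which drags in unrelated domains. The example below is added here and is not code from the original post or from WhoisXML API; the records are constructed and are not real WHOIS or DNS data for any domain named in the post. It uses a breadth-first expansion that refuses to pivot on redacted values and on attributes shared by more than a configurable number of domains.

```python
"""IoC expansion by pivoting on shared WHOIS and DNS attributes.

Added example, not code from the original post or from WhoisXML API. The
records below are constructed for illustration and are not real WHOIS or
DNS data for any domain.
"""
from collections import deque

# Constructed footprint records: one flattened WHOIS/DNS record per domain.
RECORDS = {
    "seed-phish.example":  {"registrant_email": "actor@mail.example",
                            "ns": "ns1.bulkhost.example", "ip": "203.0.113.10"},
    "sibling-one.example": {"registrant_email": "actor@mail.example",
                            "ns": "ns1.bulkhost.example", "ip": "203.0.113.11"},
    "sibling-two.example": {"registrant_email": "REDACTED FOR PRIVACY",
                            "ns": "ns9.actor-dns.example", "ip": "203.0.113.10"},
    "cousin.example":      {"registrant_email": "REDACTED FOR PRIVACY",
                            "ns": "ns9.actor-dns.example", "ip": "198.51.100.7"},
    "unrelated-a.example": {"registrant_email": "REDACTED FOR PRIVACY",
                            "ns": "ns1.bulkhost.example", "ip": "192.0.2.5"},
    "unrelated-b.example": {"registrant_email": "other@mail.example",
                            "ns": "ns1.bulkhost.example", "ip": "192.0.2.6"},
}

# Values that carry no identity: pivoting on them links every redacted domain.
REDACTED_MARKERS = {"REDACTED FOR PRIVACY", "", None}

# An attribute shared by more domains than this is treated as shared
# infrastructure (bulk hoster, registrar default NS) rather than actor infrastructure.
MAX_SHARED = 3


def build_index(records):
    """Inverted index: (field, value) -> set of domains carrying that value."""
    index = {}
    for domain, attrs in records.items():
        for field, value in attrs.items():
            index.setdefault((field, value), set()).add(domain)
    return index


def is_pivotable(key, index):
    field, value = key
    if value in REDACTED_MARKERS:
        return False
    members = index[key]
    return 1 < len(members) <= MAX_SHARED


def expand(seed, records=RECORDS, max_hops=3):
    """Breadth-first pivot from seed. Returns {domain: (hops, field, value, via)}
    for every domain reached within max_hops; the seed itself is not included."""
    index = build_index(records)
    found = {}
    queue = deque([(seed, 0)])
    seen = {seed}
    while queue:
        domain, hops = queue.popleft()
        if hops >= max_hops:
            continue
        for field, value in records[domain].items():
            key = (field, value)
            if not is_pivotable(key, index):
                continue
            for other in sorted(index[key]):
                if other not in seen:
                    seen.add(other)
                    found[other] = (hops + 1, field, value, domain)
                    queue.append((other, hops + 1))
    return found


if __name__ == "__main__":
    for domain, (hops, field, value, via) in expand("seed-phish.example").items():
        print(f"hop {hops}: {domain} <- {via} via {field}={value}")
```

With these records the seed reaches sibling-one through the shared registrant email and sibling-two through the shared IP, and sibling-two reaches cousin through the actor-controlled name server; the two unrelated domains are never pulled in because the only attribute they share with the seed is the bulk hoster's name server, which exceeds MAX_SHARED. Recording the pivot path (field, value and the domain it came from) is what lets an analyst later justify, or discard, each expanded indicator.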
