
Investigating Domain Name Crime: Challenges and Essential Techniques

Who would think that so much could go wrong with something as seemingly innocent as a domain name? As cybercrime continues to evolve, causing devastating reputational and financial losses to businesses and organizations, web addresses are used as a weapon — and it's not always easy to notice their many faces.

In this article, let's take a look at the domain name crime landscape, discuss the current challenges investigators and legitimate registrants face, and talk about some useful techniques, including the use of various applications and APIs, that can facilitate the early detection of malicious domains and help set protective measures.

Types of Domain Name Crime

Domain name abuse can be carried out in many ways. Some, such as cybersquatting, where perpetrators register domains that incorporate the names of existing businesses with the intent of selling them at a marked-up price, are mainly a nuisance that degrades the online experience.

Other forms like the following ones, on the other hand, are plain dangerous and potentially detrimental to customers, users, and companies as a whole:

  • Domain hijacking, which involves gaining access to a website and making changes to it without the owner's consent in order to trick visitors into giving up sensitive details;
  • Typosquatting, which relies on the typos Internet users make when entering web addresses in their browsers, and involves registering fake versions of commonly visited domains for malicious purposes;
  • Domain slamming, which happens when criminals send fraudulent renewal notices to domain registrants, resulting in the unauthorized transfer of the domain to a new entity.

Current Challenges in Domain Name Crime Investigations

Investigating such crimes is not easy, mainly because of the sheer number of related cases occurring every week, or even every day. Other hurdles that hinder the effectiveness of the process include the growing range of devices involved, the automation of registration services, and a widening skill gap.

But that's not all. Another problem is that the procedures for studying these threats have stayed the same while the attacks keep growing more complex. So what can be done? Are there any new methods that could facilitate investigations?

How to Investigate Domain Name Crime

Success in this area requires knowing how to approach investigations effectively. Here are five tried-and-tested techniques:

1. Bulk data extraction

With bulk data extraction, investigators save time by retrieving large amounts of data at once, such as WHOIS records through a bulk WHOIS API. More specifically, they can scan WHOIS data and extract important details about potential fraudsters who rely on misspelled, misleading, and otherwise dodgy domain names to achieve their ends.
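The typosquatting pattern described earlier and the bulk WHOIS scan described here can be combined into a simple early-warning check: generate single-edit lookalikes of a brand name and flag recently created registrations that match. The code below is an added example, not the author's or WhoisXMLAPI's own code; the brand name, the owned-domain set and the WHOIS-style rows are constructed sample data, and `flag_lookalikes`, `classify` and `typo_variants` are hypothetical names.

```python
from datetime import date, timedelta

# Constructed sample (not real data): a brand, the domains it owns, and rows
# in the shape of a bulk WHOIS export (domain, creation date).
BRAND = "examplebank"
OWNED = {"examplebank.com"}
RECORDS = [
    {"domain": "examplebank.com", "created": "2008-03-12"},       # legitimate
    {"domain": "examplebnak.com", "created": "2024-05-02"},       # transposed letters
    {"domain": "exmplebank.net", "created": "2024-05-03"},        # omitted letter
    {"domain": "examp1ebank.com", "created": "2024-04-28"},       # homoglyph l -> 1
    {"domain": "examplebank-login.com", "created": "2024-05-04"}, # brand plus suffix
    {"domain": "examplebank.org", "created": "2019-01-15"},       # old: outside window
    {"domain": "weatherreport.net", "created": "2024-05-01"},     # unrelated
]
HOMOGLYPHS = {"l": "1", "i": "1", "o": "0", "e": "3", "s": "5"}


def typo_variants(name):
    # Single-edit lookalikes: dropped, doubled or swapped letters, digit homoglyphs
    out = set()
    for i, ch in enumerate(name):
        out.add(name[:i] + name[i + 1:])
        out.add(name[:i] + ch + name[i:])
        if i + 1 < len(name):
            out.add(name[:i] + name[i + 1] + ch + name[i + 2:])
        if ch in HOMOGLYPHS:
            out.add(name[:i] + HOMOGLYPHS[ch] + name[i + 1:])
    out.discard(name)
    return out


def classify(domain, brand, owned):
    # Why a registration resembles the brand, or None if it does not
    if domain in owned:
        return None
    label = domain.split(".")[0]
    if label == brand:
        return "brand on other TLD"
    if label in typo_variants(brand):
        return "typo variant"
    if brand in label:
        return "contains brand"
    return None


def flag_lookalikes(records, brand, owned, today, window_days=30):
    # Lookalikes whose creation date falls inside the last window_days days
    cutoff = date.fromisoformat(today) - timedelta(days=window_days)
    return [(r["domain"], reason, r["created"]) for r in records
            if (reason := classify(r["domain"], brand, owned))
            and date.fromisoformat(r["created"]) >= cutoff]
```

Older registrations such as the `.org` row are still reported by `classify` but fall outside the recency window, so a real scan would review them separately.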

2. Acquire domain screenshots

Knowing what a domain's content looked like months or years ago may serve as evidence in court or support an ongoing investigation. Applications such as domain API services let experts view past versions of a site's appearance, known as "web captures."

3. Obtain location-based details

Knowing a suspect's likely location is imperative to tracking down and apprehending perpetrators. Software such as an IP geolocation API can help by supplying the geographical details of an IP address: its country, region, city, coordinates, and even its ISP (bearing in mind that this locates the address and its provider, not necessarily the person operating it).

4. Threat hunting analysis

Lastly, investigators can obtain insight into how a domain was set up in order to learn the patterns malicious sites follow. Details about the CMS, developer libraries, and web hosts a website uses or has used before, as available through a threat intelligence platform, come in handy here.

There is no permanent halt to domain name crime. The good news is that organizations today can adapt alongside threat actors by using digital forensics know-how to counteract these attacks.

By Jonathan Zhang, Founder and CEO of WhoisXMLAPI & ThreatIntelligencePlatform.com
