
How to Build an Attack Profile with WHOIS Database Download as a Starting Point

Fighting cybercrime is a never-ending battle. As threat actors continue to craft different ways to attack and scam their target victims, companies need to build their security arsenals to fight against all kinds of threats. What's more, an effective way to achieve cyber resilience is to get to know the enemy and build attack profiles.

That's possible with the help of a WHOIS database. While the Internet can provide a trove of information about specific individuals and organizations, robust WHOIS information can also offer security researchers and threat hunters value — especially when it comes to identifying threat actors and expanding on indicators of compromise (IoCs) during an investigation.

Building an Attack Profile Using WHOIS Database Download

WHOIS Database Download has proven a useful ally to security experts when it comes to bolstering threat hunting. Information obtained from WHOIS records can reveal who is behind an attack, such as the offending domain's owner, organization, and more. When correlated with data gleaned from other security tools, a WHOIS database can help reveal connected domains, individuals, and other IoCs — allowing security teams to build attack profiles. Here's how:

1. Look for Domain Connections

WHOIS Database Download is available in MySQL or comma-separated values (CSV) format. Once you have access to the database, you can retrieve more information about a particular domain. You can filter on any of the following fields to spot similarities that can reveal ties to malicious activity:

  • Domain name
  • Contact email address
  • Registrant name
  • Registrant email address
  • Registrant organization

Let us say you are investigating a suspicious domain, easytogets[.]com, that keeps popping up in your network logs. (Note that http[:]//easytogets[.]com/xfxvqq/uxbkabm/ was recently spotted as an indicator of compromise [IoC] tied to a coronavirus-themed malware attack.) You can look up the domain in the WHOIS database and take note of important details such as the domain's registrant. In this case, that would be an organization named "Infinity Pro Soft."

Use the organization name as your next search term. Every domain in the database that shares it is a candidate for further investigation.

2. Confirm (or Disconfirm) Suspicions

Your list from the WHOIS database should contain eight domains for which Infinity Pro Soft appears as a registrant, namely:

  • aplusielts[.]com
  • infinityapple[.]online
  • jewelshop[.]online
  • mcdcard[.]com
  • mdccard[.]com
  • saumyafashion[.]com
  • thebestholidayhub[.]com
  • vimalsquare[.]com

To confirm whether any of them, along with easytogets[.]com, are malicious, you can consult various publicly accessible blocklists or malware databases like VirusTotal, or use a domain reputation lookup to run multiple checks at once. Our search, for instance, confirms that easytogets[.]com is malicious, while the other Infinity Pro Soft-owned domains seemed clean (at the time of writing).

3. Blacklist Offenders and Monitor Related Domains

Now that you are sure of the domain's nature, you can opt to block it entirely or block only the specific URL indicated in reports as an attack IoC (http[:]//easytogets[.]com/xfxvqq/uxbkabm/).

Blocking an entire domain is not always advised: if the domain turns out to have merely been compromised, you may be preventing legitimate users from visiting your sites or communicating with anyone on your network. It is fairly safe to block an entire domain, however, if your company has no business or other dealings with the affected company.

And even though the related domains are currently deemed safe to access, adding them to a watchlist for monitoring may be a good idea. The fact that one of Infinity Pro Soft's domains was a confirmed malware host says something about the security of its infrastructure; any of its other domains could end up part of an attack, too.
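The three steps above, as an added worked example that is not part of the original post or of WhoisXML API's own tooling: it loads a constructed CSV in the layout the post describes, pivots from the seed domain's registrant organization to its connected domains (refusing to pivot on a redacted or empty organization, which would otherwise link every privacy-protected record to the seed), and splits the results into a block list and a watchlist using a constructed stand-in for a reputation lookup. The column names, sample field values and the defanged domain notation are assumptions.

```python
import csv
import io

# Constructed sample in the CSV layout the post describes (a WHOIS database export).
# The domains and registrant are the post's; the other field values are made up.
SAMPLE_WHOIS_CSV = """domainName,registrantName,registrantOrganization,registrantEmail
easytogets[.]com,Domain Admin,Infinity Pro Soft,admin@example.invalid
aplusielts[.]com,Domain Admin,infinity pro soft ,admin@example.invalid
infinityapple[.]online,Domain Admin,Infinity Pro Soft,admin@example.invalid
jewelshop[.]online,Domain Admin,Infinity Pro Soft,admin@example.invalid
mcdcard[.]com,Domain Admin,INFINITY PRO SOFT,admin@example.invalid
mdccard[.]com,Domain Admin,Infinity Pro Soft,admin@example.invalid
saumyafashion[.]com,Domain Admin,Infinity Pro Soft,admin@example.invalid
thebestholidayhub[.]com,Domain Admin,Infinity Pro Soft,admin@example.invalid
vimalsquare[.]com,Domain Admin,Infinity Pro Soft,admin@example.invalid
unrelated[.]example,Jane Doe,Other Org Ltd,jane@example.invalid
redacted[.]example,REDACTED FOR PRIVACY,,
"""

# Constructed stand-in for a reputation lookup (the post names VirusTotal); only the IoC the post confirms is listed.
SAMPLE_BLOCKLIST = {"easytogets[.]com"}


def normalize(value):
    """Fold case and whitespace so small variations in registrant data still match."""
    return " ".join((value or "").split()).casefold()


def load_records(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def connected_domains(records, seed):
    """Step 1: pivot from the seed's registrant organization to every other domain sharing it.
    An empty (redacted) organization is never used as a pivot: it would link every
    privacy-protected registration in the database to the seed."""
    seed_rec = next((r for r in records if normalize(r["domainName"]) == normalize(seed)), None)
    if seed_rec is None:
        return None, []
    org = normalize(seed_rec["registrantOrganization"])
    if not org:
        return seed_rec["registrantOrganization"], []
    related = sorted(r["domainName"] for r in records
                     if normalize(r["registrantOrganization"]) == org
                     and normalize(r["domainName"]) != normalize(seed))
    return seed_rec["registrantOrganization"], related


def triage(records, seed, blocklist):
    """Steps 2-3: confirmed-malicious domains go to the block list, the rest to a watchlist."""
    org, related = connected_domains(records, seed)
    candidates = [seed] + related
    block = [d for d in candidates if d in blocklist]
    watch = [d for d in candidates if d not in blocklist]
    return {"registrant_org": org, "block": block, "watch": watch}
```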

* * *

Using WHOIS information derived from WHOIS Database Download can help cybersecurity experts know their enemies. With it, they can gain access to both current and historical domain records, build extensive attack profiles, and better protect their networks.

By WhoisXML API (Whois API, Inc.), a big data and API company that provides domain research and monitoring, Whois, DNS, IP, and threat intelligence APIs, data, and tools to a variety of industries.
