SecurityTrails Blog · Jul 19 · by Gianni Perez

How to Track the Movement of Malicious Actors Using Historical WHOIS Data

Reading time: 4 minutes

Cybersecurity is rife with different measures and practices that enrich analysis and guide decision-making.

Among these, WHOIS records play an essential role. WHOIS ("who is") is both a query protocol and the set of publicly queryable registry and registrar databases behind it. A record holds the registration details of a domain name (or an IP block): registrar, creation and expiry dates, name servers, and, at least historically, the name, address, and contact details of the registrant. A live lookup returns only the current record; the registration history of a domain comes from archived snapshots collected over time.

Data protection laws such as the GDPR (General Data Protection Regulation) have since caused most registrars to redact the registrant fields of individuals from public view. Even so, WHOIS remains a valuable source of domain information, particularly the historical records captured before redaction and the non-personal fields (registrar, dates, name servers) that are still published.

This brief post examines WHOIS's contribution to cybercrime investigations and highlights tools like the SecurityTrails API™ for programmatically retrieving current and historical WHOIS information for domains of interest. With this information, practitioners can gather evidence, establish associations between domains, and collaborate with the relevant stakeholders to take action against cybercriminals.

Tracking and Analyzing Historical Domain Registrations

Historical WHOIS records are particularly useful for detecting patterns in a threat actor's behavior over time. By examining how a domain's registration details change, analysts can spot suspicious activity and uncover links between domains and related entities. Key indicators include frequent changes in domain ownership, sudden surges in registrations from the same registrant, and patterns of domain usage that suggest malicious intent, such as phishing campaigns or the creation of fraudulent websites.

Various tools and methods can be employed to analyze historical WHOIS data. One approach is to use a threat intelligence platform with WHOIS analysis built in, such as our DNS and IP intelligence API. These platforms provide search functionality, data visualization, and alerting to identify patterns, detect anomalies, and track the activities of specific threat actors over time.

Establishing Connections and Attribution with WHOIS Historical Data

By analyzing the registrant information, registration dates, and other details in WHOIS records, investigators can identify patterns and link seemingly unrelated domains to a common owner or entity. This technique, often referred to as domain attribution, helps build a comprehensive picture of an actor's infrastructure, tactics, and potential motivations. One caveat: since redaction became the norm, a placeholder such as "REDACTED FOR PRIVACY" or a proxy service's contact details appears on millions of unrelated domains and must never be treated as a pivot; attribution relies instead on pre-redaction historical records and on fields that are still published, such as name servers, registrar, and creation dates.

For example, consider a cybersecurity investigation involving a phishing campaign. By examining the WHOIS records of multiple phishing domains used in the campaign, investigators may uncover similarities in the registrant details, such as shared email addresses, phone numbers, or fake identities.

In another example, a law enforcement agency investigating a network of illegal content distribution websites finds that the WHOIS records of multiple domains share identical or related contact information. This correlation points to a single entity or group behind the illicit network, helping investigators identify and hold the culprits accountable.
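The attribution step in both examples is a clustering problem: domains that share a usable registrant pivot (email, phone, name) belong together, and the linkage is transitive. The following Python is an added example, not code from SecurityTrails or from the post; the records are constructed, and the field names (`registrant_email`, `registrant_phone`, `registrant_name`) are a normalized schema assumed for illustration, not the format of any particular API response. The important detail is that redacted or proxy-service values are discarded before pivoting, so privacy-protected domains do not collapse into one giant false cluster.

```python
"""Link domains through shared WHOIS registrant pivots (constructed sample data)."""
from collections import defaultdict

# Placeholder strings registrars substitute for registrant fields since GDPR,
# plus wording typical of privacy/proxy services. Treating these as real values
# would glue every privacy-protected domain into one meaningless cluster.
REDACTION_MARKERS = ("redacted", "privacy", "withheld", "not disclosed", "data protected")

# Registrant fields worth pivoting on (assumed normalized schema, not an API format).
PIVOT_FIELDS = ("registrant_email", "registrant_phone", "registrant_name")

# Constructed records for hypothetical domains: three phishing-style domains tied
# together through partially redacted data, plus two unrelated domains.
SAMPLE_RECORDS = [
    {"domain": "login-secure-bank.example", "registrant_email": "ops77@mail.example",
     "registrant_phone": "+1.5550100", "registrant_name": "J. Doe"},
    {"domain": "verify-account-bank.example", "registrant_email": "Ops77@Mail.example",
     "registrant_phone": "REDACTED FOR PRIVACY", "registrant_name": "J. Doe"},
    {"domain": "bank-alerts-update.example", "registrant_email": "REDACTED FOR PRIVACY",
     "registrant_phone": "+1.5550100", "registrant_name": "Contact Privacy Inc. Customer 0123"},
    {"domain": "my-cooking-blog.example", "registrant_email": "REDACTED FOR PRIVACY",
     "registrant_phone": "REDACTED FOR PRIVACY", "registrant_name": "Data Protected"},
    {"domain": "shop-deals.example", "registrant_email": "owner@shop.example",
     "registrant_phone": "+1.5550199", "registrant_name": "Shop Owner"},
]


def usable_pivot(value):
    """Return a normalized pivot value, or None if it is empty or redacted."""
    if not value:
        return None
    v = " ".join(str(value).split()).lower()
    if any(marker in v for marker in REDACTION_MARKERS):
        return None
    return v


class DisjointSet:
    """Minimal union-find so that shared pivots link domains transitively."""

    def __init__(self):
        self.parent = {}

    def add(self, x):
        self.parent.setdefault(x, x)

    def find(self, x):
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_domains(records):
    """Group domains whose usable registrant pivots overlap, directly or transitively.

    Returns clusters sorted largest first; each is a dict with the sorted member
    domains and the (field, value) pivots that tie them together.
    """
    ds = DisjointSet()
    first_seen = {}            # (field, value) -> first domain carrying that pivot
    links = defaultdict(set)   # domain -> pivots that linked it to another domain
    for rec in records:
        domain = rec["domain"]
        ds.add(domain)
        for field in PIVOT_FIELDS:
            value = usable_pivot(rec.get(field))
            if value is None:
                continue                      # redacted/empty: no evidence, no link
            key = (field, value)
            if key in first_seen:
                other = first_seen[key]
                ds.union(domain, other)
                links[domain].add(key)
                links[other].add(key)
            else:
                first_seen[key] = domain
    groups = defaultdict(list)
    for rec in records:
        groups[ds.find(rec["domain"])].append(rec["domain"])
    clusters = []
    for members in groups.values():
        pivots = set()
        for m in members:
            pivots |= links[m]
        clusters.append({"domains": sorted(members), "pivots": sorted(pivots)})
    return sorted(clusters, key=lambda c: (-len(c["domains"]), c["domains"]))


if __name__ == "__main__":
    for cluster in cluster_domains(SAMPLE_RECORDS):
        print(cluster["domains"], "via", cluster["pivots"])
```

On the constructed input, the three bank-themed domains form one cluster (email links the first two, the phone number links the third) while the two privacy-protected or unrelated domains stay on their own. Name servers and registrar are deliberately left out of the pivot list: they are useful supporting evidence, but on shared hosting they are far too common to link domains on their own.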

Investigative Strategies: Analyzing Changes in Domain Ownership and Infrastructure

Another useful technique is to track changes to a domain's infrastructure, such as the IP addresses, name servers, or DNS records linked to it. A frequently cited case is the Emotet botnet, a notorious malware operation. Security researchers and law enforcement agencies monitored the botnet's infrastructure over time, including domain registrations and the IP addresses associated with its command-and-control (C2) servers, with WHOIS records among their sources. By comparing successive snapshots, researchers could spot new infrastructure as it came online and anticipate some of the operators' moves, which supported coordinated takedowns and mitigation.

In this context, the SecurityTrails API™ facilitates efficient tracking and analysis using historical WHOIS data. Regularly querying the API for a domain's WHOIS record and diffing it against the previous snapshot surfaces changes that warrant a closer look, such as a registrar transfer, a name-server move, or a new registrant, often well before the domain is used against you.
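Both the indicators listed earlier (frequent ownership changes, registration surges) and the snapshot-diffing described here reduce to the same small piece of logic, shown below as an added example rather than code from SecurityTrails or from the post. The fetching step is left out; the snapshots and creation dates are constructed inline, and the field names (`seen`, `registrar`, `registrant_email`, `name_servers`, `expires`) are an assumed normalized schema, not any API's response format. Name servers are compared case- and order-insensitively so that a registrar simply reordering the list does not produce a false alert.

```python
"""Diff successive WHOIS snapshots of one domain and flag notable changes (constructed data)."""
from datetime import date

# Fields compared between snapshots (assumed normalized schema, not an API format).
WATCHED_FIELDS = ("registrar", "registrant_email", "name_servers", "expires")

# Constructed history for a hypothetical domain: quiet for months, then a registrar
# transfer, redaction and name-server move in one step, and another registrant
# change two months later. The second snapshot only reorders/recases the name
# servers and must not be reported as a change.
SNAPSHOTS = [
    {"seen": "2023-01-10", "registrar": "Registrar A", "registrant_email": "alice@corp.example",
     "name_servers": ["ns1.corp.example", "ns2.corp.example"], "expires": "2024-01-10"},
    {"seen": "2023-06-02", "registrar": "Registrar A", "registrant_email": "alice@corp.example",
     "name_servers": ["NS2.corp.example", "ns1.corp.example"], "expires": "2024-01-10"},
    {"seen": "2023-09-15", "registrar": "Registrar B", "registrant_email": "REDACTED FOR PRIVACY",
     "name_servers": ["ns1.cheap-host.example", "ns2.cheap-host.example"], "expires": "2024-01-10"},
    {"seen": "2023-11-20", "registrar": "Registrar B", "registrant_email": "throwaway99@mail.example",
     "name_servers": ["ns1.cheap-host.example", "ns2.cheap-host.example"], "expires": "2024-11-20"},
]

# Constructed creation dates of domains sharing a registrant pivot (see attribution above).
CREATED_DATES = ["2023-09-13", "2023-09-12", "2023-09-13", "2023-09-16", "2023-10-30"]


def diff_snapshots(snapshots):
    """Return a chronological list of (seen_date, field, old, new) changes."""
    ordered = sorted(snapshots, key=lambda s: s["seen"])
    changes = []
    for prev, cur in zip(ordered, ordered[1:]):
        for field in WATCHED_FIELDS:
            old, new = prev.get(field), cur.get(field)
            if field == "name_servers":
                # Order and case carry no meaning; normalize before comparing.
                old = tuple(sorted(x.lower() for x in old or []))
                new = tuple(sorted(x.lower() for x in new or []))
            if old != new:
                changes.append((cur["seen"], field, old, new))
    return changes


def flag_changes(changes, max_days_between_owner_changes=90):
    """Turn raw changes into findings an analyst would want to review."""
    findings = []
    owner_change_dates = []
    for seen, field, old, new in changes:
        if field == "registrar":
            findings.append(f"{seen}: registrar transfer {old} -> {new}")
        elif field == "registrant_email":
            owner_change_dates.append(date.fromisoformat(seen))
        elif field == "name_servers":
            findings.append(f"{seen}: name servers moved {old} -> {new}")
    # Frequent ownership changes are one of the indicators the post calls out.
    for a, b in zip(owner_change_dates, owner_change_dates[1:]):
        gap = (b - a).days
        if gap <= max_days_between_owner_changes:
            findings.append(f"{b.isoformat()}: registrant changed again within {gap} days")
    return findings


def registration_bursts(created_dates, window_days=7, threshold=3):
    """Return (window_start, count) for windows holding at least `threshold` registrations.

    Sliding window over sorted dates; windows that end at the same point as the
    previous one are subsets and are skipped to keep the output readable.
    """
    ds = sorted(date.fromisoformat(d) for d in created_dates)
    bursts, j, last_j = [], 0, -1
    for i, start in enumerate(ds):
        while j < len(ds) and (ds[j] - start).days <= window_days:
            j += 1
        if j == last_j:
            continue
        last_j = j
        if j - i >= threshold:
            bursts.append((start.isoformat(), j - i))
    return bursts


if __name__ == "__main__":
    for line in flag_changes(diff_snapshots(SNAPSHOTS)):
        print(line)
    print("registration bursts:", registration_bursts(CREATED_DATES))
```

In practice the `SNAPSHOTS` list is what you would accumulate by storing each scheduled lookup, and the findings would feed an alerting rule rather than `print`; the diff itself is the same whatever the source.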


Overall, the SecurityTrails API™ is a valuable tool for conducting efficient and effective WHOIS IP or domain lookups, providing a wealth of actionable intelligence and supporting features to aid in cybercrime investigations, domain research, and monitoring of domain-related activities.


In short, by integrating the SecurityTrails API™ into threat intelligence platforms or custom analysis tools, cybersecurity professionals can strengthen their proactive threat detection, keep pace with emerging threats, and better safeguard their systems and networks.

About the author: Gianni Perez

Gianni is a technical writer at SecurityTrails and an adjunct college cybersecurity instructor with over two decades of infosec experience. He knows firsthand the demands security professionals face, and draws on his background in IT systems administration, software development, and automation to provide security insights that make a real difference.
