Knowing the backstory of a domain name matters if organizations are to stay well away from threats that can put their networks, employees, customers, partners, and stakeholders at risk. One of the most effective ways to see a domain's entire life cycle, from first registration through every change of registrar and owner, is to obtain historical WHOIS data from a reliable database such as domainnamestat.com/whois-history.
This post walks through three common ways in which domain ownership history helps keep a company secure.
Obtain Domain History Details to Avoid Associations with Malicious Activity
Trusted-looking domains, whether look-alikes or compromised legitimate names, are mainstays in a threat actor's arsenal. Case in point: the domain name crt[.]sectigo[.]com has been cited as a Clop ransomware source. Clop is believed responsible for the attack against Software AG, the second-largest software vendor in Germany, last October.
While it is true that attackers often employ newly registered domains (NRDs) in their campaigns, this particular entry point is not new. A historical WHOIS query for crt[.]sectigo[.]com revealed that it was created on 16 August 2018. It has six WHOIS records in total, has changed registrars twice and owners three times, and has undergone 247 modifications. Note that WHOIS data is kept per registered domain rather than per hostname, so a history lookup on a subdomain such as this one returns the records of its parent second-level domain.
The domain's current WHOIS record indicates that it is owned by a legitimate U.K.-based company, and threat actors may have compromised it specifically for use in ransomware attacks. Its earliest records, however, point to an individual with the initials J.S. who was based in the U.S. and who may have a connection, direct or indirect, to the attack. Ownership history alone cannot establish such a connection, so a lead like this needs corroboration from other sources before anyone acts on it.
Organizations that do business with the domain's legitimate current owner are the most exposed: an email whose embedded link points to a domain they already trust is far more likely to be clicked.
Steer Clear of Domains Previously Owned by Known Cybercriminals
Since domains are part and parcel of almost any malicious campaign, threat actors keep a supply of them on hand. When attackers are identified and arrested, some of the domains they registered for their operations expire and drop back into the pool of names available for registration. An organization registering a name for a newly founded business can therefore unknowingly pick up one that once belonged to an identified perpetrator, along with whatever blocklist entries and bad reputation it accumulated.
Take Zhang Haoran, also known as "Black Alex," "Metasploit," or "EvilC0de," who appears on the Federal Bureau of Investigation (FBI)'s Cyber's Most Wanted list. He is part of the hacking group APT41 and was indicted in the U.S. on 15 August 2019 on charges including conspiracy to cause damage to protected computers and to obtain information from them by unauthorized access, in connection with intrusions targeting high-tech and video game companies and a U.K. citizen.
Scouring the records in a WHOIS history database turns up 142 domains that list Zhang Haoran as their registrant contact name. The list includes cungong[.]bid and zzzhaoran[.]top, both of which are flagged as malicious by engines on VirusTotal. A registrant-name match is a starting point rather than proof, since a name can be shared by unrelated people; before treating every hit as his, corroborate with shared email addresses, phone numbers, name servers, or registration dates across the records.
Any company that ends up purchasing and using one of these domains for its business may run into blocklisting problems, missing out on opportunities and tarnishing its reputation in the process.
Jumpstart Any Cyber Investigation Despite WHOIS Record Redaction
Since the General Data Protection Regulation (GDPR) and other data privacy laws took effect, registrars and registrants the world over have redacted personal data from publicly accessible WHOIS records. This has made it harder for cyber investigators to identify who is behind an attack. It is not impossible, though, because a domain's WHOIS history often retains records captured before the redaction began.
Take the domain fargohost[.]com as an example. It is a verified phishing domain on PhishTank. While its WHOIS records have been redacted for privacy from 29 June 2018 to the present, its historical WHOIS record dated 3 March 2018 names an individual with the initials A.F., based in the U.S., as its owner. A cyber investigator or law enforcement agent looking for clues about the current registrant can therefore contact either the domain's current registrar, eNom, LLC, or its last known owner, A.F., whose contact details appear in the 3 March 2018 record. The pre-redaction owner is not necessarily the current one, so that record is a lead to follow up, not an identification.
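The three sections above all reduce to the same handful of operations over a set of historical WHOIS snapshots: summarising how often a domain changed registrar or owner (the crt[.]sectigo[.]com case), pivoting from a registrant name to every domain it ever appeared on (the Zhang Haoran case), and finding the last snapshot captured before a privacy proxy redacted the registrant fields (the fargohost[.]com case). The following Python is an added example written for this post; it is not code from domainnamestat.com or any WHOIS provider, and the domains, registrars, people and dates in its sample data are constructed and hypothetical rather than the real records of the domains discussed. The `WhoisSnapshot` fields, the redaction markers and the 30-day NRD threshold are all assumptions; a real feed would be mapped onto them.

```python
"""Pivoting over historical WHOIS snapshots: ownership diffs, redaction
gaps and registrant pivots. All sample data below is constructed and
hypothetical; it is not the real record of any domain."""
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List, Optional, Set

# Strings that privacy/proxy services typically put in registrant fields (assumed list).
REDACTION_MARKERS = ("redacted", "privacy", "proxy", "data protected", "not disclosed")
NRD_THRESHOLD_DAYS = 30  # assumed cut-off for "newly registered"


@dataclass(frozen=True)
class WhoisSnapshot:
    domain: str            # registered (second-level) domain, never a hostname
    captured: date         # when this historical record was captured
    registrar: str
    registrant_name: str
    registrant_email: str
    created: date          # creation date as shown in the record


def is_redacted(snap: WhoisSnapshot) -> bool:
    """A snapshot is redacted if its registrant fields carry a proxy marker."""
    blob = f"{snap.registrant_name} {snap.registrant_email}".lower()
    return any(marker in blob for marker in REDACTION_MARKERS)


def _norm(name: str) -> str:
    """Case- and whitespace-insensitive form of a registrant name."""
    return " ".join(name.lower().split())


def history(snaps: Iterable[WhoisSnapshot], domain: str) -> List[WhoisSnapshot]:
    """Chronological snapshots for one registered domain."""
    return sorted((s for s in snaps if s.domain == domain), key=lambda s: s.captured)


def ownership_summary(snaps: Iterable[WhoisSnapshot], domain: str, as_of: date) -> dict:
    """Creation date, snapshot count, registrar and owner changes, NRD flag."""
    hist = history(snaps, domain)
    if not hist:
        raise ValueError(f"no history for {domain}")
    # Registrar fields are never redacted, so compare every consecutive pair.
    registrar_changes = sum(a.registrar != b.registrar for a, b in zip(hist, hist[1:]))
    # Owner changes are counted only between consecutive *unredacted* snapshots,
    # so a proxy gap neither hides a change across it nor fakes one. The count
    # is a lower bound: a change that happened and reverted inside the gap is invisible.
    visible = [s for s in hist if not is_redacted(s)]
    registrant_changes = sum(
        _norm(a.registrant_name) != _norm(b.registrant_name) for a, b in zip(visible, visible[1:])
    )
    age_days = (as_of - hist[-1].created).days
    return {
        "created": hist[-1].created,
        "snapshots": len(hist),
        "registrar_changes": registrar_changes,
        "registrant_changes": registrant_changes,
        "newly_registered": age_days < NRD_THRESHOLD_DAYS,
    }


def last_unredacted(snaps: Iterable[WhoisSnapshot], domain: str) -> Optional[WhoisSnapshot]:
    """Most recent snapshot whose registrant fields were still public."""
    visible = [s for s in history(snaps, domain) if not is_redacted(s)]
    return visible[-1] if visible else None


def redaction_started(snaps: Iterable[WhoisSnapshot], domain: str) -> Optional[date]:
    """Capture date of the first redacted snapshot that follows a public one."""
    hist = history(snaps, domain)
    for prev, cur in zip(hist, hist[1:]):
        if not is_redacted(prev) and is_redacted(cur):
            return cur.captured
    return None


def domains_by_registrant(snaps: Iterable[WhoisSnapshot], name: str) -> Set[str]:
    """Every domain that carried this registrant name in any historical snapshot."""
    target = _norm(name)
    return {s.domain for s in snaps if _norm(s.registrant_name) == target}


D = date
# Constructed sample history: hypothetical domains, registrars and people.
SAMPLE = [
    WhoisSnapshot("example-one.com", D(2018, 8, 16), "Registrar A", "J. Sample", "js@example.net", D(2018, 8, 16)),
    WhoisSnapshot("example-one.com", D(2019, 2, 1), "Registrar A", "REDACTED FOR PRIVACY", "query@proxy.invalid", D(2018, 8, 16)),
    WhoisSnapshot("example-one.com", D(2019, 9, 1), "Registrar B", "Example Holdings Ltd", "legal@example-one.com", D(2018, 8, 16)),
    WhoisSnapshot("example-one.com", D(2020, 5, 1), "Registrar B", "Example Holdings Ltd", "legal@example-one.com", D(2018, 8, 16)),
    WhoisSnapshot("example-two.top", D(2017, 3, 1), "Registrar C", "Zed Registrant", "zed@example.org", D(2017, 3, 1)),
    WhoisSnapshot("example-three.bid", D(2017, 6, 1), "Registrar C", "zed  registrant", "zed@example.org", D(2017, 6, 1)),
    WhoisSnapshot("example-three.bid", D(2018, 3, 3), "Registrar D", "A. Finder", "af@example.org", D(2017, 6, 1)),
    WhoisSnapshot("example-three.bid", D(2018, 6, 29), "Registrar D", "Data Protected", "redacted@proxy.invalid", D(2017, 6, 1)),
]

if __name__ == "__main__":
    print(ownership_summary(SAMPLE, "example-one.com", D(2020, 10, 1)))
    print(last_unredacted(SAMPLE, "example-three.bid"))
    print(redaction_started(SAMPLE, "example-three.bid"))
    print(sorted(domains_by_registrant(SAMPLE, "Zed Registrant")))
```

The owner-change counter deliberately skips redacted snapshots and compares the last public identity before a gap with the first one after it; counting the transition into "REDACTED FOR PRIVACY" as an ownership change is the most common mistake when this is scripted naively. The registrant pivot normalises case and whitespace but nothing else, which is why the text above recommends corroborating name hits with emails, phones or name servers.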
—
Most threat actors use pseudonyms and privacy protection services to avoid identification, but they are only human. They make mistakes, such as forgetting to scrub personally identifiable information (PII) from a domain's earlier ownership records before turning privacy protection on. That carelessness is a gain for defenders and investigators, who can scour a WHOIS history database for even the smallest traces left behind.