WHOIS Database Download for Cybersecurity:
Checking the Public Attribution of Root Domains
13:18 14 December 2020
A recent study of the top 25 Fortune 500 companies’ domain footprints revealed that many of the domain names containing their brands may not be under their direct control. Such domains could be used in phishing, business email compromise (BEC), and other cyber attacks.
But as the same study showed, organizations can protect their digital assets and identities with specialized tools like WHOIS Database Download. Learn more about WHOIS databases on whoisxmlapi.com.
WHOIS Database: Cyber Investigation Starting Point
Investigating a cybercrime or any other cyber attack can be hard to start. You need a pivot point, and that is where a WHOIS database can help. Given a domain name, the dataset tells you who registered it, through which registrar, when, and with which contact details.
The study mentioned earlier is a good example. It started by determining whether any of the top Fortune 500 companies’ WHOIS records had been redacted, which is a straightforward check against a WHOIS database. All of our WHOIS tools, including Bulk WHOIS Lookup (the service used in the study), pull data from our WHOIS database, which contains billions of records with thousands more added each day.
Data from the WHOIS database allowed us to determine that the records of two of the top 25 Fortune 500 companies (Walmart and Berkshire Hathaway) are redacted and do not show the owner’s details. This left a reduced sample comprising these 23 Fortune 500 companies:
Table 1: Top 23 Fortune 500 Companies and Their Respective Registrant Organizations

| Rank | Company | Registrant Organization |
|---|---|---|
| 2 | Amazon | Amazon Technologies, Inc. |
| 3 | Exxon Mobil | Exxon Mobil Corporation |
| 4 | Apple | Apple Inc. |
| 5 | CVS Health | CVS Pharmacy, Inc. |
| 7 | UnitedHealth Group | UnitedHealth Group Incorporated |
| 8 | McKesson | McKesson Corporation |
| 9 | AT&T | AT&T Services, Inc. |
| 10 | AmerisourceBergen | AmerisourceBergen Corporation |
| 11 | Alphabet | Google LLC |
| 12 | Ford Motor | Ford Motor Company |
| 13 | Cigna | Cigna Intellectual Property, Inc. |
| 14 | Costco Wholesale | Costco Wholesale Membership, Inc. |
| 15 | Chevron | Chevron Corp. |
| 16 | Cardinal Health | Cardinal Health |
| 17 | JPMorgan Chase | JPMorgan Chase & Co. |
| 18 | General Motors | General Motors LLC |
| 19 | Walgreens Boots Alliance | Walgreens |
| 20 | Verizon Communications | Verizon Trademark Services LLC |
| 21 | Microsoft | Microsoft Corporation |
| 22 | Marathon Petroleum | Marathon Petroleum Company |
| 23 | Kroger | The Kroger Co. |
| 24 | Fannie Mae | Fannie Mae |
| 25 | Bank of America | Bank of America |
The WHOIS database also allowed us to identify each company’s official registrant organization name, which we needed to continue the investigation.
From there, additional data from reverse WHOIS queries was gathered to identify each company’s possible domain attack surface: every domain name containing the company’s brand. For this particular operation, the registrant organization name exactly as it appears on the company’s own WHOIS record (Table 1) was used as the ownership check, so a brand-containing domain counted as attributable only when its registrant organization matched that string. Note that these names vary in form (“Chevron Corp.”, “Google LLC” for Alphabet), so the comparison has to use the recorded name rather than the brand. The comparison revealed the results shown in the figure below.
Other PII You Can Get from a WHOIS Database
Cyber investigators need a data point that uniquely identifies the organization under scrutiny. The featured study used the companies’ official registrant organization names, for instance. But that is not the only unique identifier you can get out of a WHOIS database. You can also use the following data points, which double as personally identifiable information (PII):
- Registrant’s email address
- Registrant’s complete street address
- Registrant’s phone or fax number
- Administrative/Technical/Billing contact’s email address
Using the companies’ registered administrative contact email address as the search term instead, you get a second data set for analysis, summarized in the figure below. The orange bar portions pertain to domain names that are not publicly attributable to the company, while the blue ones refer to those under the organization’s control.
Using the administrative contact email address as the company identifier, 45% of the domain names containing the brands of 13 of the top 25 Fortune 500 companies are not under their control and could figure in malicious campaigns.
Note that Amazon, Apple, CVS Health, AT&T, JPMorgan Chase, Walgreens Boots Alliance, and Bank of America were left out of the figure above because they owned more of the domains returned by the reverse WHOIS search than not. Exxon Mobil, Alphabet, and Verizon Communications, meanwhile, were excluded from the sample because their administrative contact details are not disclosed, leaving nothing to pivot on.
While the ratio based on the registrant organization differed from the one based on the administrative contact email address, one thing remains: a large share of the domains containing the Fortune 500 companies’ brands or names cannot be shown to be theirs. Using other WHOIS record details as the identifier may yield similar findings.
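The two comparisons described above (pivoting on the registrant organization, then on the administrative contact email) follow the same procedure, shown here as an added, self-contained Python example. It is not code from whoisxmlapi.com or from the study: the WHOIS records, the brand “Acme”, and the `.example` domains are constructed for illustration, and in practice the records would come from a WHOIS database download or a reverse WHOIS query. The example also handles the two exclusions the study made: a company whose own record is redacted cannot be used as a pivot, and a brand-containing domain whose identifier is redacted or missing counts as not publicly attributable.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Field values that carry no attributable identity. A real dataset has more variants
# (registrar-specific privacy strings); extend this set as you encounter them.
REDACTED_MARKERS = {"", "redacted for privacy", "data redacted", "n/a", "not disclosed"}


@dataclass(frozen=True)
class WhoisRecord:
    """One parsed WHOIS record, reduced to the fields this check needs (constructed shape)."""
    domain: str
    registrant_org: Optional[str]
    admin_email: Optional[str]


def normalize(value: Optional[str]) -> str:
    """Case-fold, collapse whitespace, drop trailing punctuation so 'ACME Corp.' == 'acme corp'."""
    if value is None:
        return ""
    return " ".join(value.lower().split()).rstrip(".,")


def is_redacted(value: Optional[str]) -> bool:
    """True when the field is missing or privacy-masked, i.e. it identifies nobody."""
    norm = normalize(value)
    return norm in REDACTED_MARKERS or "redacted" in norm


def contains_brand(domain: str, brand: str) -> bool:
    """Match the brand string inside the domain name, ignoring the final (TLD) label."""
    labels = domain.lower().rstrip(".").split(".")
    name_part = ".".join(labels[:-1]) if len(labels) > 1 else labels[0]
    return brand.lower() in name_part


def classify(records: Iterable[WhoisRecord], brand: str, official: WhoisRecord,
             identifier: str) -> Optional[Dict[str, bool]]:
    """Label every brand-containing domain as attributable (True) or not (False).

    identifier is the record field used as the pivot: 'registrant_org' or 'admin_email'.
    Returns None when the owner's own identifier is redacted: there is nothing to
    compare against, which is why the study dropped such companies from the sample.
    """
    if identifier not in ("registrant_org", "admin_email"):
        raise ValueError(f"unknown identifier: {identifier}")
    pivot = getattr(official, identifier)
    if is_redacted(pivot):
        return None
    pivot_norm = normalize(pivot)
    verdicts: Dict[str, bool] = {}
    for rec in records:
        if not contains_brand(rec.domain, brand):
            continue  # out of scope: the domain does not carry the brand at all
        value = getattr(rec, identifier)
        verdicts[rec.domain] = (not is_redacted(value)) and normalize(value) == pivot_norm
    return verdicts


def attribution_report(records: Iterable[WhoisRecord], brand: str, official: WhoisRecord,
                       identifier: str) -> Optional[dict]:
    """Aggregate classify() into the counts and percentage the study's bar charts show."""
    verdicts = classify(records, brand, official, identifier)
    if verdicts is None:
        return None
    total = len(verdicts)
    attributable = sum(verdicts.values())
    not_attributable = total - attributable
    return {
        "brand": brand,
        "identifier": identifier,
        "total": total,
        "attributable": attributable,
        "not_attributable": not_attributable,
        "pct_not_attributable": round(100.0 * not_attributable / total, 1) if total else 0.0,
    }


# Constructed sample: the brand owner's own record plus reverse WHOIS hits for "acme".
OFFICIAL = WhoisRecord("acme.example", "Acme Corporation", "domains@acme.example")
RECORDS = [
    OFFICIAL,
    WhoisRecord("acme-store.example", "ACME Corporation", "hostmaster@acme.example"),  # same org, other mailbox
    WhoisRecord("acme-support.example", "Acme Corporation", "domains@acme.example"),
    WhoisRecord("acme-login.example", "Redacted for Privacy", "redacted@privacyguard.example"),
    WhoisRecord("myacme-rewards.example", "Blue Sky Marketing LLC", "admin@bluesky.example"),
    WhoisRecord("acmecorp.example", None, None),  # record with no contact fields at all
    WhoisRecord("unrelated.example", "Acme Corporation", "domains@acme.example"),  # no brand in name
]
# A company whose own record is redacted, the Walmart/Berkshire Hathaway case.
REDACTED_OFFICIAL = WhoisRecord("bigbox.example", "Redacted for Privacy", None)

if __name__ == "__main__":
    for ident in ("registrant_org", "admin_email"):
        print(attribution_report(RECORDS, "Acme", OFFICIAL, ident))
    print(attribution_report(RECORDS, "Acme", REDACTED_OFFICIAL, "registrant_org"))
```

On the constructed data the registrant-organization pivot marks 3 of 6 brand-containing domains as not attributable (50%), while the admin-email pivot marks 4 of 6 (66.7%) because `acme-store.example` uses a different mailbox under the same organization. That gap is the same effect the study saw when it switched identifiers, and it is why a second identifier is worth checking before concluding a domain is foreign.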
---
As shown, a WHOIS database can be a useful starting point for cybersecurity research. It provides the information needed to keep an investigation going from an initial clue, whether that is a domain name or any other detail present in a WHOIS record.