
Finding A Phish A Home: Identifying Phishing and Malware Internet Locations

Part of IID's Takedown Taekwondo Series

In a previous post in our Takedown Taekwondo series, we talked about identifying phishing websites for takedown. Once we’ve determined that what we’re looking at is a phishing site, the investigation turns to figuring out where that phish is located so that we can get it killed. The “where” of phishing, and of the Internet in general, is an interesting question. The phishing scam might be impersonating a bank in the U.S., the criminal might be located in Romania and the hacked site might “live” on a server in Brazil. For a hacked website, figuring out where that phishing site “lives” is a matter of running down the hosting company or website owner. In either case, that information can generally be found in the whois data.

What is Whois?

Whois data is a catalog of information about a given Internet entity, including the name and contact information of the owner of a domain, as well as information about who sold the domain (the registrar) and where it is hosted on the Internet (the web host). Whois information about domains and IP addresses can be found on whois.com, whois.net, domaintools.com and the many other similar websites available online. Registrars’ websites also often provide a whois tool.

Domain whois data, when current and not fabricated, can be a huge asset in tracking down the right people to assist with getting malicious and fraudulent material off of the Internet. When any person registers a new domain, information about that person is cataloged in the whois record for that domain. Domain registrants have the option of keeping that information private for a small fee by purchasing whois privacy protection. Both innocent and criminal registrants take advantage of privacy protection on a regular basis. Because criminals typically buy domains for fraud with stolen credit cards, the added cost of the privacy protection is not a deterrent to them. In fact, using privacy protection may even help keep their phish up longer, as the whois appears to be perfectly legitimate.

When cyber criminals don’t use privacy protection, they still keep their identities hidden in a simple way: they lie. They’re criminals, after all, and don’t want to be found. Whois information for those domains might show Donald Duck as the registrant, living at a nonexistent address with a six-digit phone number.

When that happens, it’s a clear indicator that the domain was registered solely for fraud and the next step is easy to determine: contact the registrar who sold the domain. The name and contact information for the domain registrar can be found in the domain whois information.

Unlike the registrant information, domain registrar information cannot be faked or altered, making it a reliable source in hunting down a responsible party. And registrars are expected to be responsive to reports of fraudulently registered domains, especially when those domains host criminal content online, so this is typically a fruitful next step.

When a website has been hacked, the domain whois data is typically valid, since the domain was registered legally. As long as that whois information is not protected by a privacy service, it can be useful for getting in touch with the site owner. If that information is protected or is out of date, the IP whois record offers some valuable information: the webhost. Information about what company is hosting content on the Internet is public and always available through IP whois. Between the registrar, the webhost and the site owner (assuming that person is not the criminal responsible for the phish!), the whois data gives our team some starting options regarding who to contact to get that content offline.
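The triage described above (read the domain whois, decide whether the registrant block is privacy-protected, fabricated or plausible, then fall back to the IP whois for the webhost) is mechanical enough to script. The following is an added example written for this post, not IID's own tooling or any tool the post describes. It assumes whois output in the common `Key: Value` layout, that the registrar's abuse mailbox appears as `Registrar Abuse Contact Email` and the host's as `OrgAbuseEmail` (or RIPE-style `abuse-mailbox`), and it uses a small constructed list of placeholder names and a "fewer than seven digits" phone check as its only fabrication heuristics. All records, domains, names, phone numbers and e-mail addresses in the block are invented.

```python
import re

# Constructed sample whois records. Every domain, name, address, phone number
# and e-mail below is invented for this example; 203.0.113.0/24 is the
# RFC 5737 documentation range, not a real hosting network.
FRAUD_DOMAIN_WHOIS = """\
Domain Name: SECURE-BANK-LOGIN-VERIFY.EXAMPLE
Registrar: Example Registrar, Inc.
Registrar Abuse Contact Email: abuse@registrar.example
Registrar Abuse Contact Phone: +1.5555550100
Registrant Name: Donald Duck
Registrant Street: 1 Nonexistent Road
Registrant Email: dduck@mail.example
Registrant Phone: 123456
"""

HACKED_PRIVACY_WHOIS = """\
Domain Name: FAMILY-BAKERY.EXAMPLE
Registrar: Other Registrar LLC
Registrar Abuse Contact Email: abuse@other-registrar.example
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: Privacy Service, Inc.
Registrant Email: proxy-4711@privacy-service.example
Registrant Phone: +1.5555550199
"""

HACKED_PLAIN_WHOIS = """\
Domain Name: FAMILY-BAKERY.EXAMPLE
Registrar: Other Registrar LLC
Registrar Abuse Contact Email: abuse@other-registrar.example
Registrant Name: Jane Baker
Registrant Organization: Jane's Bakery
Registrant Email: jane@family-bakery.example
Registrant Phone: +1.5555550142
"""

HOST_IP_WHOIS = """\
NetRange:       203.0.113.0 - 203.0.113.255
NetName:        EXAMPLEHOST-NET
OrgName:        Example Hosting Co.
OrgAbuseEmail:  abuse@examplehost.example
OrgAbusePhone:  +1-555-555-0150
"""

# Strings that whois privacy/proxy services leave in registrant fields.
PRIVACY_MARKERS = ("redacted", "privacy", "proxy")
# Constructed list of placeholder names; extend from your own case history.
PLACEHOLDER_NAMES = {"donald duck", "mickey mouse", "john doe"}


def parse_whois(text: str) -> dict:
    """Turn 'Key: Value' whois lines into a dict keyed by a normalised name
    (lower-cased, whitespace removed); the first occurrence of a key wins."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line or line.lstrip().startswith(("%", "#", ">>>")):
            continue  # comments, disclaimers and blank lines carry no fields
        key, _, value = line.partition(":")
        key = re.sub(r"\s+", "", key).lower()
        value = value.strip()
        if value and key not in fields:
            fields[key] = value
    return fields


def registrant_assessment(fields: dict) -> tuple:
    """Classify the registrant block as 'privacy-protected', 'likely-fabricated'
    or 'plausible' and return the verdict with its reasons. Heuristics only:
    a placeholder name or an impossibly short phone number are the tells."""
    name = fields.get("registrantname", "").lower()
    org = fields.get("registrantorganization", "").lower()
    phone = fields.get("registrantphone", "")
    if any(m in name or m in org for m in PRIVACY_MARKERS):
        return "privacy-protected", ["registrant fields belong to a privacy service"]
    reasons = []
    if name in PLACEHOLDER_NAMES:
        reasons.append(f"placeholder registrant name {name!r}")
    digits = re.sub(r"\D", "", phone)
    if phone and len(digits) < 7:
        reasons.append(f"phone number has only {len(digits)} digits")
    return ("likely-fabricated", reasons) if reasons else ("plausible", [])


def takedown_contacts(domain_whois: str, ip_whois: str) -> list:
    """Order the parties worth contacting, as dicts with role, contact and why."""
    dom, net = parse_whois(domain_whois), parse_whois(ip_whois)
    verdict, reasons = registrant_assessment(dom)
    registrar = {"role": "registrar",
                 "contact": dom.get("registrarabusecontactemail", "unknown"),
                 "why": f"{dom.get('registrar', 'registrar')} sold the domain"}
    host = {"role": "webhost",
            "contact": net.get("orgabuseemail", net.get("abuse-mailbox", "unknown")),
            "why": f"{net.get('orgname', net.get('netname', 'host'))} hosts the IP"}
    owner = {"role": "site owner", "contact": dom.get("registrantemail", "unknown"),
             "why": "registrant data looks genuine; probably a hacked site"}
    if verdict == "likely-fabricated":
        registrar["why"] += "; fabricated registrant: " + "; ".join(reasons)
        return [registrar, host]          # domain bought for fraud: no owner to help
    if verdict == "privacy-protected":
        return [host, registrar]          # owner hidden; host and registrar remain
    return [owner, host, registrar]       # hacked site with a reachable owner


if __name__ == "__main__":
    for record in (FRAUD_DOMAIN_WHOIS, HACKED_PRIVACY_WHOIS, HACKED_PLAIN_WHOIS):
        print(parse_whois(record)["domainname"])
        for c in takedown_contacts(record, HOST_IP_WHOIS):
            print(f"  {c['role']:<10} {c['contact']:<40} {c['why']}")
```

Running it prints a contact list per record: the fraud domain goes straight to the registrar's abuse desk with the fabrication reasons attached, the privacy-protected hacked site starts with the webhost, and the plainly registered hacked site starts with the owner's own e-mail. Real whois output varies by registry and registrar, so treat the field names as the first thing to adjust when pointing this at live data.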

Whois Isn’t The Only Option

But whois records aren’t the only place to find contact information about the owner of a website, or about the company that hosts it online. Typically, a website will offer ways for visitors to contact its owner or operator, and ISPs and webhosts have contact information on their sites as well. Even if this means contacting a site owner in a comments section on their blog, that method can be useful in getting the word out that we need to speak with them. All contact avenues are explored when the race is on to get illegal content taken offline. Once we know where the phishing site lives on the Internet, we’re ready to move on to the next step in getting that phish killed. We’ll discuss working with registrars, webhosts, site owners and others in future posts. Stay tuned!
