WHOIS Data 101
About WHOIS Data
For more than 25 years, domain name registrants have been required to provide contact information, including name, address, phone number, and email address when they register a domain name. Combined with certain other attributes of a domain name’s registration, this is collectively called WHOIS data.
By default, WHOIS data is made publicly available for generic top-level domain (gTLD) spaces like .COM, as well as certain country-code (ccTLD) spaces. This is like a “white pages” for domain names; it tells you who owns what on the internet.
WHOIS records are used by law enforcement, cybersecurity investigators, copyright and trademark holders, consumers and their advocates, academics, and others to determine who is operating a website, sending an email, or even attacking them online.
Critical Uses of WHOIS Data
WHOIS data is a critical tool for law enforcement, cybersecurity practitioners, and brand protection agencies. As the world becomes more interconnected, and information flows freely between different networks and over geographic boundaries, WHOIS data helps preserve the essential notion that the internet is a safe and secure place to do business.
Here are 10 reasons why WHOIS data must remain open and accessible:
1. Enables law enforcement to do fact-finding
Accessible WHOIS data is important to law enforcement and regulators tasked with protecting consumers. Such data provides information about who may operate illegal sites, common connections between suspect sites, and the identity of Internet Service Providers to contact for additional evidence.
2. Protects and promotes commerce
When a consumer enters a brick and mortar retail store, she can easily deduce the retailer’s identity and evaluate its trustworthiness. If she purchases a defective item, she can easily return to the retailer’s known location and seek redress, or pursue direct legal action. Public registration and licensing information also help the customer verify a company’s operating status. Transparent WHOIS information serves the same purposes, by allowing consumers to vet the web sites and companies that seek their business.
3. Allows companies to protect their Intellectual Property (IP) and combat rampant piracy
The registration of look-alike domain names factors into everything from everyday cybersquatting to the sale of fake goods to spear-phishing attacks on major organizations worldwide. Protecting against this kind of activity requires a real-time understanding of the domains registered on the internet and the organizations behind them. WHOIS is critical for mapping and attributing networks of abusive domains.
4. Identifies websites that facilitate the unlawful sale of opioids, narcotics and prescription drugs
Online drug sellers operate anonymously to avoid detection and enforcement. This is especially true now, during the opioid epidemic. As NABP reports [1], “Most sites selling drugs illegally online do not post any address, and nearly half have their domain names registered anonymously.” In a later report, NABP found that 54% of the websites it surveyed offered to sell controlled substances, and 40% offered one or more of the drugs frequently counterfeited with fentanyl [2].
5. Enables organizations to quickly do risk assessment on domain names
Risk assessment and mitigation are the ongoing, everyday duty of the systems and people tasked with network defense and consumer protection. Since domain names are so fundamental to the operation of the Internet, they factor into nearly every attack, and teams in security operations centers must closely analyze domain name registration data to know whether an alert represents a credible threat. Applied at scale, risk assessment of domain names using registrant data can separate signal from noise and surface otherwise unknown attacks early in their lifecycle.
6. Allows an organization to map attacker infrastructure and associate domains to specific attacks
Using WHOIS data, seasoned security professionals can pivot from a single domain or identity record through related indicators of compromise (IOCs) to map the full infrastructure controlled by a domain registrant. These security teams can then correlate those indicators with other data sources, be it external intelligence from reports on established cyberattack campaigns, indicator lists from trusted peers, or attributes seen in previous attacks against the organization itself. Simply put, a single point of WHOIS data can often become a breadcrumb leading investigators down a path of discovery to an entire set of malicious content and criminal activities.
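Reasons 5 and 6 describe two steps an analyst actually performs on registration data: scoring a single domain (age, hidden registrant, look-alike label) and pivoting from one record to the infrastructure it shares with others. The script below is an added example, not code from the original page or from any registrar or vendor. It parses a handful of constructed WHOIS records (reserved .test TLD, invented registrants and name servers), scores each domain, and walks outward from one suspicious domain over shared registrant emails and name servers. The thresholds (30 and 180 days, MAX_NS_SHARE), the privacy-service markers, and the brand watchlist are illustrative assumptions, not published values.

```python
"""Score domains and pivot across shared WHOIS attributes.  Added example:
every record below is constructed under the reserved .test TLD; none is real."""
import re
from collections import Counter, defaultdict, deque
from datetime import date, datetime

# Constructed "Key: Value" records in the layout gTLD registrars return.
SAMPLE_WHOIS = {
    "acme-bank.test": "Creation Date: 2012-04-10T00:00:00Z\nRegistrant Name: Acme Bank Ltd\n"
        "Registrant Email: ops@acme-bank.test\nName Server: ns1.acme-bank.test\n",
    "acme-bank-login.test": "Creation Date: 2024-05-22T09:13:00Z\nRegistrant Name: B. Smith\n"
        "Registrant Email: b.smith@mail.test\nName Server: ns1.cheaphost.test\nName Server: ns2.cheaphost.test\n",
    "acme-bank-secure.test": "Creation Date: 2024-05-20T17:40:00Z\nRegistrant Name: B. Smith\n"
        "Registrant Email: B.Smith@mail.test\nName Server: ns1.bulletproof.test\n",
    "paypa1-verify.test": "Creation Date: 2024-05-12T03:02:00Z\nRegistrant Name: REDACTED FOR PRIVACY\n"
        "Registrant Email: privacy@proxy.test\nName Server: ns1.bulletproof.test\n",
    "unrelated-blog.test": "Creation Date: 2018-11-05T00:00:00Z\nRegistrant Name: Blog Author\n"
        "Registrant Email: privacy@proxy.test\nName Server: ns1.cheaphost.test\nName Server: ns2.cheaphost.test\n",
    "flower-shop.test": "Creation Date: 2016-02-29T00:00:00Z\nRegistrant Name: Flower Shop LLC\n"
        "Registrant Email: info@flower-shop.test\nName Server: ns1.cheaphost.test\nName Server: ns2.cheaphost.test\n",
}
ASSESSMENT_DATE = date(2024, 6, 1)   # fixed "today" so the scores are reproducible (assumption)
PRIVACY_MARKERS = ("redacted", "privacy", "proxy", "whoisguard")            # illustrative list
BRAND_WATCHLIST = {"acme-bank": {"acme-bank.test"}, "paypal": set()}        # brand -> domains it really owns
MAX_NS_SHARE = 3   # name servers on this many domains or more are shared hosting, not an actor link
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})        # common digit-for-letter swaps

def parse_whois(text):
    """Parse a raw record into a dict of lower-cased keys; 'Name Server' repeats, so it becomes a list."""
    record = {"name servers": []}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z][A-Za-z ]*?):\s*(.*?)\s*$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "name server":
            record["name servers"].append(value.lower())
        else:
            record[key] = value
    return record

def domain_age_days(record, today=ASSESSMENT_DATE):
    created = datetime.strptime(record["creation date"][:10], "%Y-%m-%d").date()
    return (today - created).days

def is_privacy_protected(record):
    """True when the registrant fields carry a privacy/proxy service instead of a person."""
    blob = (record.get("registrant name", "") + " " + record.get("registrant email", "")).lower()
    return any(marker in blob for marker in PRIVACY_MARKERS)

def lookalike_brand(domain):
    """Return the watchlisted brand the left-most label imitates, or None for the brand's own domains."""
    label = domain.split(".")[0].lower().translate(HOMOGLYPHS)
    for brand, owned in BRAND_WATCHLIST.items():
        if brand in label and domain not in owned:
            return brand
    return None

def risk_score(domain, record, today=ASSESSMENT_DATE):
    """Additive score plus the reasons behind it, so an analyst can see why an alert fired."""
    score, reasons = 0, []
    age = domain_age_days(record, today)
    if age < 180:
        score += 3 if age < 30 else 1
        reasons.append(f"registered {age} days ago")
    if is_privacy_protected(record):
        score += 1
        reasons.append("registrant identity hidden behind a privacy service")
    brand = lookalike_brand(domain)
    if brand:
        score += 2
        reasons.append(f"label imitates {brand}")
    return score, reasons

def pivot(seed, records):
    """Breadth-first walk from `seed` over shared registrant emails and name servers.
    Returns {related_domain: (key_type, key_value)} showing which attribute linked it in.
    Proxy emails and widely shared name servers are never used as links: they tie
    together unrelated customers of one provider, not one actor's infrastructure."""
    ns_usage = Counter(ns for rec in records.values() for ns in rec["name servers"])
    key_to_domains, domain_to_keys = defaultdict(set), defaultdict(list)
    for domain, rec in records.items():
        keys = [("ns", ns) for ns in rec["name servers"] if ns_usage[ns] < MAX_NS_SHARE]
        email = rec.get("registrant email", "").lower()
        if email and not is_privacy_protected(rec):
            keys.append(("email", email))
        for key in keys:
            key_to_domains[key].add(domain)
            domain_to_keys[domain].append(key)
    links, queue = {}, deque([seed])
    while queue:
        for key in domain_to_keys[queue.popleft()]:
            for other in key_to_domains[key]:
                if other != seed and other not in links:
                    links[other] = key
                    queue.append(other)
    return links

if __name__ == "__main__":
    records = {d: parse_whois(t) for d, t in SAMPLE_WHOIS.items()}
    for d, rec in records.items():
        print(f"{d:24} {risk_score(d, rec)}")
    for d, key in pivot("acme-bank-login.test", records).items():
        print(f"related to seed: {d} via {key}")
```

Starting from acme-bank-login.test, the walk reaches acme-bank-secure.test through the shared registrant email and then paypa1-verify.test through the name server those two share; unrelated-blog.test is left out even though it shares a proxy email and the cheaphost name servers with the seed, because neither attribute identifies a person. That exclusion is the check a practitioner wants: pivoting on a privacy-service address or a large hosting provider's name servers produces a cluster of strangers, not an actor.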
7. Places Internet businesses on even footing with their brick and mortar counterparts
When a storefront business wishes to engage in commerce, the law demands a reasonable quid pro quo—that in exchange for the right to conduct its activities, the business must disclose its information through entity registration and/or licensure procedures. Internet businesses should be viewed no differently. Those engaging in online commercial activity are availing themselves of the public Internet infrastructure; thus, it is reasonable to expect disclosure in return.
8. Allows an organization to do attribution and remediation of attacks
Attribution is the process of positively identifying the individual or organization behind an attack. Remediation, in the context of domain names, aims to remove malicious content from the Internet and stop criminal behavior, either with legal takedowns or notifying domain owners of compromised sites. Law enforcement, brand owners, governments and top security researchers pursue attribution of attacks to the individual, actor group, and nation-state levels, challenging the perception of impunity held by many online criminal actors and raising awareness of global espionage campaigns. They also architect large-scale takedowns of botnets and criminal infrastructure with global arrest warrants and coordinated network actions.
9. Protects our democracy by allowing reporters and the public to identify “fake news” and other forces affecting public information
Reporters often use details shared across public domain registration records to find a common thread between websites. In one instance, the news outlet BuzzFeed found more than 140 different fake news sites, all registered to a small town in Macedonia [3]. Similarly, by combining public WHOIS information with server information, Oracle engineers found that the Syrian Electronic Army had used third-party websites to launch attacks against Thomson Reuters, The Associated Press, The Guardian, and other news outlets.
10. Protects the public against violence by helping law enforcement quickly investigate and track the online activities of shooters and potential terrorists
Police and federal agents may use public WHOIS information to determine the operators of violent websites or to determine which providers they must quickly serve with search warrants or subpoenas in order to trace violent emails and social media posts. Law enforcement’s search for online evidence often continues after crimes have been committed and helps put offenders behind bars and provide insight into their motives.
[1] National Association of Boards of Pharmacy, August 2017 Internet Drug Outlet Report: https://nabp.pharmacy/wp-content/uploads/2016/08/Internet-Drug-Outlet-Report-August-2017.pdf
[2] National Association of Boards of Pharmacy, February 2018 Internet Drug Outlet Report: https://nabp.pharmacy/wp-content/uploads/2018/02/Internet-Drug-Report-Feb-2018.pdf
[3] See M. Wendling, “The (almost) complete history of ‘fake news’,” BBC (Jan. 22, 2018) at http://www.bbc.com/news/blogs-trending-42724320