Archive for the ‘Whois’ Category

Don’t be Schooled by Brexit Phishing Tactics

August 17th, 2016 Comments off

Barracuda Networks, whose early claim to fame was a spam firewall appliance, published a blog post on a phishing campaign that’s been making the rounds. The campaign capitalizes on a timely event—Brexit—by evoking the market uncertainties surrounding Britain’s move. The gist of the spam/phishing emails is that now is a great time to refinance or buy a new home; links in the emails go to phony lending site pages that are likely to do harmful things to the victim.

A screenshot on the blog post shows the sender’s email address, which includes the domain ancybo[.]com (link goes to our Whois record, not to the domain itself). I decided to dig into this domain with DomainTools Iris to see what I could learn about the spammer and any infrastructure connected to that domain. The results were interesting.

The domain is not registered under Whois privacy, which means I had a registrant email address to pivot on. This yielded 6 domains, all registered under the name Jeremy Arias. That may be the spammer’s actual identity, or it may be a stolen or made-up identity; either way, it exposes additional infrastructure related to the initial spam domain.


All of the domains have scores of 100 from the DomainTools Reputation Engine, which means they have been blacklisted. Jeremy’s consistent, at least!

Another common pivot that exposes infrastructure is to look at what else is hosted on the same IP address as a domain of interest. That pivot in this case, on 104.140.152[.]160, yields 26 additional domains, the vast majority of which are all blacklisted (shown here using the visualization tool in Iris):


Pivoting on the non-privacy email addresses in this group of domains ultimately yields a total of 87 domains, all of which score 82 or higher on the DTRE (we have found that 70 and above indicates likely badness). 34 of the domains are below 100, which means that the DTRE flagged them as being closely connected to known badness without having (yet) been put on traditional blacklists. Many of these domains may be “on the shelf” awaiting later weaponization. The domains all have been registered within a 9 month period starting in October of 2015.

The additional IP addresses in this set of domains could yield additional pivots that might be instructive—indeed, if I were looking to protect an organization against threat infrastructure, or if I were law enforcement interested in taking action against the offenders, I would add those to my search. The pivots aren’t time-consuming, either; the entire investigation up to this point represents less than 10 minutes’ time in Iris. It can be informative–not to mention satisfying—to explore malicious infrastructure in this way.

Happy exploring,



DomainTools Membership Evolution

April 25th, 2016 Comments off

Earlier today DomainTools announced an evolution of our membership model for individual users. Going forward DomainTools will only offer one retail membership level, the Personal Membership.

I appreciate all of the feedback that we have received from many of our loyal and longtime DomainTools users. It’s clear DomainTools is a critical resource for our customers.

For 15 years DomainTools has been the leader in Whois and DNS data for a wide variety of customers: webmasters, domain professionals, attorneys, brand managers, investigators, cybersecurity professionals, journalists, researchers and many more. Over that time we have evolved the individual membership levels a number of times, but never asked any legacy customer to change either their price or package allotment.

Customers that have been watching the evolution of our website and public persona will know that in the last three years we have executed a pretty strong pivot towards building tools for enterprise-class threat intelligence enrichment within cybersecurity and incident response environments within organizations worldwide.

As the growth of our enterprise business consumed our focus and resources, we were forced to make some very difficult decisions, including how to streamline our legacy retail business in order to be able to continue to support it with the industry’s best data and toolsets. The Personal Membership level was designed to capture most of the product usage bell curve for our retail members, with only very heavy users falling outside the new boundaries. As with everything, I know we will miss the mark for some longtime users. It’s a unique irony that increasing our monthly price by $5 per year would likely have been better for our reputation than grandfathering tens of thousands of great customers until this one-time membership redesign in 2016.

DomainTools mission today is to continue to develop an invaluable service for cybersecurity teams worldwide who come to work every day on the right side of a very nefarious and rapidly evolving battle that affects all of us. The work we do gets built into the increasingly powerful and expansive products available to our individual users. Many of our users have told us their membership with DomainTools is worth orders of magnitude more than $99/month, but for others it is clear we have to earn that price point. And that’s what we’re going to do.


Introducing DomainTools Reverse IP Whois

March 21st, 2016 Comments off

We are excited to announce the addition of Reverse IP Whois to our DomainTools products. This powerful tool shows you all of the IPv4 address allocations for a given search term—usually an organization like a company, educational institution, or government entity. This can be very useful when trying to gain context, or situational awareness, related to an IP address or organization of interest.Reverse_IP

Just as domains have Whois records, IP address ranges do as well. In DomainTools products such as Iris or the Whois web page, you can enter an IP address or subnet and see the Whois record. While this can be helpful, it often tells only part of the story. That’s where Reverse IP Whois comes in. In many cases, an organization could have other allocations across different network blocks. Reverse IP Whois will show you those.

Some common use cases for this include:

  • Mapping all the IPv4 holdings of an entity
  • Monitoring or defending against the extended infrastructure tied to a suspicious IP address
  • Learning more about an entity by studying its infrastructure–for example, seeing parent, child, or peer business units of an organization, as is sometimes reflected in IP Whois records

Using Reverse IP Whois is easy. In the search box, you typically will enter either the name of the organization you’re researching, or a keyword that you know or believe will appear in the IP Whois records.

  1. When you enter the organization name, Reverse IP Whois displays the IPv4 allocations belonging to that entity.
    • You can click the IP ranges to see the IP Whois records for those ranges
    • Or you can filter the results by the organization, the Whois server, or the country
  2. You can also enter a keyword. For example, if you want to see all IPv4 allocations where the Whois record contains “percussion,” Reverse IP Whois will show them. While this specific update brings Reverse IP Whois as a Web interface, it’s also available as an API.

Reverse IP Whois is another way that DomainTools shows you more about the entities that operate various parts of the Internet. We hope you’ll find it helpful in your investigations.

Thanks for reading, and happy exploring!


The Monday Media Wrap Up

January 25th, 2016 Comments off

Articles from January 16-22

Dive into this past week’s security news:

4 essentials to creating a world-class threat intelligence program
Michael Kassner | TechRepublic | Jan. 22, 2016
Businesses, large and small, are changing tactics when it comes to information security. Rather than spend hard-earned cash attempting to cover every base defensively, company officials are developing information security postures based on the outcome of risk assessments. The purpose of risk assessment, according to the 2012 Guide for Conducting Risk Assessments, is to inform decision makers and support their responses by identifying relevant threats to organizations, vulnerabilities both internal and external, likelihood that harm will occur, and impact to organizations resulting from a successful attack. Any successful threat intelligence program requires an operational and strategic component, involving expert analysis of how current and future threats will affect the business and its assets.

Got threat intelligence data? The value will vary
Fahmida Rashid | InfoWorld | Jan. 21, 2016
Former analyst Rick Holland speaks with Fahmida Rashid about the future of threat intelligence and his new role at threat intel provider Digital Shadows. Organizations are critical of threat intelligence because they don’t see how the indicators they receive are relevant to their organizations. The feeds contain details that aren’t for their geographic location, don’t match their industry, and don’t fit their threat models. They are “more indicators of exhaustion that overwhelm users,” Holland said. “The first piece of threat intelligence is getting the funnel to give better data, to enrich what you are getting,” Holland said. The second is figuring out how to use the information being provided — which is where APIs come in.

Deloitte 2016 Trends Study Finds Analytics Essential for IT Success
Chris Preimesberger | eWEEK | Jan. 22, 2016
eWEEK editor Chris Preimesberger reports on the third annual Deloitte Trends Study, which identifies several trends. The first trend involves security: Enterprises are no longer satisfied with simply “locking the doors” where cyber-security is concerned and are instead going on the offensive by employing more predictive approaches to threat intelligence and monitoring. This, along with other trends detailed in the 2016 report, is driving significant changes in the types of investments the C-suite is making to support business priorities.

FireEye to grow intelligence capabilities with iSight Partners deal
Jeremy Kirk | CSO | Jan. 21, 2016
FireEye has acquired Texas-based iSight Partners for $200 million, a deal that executives say will give FireEye stronger intelligence on cybercriminal and hacking groups before they strike. Intelligence capabilities made iSight attractive, said Travis Reese, president of FireEye’s Mandiant subsidiary. While FireEye and Mandiant study how attacks affect victims, iSight collects intelligence about the attackers.


Not the Boots I Was Looking For

December 22nd, 2015 Comments off

Guest Blogger Shawnda Potvin (a DomainTools Account Specialist) shares a personal experience with Iris 

I was recently on a mission to treat myself to a pair of boots. I went to a website which I thought was an authentic UGG® boots website, as both websites were identical. After I purchased the UGG boots and received a confirmation email, I realized the boots were shipped from outside of the U.S with an expected delivery of 10-15 days (which was a little disconcerting). The boots were advertised at $75 with an additional shipping cost of $15 (for a grand total of $90). Although this price seemed very low, I was not overly troubled as it seemed consistent with a Black Friday deal. My shopping experience took a negative turn when I checked the balance on my card and noticed a charge from Singapore in the amount of $103, which did not reflect the advertised price.

Ugg WebsiteA month later I received the boots, which looked nothing like the ones I ordered and were cheaply made. There were now too many red flags to ignore, so I made contact with an UGG representative through the official website to see if was a distributor of theirs, which they were not. They took note of my experience and forwarded the information to their fraud department. To protect my own credit, I was also sure to cancel my credit card.

Being the curious person that I am, I went to work the next day and started researching this Wild Ox Promotions. I used a product that DomainTools offers, called Iris, which is intuitive and can access a wealth of domain and DNS information. I was able to put into the search box, which then brought up two other emails associated with this domain. I then used the Whois History tool to see where this domain was registered to see if it matched the address on my billing statement. Iris allowed me to see inaccurate information in their Whois record. As an example, the registrar identified their state as the United States (which, last time I checked, is a country). They registered their origin country as AR, which is the country code for Argentina. These two examples gave me enough information to reach out to ICANN and report this particular Whois record. Finally, I continued my investigation by expanding my search to the registrants IPs. I was able to locate 8 other domains hosted on that IP address, providing me with even more context and the ability to monitor these data points moving forward (see the domains below):Ugg on Iris


It’s hard to believe the lengths that people go through to replicate a company’s website and deliver counterfeit products. The bottom line is that you do not have to be a cybersecurity expert to use DomainTools’ Iris Platform. With minimal time and effort, I was able to search for a single domain and locate several other domains associated with a single IP address. I was then able to pinpoint eight other websites selling counterfeit products.

Note: Since I did this research, some of these websites have been removed. And I’m apparently not the only one who has fallen victim to this UGG boots scam. An article in the UK publication This is Money describes a similar set of circumstances.



Hacktoberfest 2015

October 21st, 2015 Comments off

Hack Days has become a quarterly tradition here at DomainTools, and although the “hack days” concept is now considered as cliche as owning a ping pong table and kegerator in the tech industry (check and check), there are a few things that make our own take unique. For example, rather than solely empowering our technical teams to participate, we also encourage cross-functional collaboration. These multi-faceted projects enable both sides of the house to innovate. As a result, many hack days projects evolve into DomainTools products and in-house improvements.

To sweeten the pot, our CTO Bruce always comes up with a few quick project categories that we vote on as hack days comes to a close. Now, as serious as we are about stopping cybercrime, we also enjoy the goofier things in life. Below are the category winning projects. A big thank you to all our team members who participated in hack days; we are already looking forward to our Q4 projects!

unnamed (2)Testament to Your Leadership Award: “Nomad“ Mobile App – Kirk Leon Guerrero and Ray Henriksen

Engineers Kirk and Ray were interested in finding ways to grab DNS data on hard to reach domains (not included in public root zone files). Their solution was to pair Google’s Places API with our own Whois database for a powerful (and fun) mobile app. The app itself uses an algorithm that finds local businesses listed on Google’s Places and generates domain name guesses by deleting unusual characters (like dashes) from the business name and then appending the TLD (.com, .de, .bike, etc). The app compares the resulting domains with our Whois database to quickly capture the creation of new domains. This project won the “testament to your leadership award” because it was bold, challenging, and labor-intensive but not entirely without flaws.

Screen Shot 2015-10-15 at 3.54.08 PM

Illustration: Joaquim Marques Nielsen (

Best Newbie Hack: DNS Video Game Explainer – Josh Hou and Spencer Carstens

Explaining DNS can be a daunting and sometimes impossible task depending on your audience. Front-end developers Josh and Spencer took a stab at making DNS education fun and memorable with their DNS-themed video game. The game’s hero (let’s call him Bob) is on a tireless quest to resolve domain names, seeking help from upstream counterparts in his efforts to get reliable answers. Will Irene know the answer or will Bob have to go all the way to the Root? Every game comes out differently!

Best in Show: Office Morale Booster – Greg Haas Greg

As Greg is our expert in the sometimes-dry field of accounting, we give him a lot of credit for his creative pranks and culinary experiments (curried tuna with bacon and guacamole, anyone?). This quarter, Greg decided to present a subject that would have a noticeable and direct impact on office morale, and be a great complement to our kegerator and ping-pong table. Naturally, it is a fro-yo machine. Greg walked through a variety of financing options ranging from resource-reallocation to an employee funded option to make this dream a reality. (The real joke here is that our morale is already fantastic…not that anyone would object to a fro-yo machine, mind you.) Please feel free to reach out if you are interested in sharing this clever and refreshing presentation at your own office (


Google Hates ICANN’s Attempt to Eliminate Whois Privacy Calling it “Impractical & Ineffective

July 7th, 2015 Comments off
  Google filed it’s comment on the whois privacy issue with ICANN today. Google  seems to hate the proposal of the ICANN working group to prohibit  commercial domain registrants from using proxy or privacy services calling it unfair to small businesses and individuals. Google even cites it’s own Charleston Road Registry an example of how […]
Categories: External Articles, google, ICANN, Whois Tags:

Profiling malicious domains in The DomainTools Report

May 5th, 2015 Comments off

DT-report-iconAt the 2015 RSA Conference in San Francisco, we released the first edition of The DomainTools Report: A Profile of Malicious Domains.

In this report, we investigate the attributes of malicious domains connected to malware, spam, phishing, and botnets. Using an aggregation of blacklists and DomainTools’ data, we compared the bad actors’ preferences for TLDs, email domains, privacy providers, and hosting locations. We identified some key trends that should help to profile cybercriminal behavior.

Why did we create this report?

Much of the malicious activity on the Internet is classified and tracked in domain blacklists and reputation scores. But these do little to profile and predict cybercrime to proactively protect against domains that have yet to exhibit illicit behavior. Malicious actors often behave in a predictable manner, and the more thoroughly we profile that behavior, the better we can defend against them. With that purpose in mind, we analyzed domains from several popular blacklists. This report uses DomainTools’ leading Whois and DNS data to define attributes of those malicious domains and begin to create a profile of locations and privacy preferences of cybercriminals.

What did we learn?

DomainTools Report Chart - EmailsOur comprehensive coverage of Whois records enables us to take a broad look at registration attributes of all domains. Overlaying the domain data with data on malicious activity gave us quantitative insights into where the malicious and innocuous domains “live,” logically as well as geographically.

For example, one of the attributes we analyzed was the email domain used to register domains. In particular, we compared free email domains such as,, and their variants and international counterparts. The results were very interesting and both expected and unexpected. was used for the most domain registrations, malicious or not. But based on percentage, some Japanese free email providers were the most malicious, primarily due to a large quantity of spam originating from those domains.

For more information and analysis, download a copy of the full report.

We will also be planning a live webinar later this quarter to discuss the report, and to answer your questions about the data and results. In the meantime, if you have any questions, please email us at



Beyond Whois, Part 3: Two Faces of Lucy

September 3rd, 2014 Comments off

Lucy_FacesIn the first two installments of this series (Beyond Whois: The Domain Profile and Beyond Whois: IP Addresses Tell Many Tales), we looked at how there are a lot of datapoints in the DomainTools database that go beyond Whois and DNS records to help you find elusive answers to domain ownership and the connections among domains. In this entry, we’ll see how historical information can assist your investigations, too.

Lucy 1: The Missing Link

You’re probably familiar with AL 288-1. Or, more likely, you know this Australopithecus celebrity by the whimsical name “Lucy.” (I’m taking some metaphorical license here, because paleontologically speaking, Australopithecus is not technically considered the “missing link.”) This Lucy represents the way historical artifacts shed light on chains of connection; sometimes a “digital fossil” is the missing link that can advance an investigation.

investigation_reverse_whoisMany attack attribution or website fraud investigations call for you to look back in time, and if you’ve explored our offerings, you’ll be aware that Whois History is just one of the ways you can do your time-traveling explorations. Hosting History provides insight into how the domain has evolved over time, based on a combination of canonical Whois datapoints (name server and registrar) and our IP address data. Screenshot History can do the same.

Earlier, we saw how Reverse IP can show connections between domains that otherwise don’t look connected–especially if the IP in question has a small number of domains on it. Even if the present hosting doesn’t show such connections, though, comparing the Hosting History entries for domains where you suspect a possible connection could help confirm or refute your hypothesis. A shared–and “small”–IP address could be your missing link.

One usage of Screenshot History that we particularly like for attribution work is to look at the threshold of when a domain went into privacy protection. If the “before” screenshots–those taken before domain privacy went into effect–closely match the “after” screenshots, then this raises confidence that the visible owner of the domain before privacy is the same individual or organization behind it after privacy was enabled.


Lucy 2: Using only 10% of our brains?

The 2014 sci-fi hit Lucy trades heavily on the old canard that “we only use 10% of our brains” (which is actually discredited by most neuroscientists, but nonetheless is a common assumption). By using only Whois/DNS data to conduct a digital forensics investigation, you’re missing out on a wealth of other information that can be crucial to finding important answers. If you’re not already using the information we’ve covered in this series, carve out some time to get familiar with the various “beyond Whois” tools. They might just solve some thorny puzzles.

Happy exploring!



What’s better than the world’s best Whois data? The world’s best PARSED Whois data!

August 20th, 2014 Comments off

parsedDomainTools works tirelessly to build the world’s best database of Whois records, with coverage spanning all of the ccTLDs and each new gTLD as it comes online—not to mention the “big six” TLDs: com, net, org, biz, info, and us. We believe we have reason to claim that our coverage is unparalleled. But now we have taken it, as they say, to the next level: we have developed the world’s best Whois parsing engine.

Since parsed Whois has existed for a while, we knew we had to clear a high bar in order to claim market leadership. We believe we have and encourage you to try it and let us know what you think.


  • Covers more domains than anyone else—270M+ including ccTLDs and new gTLDs
  • Parses over 95% of Whois record formats—industry’s highest
  • Is highly reliable thanks to state of the art DomainTools data centers
  • Normalizes fields that vary in format such as dates and phone numbers
  • Priced competitively

The API:
The Parsed Whois API is optimized to allow quick retrieval of a Whois record, with each data field parsed out separately for easy integration into your systems and applications. This is ideal for anyone wishing to search for, index, or cross-reference data from one or multiple Whois records without having to build their own text parser. It opens up nearly limitless possibilities for domain-based research, investigations, and analysis.

Why this is important
In short, because it enables faster, more efficient analysis of the data, because it is delivered in a structured and context-relevant format. People seek Whois data because they are interested in learning about individual domains, groups of domains, the people behind domains or connections between domains. Many kinds of domain-related investigations, such as threat intelligence, incident response or online fraud investigations, depend on this information.

If you are using Whois data for security investigations or incident response, you already know that you can’t afford stale, inaccurate or missing data. While we have long been the leader in Whois data with the best coverage and frequency, we can now make the (somewhat immodest, but indulge us!) claim of the world’s best Whois parsing engine, with the highest level of accuracy and data normalization. That’s how the best just got even better.  Visit the Parsed Whois API page to learn more.

Happy exploring!