Unmasking the perpetrators behind a cyber attack can be daunting. Threat actors use sophisticated anti-detection tools and tactics that make it arduous for cybersecurity professionals and law enforcement agents to stay on their trail.
That is especially true when cybercriminals compromise legitimate websites or use privacy-protected domains for their campaigns. Stealing someone's identity, after all, automatically throws investigators off the attacker's scent, and so does abandoning domains as soon as they are blocked.
But despite the many evasion techniques, tools like WHOIS Lookup can help gather the leads needed to discover who is behind an attack.
Following Digital Breadcrumbs
Security researchers recently unearthed a phishing campaign that led to the installation of the Remcos malware on victims’ computers. This particular malicious file gave attackers full control of infected systems. The malware is capable of obtaining passwords and capturing audio. What made it more effective, however, was its use of the Dynamic Domain Name System (DDNS) service.
DDNS is a service that automatically updates the name server's record for a domain, often in real time, with the current hostname, IP address, or other configured information, so a name keeps resolving even when the host's address changes. Using such a service is not illegal. In this case, however, the attackers abused it, creating several DDNS accounts that let them change IP addresses at will, which made detection and blocking harder.
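The defensive counterpart to the abuse described above is to notice it in your own resolver logs: flag lookups of hostnames under dynamic-DNS provider zones and watch for a single name resolving to several different addresses in a short window. The script below is an added example, not code from the original article. The log format, the four-field log lines, and the list of DDNS provider suffixes are all assumptions constructed for illustration; only the hostname timmy55.ddns.net comes from the article.

```python
"""Flag DNS resolutions to dynamic-DNS hostnames and spot fast IP rotation.

Added example, not from the original article. The log lines are constructed
to look like a simplified resolver log:
    <timestamp> <client IP> <queried name> <answer IP>
The DDNS provider suffixes are an assumed, illustrative list; a real
deployment would maintain its own.
"""
from collections import defaultdict

# Assumed dynamic-DNS provider zones (illustrative, not exhaustive).
DDNS_SUFFIXES = ("ddns.net", "no-ip.com", "duckdns.org", "hopto.org")

# Constructed resolver log. timmy55.ddns.net is the hostname the article
# names; every other entry (clients, timestamps, answers) is made up.
SAMPLE_LOG = """\
2020-03-01T09:00:01 10.0.0.12 timmy55.ddns.net 203.0.113.10
2020-03-01T09:05:44 10.0.0.12 timmy55.ddns.net 203.0.113.10
2020-03-01T09:31:02 10.0.0.31 timmy55.ddns.net 198.51.100.7
2020-03-01T09:32:15 10.0.0.31 www.example.com 93.184.216.34
2020-03-01T10:02:40 10.0.0.12 timmy55.ddns.net 192.0.2.55
2020-03-01T10:10:09 10.0.0.44 files.example.net 192.0.2.9
"""


def is_ddns_host(name: str) -> bool:
    """True if the name is the zone itself or a subdomain of a known DDNS zone.

    The leading dot in the comparison prevents 'notddns.net' from matching
    'ddns.net'.
    """
    name = name.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in DDNS_SUFFIXES)


def parse_log(text: str):
    """Yield (timestamp, client, name, answer) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        yield tuple(parts)


def ddns_summary(text: str) -> dict:
    """Map each DDNS hostname to the set of answer IPs and the clients that queried it."""
    summary = defaultdict(lambda: {"ips": set(), "clients": set()})
    for _ts, client, name, answer in parse_log(text):
        if is_ddns_host(name):
            summary[name]["ips"].add(answer)
            summary[name]["clients"].add(client)
    return dict(summary)


def rotating_hosts(text: str, min_ips: int = 2) -> list:
    """DDNS hostnames that resolved to at least min_ips distinct addresses in the log."""
    return sorted(h for h, v in ddns_summary(text).items() if len(v["ips"]) >= min_ips)


if __name__ == "__main__":
    for host, info in ddns_summary(SAMPLE_LOG).items():
        print(host, "->", sorted(info["ips"]), "queried by", sorted(info["clients"]))
    print("rotating:", rotating_hosts(SAMPLE_LOG))
```

A DDNS hit on its own is weak evidence, since plenty of legitimate home and small-office hosts use these services; the combination of a DDNS name, multiple internal clients querying it, and rapid rotation of the answer is what merits a closer look at the querying hosts.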
How Can a WHOIS Domain Lookup Help?
If you're a cybersecurity investigator, the first thing you need to get hold of are indicators of compromise (IoCs): email addresses used in the phishing emails, IP addresses tied to the phishers' domains, URLs of the phishing websites, and similar information, which can come from attack reports in reputable publications and publicly accessible blocklists such as PhishTank, VirusTotal, and many others.
In this attack, we know from a researcher's findings that the phishing email's sender used the address timmy55[.]ddns[.]net. You can use that address as a search term in a WHOIS lookup tool. From there, you will learn its registrant's name, Dan Durrer, along with his address and name servers.
It is unusual for cybercriminals to reveal their identities via WHOIS records, so don't jump to conclusions. The name could be an alias, the account might be compromised, or ddns[.]net itself (which appears to be a third-party service) might have been abused. While you can't be sure, you still have a starting point for your investigation should you want to dig further.
What You Can Do with WHOIS Lookup Data
Cybersecurity personnel whose primary goal is to protect network-connected users from the attack can do a reverse WHOIS search using ddns[.]net and Dan Durrer as search terms. The tool returns a list of all domains that you may want to add to your blacklist. So no matter how many times the Remcos attackers change their IP addresses, you still have some measure of protection against domains they may use to infiltrate your network.
Security analysts can also employ a reverse name server (NS) lookup tool to find all domains that share the same host. WHOIS Lookup provides all of the name servers tied to the email address used in the phishing email. In this particular case, for instance, we learned that the domain has ties to four name servers: nf2[.]no-ip[.]com, nf1[.]no-ip[.]com, nf4[.]no-ip[.]com, and nf3[.]no-ip[.]com. Researchers can use these as search terms in a reverse NS lookup tool. The results are the domains hosted on those servers. They can then either dig deeper into these or block any communications originating from them as an additional layer of defense against Remcos.
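The pivoting workflow in the two paragraphs above (refang the reported indicator, look up its WHOIS record, then run reverse WHOIS on the registrant and reverse NS on each name server to widen the blocklist) can be expressed end to end as a small script. The code below is an added example and is not code from the article or from the WHOIS Lookup service. The WHOIS records are a constructed in-memory stand-in for what a lookup API would return: the registrant and the four name servers for timmy55.ddns.net are the ones the article reports, while updates-service.ddns.net, cdn-mirror.example.org and shop.example.com are made-up records that exist only to show how the pivots behave.

```python
"""Refang defanged indicators and pivot across WHOIS records to build a blocklist.

Added example, not from the article or from any WHOIS provider. WHOIS_RECORDS
is a constructed stand-in for lookup results; only the registrant and name
servers of timmy55.ddns.net come from the article.
"""
import re


def refang(indicator: str) -> str:
    """Turn report-style defanging ("[.]", "hxxp://", "[at]") back into a usable value."""
    value = indicator.strip()
    value = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", value)
    value = re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)
    value = re.sub(r"\[at\]|\(at\)", "@", value, flags=re.IGNORECASE)
    return value.lower()


# Constructed WHOIS-style records keyed by domain.
WHOIS_RECORDS = {
    "timmy55.ddns.net": {                       # from the article
        "registrant": "Dan Durrer",
        "name_servers": ["nf1.no-ip.com", "nf2.no-ip.com", "nf3.no-ip.com", "nf4.no-ip.com"],
    },
    "updates-service.ddns.net": {               # constructed: same registrant
        "registrant": "Dan Durrer",
        "name_servers": ["nf1.no-ip.com", "nf2.no-ip.com"],
    },
    "cdn-mirror.example.org": {                 # constructed: shares one name server only
        "registrant": "Example Hosting Ltd",
        "name_servers": ["nf3.no-ip.com", "ns1.example.org"],
    },
    "shop.example.com": {                       # constructed: unrelated
        "registrant": "Example Retail Inc",
        "name_servers": ["ns1.example.com", "ns2.example.com"],
    },
}


def reverse_whois(registrant: str, records=WHOIS_RECORDS) -> set:
    """Domains whose registrant field matches (case-insensitive)."""
    want = registrant.strip().lower()
    return {d for d, r in records.items() if r["registrant"].lower() == want}


def reverse_ns(name_server: str, records=WHOIS_RECORDS) -> set:
    """Domains that list the given name server."""
    want = name_server.strip().lower().rstrip(".")
    return {d for d, r in records.items()
            if want in (ns.lower() for ns in r["name_servers"])}


def pivot(seed: str, records=WHOIS_RECORDS) -> dict:
    """From one defanged seed indicator, collect related domains by registrant and by name server."""
    domain = refang(seed)
    rec = records.get(domain)
    if rec is None:
        return {"seed": domain, "by_registrant": set(), "by_name_server": set()}
    by_reg = reverse_whois(rec["registrant"], records) - {domain}
    by_ns = set()
    for ns in rec["name_servers"]:
        by_ns |= reverse_ns(ns, records)
    by_ns -= {domain}
    return {"seed": domain, "by_registrant": by_reg, "by_name_server": by_ns}


def blocklist(seed: str, records=WHOIS_RECORDS, include_ns_only: bool = False) -> list:
    """Sorted blocklist: the seed plus registrant matches. Name-server-only matches are
    opt-in, because sharing a provider's name server is a much weaker link than
    sharing a registrant and would sweep in unrelated customers of that provider."""
    p = pivot(seed, records)
    out = {p["seed"]} | p["by_registrant"]
    if include_ns_only:
        out |= p["by_name_server"]
    return sorted(out)


if __name__ == "__main__":
    print(pivot("timmy55[.]ddns[.]net"))
    print(blocklist("timmy55[.]ddns[.]net"))
    print(blocklist("timmy55[.]ddns[.]net", include_ns_only=True))
```

Keeping the name-server pivot opt-in encodes the caveat the article raises: when the pivot key is a shared third-party service such as no-ip.com, the reverse NS results include every customer of that service, so they belong in a watchlist for further analysis rather than straight into a blocklist.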
Law enforcement agents, meanwhile, who probably want to do a lot more than just defend their networks, can use other tools to gain more information on the attackers. They can use the same means mentioned above to follow the criminals’ trail until they obtain definitive proof to file a court case.
Every detail revealed on a WHOIS record can serve as a starting point for cybercrime investigations. A simple WHOIS domain search with WHOIS Lookup can tell users who owns a domain, IP address, or email address—valuable information that is also useful in incident response and threat hunting.
About the Author
Jonathan Zhang is the founder and CEO of Threat Intelligence Platform (TIP), a data, tool, and API provider that specializes in automated threat detection, security analysis, and threat intelligence solutions for Fortune 1000 and cybersecurity companies. TIP is part of the WhoisXML API family, an intelligence vendor trusted by over 50,000 clients.