How to build an attack profile using bulk WHOIS lookup


As we enter a new decade, cybercrime is a bigger issue than ever. Last month, the United Nations confirmed that it succumbed to an attack that began as early as July 2019.

More recently, about a quarter of Iran’s entire Internet population was affected by a massive attack. Incidents like these mean only one thing—proactive defense is necessary. And one way of ensuring that is by creating attacker profiles using solutions such as Bulk WHOIS Lookup.

What Is an Attack Profile and What Is It For?

While attacks have grown in sophistication, so have networks’ defenses. And so to evade detection, threat actors employ several approaches to get into a target network. One of these approaches is to register domains in bulk. That way, they can use a variety of email addresses to trick the employees of a target company into clicking a malicious link.

Successfully luring them into doing so usually triggers the installation of a piece of malware on their network-connected computers. Then, it’s just a matter of spreading the infection throughout the network to disrupt the organization’s operations or steal data from insufficiently secured databases.

Thwarting an attack with multiple entry points means blocking all avenues. But before cybersecurity personnel can take the necessary action, they would first need to identify all threat vectors. That may include several domains, IP addresses, email addresses, organizations, individuals, and other data points. All information gathered concerning the incident comprises an attack profile. This report allows incident responders to block all access points to stop an ongoing attack.

Why the Need for Bulk WHOIS Lookup?

In less sophisticated attacks that use a single entry point, a WHOIS Lookup typically suffices. That’s because researchers only need to identify who’s behind the IP address, domain, or email address used to lure a victim into opening the network’s doors to an attack. In a case such as that described above, however, cybersecurity personnel can respond faster if they can do WHOIS searches in bulk.

A bulk domain name checker lets users obtain information about multiple attack vectors at one time, hastening the threat identification and incident response processes. Like a WHOIS lookup tool, it provides:

  • Domain name
  • Registrar’s name
  • Contact email address
  • WHOIS server
  • Name servers
  • Domain’s creation date
  • Date when the domain record was last updated
  • Domain’s expiration date
  • Domain status
  • Registrar details
  • Registrant details
  • Administrative, billing, and technical contact details

How to Build an Attack Profile with Bulk WHOIS Lookup

Here are the steps to follow:

  • Collate information from network logs

Get all IP addresses, domains, and email addresses that obtained access to all network-connected systems. Put them in a single Comma-Separated Values (CSV) file. Each file can contain up to 500,000 domains, IP addresses, or email addresses.

  • Upload the list

Go to the Bulk WHOIS Lookup page and upload the CSV file by following the onscreen prompts. You can also input the list as text by copying it from a file and pasting it into the search field. Make sure to use commas to separate text inputs for the tool to work. Click the Upload button when done.

  • Analyze the results and take action

Wait a few minutes for the results. Scroll down to the table and click the number that corresponds to your data set. Download the CSV file that contains the results and open it. See if any of the details have ties to malicious activity. Publicly available blocklists (e.g., PhishTank, Stop Forum Spam, VirusTotal, etc.), threat reports, and news can help with comparisons. Block all confirmed malicious IP addresses, domains, and email addresses to prevent them from accessing your network or communicating with your staff.
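As an added example that is not part of the original article, here is a Python triage pass over a downloaded results file, following the analysis step above: it flags domains on a local blocklist, domains registered recently, and domains that share a registrant email or name-server set with a blocklisted domain (the bulk-registration footprint described earlier). The CSV column names, the sample records, the blocklist and the investigation date are constructed assumptions, not the tool's actual output format.

```python
import csv
import io
from collections import defaultdict
from datetime import date, datetime

# Constructed sample of a downloaded results file. Column names are assumptions
# modelled on the fields listed above, not the tool's real CSV header.
WHOIS_CSV = """domain,registrar,contact_email,name_servers,creation_date
login-payroll-corp.example,Registrar A,ops@mailbox.example,ns1.host.example;ns2.host.example,2019-12-28
corp-sso-verify.example,Registrar A,ops@mailbox.example,ns1.host.example;ns2.host.example,2019-12-29
hr-benefits-update.example,Registrar B,privacy@redacted.example,ns1.host.example;ns2.host.example,2019-12-30
partner-portal.example,Registrar C,admin@partner.example,ns1.partner.example;ns2.partner.example,2012-05-14
"""
# Constructed: indicators already confirmed malicious (e.g. from a public blocklist).
BLOCKLIST = {"login-payroll-corp.example"}
# Privacy/proxy addresses appear on unrelated domains, so they must not link records.
PRIVACY_EMAILS = {"privacy@redacted.example"}
REPORT_DATE = date(2020, 1, 31)   # assumed date of the investigation
RECENT_DAYS = 90                  # domains younger than this get a closer look


def triage(whois_csv, blocklist, today=REPORT_DATE, recent_days=RECENT_DAYS):
    """Return {domain: [reasons]} for every record worth investigating."""
    rows = list(csv.DictReader(io.StringIO(whois_csv)))
    for r in rows:
        r["ns_set"] = frozenset(r["name_servers"].split(";"))

    # Index the pivots: a registrant e-mail or name-server set shared by several
    # domains is the footprint of the bulk registration described earlier.
    by_email, by_ns = defaultdict(set), defaultdict(set)
    for r in rows:
        if r["contact_email"] not in PRIVACY_EMAILS:
            by_email[r["contact_email"]].add(r["domain"])
        by_ns[r["ns_set"]].add(r["domain"])

    flagged = defaultdict(list)
    for r in rows:
        d = r["domain"]
        age = (today - datetime.strptime(r["creation_date"], "%Y-%m-%d").date()).days
        if d in blocklist:
            flagged[d].append("on blocklist")
        if age <= recent_days:
            flagged[d].append("registered %d days ago" % age)
        # Other domains reached through the same registrant e-mail or name servers
        linked = (by_email[r["contact_email"]] | by_ns[r["ns_set"]]) - {d}
        if linked & blocklist:
            flagged[d].append("shares registrant/NS with blocklisted %s"
                              % ", ".join(sorted(linked & blocklist)))
    return dict(flagged)
```

The long-established partner domain with its own registrant and name servers is left alone, while the two fresh domains tied to the blocklisted one by shared infrastructure surface even though they appear on no blocklist themselves.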

Building an attack profile is a challenging task. It may require obtaining and analyzing a large number of WHOIS records. And without the right tool, that means creating a WHOIS report for each suspicious IP address or domain one by one. Using a bulk domain search tool can at least speed up the process, so that teams can respond to and mitigate attacks faster.

About the Author

Jonathan Zhang is the founder and CEO of Threat Intelligence Platform (TIP)—a data, tool, and API provider that specializes in automated threat detection, security analysis, and threat intelligence solutions for Fortune 1000 and cybersecurity companies. TIP is part of the WhoisXML API family, an intelligence vendor trusted by over 50,000 clients.