Thousands of times a day, domains are bought or transferred between individuals. The process is easy: it takes only a few minutes and roughly $7, depending on the registrar. Beyond payment details, you must provide additional information about yourself, some of which is stored as part of a WHOIS record once the domain has been set up.
WHOIS is a protocol that lets anyone query for information about a domain, IP address, or subnet. One of the most common uses of WHOIS in threat infrastructure research is to identify or connect otherwise disparate entities based on unique data shared across WHOIS records. If you were reading carefully, or have ever purchased a domain yourself, you may have noticed that the information a registrar requests is never verified. In fact, you could put anything in the record (and a lot of people do), and it would then be displayed to the world.
Each WHOIS record has a number of different sections, each of which can contain different information. Commonly found sections include “registrar”, “registrant”, “administrator”, and “technical”, with each potentially corresponding to a different contact for the record. Much of the time this data is duplicated across sections, but in some cases there are slight discrepancies, especially if an actor made a mistake. When viewing WHOIS information within PassiveTotal, you will see a condensed record that de-duplicates the data and notes which part of the record each value came from. We have found this greatly speeds up the analyst workflow and also avoids overlooking data. PassiveTotal's WHOIS information is powered by the RiskIQ WHOISIQ™ database.
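As an added illustration of the condensation described above (example code, not PassiveTotal's own; the record and the `.test` domain are constructed), this parser collapses duplicated contact fields into one entry per value and notes which sections supplied it, so a discrepancy such as a mistyped email in one section stands out instead of being lost among the duplicates:

```python
from collections import defaultdict

# Constructed sample record (not a real registration); field names follow the
# common "<Section> <Field>: <value>" WHOIS layout. The "Tech Email" line
# carries a deliberate typo to show how a discrepancy surfaces.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-INFRA.TEST
Registrar: Example Registrar, Inc.
Registrant Name: J. Doe
Registrant Email: jdoe@example.test
Admin Name: J. Doe
Admin Email: jdoe@example.test
Tech Name: J. Doe
Tech Email: jdoe@exmaple.test
"""

# Contact sections whose prefix is stripped so like fields can be compared.
SECTIONS = ("Registrant", "Admin", "Tech")


def parse_whois(text):
    """Return {field: {value: [sections]}} from raw WHOIS text.

    Lines without a section prefix (domain name, registrar) are filed
    under the pseudo-section "record".
    """
    condensed = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if not value:
            continue
        section = "record"
        for prefix in SECTIONS:
            if key.startswith(prefix + " "):
                section = prefix.lower()
                key = key[len(prefix) + 1:]
                break
        condensed[key.lower()][value].append(section)
    return {field: dict(values) for field, values in condensed.items()}


def discrepancies(condensed):
    """Fields whose sections disagree on the value (e.g. a typo'd email)."""
    return {f: v for f, v in condensed.items() if len(v) > 1}
```

Running `discrepancies(parse_whois(SAMPLE_WHOIS))` reports only the email field, with the registrant and admin sections agreeing and the tech section holding the odd value.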
A quick overview can be found on our RiskIQ YouTube channel.
Current Whois Lookups
RiskIQ's current WHOIS repository lists all domains in RiskIQ's WHOIS collection that are currently registered and associated with the WHOIS attribute of interest. Each result shows the domain's registration and expiration dates, along with the email address used to register the domain. This data is displayed in the WHOIS search tab of the platform.
Historical Whois Lookups
RiskIQ's WHOIS history repository gives analysts access to all known historical associations between domains and WHOIS attributes, based on RiskIQ's observations. This data set lists every domain associated with the attribute an analyst pivots on, along with the first and last time we observed the association between the domain and the queried attribute. This data is displayed in a separate tab next to the current WHOIS search tab.