Domain Security, Part 1: Do You Know Who’s in Your WHOIS?

Most people responsible for managing domain name portfolios don’t give the WHOIS much thought. However, there is much more to consider beyond ensuring that domains are registered to a valid legal entity.

“Every year, millions of individuals, businesses, organizations, and governments register domain names. Each one must provide identifying and contact information which may include: name, address, email, phone number, and administrative and technical contacts. This information is often referred to as WHOIS data. But the WHOIS service is not a single, centrally-operated database. Instead, the data is managed by independent entities known as registrars and registries.” [1]

Through this three-part blog series, CSC® will explore how, with the ever-increasing threat of cybercrime, the WHOIS has become a window into an organization's security setup.

WHOIS basics

WHOIS information is stored and displayed differently, in either a thin or a thick data model:

  • Thin Model – Thin WHOIS only provides the registrar, name servers, and registration dates. To acquire full information on domain name ownership, a secondary lookup at the registrar on file is necessary.
  • Thick Model – A thick WHOIS provides useful additional details beyond what is contained in a thin WHOIS record. Typically, the additional details contain contact information, including registrant, administrative, and technical contacts. A thick WHOIS database also provides all the necessary information about who owns the domain, where it is registered, what name servers it uses, when it was registered, and when it may expire. [2]

The amount of information shared on the WHOIS also varies from top-level domain (TLD) to TLD, as shown here:

#1 threat: contact information

A recent CSC study suggested 41% of WHOIS records for businesses' core domains contained a named individual. There is a well-documented history of domain and domain name system hijacking (think Bitcoin [3] and Google [4]) and, most recently, the hijacking of the entire operations of a major Brazilian bank [5].

Given that it was possible in all cases to use generic details such as “domain administrator,” the question is—why provide details of domain name portfolio managers to bad actors? Without realizing it, companies are providing cyber criminals with the ammunition they need to spear phish or socially engineer access to a brand’s domain management platform.

It’s good practice to ensure that where possible, you use a generic title and email address for all contacts within your WHOIS. Advantages include:

  1. Better domain management – Avoid the complication of making updates to the WHOIS every time a staff member leaves the business, and reduce risk of missing a renewal notice or other important communication due to staff turnover by using a generic email address that always reaches someone at your company.
  2. Compliance – Registries require you to keep your ownership details up to date or you risk having the registration withdrawn. Using generic titles and email addresses means your ownership details rarely, if ever, have to be updated.
  3. Reduced spam and phishing – Using generic details means domain managers can avoid being targeted by email spam and cold calls.

With the help of a domain provider, brand owners should audit their portfolio to ensure that generic information is included in the WHOIS rather than personal details of any employee. CSC can offer this analysis free of charge for customers.
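A minimal sketch of such an audit, added here as an illustration and not CSC's own tooling: it parses WHOIS text in the common `Key: Value` layout, reports whether the record is thin or thick, and lists contact fields that read as a named person rather than a role. The field labels, the role-word list, and both sample records are assumptions constructed for this example.

```python
import re

# Assumption: words that mark a contact as a role or function, not a person.
ROLE_WORDS = {"domain", "domains", "admin", "administrator", "hostmaster",
              "dns", "legal", "department", "team", "redacted"}
# Assumption: contact fields use the common "Registrant/Admin/Tech Name/Email" labels.
CONTACT_FIELD = re.compile(r"^(registrant|admin|tech)\s+(name|email)$", re.I)

def parse_whois(text):
    """Parse 'Key: Value' lines into (key, value) pairs, skipping empty values."""
    pairs = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() and value.strip():
            pairs.append((key.strip(), value.strip()))
    return pairs

def is_generic(field, value):
    """True when a contact value reads as a role rather than a named person."""
    if field.lower().endswith("email"):
        value = value.split("@", 1)[0]  # judge only the mailbox name
    words = set(re.split(r"[^a-z]+", value.lower())) - {""}
    return bool(words & ROLE_WORDS)

def audit(text):
    """Return (model, findings): 'thin' or 'thick', plus personal-looking contacts."""
    contacts = [(k, v) for k, v in parse_whois(text) if CONTACT_FIELD.match(k)]
    if not contacts:
        # Thin record: ownership needs a secondary lookup at the registrar on file.
        return "thin", []
    return "thick", [(k, v) for k, v in contacts if not is_generic(k, v)]

# Constructed sample records (not real WHOIS output).
THICK_SAMPLE = """Domain Name: example.com
Registrar: Example Registrar, Inc.
Registrant Name: Jane Smith
Registrant Email: jane.smith@example.com
Admin Name: Domain Administrator
Admin Email: domains@example.com
Tech Name: DNS Hostmaster
Tech Email: hostmaster@example.com
Name Server: ns1.example.com"""
THIN_SAMPLE = """Domain Name: example.com
Registrar: Example Registrar, Inc.
Name Server: ns1.example.com
Creation Date: 2001-01-01T00:00:00Z"""

if __name__ == "__main__":
    for record in (THICK_SAMPLE, THIN_SAMPLE):
        print(audit(record))
```

The role-word match is a heuristic: a finding means the value should be reviewed by a person, not that it is certainly an employee's name.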

Domain Security, Part 2: You’re Only as Secure as Your Provider

Domain Security, Part 3: Preventing Unauthorized Access

[1] https://whois.icann.org/en/about-whois
[2] https://www.domaintools.com/support/what-is-whois-information-and-why-is-it-valuable/
[3] http://www.ibtimes.co.uk/over-8-million-bitcoin-wallets-left-inaccessible-blockchain-info-hit-dns-hijack-1586237
[4] https://www.techworm.net/2017/01/google-brazil-hacked.html
[5] https://www.wired.com/2017/04/hackers-hijacked-banks-entire-online-operation/