Who is WHOIS?

To lookup where domain names are registered you can use a database that stores the information of registered domains.

WHOIS has become a verb that describes the action of identifying the owner of a web address (or “domain”). It is effectively a telephone book for the internet. The origins of WHOIS go back to 1982. As the internet has grown (according to this report there are over 326 million top level domain names registered as of March 2016), WHOIS has become a useful tool for law enforcement, investigators, intellectual property and trademark owners, businesses and individuals.

The WHOIS protocol is looked after by ICANN, an independent, private and non-profit organisation, who have committed to "maintain timely, unrestricted and public access to accurate and complete WHOIS information." When any web address or hostname is registered, three pieces of information are requested: the contact of the registrant, the administrative contact (i.e. for payment information) and a technical contact.

For investigators this can be a helpful starting point when trying to determine who is behind a company or project and where they are based. Corporate structures are often confusing or intentionally obfuscated, which can make it difficult to understand who might own a particular company, how long it might have existed or where it might be based. WHOIS searches can also be used to see if the same individual or organisation owns multiple seemingly unrelated websites or online services.

In addition to helping you determine who registered a particular web address, familiarity with WHOIS can help you protect yourself and your information when setting up a website of your own.

It's great because

WHOIS is a great place to start when using websites to investigate the ownership of companies because it sometimes identifies central figures, including where they are based, how to contact them and when they first registered the website in question.

But watch out for

Since 1999 entities other than ICANN offer domain registration services, but they too are responsible for maintaining WHOIS registries. An increasing number of these registrars now offer “privacy shields” that, for a small yearly fee, hide the personal or corporate information of the registrant.

Also watch out for misleading information. The individual who registered a particular web address might have provided fake details or created a disposable identity when doing so. Questions you can ask when trying to determine whether WHOIS information is real include: Does the country code fit the address provided? Does the phone number provided work? Is the address real? Can you find it online through Google Maps or Open Street Maps? Does the email address work?

Learning curve

Gentle

How do you use it?

Through the browser

Go to one of the many WHOIS websites — such as https://w hois.icann.org (which is available in Arabic, Chinese, English, French, Portuguese, Russian and Spanish), https://w hois.net, https://w ho.is or https://w hois.domaintools.com — and enter the web address for which you want to find ownership information.

For example, if you go to https://w hois.icann.org, enter “www.hackingteam.com” and press enter, you will see something like the following.

From here, you can see the domain registrar from which the web address was obtained (in this case “register.it”) and the date on which it was registered. You can also see the name and address of the registrant. If no results are returned, consider checking other WHOIS websites as they sometimes draw on slightly different databases.

Below is a WHOIS search on the website for the Blackhat security conference:

If you do a web search for “United Business Media LLC,” you will find the company’s website, which is www.ubm.com. And, if you search for “ubm blackhat,” you will see strong evidence that the company is real and that it has something to do with the Blackhat conference.

There is at least one commercial service that maintains an “historical” WHOIS database, but it is rather expensive. If you can afford it, a “Personal Membership” may allow you to dig up useful information about a registrant with an active “privacy shield.” This is because people sometimes wait to purchase these services until after they have registered a domain name (or forget to renew them in a timely manner). Because Domain Tools is contantly scraping WHOIS information, their historical database might contain what you are looking for.

Below is an example of the information they provide if you do not have a “Personal Membership.”

Through the terminal

You can also find WHOIS data using the Terminal on a Mac or Linux computer. Simply type the following command: "whois nameofwebsite.com". (Note that you should not include a "www." at the front of the web address.) This method may fail for some websites, but it works for all .com, .net and .edu addresses, and it should work for many others. If you do not find what you are looking for, try the websites mentioned above as they often support a broader collection of registry databases.

For example, if you type "whois techcrunch.com", you should see something like the following.

Do I need to be on the internet to use it?

Yes you do. WHOIS websites and Terminal-based queries both require an internet connection.

Any privacy concerns with this tool?

Unless the service you are using to request WHOIS data supports encryption, others can intercept your queries at various points along the route from your computer to the service. This is true for the Terminal based method described above and for some web based WHOIS services. The Domain Tools WHOIS service, for example, is available at both http://whois.domaintools.com and https://whois.domaintools.com. We recommend using the second URL, which will encrypt the traffic between you and the database.

Like most online services, WHOIS databases are hosted by companies and individuals whom you probably do not know and may not trust. The administrators of a service you are using can monitor your queries and identify where you were on the Internet when you made them. This is true even if you use an “https” URL to encrypt your queries in transit. We recommend using the

Tor

Relying on a network of virtual tunnels, Tor prevents websites from tracking your identity. Take a look at this page to understand how Tor works. To better understand the distinction between Tor and https, go to this graph created by the Electronic Frontier Foundation..

Tor Browser when looking up web addresses related to sensitive investigations.

Further resources

The artist duo KairUs, Linda Kronman and Andreas Zingerle, held a workshop in Graz, Austria to investigate fake businesses created with the intention to commit fraud. In the workshop they investigated how fake online identities and company representation are created and illustrated strategies that activists use to uncover fake companies of criminal organisations. Part of this workshop included investigating the domain name of the presumed fake website where they instructed participants to ask such questions as: Is there another company under the same company name? Is there a same website registered under the .com, .net, .at, etc.? Can I find other information about the company online?

This workshop follows their artwork 'Megacorp', a collection of fake websites scraped from the internet. These websites and companies exist only virtually and are used by cyber criminals for phishing attacks or to support scam stories.

Image by KairUs

Read

Watch

Listen

Learn

The Kit