3 Things You Can Learn from WHOIS History Records

A recent Hackernoon.com article cited two search tools that can provide historical domain WHOIS data: WHOIS History Search and WHOIS History API. Both products work roughly the same way but come in different consumption formats. The former is a web-based search engine, while the latter is an application programming interface (API) that can be integrated into existing enterprise systems.

But what, exactly, can we learn from WHOIS history records? How can such data benefit enterprises?

Insights You Can Glean from WHOIS History

Historical data obtained using a WHOIS history search tool includes complete domain registration details, such as a domain’s registrar, registrant, and administrative and technical contact details for a given period.

With this data, organizations can learn several things about the domain, including the following:

  • Previous ownership details
  • Past associations
  • Third-party reliability (where applicable)

Previous Ownership: Who Owned the Domain before Privacy Redaction?

When the General Data Protection Regulation (GDPR) came into force in May 2018, registrars began redacting WHOIS registration details, especially for customers from the European Union (EU).

To compare, we checked the WHOIS records of random domain names before and after the implementation of the GDPR. In multiple instances, the records from before privacy redaction showed details such as the registrant’s name, email address, phone number, street address, city, and state.

After redaction, most of these details are no longer visible in WHOIS lookup results. Knowing the ownership details from before they were redacted can help you reach out to a domain’s owner, among other things.

Past Associations: Has the Domain Been Involved in Malicious Activities?

While cybercriminals could be taking advantage of the anonymity provided by privacy redaction, it’s still possible to find information related to them, and WHOIS history can help. Looking into the past ownership details of a domain can help security teams determine if it has been associated with malicious entities or activities in the past.

Take the domain microsoftdrive[.]net as an example. Historical WHOIS records reveal that the domain has had a registrant email address that could be owned by a hacker involved in the Charming Kitten cybercriminal group.

The domain’s association with a suspicious email address (and, therefore, with a suspected cybercriminal) would possibly raise the alarm for most security teams.

Third-Party Reliability: Is the Vendor or Partner Who It Claims to Be?

Many companies state they suffered a data breach due to a third-party vendor. As the supply chain of organizations continues to expand, exposure to third-party risks also increases. WHOIS history data can help enterprises with third-party risk assessment by looking into a vendor’s domain ownership records. This can help answer these questions:

  • Do the details provided by the vendor coincide with its historical WHOIS records?
  • Has the domain been associated with shady entities in the past?
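The three checks described above, as an added example that is not from the original article or from any WHOIS history product, run over a constructed ownership history. The record fields `seen`, `org` and `email`, the `.example` addresses, the redaction markers and the watchlist are all assumptions made for illustration.

```python
# Added example: triage of historical WHOIS records (constructed data, assumed field names).
from datetime import date

REDACTION_MARKERS = ("redacted", "privacy", "not disclosed", "gdpr")

# Constructed history for a placeholder vendor domain, oldest to newest.
HISTORY = [
    {"seen": date(2016, 3, 1), "org": "Acme Hosting Ltd", "email": "Admin@Acme-Hosting.example"},
    {"seen": date(2017, 9, 12), "org": "Northwind Trading", "email": "ops@northwind.example"},
    {"seen": date(2018, 6, 2), "org": "REDACTED FOR PRIVACY", "email": "REDACTED FOR PRIVACY"},
    {"seen": date(2020, 1, 20), "org": "", "email": None},
]
WATCHLIST = {"admin@acme-hosting.example"}  # constructed indicator list

def norm(value):
    """Lower-case and trim a field; None becomes an empty string."""
    return (value or "").strip().lower()

def is_redacted(value):
    """Treat empty fields and common privacy placeholders as redacted."""
    v = norm(value)
    return not v or any(marker in v for marker in REDACTION_MARKERS)

def last_unredacted(history):
    """Most recent record whose registrant email is still visible."""
    visible = [r for r in history if not is_redacted(r["email"])]
    return max(visible, key=lambda r: r["seen"]) if visible else None

def watchlist_hits(history, watchlist):
    """Dates on which the domain was registered to a watchlisted email."""
    return [r["seen"] for r in history
            if not is_redacted(r["email"]) and norm(r["email"]) in watchlist]

def org_mismatches(history, claimed_org):
    """Visible historical organisations that differ from the vendor's claim."""
    seen = {norm(r["org"]) for r in history if not is_redacted(r["org"])}
    return sorted(seen - {norm(claimed_org)})

def assess(history, watchlist, claimed_org):
    """Combine the three checks into one report for an analyst."""
    last = last_unredacted(history)
    return {
        "last_visible_owner": last and (last["seen"], norm(last["email"])),
        "watchlist_dates": watchlist_hits(history, watchlist),
        "other_orgs": org_mismatches(history, claimed_org),
    }
```

A non-empty `watchlist_dates` or `other_orgs` is a prompt for analyst review rather than a verdict, since domains legitimately change hands.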

The GDPR and other data protection laws pushed registrars to redact WHOIS records to address data privacy issues. However, redaction has also created a mismatch, which can be summed up as the dilemma of keeping registrants’ privacy protected while also ensuring accountability for Internet properties.

WHOIS history can still be accessed, though, to help organizations uncover domain ownership details. Historical WHOIS records provide essential data points that can tell anyone about a domain’s past and whether it can be trusted.