In the present-day Information Age it is unrealistic to expect that cyber crime cases will be isolated incidents when in fact all business sectors are affected to a greater or lesser degree. Unfortunately, more sophisticated technologies mean more sophisticated internet crimes that call for flexible approaches in crime detection and investigation.
Statistics show that 68% of funds lost to what are unrecoverable. To scale down damages, it is necessary to utilize all available resources.
At its most basic, any form of cyber attack involves sending information from one point in the Internet to another. Most often, this means that somewhere perpetrators have used either IP addresses, or mail servers, or domains that can identify them. They can, however, cover their tracks by fake registration details which further complicates the investigation.
Whatever the cybercrime case may be: phishing, malware, identity theft, intrusion, counterfeit e-commerce, they all point back to domain names and IP addresses, which usually lead to Whois records. These records are kept by ICANN registrars (for global top-level domains or gTLDs such as .com, .net, etc.) or by national registries (for country code top-level domains or ccTLDs such as .ca, .de, .es, .au, .mx, etc) and contain registrant details such as: name, email address, postal address, nameservers, etc.
Reverse Whois is a common research tool to access this data. It allows investigators to look up all domain names belonging to a natural person or organization based on any registrant detail from the above mentioned. This is extremely useful in any cybercrime investigation. For example, in counterfeiting cases once the domain owner is known from their Whois record, investigators can check all their websites to uncover other violations and accomplices.
To keep their identity hidden, perpetrators may resort to private Whois, but it is available only for some of the global top-level domains such as .com. This means that their contact details in the Whois record is replaced with an anonymous identity. For such cases, reverse IP or nameserver lookups can come up with all domains sharing a single IP address or nameserver. Thus, the rest of related domains can be researched for Whois details to reveal the domain owner/s.
In cases of identity theft (stealing personal and credit card details), reverse IP searches can offer leads. For example, once investigators establish what IP address/es are used for the unauthorized access, then they can find out all domains that they use and gather owner information from them. Sometimes perpetrators use Content Delivery Networks (CDNs) to hide behind IP addresses in the cloud. Then reverse nameserver lookups can help since investigators can find all domains on the same nameservers and access Whois data from there.