Cybersecurity is rapidly becoming one of the hottest topics in the contemporary corporate landscape, because corporate giants operate huge company networks. Due to their sheer scale, these networks run a higher risk of being compromised. In 2014, 41% of all spear-phishing emails targeted large enterprises. However, because of the omnipresence of the Internet, cybersecurity is paramount to any business activity online, as well as to both nongovernmental organizations and government institutions.
In general, regardless of the particular type of cyberthreat, an attack leaves behind a trail of evidence that can be used in cybercrime detection and investigation. Such evidence includes IP addresses, mail servers and domain names. Cyberattacks are a form of criminal activity that involves unauthorized access to data for the purposes of stealing funds, destroying data, violating intellectual property rights, etc. Such activities cover a wide range of crimes: spam, service disruption, information theft, money laundering, phishing, etc.
Tools such as reverse Whois and reverse IP lookups can provide some leads to the people or organizations behind those attacks. Reverse Whois is a way to find out all domains belonging to a natural person or legal entity while reverse IP checks surface all websites sharing the same IP address. When these cannot yield satisfactory results, reverse nameserver lookups can be used to surface all domains on the same nameservers.
As an investigation tool, reverse Whois can be applied effectively only as long as a complete Whois record is available. Some perpetrators opt for the Whois privacy offered by many gTLD registrars, where their identifying information is replaced by that of their service provider. It is for this reason that it is best to use these reverse domain tools in combination.
Recent statistics from 2014 and 2015 reveal that no one is immune to data breaches. Big companies in particular have been targeted for source code theft and information theft, with sensitive company data such as executive emails, client lists or income data being compromised.
In such cases phishing is a common attack approach. For example, perpetrators may first gain access to the company's network by sending a fraudulent email that misleads employees into submitting their access details or inadvertently downloading malware that gives the perpetrators access to the IT network.
The phishing email links to a webpage whose domain can be checked in the respective Whois database (depending on the domain extension: either a global one such as .com or a country code such as .fr). The Whois record will most often contain an email address, which can be used for a reverse Whois lookup to surface more domains associated with that address and owner; those domains in turn can lead to other email addresses and associates. In the case of the Whois privacy mentioned above, or of incomplete Whois data, the reverse IP and nameserver lookups can provide leads as well: by learning which domains are hosted on the same IP address or on the same nameservers, investigators can check those domains' Whois records to trace any association between them.
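The pivoting procedure described above (registrant email to reverse Whois, A record to reverse IP, NS records to reverse nameserver, with the weaker pivots taking over when the registrant is redacted) is worked through below as an added example. It is not code from the article; the Whois and DNS records are constructed for illustration (documentation-range IP addresses, `.example` hostnames), the lookups run against those in-memory tables rather than a real Whois or passive-DNS service, and the shared-hosting threshold and pivot weights are assumptions chosen to show how an analyst would avoid treating every site on a shared host as a lead.

```python
"""Pivoting from one phishing domain to related infrastructure.

Reverse Whois (shared registrant email) is the strong pivot and is followed to
further hops; reverse IP and reverse nameserver matches are weaker and are kept
as leads but not expanded.  A Whois-privacy record (email None) disables the
email pivot so only the weaker pivots remain, as the article describes.
All records here are constructed for the example; nothing is looked up online.
"""
from collections import deque

# Constructed Whois records: domain -> registrant email and nameservers.
# email None models a privacy-protected record where the registrant is redacted.
WHOIS = {
    "login-verify-example.com":  {"email": "ops@mailbox.example",
                                  "ns": ["ns1.host.example", "ns2.host.example"]},
    "account-check-example.net": {"email": "ops@mailbox.example",
                                  "ns": ["ns1.host.example", "ns2.host.example"]},
    "secure-portal-example.org": {"email": None,
                                  "ns": ["ns1.host.example", "ns2.host.example"]},
    "invoice-pay-example.info":  {"email": "billing@mailbox.example",
                                  "ns": ["ns1.other.example"]},
    "news-site-example.com":     {"email": "editor@media.example",
                                  "ns": ["ns1.host.example", "ns2.host.example"]},
}

# Constructed forward DNS: domain -> IPv4 address (RFC 5737 documentation ranges).
DNS_A = {
    "login-verify-example.com":  "192.0.2.10",
    "account-check-example.net": "192.0.2.10",
    "secure-portal-example.org": "192.0.2.10",
    "invoice-pay-example.info":  "192.0.2.10",
    "news-site-example.com":     "198.51.100.7",
}

# Assumed analyst tuning: an IP serving more sites than this is treated as
# shared hosting and is not used as a pivot; pivot weights order the leads.
SHARED_HOST_THRESHOLD = 50
PIVOT_WEIGHT = {"email": 3, "ip": 2, "ns": 1}


def reverse_whois(email):
    """All domains whose Whois registrant email matches."""
    return {d for d, r in WHOIS.items() if r["email"] == email}


def reverse_ip(ip):
    """All domains resolving to the same address."""
    return {d for d, a in DNS_A.items() if a == ip}


def reverse_ns(ns):
    """All domains delegated to the same nameserver."""
    return {d for d, r in WHOIS.items() if ns in r["ns"]}


def pivots_for(domain):
    """Yield (pivot_type, value, linked_domains) for one domain.

    The email pivot is skipped for privacy-protected records, and the IP pivot
    is skipped when the address looks like heavily shared hosting.
    """
    rec = WHOIS.get(domain)
    if rec is None:
        return
    if rec["email"]:
        yield ("email", rec["email"], reverse_whois(rec["email"]))
    ip = DNS_A.get(domain)
    if ip:
        hits = reverse_ip(ip)
        if len(hits) <= SHARED_HOST_THRESHOLD:
            yield ("ip", ip, hits)
    for ns in rec["ns"]:
        yield ("ns", ns, reverse_ns(ns))


def investigate(seed, max_hops=2):
    """Breadth-first pivoting from `seed`.

    Returns {domain: [(pivot_type, pivot_value, via_domain), ...]} recording how
    each related domain was reached.  Only email matches are followed to further
    hops; IP and NS matches stay as leads so a shared host cannot drag in every
    site it serves.
    """
    evidence = {seed: []}
    expanded = {seed}
    queue = deque([(seed, 0)])
    while queue:
        domain, hops = queue.popleft()
        for ptype, value, linked in pivots_for(domain):
            for other in sorted(linked):
                if other in (domain, seed):
                    continue
                evidence.setdefault(other, []).append((ptype, value, domain))
                if ptype == "email" and other not in expanded and hops + 1 < max_hops:
                    expanded.add(other)
                    queue.append((other, hops + 1))
    return evidence


def rank_leads(evidence, seed):
    """Leads as (domain, score) sorted strongest first; score is the best pivot seen."""
    scored = {d: max(PIVOT_WEIGHT[p] for p, _, _ in links)
              for d, links in evidence.items() if d != seed}
    return sorted(scored.items(), key=lambda kv: (-kv[1], kv[0]))


def associated_emails(evidence, seed, min_score=2):
    """Registrant emails of the seed and of leads at or above `min_score`."""
    domains = [seed] + [d for d, s in rank_leads(evidence, seed) if s >= min_score]
    return {WHOIS[d]["email"] for d in domains if WHOIS.get(d, {}).get("email")}


if __name__ == "__main__":
    for seed in ("login-verify-example.com", "secure-portal-example.org"):
        ev = investigate(seed)
        print(f"seed {seed}")
        for domain, score in rank_leads(ev, seed):
            print(f"  {score}  {domain}  via {sorted({p for p, _, _ in ev[domain]})}")
        print("  associated emails:", sorted(associated_emails(ev, seed)))
```

Running it from the phishing domain with a full Whois record links `account-check-example.net` through the shared registrant email and the two other sites on the same IP through reverse IP, while `news-site-example.com`, which shares only the nameservers, ranks last. Starting instead from the privacy-protected `secure-portal-example.org`, the email pivot never fires, yet the IP and nameserver pivots still surface the same registrant emails on the neighbouring domains, which is the combination of tools the article recommends.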
All in all, it is safe to say that cybersecurity should not be underestimated and therefore a proactive approach with the right investigation tools is the way ahead.