Thousands of times a day, domains are bought or transferred between individuals. The process is easy, takes only a few minutes and costs roughly $7 depending on the registrar. Beyond payment details, you must provide additional information about yourself, some of which is stored as part of a WHOIS record once the domain has been set up.
WHOIS is a protocol that lets anyone query for information about a domain, IP address, or subnet. One of the most common uses of WHOIS in threat infrastructure research is to identify or connect disparate entities based on unique data shared across WHOIS records. If you have been reading carefully, or have ever purchased a domain yourself, you may have noticed that the information requested by registrars is never verified. In fact, you could put anything in the record (and a lot of people do), and it would then be displayed to the world.
Each WHOIS record has a number of different sections, each of which may contain different information. Commonly found sections include “registrar”, “registrant”, “administrator” and “technical”, each potentially corresponding to a different contact for the record. Much of the time this data is duplicated across sections, but in some cases there may be slight discrepancies, especially if an actor made a mistake. When viewing WHOIS information within PassiveTotal, you will see a condensed record that de-duplicates the data and notes which part of the record each value came from. We have found this process greatly speeds up the analyst workflow and also avoids overlooking data.
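The condensing step described above, written out as an added example (this is not PassiveTotal's code). It assumes the common plain-text registrar layout in which contact fields are prefixed with their section name (`Registrant Email:`, `Admin Email:`, `Tech Email:`), and it operates on two constructed sample records with placeholder values. The parser collapses duplicate values while keeping the list of sections each value came from, flags fields where the contact sections disagree (the "actor made a mistake" case), and lists the values two records have in common so an analyst can decide which are unique enough to pivot on.

```python
import re
from collections import defaultdict

# Constructed sample WHOIS record (placeholder values, not a real domain).
# Note the Tech Email differs from the other sections by one character.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-LOOKALIKE.TEST
Registrar: Placeholder Registrar, Inc.
Registrar Abuse Contact Email: abuse@registrar.example
Registrant Name: John Placeholder
Registrant Organization: Placeholder Org
Registrant Email: jp.contact@mail.example
Registrant Phone: +1.5550100
Admin Name: John Placeholder
Admin Email: jp.contact@mail.example
Admin Phone: +1.5550100
Tech Name: John Placeholder
Tech Email: jp-contact@mail.example
Tech Phone: +1.5550100
Name Server: NS1.HOSTER.EXAMPLE
Name Server: NS2.HOSTER.EXAMPLE
"""

# Second constructed record that reuses one contact value and one name server.
OTHER_WHOIS = """\
Domain Name: ANOTHER-LOOKALIKE.TEST
Registrar: Different Registrar LLC
Registrant Name: Privacy Service
Registrant Email: redacted@privacy.example
Admin Email: redacted@privacy.example
Tech Email: jp.contact@mail.example
Name Server: NS1.HOSTER.EXAMPLE
"""

# Section prefixes a registrar's plain-text output puts in front of field names.
SECTIONS = ("Registrant", "Admin", "Tech", "Registrar")
LINE_RE = re.compile(r"^\s*([^:]+?):\s*(.*?)\s*$")
# Fields worth comparing across records when looking for shared infrastructure.
PIVOT_FIELDS = ("Email", "Phone", "Name", "Organization", "Name Server")


def parse_whois(text):
    """Return (section, field, value) triples from plain-text WHOIS output.
    Lines without a section prefix (Domain Name, Name Server, bare Registrar)
    are assigned to the pseudo-section "domain"."""
    triples = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group(2):
            continue
        key, value = m.groups()
        for section in SECTIONS:
            if key.startswith(section + " "):
                triples.append((section, key[len(section) + 1:], value))
                break
        else:
            triples.append(("domain", key, value))
    return triples


def condense(text):
    """Return {field: {value: [sections]}}: duplicates collapsed, but the
    originating section of every value is retained (values are lowercased)."""
    out = defaultdict(lambda: defaultdict(list))
    for section, field, value in parse_whois(text):
        out[field][value.lower()].append(section)
    return {f: {v: sorted(set(s)) for v, s in vals.items()} for f, vals in out.items()}


def discrepancies(condensed):
    """Fields whose contact sections disagree with each other. Multi-valued
    domain-level fields such as Name Server are not counted."""
    result = {}
    for field, vals in condensed.items():
        contact_vals = {v: s for v, s in vals.items() if any(x in SECTIONS for x in s)}
        if len(contact_vals) > 1:
            result[field] = contact_vals
    return result


def shared_values(cond_a, cond_b, fields=PIVOT_FIELDS):
    """Values present in both condensed records for the pivotable fields,
    with the sections they came from in each record."""
    shared = []
    for field in fields:
        common = set(cond_a.get(field, {})) & set(cond_b.get(field, {}))
        for v in sorted(common):
            shared.append((field, v, cond_a[field][v], cond_b[field][v]))
    return shared


if __name__ == "__main__":
    record = condense(SAMPLE_WHOIS)
    for field, vals in record.items():
        for value, sections in vals.items():
            print(f"{field:22} {value:28} <- {', '.join(sections)}")
    print("discrepancies:", discrepancies(record))
    print("shared with other record:", shared_values(record, condense(OTHER_WHOIS)))
```

In the sample, the condensed view shows the e-mail address once for the registrant and admin sections and separately for the technical section, which is exactly the kind of one-character difference that is easy to miss when reading three full contact blocks. Shared name servers are usually too common to link two domains on their own; a shared contact address is a much stronger signal, and the per-section provenance tells the analyst which part of the record to look at next.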