WHOIS database assists in pwnage attempt

If the headline seems like a typographical error, it's not. The verb "to pwn" is Internet-speak for "to own by cyberattack." Fifteen-year-old hackers use it.

And who might get "pwned" (pronounced "pawned")? Everyone on the "WHOIS" record. And what's the "WHOIS" record? According to Wikipedia: "WHOIS (pronounced 'who is') is a query and response protocol...used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block, or an autonomous system, but is also used for a wider range of other information. The protocol stores and delivers database content in a human-readable format."

The "WHOIS" information is whatever was supplied by whoever applied for a domain name, as most recently updated with the registrar. If you want to find out who registered, for example, hongkong.com, go to http://www.networksolutions.com/whois/index.jsp and type it in--it will dish up the registration details on file.

It's a piece of information useful in basic intel-gathering, but I hadn't thought of this registry in a while. Until a friend sent me a panicked e-mail last week--he was convinced of cyber malfeasance. The dodgy missive contained his actual name/address/telephone number, and seemed to offer a search-engine service in a manner more suited to warning of imminent domain-name expiration. There were links to the usual ("PROCESS SECURE PAYMENT" and "UNSUBSCRIBE INSTRUCTIONS") malware-delivery sites, but, he said: "they've got my info!"

I suggested he remain calm and check the return email address, noting that as it was a string of letters and numbers with a ".in" domain, perhaps he wasn't in imminent danger. Unless of course he'd clicked on the links, which--following essential security practice--he hadn't. Deleting the malicious missive eliminated any chance of pwnage.

But it's been years since I saw a phish based on mining of the "WHOIS" database, so I contacted Richard Stagg, managing director of Hong Kong-based security and penetration-testing firm Handshake Networking.

Stagg's advice is always useful, and after confirming that he sees scams based on "databases being mined for information" frequently, he waxed lyrical on this particular vulnerability.

"So many bits of the Internet are still based on those happy days years ago when it was a small, trusted place and the Russians weren't plugged in," wrote Stagg. "The WHOIS database is a classic example. We always check it during penetration-testing, looking for convenient information leaks and occasionally using it for social engineering (famous example: large HK-based retail organisation; one fax on fake letterhead made from their Website, and we OWNED THEIR DOMAIN.....!)"

This comment from the ever-inventive Mr Stagg helped spark this blog post. What comes naturally to penetration-testers (and attackers) is a holistic view of security. Information from the "WHOIS" database is only a starting point: correlate it with other details gleaned from social networks, "friendly" phone calls to employees and graphics copied from websites, and suddenly a large Hong Kong-based firm no longer controls its own domain. None of those pieces is a vulnerability on its own; the attack is in the correlation. This is why enterprises with significant brand equity view in-depth online security as sound business practice. The risks are just too great, and too diverse.

Stagg then gave some impromptu comments that I feel are worth relaying. "The Internet's greatest challenge is its inertia, and the astonishing amount of will required to upgrade even the tiniest part," he wrote. "Why do we still have spam? Why do we still need search engines? Why are phishers trying to extort money? Because we can't upgrade the Internet!"

This string of invective raises more questions than this correspondent can answer, but remember it comes from the managing director of a firm dedicated to helping Hong Kong enterprises protect their networks, and the brand equity they represent, from criminals who do far worse than blast out a million phishing e-mails based solely on the "WHOIS" database. But for now, let's keep it simple. Go ahead and type any domain names pertinent to your business into the Network Solutions "WHOIS" checker: http://www.networksolutions.com/whois/index.jsp. At the very least, it will show you the information any attacker can easily find, and the expiration date of your domain name, which is exactly the detail the fake-expiry scam mail described above plays on. Check that the contact details on the record are role addresses rather than a named individual's direct line, and that the expiry date is on someone's calendar. Being aware of security issues is always a best practice for enterprises. As Stagg points out, it's been years since the Internet was a small, trusted place.
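The same check can be scripted instead of typed into a web form. The following is an added example, not code from the column or from Handshake Networking: it speaks the WHOIS protocol itself (RFC 3912: open TCP port 43, send the domain name followed by CRLF, read until the server closes the connection), parses the "Key: value" reply, and pulls out the two things an attacker wants from it, the registrant contact fields and the expiry date. The reply it runs against offline is a constructed sample for this example, not a real registration; the default server name whois.verisign-grs.com is the .com/.net registry's public WHOIS host and is only contacted if you pass a domain on the command line. One caveat a practitioner should know: since 2018 many registrars redact registrant contact fields, so the script reports only the fields that are populated and not marked redacted, while the registrar, name servers and expiry date remain public for virtually every domain.

```python
import re
import socket
from datetime import datetime, timezone
from typing import Optional

WHOIS_PORT = 43  # RFC 3912: plain TCP, one query line ending in CRLF

# Fields whose values feed phishing and social engineering directly.
LEAK_FIELDS = ("Registrant Name", "Registrant Organization", "Registrant Phone",
               "Registrant Email", "Admin Email", "Tech Email")

# Constructed sample reply for this example (not a real registration).
SAMPLE_REPLY = """\
% Constructed sample reply for this example; not a real registration.
Domain Name: EXAMPLE-HK-RETAIL.COM
Registrar URL: http://www.example-registrar.test
Registry Expiry Date: 2024-09-14T04:00:00Z
Registrar: Example Registrar, Inc.
Registrant Name: Jane Chan
Registrant Organization: Example HK Retail Ltd
Registrant Phone: +852.00000000
Registrant Email: jane.chan@example-hk-retail.test
Admin Email: REDACTED FOR PRIVACY
Tech Email: REDACTED FOR PRIVACY
Name Server: NS1.EXAMPLE-HK-RETAIL.TEST
Name Server: NS2.EXAMPLE-HK-RETAIL.TEST
>>> Last update of whois database: 2024-03-01T00:00:00Z <<<
"""


def whois_query(domain: str, server: str = "whois.verisign-grs.com",
                timeout: float = 10.0) -> str:
    """Send '<domain>\\r\\n' to a WHOIS server and read until it closes the
    connection (RFC 3912). Needs network access; default host is assumed."""
    with socket.create_connection((server, WHOIS_PORT), timeout=timeout) as s:
        s.sendall(domain.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_whois(text: str) -> dict:
    """'Key: value' lines -> dict; repeated keys (Name Server) become lists.
    '%'/'#' comment lines and the '>>>' footer are skipped, and the key
    pattern is non-greedy so values containing ':' (URLs) survive."""
    fields: dict = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "%#>":
            continue
        m = re.match(r"^([A-Za-z][A-Za-z /]+?):\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key in fields:
            if not isinstance(fields[key], list):
                fields[key] = [fields[key]]
            fields[key].append(value)
        else:
            fields[key] = value
    return fields


def exposed_contact_details(fields: dict) -> dict:
    """Leak-prone fields that are populated and not redacted: what a
    phisher could paste straight into a mail."""
    exposed = {}
    for key in LEAK_FIELDS:
        value = fields.get(key)
        if isinstance(value, list):
            value = value[0]
        if value and "REDACTED" not in value.upper():
            exposed[key] = value
    return exposed


def days_until_expiry(fields: dict, now_iso: Optional[str] = None) -> Optional[int]:
    """Days left on the registration from 'Registry Expiry Date' (ISO 8601
    with trailing Z, as gTLD registries return it). now_iso pins the clock
    in the same format; None means the current UTC time."""
    raw = fields.get("Registry Expiry Date")
    if not raw:
        return None
    if isinstance(raw, list):
        raw = raw[0]
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    expiry = datetime.strptime(raw, fmt).replace(tzinfo=timezone.utc)
    now = (datetime.strptime(now_iso, fmt).replace(tzinfo=timezone.utc)
           if now_iso else datetime.now(timezone.utc))
    return (expiry - now).days


if __name__ == "__main__":
    import sys
    # With a domain argument, query the live .com registry; otherwise run
    # against the constructed sample so the example works offline.
    text = whois_query(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REPLY
    fields = parse_whois(text)
    print("domain:", fields.get("Domain Name"))
    print("name servers:", fields.get("Name Server"))
    print("exposed contacts:", exposed_contact_details(fields))
    print("days until expiry:", days_until_expiry(fields))
```

Run it with no arguments to see the constructed sample dissected; run it with your own domain to see the same view an attacker gets. Country-code registries (the .hk registry among them) use their own WHOIS hosts and their own field names, so for those pass the right server and extend the field lists; the protocol exchange itself does not change.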

Stories by Stefan Hammond