WHOIS database assists in pwnage attempt

If the headline seems like a typographical error, it's not. The verb "to pwn" is Internet-speak for "to own by cyberattack." Fifteen-year-old hackers use it.

And who might get "pwned" (pronounced "pawned")? Everyone on the "WHOIS" record. And what's the "WHOIS" record? According to Wikipedia: "WHOIS (pronounced 'who is') is a query and response protocol...used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block, or an autonomous system, but is also used for a wider range of other information. The protocol stores and delivers database content in a human-readable format."

The "WHOIS" information is that given by whoever applied for a website domain name. If you want to find out who registered, for example, hongkong.com, go to http://www.networksolutions.com/whois/index.jsp and type it in--it will dish up the information supplied at the time of registration.

It's a piece of information useful in basic intel-gathering, but I hadn't thought of this registry in a while. Until a friend sent me a panicked e-mail last week--he was convinced of cyber malfeasance. The dodgy missive contained his actual name/address/telephone number, and seemed to offer a search-engine service in a manner more suited to warning of imminent domain-name expiration. There were links to the usual ("PROCESS SECURE PAYMENT" and "UNSUBSCRIBE INSTRUCTIONS") malware-delivery sites, but, he said: "they've got my info!"

I suggested he remain calm and check the return email address, noting that as it was a string of letters and numbers with a ".in" domain, perhaps he wasn't in imminent danger. Unless of course he'd clicked on the links, which--following essential security practice--he hadn't. Deleting the malicious missive eliminated any chance of pwnage.

But it's been years since I saw a phish based on mining of the "WHOIS" database, so I contacted Richard Stagg, managing director of Hong Kong-based security and penetration-testing firm Handshake Networking.

Stagg's advice is always useful, and after confirming that he sees scams based on "databases being mined for information" frequently, he waxed lyrical on this particular vulnerability.

"So many bits of the Internet are still based on those happy days years ago when it was a small, trusted place and the Russians weren't plugged in," wrote Stagg. "The 'WHOIS' database is a classic example. We always check it during penetration-testing, looking for convenient information leaks and occasionally using it for social engineering (famous example: large HK-based retail organisation; one fax on fake letterhead made from their Website, and we OWNED THEIR DOMAIN.....!)"

This comment from the ever-inventive Mr Stagg helped spark this blog post. What comes naturally to penetration-testers (and hackers) is a holistic view of security. Information from the "WHOIS" database is a starting point--correlate it with other info gleaned from social networks, "friendly" phone calls to employees, and graphics copied from Websites, and suddenly a large Hong Kong-based firm no longer owns its own domain. This is why enterprises with significant brand-equity view in-depth online security as sound business practice. The risks are just too great...and diverse.

Stagg then gave some impromptu comments that I feel are worth relaying. "The Internet's greatest challenge is its inertia, and the astonishing amount of will required to upgrade even the tiniest part," he wrote. "Why do we still have spam? Why do we still need search engines? Why are phishers trying to extort money? Because we can't upgrade the Internet!"

This string of invective raises more questions than this correspondent can answer, but remember this comes from the managing director of a firm dedicated to helping Hong Kong enterprises protect their networks, and the brand-equity they represent, from criminals who do far worse than blast out a million phishing e-mails based solely on the "WHOIS" database. But for now, let's keep it simple. Go ahead and type any URLs pertinent to your business into the Network Solutions "WHOIS" database-checker: http://www.networksolutions.com/whois/index.jsp. At the very least, it will show you the information any hacker can easily find, and list the expiration date of your domain name. Being aware of security issues is always a best practice for enterprises. As Stagg points out, it's been years since the Internet was a small, trusted place.
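The same check can be done without a Web form. The WHOIS protocol described earlier (RFC 3912) is just a line of text sent to TCP port 43, and the reply is a list of "Key: value" lines. The example below is added for this post and is not code from the original article or from Handshake Networking: it sends one query, parses the reply, reports which registrant contact fields are exposed in the clear (the ones a phisher would lift into a personalised lure) and counts the days until the registration expires. The record it runs against offline is constructed for the example; the default server is the .com registry's WHOIS host, and the field labels are the common ICANN ones, so other registries may use different names.

```python
"""Added example: minimal RFC 3912 WHOIS client plus a parser that reports what a
registration record exposes and when the domain expires.  SAMPLE_RECORD below
is constructed for this example and is not a real registration."""
from __future__ import annotations

import re
import socket
from datetime import datetime, timezone

# Contact fields that, when not redacted, give a phisher a ready-made pretext.
CONTACT_FIELDS = (
    "Registrant Name", "Registrant Organization", "Registrant Street",
    "Registrant City", "Registrant Phone", "Registrant Email", "Admin Email",
)

# Constructed sample reply, shaped like a registry (thin) WHOIS response.
SAMPLE_RECORD = """\
   Domain Name: EXAMPLE-SHOP.TEST
   Registry Expiry Date: 2024-03-15T12:00:00Z
   Registrar: Example Registrar, Inc.
   Registrar URL: http://registrar.example
   Registrant Name: Jane Doe
   Registrant Organization: Example Shop Ltd
   Registrant Street: 1 Sample Road
   Registrant City: Hong Kong
   Registrant Phone: +852.00000000
   Registrant Email: jane@example-shop.test
   Admin Email: REDACTED FOR PRIVACY
>>> Last update of whois database: 2024-01-01T00:00:00Z <<<
"""


def whois_query(domain: str, server: str = "whois.verisign-grs.com",
                timeout: float = 10.0) -> str:
    """Send one RFC 3912 query (domain + CRLF on TCP/43) and return the raw reply.
    This is the only networked function; the offline demo does not call it."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(domain.encode("ascii") + b"\r\n")
        chunks = []
        while True:                      # server closes the connection when done
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_record(raw: str) -> dict[str, str]:
    """Turn 'Key: value' lines into a dict; the first occurrence of a key wins.
    Lines without a colon (blank lines, legal disclaimers) are skipped."""
    record: dict[str, str] = {}
    for line in raw.splitlines():
        m = re.match(r"^\s*([^:]+?):\s*(.*?)\s*$", line)
        if m and m.group(1) not in record:
            record[m.group(1)] = m.group(2)
    return record


def exposed_contacts(record: dict[str, str]) -> dict[str, str]:
    """Contact fields that are present and not hidden by a privacy/proxy service."""
    markers = ("REDACTED", "PRIVACY", "PROXY", "WITHHELD")
    return {k: v for k, v in record.items()
            if k in CONTACT_FIELDS and v
            and not any(marker in v.upper() for marker in markers)}


def days_until_expiry(record: dict[str, str],
                      today: datetime | None = None) -> int | None:
    """Whole days left on the registration, or None if no expiry field is present."""
    raw = (record.get("Registry Expiry Date")
           or record.get("Registrar Registration Expiration Date"))
    if not raw:
        return None
    expiry = datetime.fromisoformat(raw.replace("Z", "+00:00"))
    now = today or datetime.now(timezone.utc)
    return (expiry - now).days


def report(record: dict[str, str], today: datetime | None = None) -> list[str]:
    """Human-readable summary: what the record leaks and how soon it lapses."""
    lines = [f"Domain: {record.get('Domain Name', '?')}"]
    days = days_until_expiry(record, today)
    lines.append("Expiry: unknown" if days is None else f"Expiry: {days} days away")
    lines.extend(f"Exposed: {k} = {v}" for k, v in exposed_contacts(record).items())
    return lines


if __name__ == "__main__":
    # Offline run against the constructed record; swap in
    # parse_record(whois_query("yourdomain.com")) for a live check.
    print("\n".join(report(parse_record(SAMPLE_RECORD))))
```

Six registrant fields come back as exposed for the sample record, while the redacted admin address is filtered out; an expiry only weeks away is exactly the detail the fake "renewal" mails described above trade on, so it is worth knowing before the phisher does.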

Stories by Stefan Hammond