Jonathan Zhang, WhoisXML API: “DNS abuse instances are among the top threats we see when monitoring domain and DNS activity”
According to researchers, along with the increasing number of domains, the abuse of DNS is growing.
While the world is facing major crises of the century, cybercriminals are taking advantage of the situation and are rapidly setting digital traps in numerous creative ways. Cyberattacks affect not only individuals but also organizations and governments, creating an urgent need for top-notch tools to help combat the threats.
The Cybernews team has invited Jonathan Zhang, the CEO of WhoisXML API, an Internet and security data aggregator, to discuss the importance of data and the current situation in the cybersecurity field.
What has the journey for WhoisXML API been like?
WhoisXML API was founded out of a market need I identified after years of working with organizations like NASA JPL and L-3 Communications. I was a software engineer around 2010 and needed access to structured and unified raw WHOIS data for a network security project.
The challenge was that WHOIS records were highly disaggregated and came from multiple registries and registrars, each with a different format. While it was theoretically possible to consolidate everything, the job would have required hundreds if not thousands of work hours. There were also other limitations like lookup restrictions, and while I could think of a few providers of unified data back then, they were quite expensive. The bottom line—nothing made sense to me at the time.
So the problem remained. I mean, how can one achieve optimal network security without the necessary data?
The solution was to create a company that would help make the Internet a safer place for all organizations. And what better way to work toward that goal than by providing a building block for security systems, which is data.
The journey in establishing the company and building the data repositories has been exciting, though it wasn’t always smooth. There was some red tape initially, and setting up agreements with different data aggregators was key. Also, the company was busy building the necessary technology to automate data parsing and unification to then deliver consistent and highly pivotable domain records across consumption models.
Can you introduce us to what you do? What methods do you use to collect and analyze such large amounts of data?
At its core, WhoisXML API is an Internet and security data aggregator. We offer complete, real-time, and actionable data using a data-as-a-service model.
Through legal partnerships, we collect WHOIS, IP, and domain data from different aggregators like ISPs, registrars, and registries. We then parse, analyze, and normalize vast amounts of data using advanced data sensing technology and machine learning algorithms.
We enable various use cases, notably to amplify crucial cybersecurity practices and contribute to security platforms designed to mitigate cyber-attacks and protect organizations. For instance, our data can help scope out attack surfaces, giving organizations clearer and broader visibility. At the same time, we have clients who use our data for third-party risk assessment and management.
Threat investigators and law enforcement agencies use our data to look for clues when investigating cybercrime. You may have an IP address, a person’s name, an organization’s name, a website, an email address, a nameserver, or any related data point. From there, our data can help you map out the actor’s digital footprint.
Our domain and IP intelligence also supports phishing prevention and brand protection. We do that by mainly providing real-time information about newly registered and cybersquatting or typosquatting domains.
All these use cases are aligned with the company’s initial goal of making the Internet a safer place.
Across all industries that you work with, what types of threats are the most common nowadays?
DNS abuse instances are among the top threats we see when monitoring domain and DNS activity. These threats include phishing, malware attacks, spamming, and botnet attacks.
A contributing factor is the growing number of domains across different TLDs. As they increase, the potential for DNS abuse also grows. In March 2022 alone, ICANN classified more than 609,000 domains across 360 TLDs as security threats.
With a satellite view of domain and DNS activity, we continue to encounter thousands of typosquatting domains or domains that impersonate legitimate brands. Some domain groups impersonate car manufacturers, airline companies, luxury brands, NFT platforms, CEOs, and many others.
Several of these typosquatting domains are often already flagged as malicious, which means they have already been abused to display phishing or spam content, for example. Others may have been used to distribute malware or as C&C server URLs.
DNS abuse is further amplified by its time-sensitive nature. Attackers work round-the-clock. If a company’s defenses go down for even a minute, that could be enough time for the threat actors to infiltrate corporate networks. One undetected phishing domain that manages to go through security filters may be enough to launch a ransomware attack.
How do you think the current global events are going to affect the threat landscape?
We have certainly seen threat actors build their campaigns around global events. They tend to take advantage of people’s interest in seasonal and political affairs, scandals, or global events. As long as it makes the news, any event is fair game.
Let me give you some examples. When COVID-19 was declared a pandemic, we saw a spike in coronavirus-themed domain registrations. From only a little over a dozen in December 2019, it went up to more than 50,000 by March 2020.
Many of those properties could be tied to coronavirus-themed phishing, misinformation campaigns about vaccines, and even activities targeting individuals hoping to get financial assistance from the government. Seasonal events like Valentine’s Day, Black Friday, and the tax season also drive multiple domain registrations hinting at DNS abuse. These malicious domains often lead to crimes, such as fraud and credential theft.
So, to answer the question, the threat landscape has and will continue to significantly mirror current events.
In your opinion, should small businesses and large companies approach cybersecurity differently?
Threat actors go after everyone, no matter how big or small your company is.
Large enterprises are targeted because they’re very lucrative victims. When it comes to ransomware, the average demand last year reached around US$2.2 million. The actual payments were estimated at around 42.5% of that amount.
On the other hand, smaller companies are targeted simply because, with fewer resources, they are more vulnerable.
At present, small businesses and large enterprises tend to approach cybersecurity differently, often because they don’t have equal resources. Small businesses, for instance, are likely to outsource cybersecurity to specialists and MSPs.
Meanwhile, large enterprises have more resources and can afford their own SOCs. They also use some of the latest security technologies, such as SIEM, SOAR, XDR, and other platforms.
However, data is crucial to both approaches. Regardless of size, businesses need to gather contextual information in the form of domain, subdomain, DNS, and IP intelligence. For this reason, WhoisXML API provides its repositories to MSPs, security platform solutions used by large enterprises, and big companies with in-house SOCs.
What enterprise security details are often overlooked but could pose a significant threat to one’s company?
Our data helps businesses enable round-the-clock security operations, intensify digital risk protection, obtain continuous attack surface visibility, and deepen identity verification, among other processes.
With this vantage point, we see firsthand how companies need to pay extra attention to their attack surfaces and Internet brand postures as well as broaden their visibility.
Take typosquatting domains, for instance. These can influence a company’s Internet reputation, especially when threat actors use them to target the impersonated brand’s employees, users, clients, partners, and third-party suppliers. We’ve seen quite a few large corporations that have gone to great lengths to take down or control such domains. While this isn’t the most feasible or practical tactic, their action tells us that part of brand protection is ensuring that one’s brand name isn’t misused in domain names.
We have also noticed thousands, if not millions, of dangling DNS records, such as those pointing to subdomains. These aren’t ideal for security. Companies need to pay close attention to subdomains and dangling DNS records since threat actors can easily exploit these vulnerabilities.
In addition, we’ve seen a lot of overly descriptive subdomains and DNS records that could make it easier for attackers to launch targeted attacks. Through diverse scans, the bad guys can learn what systems an organization uses if they are displayed in subdomain names and DNS records.
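A defender-side audit for the two issues raised in the answer above, added here as an illustration and not code from WhoisXML API or the interviewee: it walks a constructed set of DNS records for a hypothetical example.com zone, flags CNAMEs whose targets no longer resolve (dangling records), and flags subdomain labels that advertise the system behind them. Name resolution is stubbed with a constructed set of live hostnames so the script runs offline; in practice the stub would be replaced by a real lookup (for example dnspython's dns.resolver).

```python
import re
from typing import Callable, List, Tuple

Record = Tuple[str, str, str]  # (owner name, record type, rdata)

# Constructed sample zone for a hypothetical example.com; not real data.
SAMPLE_RECORDS: List[Record] = [
    ("www.example.com.",         "A",     "203.0.113.10"),
    ("shop.example.com.",        "CNAME", "shop-prod.cdn-vendor.example.net."),
    ("old-blog.example.com.",    "CNAME", "retired-tenant.hosting-vendor.example.net."),
    ("jenkins-ci.example.com.",  "A",     "203.0.113.22"),
    ("staging-vpn.example.com.", "A",     "203.0.113.23"),
    ("mail.example.com.",        "MX",    "10 mx1.example.com."),
]

# Constructed stand-in for a resolver: the only target names that still exist.
LIVE_HOSTS = {"shop-prod.cdn-vendor.example.net.", "mx1.example.com."}

def stub_resolves(name: str) -> bool:
    """Offline replacement for a DNS lookup; swap in a real resolver in production."""
    return name in LIVE_HOSTS

# Assumed list of labels that reveal a host's role; extend it for your own estate.
DESCRIPTIVE_LABELS = re.compile(r"\b(jenkins|staging|vpn|dev|test|backup|admin)\b", re.I)

def find_dangling(records: List[Record], resolves: Callable[[str], bool]) -> List[Tuple[str, str]]:
    """Return (owner, target) pairs whose CNAME target no longer resolves.

    A dangling CNAME is the classic subdomain-takeover condition: whoever can
    claim the abandoned target name serves content under the owner's hostname.
    """
    return [(owner, rdata) for owner, rtype, rdata in records
            if rtype == "CNAME" and not resolves(rdata)]

def find_descriptive(records: List[Record]) -> List[str]:
    """Return owner names whose subdomain labels describe the system behind them."""
    hits = []
    for owner, _rtype, _rdata in records:
        labels = owner.rstrip(".").split(".")
        # Inspect only the subdomain labels, not the registrable domain itself.
        if any(DESCRIPTIVE_LABELS.search(label.replace("-", " ")) for label in labels[:-2]):
            hits.append(owner)
    return hits

if __name__ == "__main__":
    for owner, target in find_dangling(SAMPLE_RECORDS, stub_resolves):
        print(f"DANGLING  {owner} -> {target}")
    for owner in find_descriptive(SAMPLE_RECORDS):
        print(f"DESCRIPTIVE  {owner}")
```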
And finally, what does the future hold for WhoisXML API?
Our mission is set to remain the same—to help create a more secure and transparent Internet for all businesses. We aim to enable that by continuously delivering the most comprehensive domain, IP, DNS, and cyber threat intelligence.
We will continue to broaden our data coverage and improve our scope through more partnerships and collaborations as part of this endeavor. Aside from offering more data, we will also do so when companies need it the most—in real time.
Time is a critical element. Many things can happen in 24 hours—thousands of domains get registered and immediately weaponized, all forms of DNS abuse can occur, and threat actors can infiltrate networks.
We aim to reduce the window between domain registration and abuse so companies can obtain as much domain and IP intelligence as fast as possible. At present, we can automatically push domain registration and SSL certificate chain data to clients within an hour or less.