Whois API Blog (http://www.zisu42.net/blog)

How to Contact the Owner of a Domain with WHOIS and Website Contacts Products
http://www.zisu42.net/blog/how-to-contact-the-owner-of-a-domain-with-whois-and-website-contacts-products/
Published: Wed, 29 Jul 2020 09:29:58 +0000

The Internet is one giant marketplace. If you are looking for a software-as-a-service (SaaS) option that you can use for your department, a simple Google search will give you dozens of them. Meanwhile, if you need someone to promote your business, the Internet can suggest several influencers depending on your niche. Once you find a company or person that matches your requirements, all you have to do next is contact the domain owner or website representative(s).

Contacting them may be easy since chatbots or contact forms are always available. But how can you connect with the owners of hundreds or thousands of domains without going through a chatbot or waiting for someone to answer the customer service line in each and every case? To help you, we explored four different ways to contact the owner of a domain.

4 Ways to Contact a Domain Owner

Let’s say that an established software company developed a new hotel management system. Aside from partnering with software review sites in the sector, it also wants to tap travel bloggers to subtly market the app since it knows that hotels also look at travel blogs. How can the new company contact the owners of travel websites?

The first thing the business needs is to create a list of travel blogs or websites. Once it has the domain names, it can use any of these four ways to retrieve the contact details of a domain owner.

Option #1: Find Domain Owners’ Contact Information via ICANN Lookup

A reliable source of a domain owner’s contact information is the Internet Corporation for Assigned Names and Numbers (ICANN). It is the organization that supervises the assignment of domain names and IP addresses on the Internet. Domain registrars such as GoDaddy, BlueHost, and NameCheap need ICANN accreditation before operating. These registrars are also required to collect the contact details of all registrants, which get stored in WHOIS databases.

To retrieve the contact points of a domain owner via ICANN, you can use ICANN Lookup. However, as you will see, it has become hard to get personal details that way, notably due to the use of domain privacy services and the implementation of the General Data Protection Regulation (GDPR) restricting the disclosure of personal information. Nonetheless, a few options are available to get in contact with the domain owner. Let us illustrate that.

[Screenshot: Find Domain Owners' Contact Information via ICANN Lookup]

In the search box, type the domain name and click on the Lookup button. For illustration purposes, we used a random travel website, theplanetd[.]com, and ran the domain on ICANN Lookup.

As shown in the screenshot below, the registrant details are redacted for privacy, as expected. But if you scroll further down, you will also see the registrar’s contact details, which can be useful.

[Screenshot: Find Domain Owners' Contact Information via ICANN Lookup]

Even though the registrar’s contact details are meant for reporting abuse, you may try to ask the registrar how to contact the owner of a domain. You can explain why you need to get in touch with the registrant so the registrar can either forward your email to the registrant or give you the domain owner’s contact details.

Most privacy regulations, such as GDPR, allow contact information sharing as long as the owner gives his or her consent. Thus, the registrar can give you the contact details of a domain owner as long as they are allowed to do so. But there is no guarantee that the registrar would do this, and all you can do is give it a try. 

There are also instances when ICANN Lookup would return the privacy-protected registrant details, as in the case of amateurtraveler[.]com.

[Screenshot: Find Domain Owners' Contact Information via ICANN Lookup]

While this contact information belongs to the privacy protection service provider, you are closer to learning how to contact a domain owner. For domains protected by Contact Privacy Inc., such as amateurtraveler[.]com, you can use their online portal to contact the owner of the domain.

Otherwise, you can use the other options to learn how to contact a domain owner. 

Option #2: Third-Party WHOIS Database Lookup and WHOIS History 

A third-party WHOIS lookup solution retrieves domain information from a data provider’s WHOIS database, like ours, to tell you how to contact a domain owner. Our products come in the form of a web-based tool or an integrable API.

Either way, a WHOIS database lookup returns the domain name’s registrar, registrant, administrative, billing, and technical contact details—or their redacted equivalents. Depending on the data provided by the domain owner, you could retrieve his or her postal address, email address, and telephone number.

For the sample domain name theplanetd[.]com, WHOIS Lookup returned more or less the same web contact information as shown earlier. Although WHOISGuard protected the WHOIS registrant details, the result still shows telephone numbers and an email address that you can contact.

[Screenshot: WHOIS Lookup]

At this point, you have two options—contact the owner of the domain through the privacy protection service or dig into the domain’s WHOIS history to see the registration details before redaction.

For the domain amateurtraveler[.]com, for example, WHOIS History Search reveals the owner’s contact details (which we kept hidden except for the first letter of each field) before he employed the services of Contact Privacy Inc.

[Screenshot: WHOIS History Search]

Option #3: Bulk WHOIS Lookup and API

If you need the web contacts of several domain names, a bulk WHOIS database lookup can come in handy. Our bulk WHOIS database lookup solutions also come in two consumption models―a web-based service and an API.

When the records are not redacted, you can retrieve the contact details of thousands of domain names at a time, which helps build your marketing contact list, especially when you already have target websites in mind. Aside from the registrar and registrant contact information, you would also see other relevant WHOIS record details such as domain age, expiration date, WHOIS server, and nameservers.

In our hypothetical scenario, the hotel management software company could create a list of travel blogs and websites that it wants to collaborate with. It can then upload the file in CSV format on Bulk WHOIS Lookup.

The screenshot below was taken from the Bulk WHOIS Lookup sample we ran, and it shows the column labeled “Registrant Email.”

[Screenshot: Bulk WHOIS Lookup]

As you can see, some registrants can be immediately contacted as their email addresses are not privacy-protected. For those registrants with redacted information, it is still possible to get in contact with the domain owners via the privacy service’s online portal (as in the case of ContactPrivacy) or by sending a message to an alternative email address, which will then be forwarded to the actual email address provided at the time of domain registration. The best way to get in touch with domain owners who kept their info private varies according to the policies of each domain privacy service provider.

Alternatively, you may also combine your bulk WHOIS queries with a WHOIS history search to retrieve the domain owner’s contact details before it was redacted, as illustrated in the previous section.

Option #4: Rely on Website Contacts Products for Domain Owners’ Contact Details and More

ICANN Lookup, WHOIS Lookup and API, and Bulk WHOIS Lookup and API rely on the contact information that registrants provided when they registered their domains.

Another method for obtaining web contacts relies on machine learning (ML) to gather the contact details of a domain owner. Unlike the first three approaches that retrieve data from WHOIS databases, our website contacts products obtain contact information from the websites’ contents too. They come in two different consumption models—a database and an API.

Regardless of which consumption model you use, a website contacts product can help you build a marketing contact list. It has already categorized millions of sites based on their content and meta tags.

In our scenario, the software company can then use the database or API to retrieve the domain owners’ contact information. The products return the following details when available:

  • Company name
  • Meta description
  • Email address
  • Phone number
  • Facebook account link
  • Instagram account link
  • LinkedIn account link
  • Twitter account link

To illustrate, we used Website Contacts API to retrieve the contact details of the travel website blancotravels[.]com:

  • Email address: info@blancotravels[.]com
  • Phone number: 317-399-4020
  • Facebook: http[:]//www[.]facebook[.]com/blancotravels
  • Instagram: https[:]//instagram[.]com/blancotravelsllc
[Screenshot: Website Contacts API]

We also retrieved the contact details of theplanetd[.]com, the travel blog that we ran earlier on ICANN Lookup and our WHOIS database lookup tool:

  • Facebook: https[:]//www[.]facebook[.]com/ThePlanetD
  • Instagram: https[:]//instagram[.]com/theplanetd/
  • Twitter: https[:]//twitter[.]com/theplanetd
[Screenshot: Website Contacts API]

Website Contacts API culls information from the Website Contacts & Categorization Database. You also have the option to download the database and customize it according to your needs. The database is useful if you want to expand your list of target websites, as it has already classified domains into different categories. Currently, the groups available are:

  • Arts and Entertainment
  • Autos and Vehicles
  • Beauty and Fitness
  • Books and Literature
  • Business and Industry
  • Career and Education
  • Computer and Electronics
  • Finance
  • Food and Drink
  • Gambling
  • Games
  • Health
  • Home and Garden
  • Internet and Telecom
  • Law and Government
  • News and Media
  • People and Society
  • Pets and Animals
  • Recreation and Hobbies
  • Reference
  • Science
  • Shopping
  • Sports
  • Travel
  • Adult

The hotel management system provider looking to collaborate with travel websites, for instance, can filter the database to show only the domain names under the Travel category. It can then obtain the contact details of the domain owners from the other columns on the database.

[Screenshot: Website Contacts & Categorization Database]

Note that a domain may have up to three categories, so users can also filter the other columns for the remaining categories.

Website contacts products can help individuals and companies alike contact the owners of domains for whatever purpose. They may want to tap the owner to participate in a marketing campaign, negotiate the sale of the domain, or avail of the vendor’s products or services.

Other Use Cases for Website Contacts Products

Aside from telling users how to contact the owner of a domain, Website Contacts API and its database counterpart can also support other vital business processes. They can help generate leads, allow researchers to find out more about a market, enable marketers to learn about their competitors, and aid organizations in assessing third-party risks.

Use Case #1: Generate Leads

Web contacts products can help our hypothetical hotel management system provider create a stronger marketing strategy. The company can use the tool to get the contact information of hotels, effectively enabling its marketing and sales teams to jumpstart lead generation.

For instance, users can immediately obtain the contact details of Grand Solmar Resorts with one API call. They can add the hotel’s phone number and social media account details to their list of prospects.

[Screenshot: Generate Leads]

The company can also obtain a list of hotels owned by another organization with the help of Website Contacts API. When you look up dorsetsquarehotel[.]co[.]uk, for instance, you would get a list of the hotels it owns.

  • The Whitby Hotel
  • The Soho Hotel
  • Haymarket Hotel
  • Ham Yard Hotel
  • Firmdale Hotels
  • Fanny Royol
  • Crosby Street Hotel
  • Charlotte Street Hotel
[Screenshot: Website Contacts API]

Aside from this, you can also get a list of email addresses and phone numbers with Website Contacts & Categorization Database. The screenshot below shows some of Dorset Square Hotel’s email addresses and phone numbers from the database. A Website Contacts API call can also give all these details.

[Screenshot: Website Contacts & Categorization Database]

Use Case #2: Third-Party Risk Assessment

Website contacts products can also help with background checks on potential vendors, suppliers, partners, and even clients. Third-party risk assessment is a critical business process as most companies reportedly suffered a data breach because of a stakeholder compromise.

Aside from relying on domain intelligence, checking for third-party risks and avoiding fraud is also possible by confirming the company’s contact information.

When you are on the lookout for professional photographers for your advertising and marketing portfolio, you want to make sure that the person or agency is trustworthy.

Take, for example, a photographer who said she is Esther from estherphotography[.]com. She gives you the phone number 311-520-2263 and email address estherphotography@gmail[.]com. You check the website and the artist’s portfolio, and you’re impressed. But before sealing the deal, you decide to use Website Contacts API to do a background check and find that the domain estherphotography[.]com has the following contact details:

  • Phone number: 310-384-6372
  • Email address: esther@estherphotography[.]com
  • Facebook: https[:]//www[.]facebook[.]com/esthercastingandphotography
  • Instagram: http[:]//instagram[.]com/esthercasting
  • Twitter: http[:]//twitter[.]com/esthercasting
[Screenshot: Website Contacts API used for a background check]

With the help of Website Contacts API, you found a different email address than the one you have been interacting with. While it might still be that Esther is the person behind both addresses, you might want to double-check to avoid dealing with an impostor.

Aside from the risk of dealing with an impostor, there are also other third-party risks. Note that third-party vulnerabilities increased by 80.6% in 2019. So, regardless of the type of third party you’re dealing with, it’s best to investigate before finalizing any contracts or purchases.

Several options are available if you want to know how to contact the owner of a domain. We listed four of them in this post and provided illustrative examples. To recap, you can use any of these tools to obtain the contact details of a domain owner albeit with limitations in certain cases:

  • ICANN Lookup
  • WHOIS & WHOIS History Lookup and API
  • Bulk WHOIS Lookup and API
  • Website Contacts API or Website Contacts & Categorization Database

For more information on our WHOIS and Website Contacts products, don’t hesitate to contact us.

Strengthening Email Security Solutions & Validation Programs with a Disposable Emails Database
http://www.zisu42.net/blog/strengthening-email-security-solutions-validation-programs-with-a-disposable-emails-database/
Published: Tue, 28 Jul 2020 08:22:55 +0000

Email validation has become a necessity for organizations that aim to protect themselves against cybersecurity threats. The process becomes all the more relevant as 65% of attackers use phishing as a primary infection vector. That’s not a surprise, since attackers have long been weaponizing emails to serve as entry points for cyberattacks.

The ease with which threat actors can create disposable email addresses also contributes to the threat. In less than a minute, they can create a temporary email address with tons of providers, which they then use to send malware-laden and phishing messages to target victims. For this reason, a disposable email domain database can make email security vendors and email validation programs in general more robust and comprehensive. Let us elaborate on that.

2 Ways Email Solutions and Email Validation Programs Can Benefit from the Integration of a Disposable Email Database

In a sense, temporary or disposable email services may serve as “privacy tools.” By using these services, people can avoid receiving spam emails on their real addresses. But fraudsters and other cybercriminals have also begun using temporary email addresses to execute attacks while keeping their identity hidden. Disposable email addresses have thus become akin to virtual private networks (VPNs) and proxy servers, which initially served a good cause. 

Since threat actors have found a way to weaponize them, it’s usually best to filter disposable email addresses just as organizations block proxy users. By doing so, you weed out users who may have ill intentions or may not be interested in receiving follow-up brand communications. Sure, you may also sift out legitimate people who use disposable email addresses, but the danger of innocent employees falling for phishing emails far outweighs this.

1. Avoid Phishing by Blocking Disposable Email Addresses

In recent years, cybersecurity experts have seen a spike in attacks that use shared file services such as Office 365, OneDrive, and SharePoint. Employees would receive an email notification about their OneDrive account, for instance. Such emails could range from password expiry warnings to shared file notifications or voicemail alerts. Once the user clicks on the link embedded in the email, the attackers can get hold of his/her login credentials. In some instances, users may download malware in the guise of an innocent-looking file, thereby infecting their network.

Threat actors typically use an email domain that closely resembles that of the shared files service provider. And this is consistent with what we found in our disposable email domain database. For instance, when we searched for the word “drive” (as in OneDrive) on the database, which contained more than 25,000 disposable email domains, we found 52 matching records.

[Screenshot: Avoid Phishing by Blocking Disposable Email Addresses]

Of the 52 domains, nine could be masquerading as a shared files service domain:

  • 0nedrive[.]cf
  • 0nedrive[.]ga
  • 0nedrive[.]gq
  • 0nedrive[.]ml
  • 0nedrive[.]tk
  • 1drive[.]cf
  • 1drive[.]ga
  • 1drive[.]gq
  • onedrive[.]web[.]id
  • g00gledrive[.]ga
  • skydrive[.]tk
  • xyz-drive[.]info

An email validation program that doesn’t filter disposable email addresses may let all emails from these domains reach their intended recipients. As a result, clients may end up receiving emails from 1drive[.]ga, a malicious domain according to VirusTotal.

Of course, not all disposable email domains necessarily belong to bad actors, but not filtering them would also compromise clients and increase phishing risks.
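The filtering described in this section, as an added example that is not WhoisXML API's own code: sender addresses are checked against a disposable domain list, and listed domains whose names imitate a file-sharing brand (as the "drive" hits above do) are called out. The domain list is a small constructed sample standing in for the downloadable database, written with real dots so the code runs; the brand keywords and homoglyph table are assumptions.

```python
"""Filter sender addresses against a disposable email domain list.

Added example, not WhoisXML API code. DISPOSABLE_DOMAINS is a constructed
sample; PROTECTED_KEYWORDS and _HOMOGLYPHS are assumed, not vendor data.
"""
import re
from typing import Optional

# Constructed sample of disposable email domains (the post's "drive" hits plus one filler).
DISPOSABLE_DOMAINS = {
    "0nedrive.cf", "0nedrive.ga", "0nedrive.gq", "0nedrive.ml", "0nedrive.tk",
    "1drive.cf", "1drive.ga", "1drive.gq", "onedrive.web.id",
    "g00gledrive.ga", "skydrive.tk", "xyz-drive.info", "tempmail.example",
}

# File-sharing brands the post says these domains imitate (assumed keyword list).
PROTECTED_KEYWORDS = ("onedrive", "1drive", "googledrive", "skydrive")

# Digits commonly swapped for letters in lookalike names: 0nedrive -> onedrive.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
_LOCAL_RE = re.compile(r"^[A-Za-z0-9._%+-]+$")


def sender_domain(address: str) -> Optional[str]:
    """Return the lowercase domain of a From address ("Name <user@host>" or
    bare user@host), or None when the address is malformed."""
    m = re.search(r"<([^<>]+)>", address)
    address = (m.group(1) if m else address).strip()
    if address.count("@") != 1:
        return None
    local, domain = address.split("@")
    if not _LOCAL_RE.match(local) or "." not in domain:
        return None
    return domain.lower().rstrip(".")


def is_disposable(domain: str, disposable=DISPOSABLE_DOMAINS) -> bool:
    """True if the domain or any parent domain is listed, so that a sender at
    sub.1drive.ga is still treated as a 1drive.ga sender."""
    labels = domain.split(".")
    return any(".".join(labels[i:]) in disposable for i in range(len(labels) - 1))


def lookalike_brand(domain: str, keywords=PROTECTED_KEYWORDS) -> Optional[str]:
    """Return the brand keyword one of the domain's labels resembles, comparing
    both the raw label and its homoglyph-folded form, hyphens removed."""
    for label in domain.split("."):
        raw = label.replace("-", "")
        folded = raw.translate(_HOMOGLYPHS)
        for kw in keywords:
            if kw in raw or kw in folded:
                return kw
    return None


def classify_sender(address: str) -> dict:
    """Decision for one sender: block listed disposable domains outright and
    flag a brand lookalike for review (a real brand domain would be allowlisted
    before this check; no allowlist is included here)."""
    domain = sender_domain(address)
    if domain is None:
        return {"address": address, "action": "reject", "reason": "malformed address"}
    brand = lookalike_brand(domain)
    if is_disposable(domain):
        reason = "disposable domain" + (f", imitates {brand}" if brand else "")
        return {"address": address, "action": "block", "reason": reason}
    if brand:
        return {"address": address, "action": "review", "reason": f"imitates {brand}"}
    return {"address": address, "action": "allow", "reason": "not listed"}
```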

2. Avoid Spam Emails

Google revealed that it now blocks 100 million spam emails daily on Gmail by using artificial intelligence. Put into perspective, however, this may not be much considering that 107 billion spam emails get sent every day.

A disposable email domain database can make email spam filters a lot more effective, as it immediately weeds out temporary email addresses mostly used by spammers.

Consider these spam messages with the subject line “Apple ID Locked.” The email domains used are lslp6dpp-08448929[.]id and vqeadkdp-56899194[.]jp, which are already suspicious on their own.

[Screenshots: two spam messages with the subject line “Apple ID Locked”]

Both email domains are a combination of randomly generated alphanumeric characters, possibly generated by a disposable email service. Our disposable email domain database available for download contains hundreds of similar email domains. Below are some examples of them:

[Screenshot: sample disposable email domains from the database]

Integrating a disposable email domain database into an email validation tool would, therefore, help weed out similar spam emails.

How to Access the Disposable Email Domain Database

You can request access to the disposable email domain database here. If you don’t have an account yet, don’t hesitate to contact us. Once logged in, you will see a complete list of databases, arranged by date.

[Screenshot: How to Access the Disposable Email Domain Database]

You can find the most recent database that contains all disposable email domains at the bottom of the index.

Disposable email addresses may have some legitimate uses, but since they can be used as attack vectors, security protocols usually ensure that they are blocked outright or are at least investigated before being granted access to an organization’s network. Therefore, an email validation application or program that aims to protect users from phishing and spam should also integrate a disposable email domain database.

Would you like to learn more about using a disposable email database and our other email validation products? Contact us for more information.

WHOIS Lookups & Enterprise Cybersecurity Policies: A Secure Way to Search for Domain Names
http://www.zisu42.net/blog/whois-lookups-enterprise-cybersecurity-policies-a-secure-way-to-search-for-domain-names/
Published: Mon, 27 Jul 2020 08:05:33 +0000

These days, it’s unwise to assume that all websites are safe to access. For this reason, security teams typically advise employees against clicking on any links embedded in an email, especially from an unknown sender. This recommendation may even extend to suspicious search results that appear in search engines.

What’s more, for most companies, visiting websites that are not related to an employee’s work is a violation of established cybersecurity policies and procedures. Most cybersecurity policies include:

  • Standard steps for accessing work data and applications remotely
  • Rules for encrypting emails
  • Instructions on creating and managing passwords
  • Rules on using social media
  • Guidelines for accessing nonwork-related websites

While this last policy may sound extreme to some, it has become common practice, especially among companies that want to beef up their cybersecurity posture. Their stance is ‘Prevention is better than cure’. And keeping employees from visiting potentially dangerous websites is always safer and more cost-effective than dealing with a ransomware attack or data breach.

Given this policy, though, how can one search for domain names that might help the business gain more customers? In parallel, how can security operation centers (SOCs) investigate suspicious online activities with domain names possibly involved in an attempt or attack? Thankfully, tools such as WHOIS Lookup enable SOCs and businesses in general to do extensive research without violating the cybersecurity policies mentioned above.

Digging Deeper into Incidents Using WHOIS Lookups 

In the Eyes of Cybersecurity Experts

When a suspicious email or item in a network log turns up, the first course of action for SOCs is to find out more about the email sender or the domain. Let’s take as an example the email address support@covid-19responsefund[.]org, which attackers have been using to ask recipients for donations on behalf of the World Health Organization (WHO).

The sample email below asks explicitly for donations in the form of digital currencies. It also supposedly comes from the Director-General of WHO. 

[Screenshot: the sample donation email]

While the world deals with the difficulties brought about by these unprecedented times, threat actors are taking advantage of the ensuing pandemic. Employees with good intentions may want to donate to such a good cause, so SOCs need to step in. Thus, let’s dig deeper into the domain name used in the email address cited above.

A quick run on WHOIS Lookup reveals the following details:

  • The domain name was only registered on March 13, 2020.
  • The domain registrant is a certain Wang Ping from Guang Dong in China.
  • The registrar is Alibaba Cloud Computing Co.
[Screenshot: WHOIS Lookup result for covid-19responsefund[.]org]

In contrast, the official domain name of WHO, that is, who[.]int, has entirely different details on its WHOIS record.

  • The domain name was registered on June 5, 1998.
  • The domain registrant reflects the address of the WHO headquarters in Geneva, Switzerland.
  • The technical and administrative contact name is WHO-IMT-ESS, the IT department of the organization.
[Screenshot: WHOIS Lookup result for who[.]int]

One could argue that covid-19responsefund[.]org is new because it was specifically created by WHO in light of the pandemic. But the registrant details don’t match, and that’s quite suspicious. If WHO indeed created the domain, why use a different name and address?

In line with cybersecurity policies, SOCs should block the domain name and the email address to prevent employees from falling victim to this heartless scam. Also, they would do well to educate staff about possible scams and cyberattacks that take advantage of COVID-19 in general. 
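The two checks the post makes by hand (how recently the sender's domain was registered, and whether the registrant matches the organisation the email claims to be from) can be turned into a triage step. This is an added example, not WhoisXML API code; the WHOIS records are constructed from the details quoted above, and the date the email was seen and the 90-day threshold are assumptions.

```python
"""Triage a sender's domain from its WHOIS record.

Added example, not WhoisXML API code. WHOIS_RECORDS carries only the fields
the post quotes; NEW_DOMAIN_DAYS is an assumed threshold.
"""
from datetime import date

# Constructed WHOIS records with the fields quoted in the post (not live data).
WHOIS_RECORDS = {
    "covid-19responsefund.org": {
        "created": "2020-03-13",
        "registrant_name": "Wang Ping",
        "registrant_region": "Guang Dong, CN",
        "registrar": "Alibaba Cloud Computing Co.",
    },
    "who.int": {
        "created": "1998-06-05",
        "registrant_name": "World Health Organization",
        "registrant_region": "Geneva, CH",
        "admin_contact": "WHO-IMT-ESS",
    },
}

NEW_DOMAIN_DAYS = 90  # assumed: anything younger than this counts as newly registered


def _tokens(text):
    """Significant lowercase words of a string (drops commas and short words)."""
    return {w for w in text.lower().replace(",", " ").split() if len(w) > 2}


def registrant_matches(claimed_org, record):
    """True if every significant word of the claimed organisation appears in
    the registrant or admin-contact fields of the WHOIS record."""
    fields = " ".join(
        str(record.get(k, "")) for k in ("registrant_name", "registrant_org", "admin_contact")
    )
    return _tokens(claimed_org) <= _tokens(fields)


def triage(domain, claimed_org, seen_on, records=WHOIS_RECORDS, new_days=NEW_DOMAIN_DAYS):
    """Verdict for a domain seen in an email on seen_on (ISO date string).
    block: newly registered AND registrant mismatch; review: one of the two;
    allow: neither; unknown: no WHOIS record available."""
    record = records.get(domain.lower())
    if record is None:
        return {"domain": domain, "verdict": "unknown", "age_days": None,
                "indicators": ["no WHOIS record available"]}
    age_days = (date.fromisoformat(seen_on) - date.fromisoformat(record["created"])).days
    indicators = []
    if age_days < new_days:
        indicators.append(f"registered only {age_days} days before the email")
    if not registrant_matches(claimed_org, record):
        indicators.append(
            f"registrant '{record.get('registrant_name')}' does not match '{claimed_org}'"
        )
    verdict = {0: "allow", 1: "review"}.get(len(indicators), "block")
    return {"domain": domain, "verdict": verdict, "age_days": age_days,
            "indicators": indicators}
```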

In fact, the above domain is not the only one of its kind. A quick look at the Typosquatting Data Feed’s file on the day when covid-19responsefund[.]org appeared in the DNS reveals the following list of resembling domain names:

  • covid19responsefund[.]nu
  • covid19responsefund[.]mobi
  • covid19responsefunds[.]com
  • covid19responsefund[.]com
  • covid-19responsefund[.]com
  • covid19responsefunds[.]org
  • covid19responsefund[.]top
  • covid19responsefund[.]xyz
  • covid-19responsefund[.]org
  • covid19responsefund[.]biz
  • covid19responsefund[.]se
  • covid19responsefund[.]info

Before Going into Business Ventures

Cybersecurity policies and procedures should not exempt C-suites. Studies show that 34% of executives and business owners have succumbed to phishing emails. IT staff members follow at 25%. Everyone needs to follow the rules.

If executives and employees are interested in a business venture but can’t seem to establish the legitimacy of a potential partner or even suspect phishing activities, they may not want to visit the site immediately. Instead, they can use WHOIS Lookup. If they need more information after learning the domain registrant’s details, they can use Screenshot API to preview what the website looks like. Good design and coherent text could help in dispelling doubts.

Executives and employees can also coordinate with SOCs to ascertain the security of a website they wish to access. They could ask for assistance in running the domain name through the company’s threat intelligence platform and other security systems.

WHOIS Lookup provides a way for SOCs and employees to search for domain names without violating cybersecurity policies. After all, these policies and procedures are in place to protect the company and everyone in it. Exempting a few people could lead to disaster, especially since threat actors are adept at weaponizing domain names.

No one, not even cybersecurity experts, would know for sure if a domain name is a malware host without using the right domain intelligence. As such, it’s always better to err on the side of caution and run domain names you’re interested in through WHOIS Lookup as a first step.

IP2Location vs. MaxMind vs. WhoisXML API vs. IPify: 4 Best IP Geolocation Services Compared
http://www.zisu42.net/blog/best-ip-geolocation-ip2location-maxmind-whoisxmlapi/
Published: Tue, 21 Jul 2020 10:02:16 +0000

IP geolocation is an important source of intelligence with benefits in cybersecurity and marketing. Its use cases include cybercrime prevention, fraud detection, website traffic generation, and many others. Thus, it isn’t surprising to find out that a web search for the keyword “ip geolocation” would return millions of results, many of which include the service pages of some of the best IP geolocation / IP-to-location providers.

Yet with many options available, how would you know which one to choose? We did a comprehensive review of four IP geolocation vendors to answer this question.

What Is IP Geolocation / IP 2 Location?

IP geolocation, also known as IP 2 location or IP to location, is the process of mapping a geographic location to a given IP address. It is essentially what an IP geolocation solution or service does. Using an IP address as a query string, users can get its owner’s geographic location from the country down to the postal code level.


Some of the Best IP Geolocation Providers Compared

Vendor #1: WhoisXML API

WhoisXML API has been in business for more than a decade now. Its IP geolocation database contains information on over 27 million total unique ranges and more than 9.5 million IP netblocks, giving it a 99.5% coverage of all IP addresses in use. It also harnesses the power of the passive Domain Name System (DNS) to provide clients with connections from IP addresses to domain names over time.

Vendor #2: MaxMind

MaxMind has been in existence for more than 18 years now. Over 5,000 companies use its IP geolocation products to locate Internet visitors and show them relevant content and ads, perform analytics, enforce digital rights, and efficiently route Internet traffic. Its IP geolocation database includes localized names for select locations in English, Simplified Chinese, German, Spanish, French, Japanese, Brazilian Portuguese, and Russian.

Vendor #3: IP2Location

IP2Location is also 18 years old. It has more than 32 datasets that users can choose from and supports over 20 programming languages. Its IP geolocation database contains more than 4 billion IPv4 addresses and over 340 undecillion IPv6 addresses. To date, IP2Location has helped users make more than a billion API calls.

Vendor #4: IPify

IPify has been serving clients since 2014. The provider claims that its database also covers 99.5% of all IP addresses in use, with clients using its products for a variety of business purposes that include content personalization, digital marketing, access blocking, protection against cyber fraud, and security policy reinforcement.

5 Criteria to Find the Best IP Geolocation Service

Breadth, depth, variety of consumption models and adjacent sources of intelligence, pricing, and support and reputation are all important criteria to compare IP geolocation service providers.

1. Breadth: Number of Unique IP Addresses

Details on the breadth of IP geolocation providers’ database offerings are shown below.

  • WhoisXML API: Close to 3.7 billion IPv4 addresses and undecillions of IPv6 addresses.
  • MaxMind: The provider claims to cover 99.99% of IP addresses in use.
  • IP2Location: Claiming to cover around 4.3 billion IPv4 addresses and undecillions of IPv6 addresses.
  • IPify: The provider states that its database includes 99.5% of all IP addresses in use.

2. Depth: IP Geolocation Data Points

The number of geo data points covered varies per vendor.

  • WhoisXML API: A total of 14 data points, namely:
      • Country
      • Region
      • City
      • Latitude and longitude coordinates
      • Postal code
      • Time zone
      • GeoNames ID
      • Connected domains (for shared IP addresses)
      • Internet service provider (ISP)
      • Connection type
      • Autonomous System (AS) number
      • Organization name
      • AS route
      • ISP domain
      • Usage type
  • MaxMind: A total of up to 25 data points (depending on data sets). These include nine of WhoisXML API’s data points listed above (country, city, latitude and longitude coordinates, postal code, time zone, ISP, AS number, organization name, and ISP domain) and the following:
      • Anonymizer type
      • Static IP score
      • User count
      • User type
      • Confidence factors
      • Average income (U.S. only)
      • Population density (U.S. only)
      • Subdivisions
      • Metro code (U.S. only)
      • Accuracy radius (in km)
      • Continent
      • European Union (EU) country
      • Registered country
      • EU registered country
      • Localized names
      • Network
  • IP2Location: A total of up to 24 data points (depending on data sets). These include 14 of WhoisXML API’s data points (i.e., country, region, city, latitude and longitude coordinates, postal code, time zone, GeoNames ID, ISP, connection type, AS number, organization name, AS route, ISP domain, and usage type) and the following:
      • Country code
      • International direct dialing (IDD) code
      • Area code
      • Weather station code
      • Weather station name
      • Mobile country code (MCC)
      • Mobile network code (MNC)
      • Mobile brand
      • Elevation
      • Credits consumed
  • IPify: A total of 13 data points, all of which are among WhoisXML API’s data points (i.e., country, region, city, latitude and longitude coordinates, postal code, time zone, GeoNames ID, connected domains, AS number, organization name, AS route, ISP domain, and usage type).

3. Consumption Models and Adjacent Sources of Intelligence

Among the four vendors, WhoisXML API has the most extensive product range.

WhoisXML API Products

WhoisXML API has a total of eight IP intelligence offerings, namely:

  • IP Geolocation API and IP Geolocation Lookup: Apart from an IP address, IP Geolocation API allows users to search for geolocation information using a domain name or an email address as input. It provides results in either JavaScript Object Notation (JSON) or XML format, which makes it easy to integrate into most existing solutions or systems. Instructions for its use are available on the API Docs page. Developer libraries and code samples, meanwhile, can be downloaded from the Integrations page.

IP Geolocation Lookup is a web-based version of IP Geolocation API. While it provides the same results, it does so in a format that even the less tech-savvy can read. It also gives reports with custom URLs for easy sharing.

IP Geolocation Lookup
  • IP Geolocation Data Feed: This is the intelligence source behind IP Geolocation API and IP Geolocation Lookup. It contains data on 32 million IP blocks and locations and comes in JSON and comma-separated values (CSV) formats. More detailed instructions for downloading and integration are available on the Specifications page.
IP Geolocation Data Feed
  • IP Netblocks API and IP Netblocks Lookup: These adjacent sources of IP intelligence determine the IP range and netblock an IP address belongs to, along with detailed information on its owner.

The API gives results in JSON and XML formats, making it easily integrable into existing solutions and systems. Instructions for its use and integration are available on the API Docs page.

IP Netblocks Lookup, meanwhile, provides easy-to-read reports for the less tech-savvy. It also gives a custom URL for each report, making it easy for users to share.

IP Netblocks Lookup
  • IP Netblocks WHOIS Database: Like IP Netblocks API and IP Netblocks Lookup, the database lets users check the IP range and netblock of an IP address, along with detailed information on its owner. It’s available in two formats—JSON and CSV. Users can also choose to download the database in full or daily increments via HyperText Transfer Protocol Secure (HTTPS) or File Transfer Protocol (FTP). Detailed instructions for downloading are available on the Specifications page.
IP Netblocks WHOIS Database
  • Reverse IP/DNS API and Reverse IP/DNS Lookup: These other adjacent sources of IP intelligence allow users to obtain a list of all the domains that resolve to an IP address and when each resolution was first and last seen. They collect data from an extensive passive DNS database, making them useful for cybersecurity purposes.

The API returns results in JSON and XML formats, making it easy to integrate into platforms. Instructions for its use are available on the API Docs page. Code samples for various languages are also available on the Integrations page.

Reverse IP/DNS Lookup reports, meanwhile, are easy to read even for the non-tech-savvy. The service gives a custom URL for each report, making it easy to share too.

Reverse IP/DNS Lookup reports

MaxMind Products

MaxMind has a total of five product lines, namely:

  • GeoIP2 Anonymous IP Database: This allows users to identify website visitors that use anonymizers. It classifies anonymizers into four types—hosting provider/data center, virtual private network (VPN), Tor exit node, and public proxy. The database comes in two formats—binary and CSV files.
  • GeoIP2 Enterprise Database: This lets users gather pertinent IP geolocation information on all website visitors. It contains data that is claimed to be 99.8% accurate on the country level, 80% accurate on the state level, and 68% correct on the city level for U.S.-based IP addresses within a 50-kilometer radius. The database includes localized names for select locations and comes in two formats—binary and CSV files.
  • GeoIP2 Precision Services: This provides users with geolocation and other information related to an IP address through APIs. They are integrable into commercial products or applications without the need for additional licensing.
  • GeoIP2 Databases: These refer to locally hosted IP geolocation information sources that allow unlimited internal use within the subscribing organization. Like the first three products, these also include localized names for the same select locations. Open-source APIs are also available for the most popular languages. Subscriptions also come with automated updates.

IP2Location Products

IP2Location has a total of three product lines, namely:

  • IP Address Geolocation Database: These databases are available for download as either CSV or BIN files. They come in various kinds as well, depending on how much information is required.
  • IP Geolocation Web Service: This allows users to query the database to retrieve geolocation information. A manual detailing instructions for its use, including sample query strings, can be accessed.
  • Software and Components: IP2Location offers ready-to-use software, components, or libraries so users can integrate its products into their platforms or frameworks. These components don’t require one to set up a relational database, as they search for records directly from the vendor’s BIN data file.

There are four components on offer, namely:

  • .NET Component: This is made for the .NET Framework and it enables users to perform IP geolocation lookups to determine their website visitors’ geolocation accurately.
  • Java Component: This works with the Java platform and allows applications to discover where website visitors are coming from.
  • ActiveX/COM DLL: This is a component for Windows systems that allows developers to determine where web visitors originate based on their IP addresses.
  • HTTP Module: This is an Internet Information Services (IIS)-managed module that allows users to retrieve extensive information about an IP address.

IPify Products

IPify has two offerings, namely:

  • IP Geolocation API: This lets users discover the physical location of an IP address via API calls. Like other previously cited services, the API is useful for various business requirements. Details on its use are available on the API Docs page.
  • IP Geolocation Data Feed: This provides the same information as the API but in the format of a downloadable database. It contains detailed IP geolocation information gleaned from more than 30 million block records. The data feed comes in JSON format. Download instructions are available on the Specifications page.

4. Pricing

Here are some of the available purchase options and their pricing for each provider:

  • WhoisXML API’s API pricing varies according to the number of queries and the type of subscription. The provider offers 1000 free queries per month. For 1 million and 5 million queries, a one-time credit purchase costs $179 and $549, respectively. The cost for 1 and 5 million queries goes down to $99 and $299 with a monthly plan, while yearly plans for the same amounts of queries cost $990 and $2,990. Database pricing depends on the number of licenses and the subscription type. A one-off license valid for 1 month costs $129. A monthly and a yearly subscription for one license cost $99 (per month) and $990 (per year), with discounts available for additional site licenses. Custom pricing is also available, including with Enterprise API and Enterprise Data Feed packages.
  • MaxMind’s GeoIP2 Precision services are priced at $0.0001, $0.0003, or $0.002 per query depending on the data points included (country, city, or contextual insights, respectively). For information at the city level, pricing comes to $300 for 1 million queries, with discounts available above $2,500 per month. Database pricing is also heavily dependent on the data points included, with both monthly and yearly pricing options available. A database with information at the city level costs $100 monthly and $1,200 yearly. Additional data points can be included at a monthly / yearly cost of $24 / $288 for ISP information, $24 / $288 for domain information, and $90 / $1,080 for connection type information.
  • The pricing of IP2Location’s IP Geolocation web service starts at $49 for 100,000 credits and goes up to $441 and $1,960 for 1 million and 5 million credits. The provider’s databases have yearly pricing that changes based on the number of data points contained and the type of license. The software components’ yearly costs start between $99 and $149.
  • IPify also has pricing options with different consumption plans. API costs for one-off 1 and 10 million queries are $89 and $449. Comparatively, monthly and yearly subscriptions for 1 million / 10 million queries cost $49 / $249 and $495 / $2,495. Database pricing also varies based on the number of site licenses, starting at $99 for a one-time license valid for one month.

5. Support and Reputation

All of the vendors on our comparison list provide support services with contact details, such as:

  • WhoisXML API: All of the information users need to contact the vendor can be found on its Contact Us page.
  • MaxMind: This vendor has a dedicated Support Center with the data users need to contact it.
  • IP2Location: The contact details for the vendor can be found on its Contact page.
  • IPify: This vendor can be contacted via a request form at the bottom of its site.

According to a TrustRadius comparison of three of the four vendors—WhoisXML API, MaxMind, and IP2Location—WhoisXML API had the top score of 9.1 out of 10. Points that made WhoisXML API stand out include:

  • It provided accurate and up-to-date information that was useful not only for marketing purposes but also for cybersecurity.
  • The pros indicated for all three products were similar. The cons were alike as well for WhoisXML API and MaxMind, while IP2Location was cited for lacking acceptable upload formats and for needing better website navigation.
  • WhoisXML API scored high in terms of support provision and pricing, too.

Upon review of the four vendors, one certainly wonders if there is such a thing as the best IP geolocation service provider. The short answer is no.

Each of our contenders—WhoisXML API, IP2Location, MaxMind, and IPify—has pros and cons and particular offerings. The right choice will depend on an organization’s business needs and budget.

How to Take a Screenshot of a Website Page without Visiting the URL http://www.zisu42.net/blog/how-to-take-screenshot-website-page/ Mon, 20 Jul 2020 09:04:55 +0000

Humans are visual-oriented creatures. With a highly developed visual cortex, our minds are equipped to process visual elements better than any other form of information. For this very reason, we tend to prefer to interact through visual media. That has led to the use and sharing of visual content found on the Internet, which in turn leads to the question of how to take a screenshot of a website page.

In this pro-visual scene, website screenshots have emerged as a prime currency of communication. Whether used in how-to tutorials, web design, or even cybersecurity, the ubiquitous screenshot has propelled itself to a top position in the online ecosystem. Screenshots are also found in more and more business processes. With this in mind, let’s consider a few alternatives for automatic screenshot capture.

3 Ways to Take a Screenshot of a Page

Option #1: Use an Internet Archive

The Wayback Machine is an Internet archive that saves screenshots of old homepages so you can look at them without actually visiting the website. It wasn’t designed to test a site’s security but as a means to obtain images of now-defunct pages.

Here’s a snippet of the full-page screenshot of http[:]//abcnews[.]com[.]co/ (dubbed a fake news site and no longer operating) obtained from the service:

Option #1: Use an Internet Archive

To save the full page, we followed these steps on Google Chrome:

  • Press Ctrl-Shift-I on a Windows PC or Cmd-Option-I on a Mac.
  • Press Ctrl-Shift-P on Windows or Cmd-Shift-P on a Mac.
  • Type the word “screenshot.”
  • Choose “Capture full-size screenshot” from the drop-down list that appears.

Option #2: Download a Browser Extension

One-click Screenshot is a browser extension that users can install and use free of charge. However, since it’s not designed for cybersecurity, users will need to visit a website to capture screenshots with it (and potentially risk computer infection should a site turn out to be dangerous).

Here’s a cropped version of a full-page screenshot of the Apple website taken with the tool:

Option #2: Download a Browser Extension

Option #3: Use a Screenshot Lookup Tool or API

Screenshot Lookup and Screenshot API fall into this category. Both screenshot tools let users capture high-quality full-sized screenshots and offer various features discussed later in this post. One of the perks of a freemium tool is letting users try out capabilities before proceeding with purchasing. In this case, users instantly get 500 free credits monthly after signing up.

How to Screenshot a Website Page with Screenshot Lookup

Users don’t need to be particularly tech-savvy to enjoy the benefits of our screenshot products. Here are simple step-by-step instructions on how to screenshot a website page by using Screenshot Lookup.

Step #1: Get a WhoisXML API Account

Register for free. Log in with your newly acquired credentials.

Step #2: Enter the Domain Name

Type the domain name into the input field and click “Capture.” We used “whoisxmlapi[.]com” for this demonstration.

Step #2: Enter the Domain Name

Step #3: Get Your Screenshot

Wait a few seconds. You should see a preview like this:

Step #3: Get Your Screenshot

Click “Download” and save the JPG file. Screenshot Lookup has the added benefit of creating a custom URL that users can share with others who want to access the report.

How to Integrate Website Screenshot API

If you are looking to integrate the above-illustrated capability into an existing product or system, Screenshot API works in any environment that can use RESTful APIs. For instance, in a Bash script, you can get the screenshot of, e.g., whoisxmlapi[.]com with the following command:

curl --get "https://website-screenshot-api.whoisxmlapi.com/api/v1?apiKey=YOUR_API_KEY&url=whoisxmlapi.com" --output whoisxmlapi.com.jpg

This will result in a JPG file named “whoisxmlapi.com.jpg.” Note that YOUR_API_KEY has to be substituted with your unique API key (which you can get after registration).

In a Windows PowerShell environment, the same request can be made with the Invoke-WebRequest cmdlet (https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-5.1&redirectedfrom=MSDN).

Consult the API documentation page (https://website-screenshot.whoisxmlapi.com/api/documentation/making-requests) for more details and code snippets.
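The following Bash script is an added example, not code from the original post or from WhoisXML API: it wraps the curl call above so an analyst can capture previews of a batch of suspicious URLs without opening them in a browser, URL-encodes each target, and checks that what came back is actually a JPEG. It assumes the key lives in an environment variable named SCREENSHOT_API_KEY (an assumed name), that a non-image API response is a text body, and it uses only the apiKey and url parameters shown above.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post or from WhoisXML API.
# Batch-captures Screenshot API previews of URLs an analyst does not want to
# open directly (e.g. links from a suspicious email), using only the apiKey
# and url parameters shown in the post. SCREENSHOT_API_KEY is an assumed
# environment variable name; the text/JSON error body is an assumption too.
set -euo pipefail

API_BASE="https://website-screenshot-api.whoisxmlapi.com/api/v1"

# Percent-encode a string (RFC 3986 unreserved characters pass through), so a
# target URL containing '&', '?' or '#' cannot inject extra API parameters.
# ASCII input is assumed.
urlencode() {
  local s="$1" out="" c i
  for ((i = 0; i < ${#s}; i++)); do
    c="${s:i:1}"
    case "$c" in
      [a-zA-Z0-9.~_-]) out+="$c" ;;
      *) out+="$(printf '%%%02X' "'$c")" ;;
    esac
  done
  printf '%s' "$out"
}

# Build the request URL. The key comes from the environment unless passed
# explicitly, so it does not end up in shell history or a shared script.
build_request_url() {
  local target="$1" key="${2:-${SCREENSHOT_API_KEY:?set SCREENSHOT_API_KEY}}"
  printf '%s?apiKey=%s&url=%s' "$API_BASE" "$(urlencode "$key")" "$(urlencode "$target")"
}

# Derive an output file name from the target, replacing anything that could
# act as a path separator or shell metacharacter.
safe_name() {
  printf '%s' "$1" | tr -c 'A-Za-z0-9._-' '_'
}

# True when the file starts with the JPEG magic bytes FF D8 FF. Error
# responses arrive as a text body, so a non-empty file is not proof of an image.
is_jpeg() {
  [ -s "$1" ] && [ "$(head -c 3 "$1" | od -An -tx1 | tr -d ' \n')" = "ffd8ff" ]
}

# Fetch one screenshot; returns non-zero (and keeps the body on disk for
# inspection) when the API did not return a JPEG.
capture() {
  local target="$1" out
  out="$(safe_name "$target").jpg"
  curl --silent --show-error --get "$(build_request_url "$target")" --output "$out"
  if is_jpeg "$out"; then
    printf 'ok    %s -> %s\n' "$target" "$out"
  else
    printf 'error %s -> %s is not a JPEG; inspect the saved body\n' "$target" "$out" >&2
    return 1
  fi
}

# Usage: ./screenshots.sh url [url ...]
# Each capture is independent; one failure does not stop the batch.
if [ "${BASH_SOURCE[0]}" = "$0" ] && [ "$#" -gt 0 ]; then
  status=0
  for target in "$@"; do
    capture "$target" || status=1
  done
  exit "$status"
fi
```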

What Puts Screenshot API and Screenshot Lookup among the Best Screenshot Tools?

Let’s take a look at the features that the products offer:

  • Full website screenshot: Using our screenshot tools, you can get a fully scrollable webpage screenshot that perfectly captures the target website’s details.
  • Minimum required input: Screenshot Lookup is easy to use and does not require installation. Meanwhile, Screenshot API can be easily integrated into existing applications by using our code libraries as a starting point.
  • Adjustable capture timing: Apart from giving users real-time screenshot captures, Screenshot API also has a delay capture feature of up to 10,000 milliseconds.
  • Varied download formats: All of the screenshots taken with Screenshot API can be downloaded in different forms, including PDF, JPG, or PNG. Screenshot Lookup’s reports, on the other hand, are downloadable in JPG.
  • Multiple device emulation options: Screenshot API and Lookup allow users to match the screenshots’ dimensions with their target screen sizes. Options include None (captures only the visible part of the website on the device it’s taken from), BlackBerry Q10 (720 x 720), HTC One (1080 x 1920), iPhone X (1125 x 2436), iPad Pro (2048 x 2732), and Desktop Full HD (1920 x 1080).
  • Chrome support: Screenshot API and Lookup use a Google Chrome rendering engine that supports CSS3, JavaScript, and web fonts. That translates to screenshots that are exact representations of browser output.

Use Cases of Our Screenshot Tools

Now that we have discussed how to take a screenshot of a website, let’s talk about the reasons for doing so. Well-formatted screenshots of a webpage can serve different use cases, ranging from simple presentations to legal documentation. More specifically, a screenshot tool can help in any of the following ways:

Case #1: Cybercrime Protection

While the volume of unsolicited communications with malicious attachments remains high, we also see spammers embedding malicious URLs in their messages. That is a good reason for users—businesses and individuals—to be wary of clicking links embedded in emails, chats, direct and text messages, and webpages. Many of them could be malware hosts that can put user systems and data at risk. Users thus need a way to view a website without actually visiting it.

Screenshot API and Lookup can help avoid these cyber risks by providing a quick and effective alternative for taking high-quality snapshots of any potentially dangerous online property. Let’s consider a few examples of threats that a screenshot application can help users better explore and mitigate.

1. Phishing

Many data breaches start with opening and clicking a link embedded in phishing emails. So, while you may have been tricked into viewing a phishing message, do not click on the link if you believe that it is suspicious. Query the site first to make sure it is safe to access.

Let’s say that you opened a supposed Internal Revenue Service (IRS) email. Its sender embedded the URL https[:]//irs-gov[.]uc[.]r[.]appspot[.]com, which you are prompted to click to settle a complaint.

A Screenshot Lookup or API query for the site should give you this result:


A comparison with the real IRS website would tell you that the page is likely forged as it doesn’t have a logo or footer, as shown below.


2. IoC Exploration

Among the indicators of compromise (IoCs) of a Maze ransomware attack is the domain mazedecrypt[.]top, cited on Threat Intelligence Platform. A screenshot lookup or API query of the domain displays the following:

IoC Exploration

While the website may pique your interest, the lack of relevant information should raise a red flag.

Case #2: Competitor Analysis

Screenshot Lookup and API can serve as invaluable sources of intelligence on competitors, as these provide real-time screenshots of their websites. The insights that the visual data gives can help decision-makers steer their business in the right direction. 

For instance, monitoring the core messaging of a competitor over time can inspire business owners to brainstorm about their company’s branding. What’s more, observing the changes that rivals have made on their websites could reveal strategic shifts and hint at what they plan to venture into next.

To illustrate this, let’s take a look at how the Virgin America website has changed over the years.

Virgin America Site in 2007

Virgin America Site in 2017

Virgin America Website at the time of writing

Case #3: UX and UI Design Testing

User interface (UI) and user experience (UX) designers can use our screenshot tools to check how websites appear on different devices and varying screen sizes. That allows them to see if the sites are responsive and dynamically adjust, depending on the device on which users view the pages.

We tested our screenshot tools’ various device emulation formats on another top-ranking website in terms of design (https[:]//wovenmagazine[.]com/) to illustrate the capabilities for UI and UX designers.

BlackBerry Q10 (720 x 720)

HTC One (1080 x 1920)

iPhone X (1125 x 2436)

iPad Pro (2038 x 2732)

Desktop Full HD (1920 x 1080)

Case #4: Digital Marketing

Proper digital marketing efforts are crucial to the success of any business. Digital marketers can use website screenshots to send visual data to clients in an easily digestible format, thus enabling more significant insights and timely decisions. Gathering screenshots of different versions of a site, for example, can also help monitor progress made in branding and other marketing aspects.

Search engine optimization (SEO) professionals, meanwhile, can use Screenshot API to capture PDFs with embedded links as proof of backlinking. An example would be an article written for our company on a third-party site:

Case #4: Digital Marketing

With Screenshot Lookup, digital marketers can even do away with heavy file attachments, which could be a problem for clients that limit email attachment sizes for security and other reasons. Instead of sending the image above, they can opt to send the lookup report’s custom URL, like this one, instead.


With instant screenshot facilities, easy sharing and integration capability, and a host of customizable features, Screenshot Lookup and API aim to create a rich and safe visual experience for web-based processes.

From a cybersecurity standpoint, it is often better to avoid visiting unknown websites without screening them first. Learning how to screenshot a website page with our screenshot tools can lessen an organization’s chances of letting threats into networks. When used alongside domain reputation capabilities as offered by Threat Intelligence Platform, the products can demonstrate how unsafe accessing a website can be. Integrating Screenshot API along with a malware check API into existing solutions, including those currently in development, can also help companies beef up their cybersecurity posture and offerings.

From the business angle, Screenshot Lookup and API could land your website on A-lists in terms of design. That may not only help boost your digital marketing efforts but also give your visitors the best UX possible. With the screenshot tools, taking websites in development for a test drive to ensure excellent UX and UI for any user is easily doable too.

Would you like to see how our products work in practice? Get started with our Screenshot Services today. We are also available for any information you might need, so don’t hesitate to contact us for more details.

Find Out More About an IP Address via WHOIS Lookup and WHOIS API http://www.zisu42.net/blog/find-out-more-about-an-ip-address-via-whois-lookup-and-whois-api/ Mon, 13 Jul 2020 09:40:07 +0000

IP addresses are unique identifiers for devices hooked to the Internet. These addresses, which are represented by numerical values, allow computers to communicate over the Transmission Control Protocol/Internet Protocol (TCP/IP) suite. The protocol routes users looking for Internet-connected hosts or websites to the right destinations using IP addresses as a reference.

However, notably because of inherent design flaws in the protocol, attackers can spoof IP addresses with the intention of, for example, misdirecting users to dangerous sites. For this reason, among others, it is critical to routinely scan IP addresses passing your network filters to ensure their integrity and identify any potential links to malicious campaigns or networks.

As part of this process, it is possible to do an IP lookup via WHOIS Lookup and WHOIS API to extract the ownership details of a given address for further inspection. What’s more, both products permit gathering all sorts of relevant details such as if an IP address hosts a domain and which regional Internet registry (RIR) manages the resource.

Why Run an IP Address WHOIS Lookup?

Let’s take a closer look at some use cases of an IP address WHOIS lookup.

1. Fraud Detection

Authorities can stay hot on the trail of criminals by tracking the origin of their IP addresses. Fraudsters paying for purchases using stolen payment card information are also identifiable based on the IP addresses logged when they placed their orders. Investigators can first acquire the suspicious IP addresses from the merchant’s website and payment processor. Then they can run the IP address through WHOIS Lookup or WHOIS API to obtain the name and contact details of its owner and connected domains, if any.

2. DNS Forensic Analysis

WHOIS Lookup or WHOIS API can enhance the data gathered from open-source intelligence (OSINT) databases, helping security teams more comprehensively analyze the IP addresses that are attempting to establish connections with their systems.

In the wake of a malware attack, for example, you can use the said sources of intelligence in an attempt to establish whether or not your network might be making or receiving calls to or from any known command-and-control (C&C) servers by screening the IP addresses recorded in your logs. Users can also integrate the API into a network filtering tool for more timely detection of rogue IP addresses.

3. Spam Blocking

Email reputation services and DNS-based blackhole lists (DNSBLs) closely monitor suspicious senders that figure in spam campaigns. You can augment the effectiveness of such services with WHOIS Lookup or WHOIS API. The products can be used to take indicators from your network, such as IP addresses, and query connected databases to retrieve relevant records and receive additional contextual information.

4. Thwarting IP Address Fraud

Fraudsters can go to great lengths to execute illegal schemes. One case, for instance, involved an IT firm that set up shell companies to fool a registry into allocating it 800,000 IP addresses. The company sold these to virtual private network (VPN) service providers, whose subscriber bases in need of anonymity comprised not just legitimate users but also hackers and cybercriminals.

Now, say you come across similar fraudulent activity and want to alert the relevant entities. WHOIS Search or WHOIS API can help you retrieve the registration details of illegitimately obtained IP addresses. With an IP address’s corresponding records at hand, you can identify the registry governing its use. The API also provides information as to when the IP address was released and last updated.

How to Use WHOIS API to Perform an IP Address WHOIS Lookup

WHOIS API is available for integration into a variety of security solutions and website plugins, including Splunk and WordPress. If you want to experience a free demo of the API, head over to the product’s homepage, type an IP address into the field, and hit the Enter key.

Below is an example output in XML format for the blacklisted IP address 201[.]18[.]18[.]173 (according to IP Blacklist Cloud, users reported the IP address for abuse over 1,000 times).

How to Use WHOIS API to Perform an IP Address WHOIS Lookup

The report shows that the Latin America and Caribbean Network Information Centre (LACNIC) is the regional Internet registry behind the IP address. It also reveals the registrant, “Oi,” to which the IP address has been allocated. Oi is a major telco company and Internet service provider (ISP) in Brazil and Latin America. Analysts and law enforcement agents can reach out to it to retrieve any additional information about the IP address for further investigation.

IP address WHOIS lookups can be part of robust processes in threat hunting, incident response, and cyber investigation. Indeed, WHOIS Lookup and WHOIS API enable infosec professionals and law enforcement agents to track the identities of criminals starting from as little as an IP address.

ProPrivacy Open Data Project: Mapping Malicious Coronavirus Domains Using WHOIS Data http://www.zisu42.net/blog/proprivacy-open-data-project-mapping-malicious-coronavirus-domains-using-whois-data/ Mon, 13 Jul 2020 09:26:47 +0000

The COVID-19 pandemic has driven many people to do almost everything within the confines of their homes. Nearly exclusive reliance on digital means to work, study, shop, and communicate amid uncertainty opened many avenues for cybercrime to take place—notably through the use of coronavirus-related domain names.

To demonstrate this trend, ProPrivacy has partnered with WhoisXML API and VirusTotal to investigate the extent to which cybercriminals are weaponizing the Domain Name System (DNS) in an open data project called “COVID-19 Malicious Domain Research Hub.”

The Open Data Project: Objectives

Domain names, especially newly registered ones, have long been used by cybercriminals in phishing campaigns, malware attacks, financial scams, and other nefarious activities. Even before the coronavirus pandemic, many newly registered domains (NRDs) were found to be malicious or suspicious, at the very least.

To gain a perspective on how many coronavirus-related domain names are being used maliciously, ProPrivacy started the open data project. The project has simple, interrelated objectives, enumerated below:

  • To obtain a continuously updated list of domain names related to the COVID-19 pandemic;
  • To determine whether or not these domains are used maliciously;
  • To share this information with the general public.

Partnering with WhoisXML API

By providing access to its extensive Whois Database via API calls, WhoisXML API has helped ProPrivacy monitor coronavirus-themed registrations among the hundreds of thousands of new registrations occurring daily.

Once a domain name has been tagged “malicious” by VirusTotal, ProPrivacy runs this domain via WhoisXML API’s domain intelligence to retrieve its complete WHOIS records. Such records include registration and expiration dates, registrant names, and email addresses. To ensure the robustness and accuracy of the dataset, ProPrivacy also used WhoisXML API’s historical WHOIS record-retrieving API.

The open data project further highlighted the fact that domain name registration behaviors are often closely related to news events. In particular, the team detected a 648% increase in coronavirus-inspired malicious domain names the same day the World Health Organization (WHO) named the disease COVID-19.

The Open Data Project: Findings

The ProPrivacy open project is ongoing and revealed the following findings so far:

  • ProPrivacy analyzed over 600,000 coronavirus-related domain names to date.
  • More than 125,000 of the domains analyzed were deemed malicious after cross-referencing data from WhoisXML API’s database and VirusTotal.

Check out the ProPrivacy COVID-19 Malicious Domain Research Hub here. The data can be accessed on their GitHub repository as well.

You can also learn more about WhoisXML API’s database offerings by visiting the following pages:

Relieving Network Concentration Risks Aided by IP Netblocks Lookup http://www.zisu42.net/blog/relieving-network-concentration-risks-aided-by-ip-netblocks-lookup/ Wed, 08 Jul 2020 17:03:29 +0000

It is normal for large enterprises, especially multinational corporations (MNCs), to maintain an IP netblock or several IP ranges for their website hosting requirements. This approach allows them to quickly set up sites as the need arises. There might be problems, though, when a company relies on a single service provider. Any operational disruption on the provider’s part means a halt to its business as well.

This post tackles the challenges that relying on a single web host brings and how access to an IP Netblocks WHOIS database may help alleviate them. In case you are not fully familiar with the notion of netblocks, check this post for an introduction to the subject.

Adverse Effects of Network Concentration

In this context, we define network concentration as solely obtaining IP addresses for an organization’s corporate infrastructure from a single provider. As you may already know, Internet service providers (ISPs) assign IP addresses to individuals and companies alike for their computers’ use. Unlike individual and small business users, though, large enterprises often purchase netblocks for their sole use. The biggest organizations in the world typically maintain several IP ranges, depending on their number of connected devices. Apple, for instance, owns at least 100 netblocks, including the following:

  • to (AT&T U.S.)
  • 2001:1890:1c17:cf00:: to 2001:1890:1c17:cfff:ffff:ffff:ffff:ffff (Apple)
  • to (Verizon)
  • to (Charter Communications)

As shown above, Apple doesn’t rely on a single ISP for its connectivity requirements. And that is good in that, should one go offline, the company’s entire operations won’t suffer.

Organizations that want to ensure business continuity should put redundancies in place; much like they won’t keep their data stored in a single cloud repository, they shouldn’t purchase all netblocks from the same provider. A company that keeps all its data on Amazon Web Services (AWS), for instance, may cease to operate if, for whatever reason, the provider goes offline (e.g., for system maintenance or repairs).

Several scenarios, both caused by humans and natural disasters, could lead to Internet access disruption. A car ramming into a telephone line or a repairman accidentally hitting an underground fiber-optic cable, for instance, can prevent your employees from connecting to the Web. The same could happen due to an earthquake, flooding, or a hurricane. Any number of unwanted occurrences can easily pull the plug on a connected organization. But any company that has a redundant Internet connection setup can avoid the repercussions of losing connectivity.

How Access to an IP Netblocks WHOIS Database Can Alleviate Risks

The next question organizations need to answer is: How would you know if your network concentration risk is high? One way to do so is by identifying who is behind your company’s netblocks. And you can do that by using IP Netblocks WHOIS Database. You can access the repository in two ways:

  • Via IP Netblocks API (can be integrated into existing solutions or systems) or IP Netblocks Lookup (a Web-based service)
  • By downloading the database and integrating it into existing tools and platforms; or correlating it with other sources to build a database most suitable for your goals. You can find more about the instructions for building such a database here.

For demonstration purposes, we used IP Netblocks Lookup. All you need to identify your organization’s netblocks and their respective ISPs is your company name. Say you want to find out all of Google’s IP netblocks. Just type “Google” into the lookup tool to obtain the results.

Our query revealed that Google has at least 100 netblocks that include:

  • to (Verizon)
  • to (Zayo [Abovenet Communications Inc.])
  • 2001:2030:34:: to 2001:2030:34:ffff:ffff:ffff:ffff:ffff (Google)
  • to (Charter Communications)
  • to (TWC-11427-TEXAS)
  • to (Telia Carrier)
  • to (Etheric Networks)
  • to (Fiber Networx Inc.)
  • to (Comcast)
  • to (GTT Communications)
  • to (OVHcloud)
  • to (Windstream Communications)
  • to (Savvis)
  • to (AT&T U.S.)
  • to (TWC-11426-CAROLINAS)
  • to (Nextweb)

As shown above, Google maintains several IP blocks under different ISPs, which is predictable as it is the largest search engine operator in the world.

You may be wondering why we needed to list Google’s IP ranges and check whether they belonged to different ISPs. It’s quite simple, really. Google, like many Internet giants, always needs access to the Web to perform tasks and serve its customers, and so requires network redundancies.

Spreading your connectivity requirements among several providers assures you that if one fails, your sites will remain online, your employees will have unhindered access to files and applications, and your customers and stakeholders can remain in constant contact with you.

Let us look at examples to demonstrate why maintaining IP netblocks with separate ISPs is ideal.

Setup #1: Websites on the Same or Adjacent IP Netblocks

Let us say that you are a Kamatera cloud service user. Kamatera maintains several websites (obtained via Reverse WHOIS Search), including:

  • Kamatera[.]com (the provider’s official website)
  • Terakama[.]com (an alternative site)

We know that these sites are hosted on the following IP addresses based on DNS Lookup API queries:

  • Kamatera[.]com:
  • Terakama[.]com:

Note that if you are the websites’ owner, you can skip the reverse WHOIS and Domain Name System (DNS) lookups because you have a list of all your sites and their corresponding IP addresses. To check if the IP addresses are in the same range and/or maintained by a single ISP, use IP Netblocks Lookup. Our queries showed that:

  • Kamatera[.]com is part of the IP range– maintained by Cloudflare.
  • Terakama[.]com, meanwhile, though part of a different IP range, specifically–, is still on the same netblock maintained by Cloudflare.

That means that if a cyberattack should hit all Cloudflare’s servers, both sites, among the others hosted on the same netblock, will become inaccessible. The same thing is likely to happen should the provider’s infrastructure be affected by a natural disaster or equipment failure. Such an incident is likely to affect its customers’ operations as well. So, imagine if all of your cloud service requirements were provided by Kamatera and its entire infrastructure is dependent on Cloudflare’s ability to stay online. If Cloudflare is knocked off the Web, you’ll lose access to Kamatera’s services, too.

We’ve seen this scenario unfold with the Synoptek ransomware attack. When the cloud hosting and IT management service provider lost access to its infrastructure, its more than 1,100 customers across several industries in the U.S. suffered as well. (Note, however, that the scenario above is hypothetical. Established providers typically distribute their network requirements to third parties as a failsafe.)

Setup #2: Websites on Different IP Netblocks

Now, let us say that you work for Woot Inc. It maintains several websites (obtained via Reverse WHOIS Search), including:

  • Woot[.]com (the company’s official website)
  • Activewoot[.]com (a duplicate site that the company maintains)

We know that these sites are hosted on the following IP addresses based on DNS Lookup API queries:

  • Woot[.]com:
  • Activewoot[.]com:

To check if the IP addresses are on the same netblock and/or maintained by a single ISP, use IP Netblocks Lookup. Our queries showed that:

  • Woot[.]com is part of the IP range– maintained by Amazon Technologies Inc.
  • Activewoot[.]com, meanwhile, is part of the IP range– (on a different netblock) maintained by Akamai Technologies Inc.

Maintaining a copy of your website on a different host is one way to avoid the damaging effects of a distributed denial-of-service (DDoS) or any other cyberattack for that matter. That might be a reason why Woot has a redundant site maintained by well-known anti-DDoS attack service provider Akamai. It also assures Woot that business will go on as usual even if its main website woot[.]com goes offline due to a problem with Amazon’s servers.
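The check performed by hand in Setup #1 and Setup #2 can be automated: map each site’s IP addresses to a netblock record, group the sites by the organization behind each block, and flag the case where every site sits with a single provider. The code below is an added example, not part of the original post or of WhoisXML API’s tooling; the netblock records use RFC 5737/RFC 3849 documentation ranges and placeholder provider names, constructed here in place of real lookup results.

```python
import ipaddress
from collections import defaultdict

# Constructed netblock records in the shape of an IP Netblocks lookup result:
# (first address, last address, organization). Documentation-only ranges and
# placeholder organizations; not real allocations.
NETBLOCKS = [
    ("192.0.2.0", "192.0.2.127", "Provider A"),
    ("192.0.2.128", "192.0.2.255", "Provider A"),   # adjacent block, same org
    ("198.51.100.0", "198.51.100.255", "Provider B"),
    ("2001:db8:1::", "2001:db8:1:ffff:ffff:ffff:ffff:ffff", "Provider C"),
]


def find_netblock(ip):
    """Return the (start, end, org) record containing ip, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for start, end, org in NETBLOCKS:
        lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
        # Never compare v4 with v6 addresses; Python raises TypeError on that.
        if lo.version == addr.version and lo <= addr <= hi:
            return (start, end, org)
    return None


def concentration_report(sites):
    """sites maps domain -> list of IPs (e.g. from DNS lookups).
    Groups the sites by the organization behind their netblocks and flags
    'concentrated' when all resolvable sites depend on one provider."""
    by_org = defaultdict(set)
    by_block = defaultdict(set)
    unresolved = set()
    for domain, ips in sites.items():
        for ip in ips:
            rec = find_netblock(ip)
            if rec is None:            # no record: cannot attribute a provider
                unresolved.add(domain)
                continue
            by_org[rec[2]].add(domain)
            by_block[(rec[0], rec[1])].add(domain)
    return {
        "providers": len(by_org),
        "by_org": {org: sorted(doms) for org, doms in by_org.items()},
        "by_block": {blk: sorted(doms) for blk, doms in by_block.items()},
        "concentrated": len(by_org) == 1,   # single point of failure
        "unresolved": sorted(unresolved),
    }
```

Run it over your own site-to-IP list once the DNS lookups are done; a result with `concentrated` set to True is the Setup #1 situation, while two or more providers mirror Setup #2.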

The scenarios we presented in this post may be simple, but they still illustrate the importance of avoiding overreliance on a single provider. Putting all of your eggs in one basket is no laughing matter in this sense. Any untoward occurrence that affects your provider is bound to put your business at great risk, too.