Monitoring Newly Registered Domains | WhoisXML API

Newly Registered & Just Expired Domains Blog

Monitoring Newly Registered Domains

Posted on November 5, 2019

The first line of defense for companies that want to protect their staff or customers from bogus websites is monitoring domain names. Hackers use variations of legitimate domain names to lure unsuspecting users onto portals whose purpose is to steal private information and drop malware onto devices.

WhoisXML API offers a Newly Registered Domains Database and the Domain Research Suite that provide users with the ability to watch whether new domain names closely resemble existing registrations, which may be intended to trap internet users.

Why Monitor New Registrations?

There are a variety of use cases where information on newly registered domains can be of interest to particular individuals or businesses. Web development companies can utilize these lists to prospect for new business. Similarly, marketing companies can use the registration information to build email lists.

Monitoring new registrations, either through a newly registered domains database or new domain monitoring alerts, is particularly useful for security professionals. Hackers often register new domains to perform cyber attacks. Therefore, a new domain monitoring alert could play a vital role in a proactive security solution.

The Bad Guys Register Too

Hackers, like all other Internet users, need domains for their online operations. Carrying out web-based attacks using a domain name provides the hacker with much more flexibility than a fixed IP address. For example, if an attacker has set up a Distributed Denial of Service (DDoS) attack, they may need their proxies to acquire commands from a specific web address.

By utilizing a domain, they can rapidly change IP addresses and servers without needing to update any client settings. This flexibility allows them to avoid any defensive measures. It can also help the hackers evade the authorities, especially when the malicious servers and DNS services fall outside their jurisdiction. There are a few other nefarious reasons for registering domains, such as utilizing them for phishing campaigns.

Gone Phishing

A phishing campaign requires an unsuspecting user to click on a malicious link. If the link resembles the domain of an existing organization, the chances of successfully deceiving the user increase substantially. It is therefore imperative that businesses remain vigilant of any registration which closely matches their legitimate business name to defend against this type of attack.

When identifying a potentially malicious registration, a WHOIS query can quickly inform infosec professionals of its legitimacy. This record listing provides a treasure trove of data about the domain owner, which includes their contact details, the domain’s creation date, and which servers host the domain’s records.

The Best Defense

The WhoisXML API Domain Research Suite offers a set of tools that automatically report when a registration appearing in the Whois database may be of questionable intent.

Domain Monitor

Domain Monitor watches the domains that users specify as being of interest. Whenever the Whois record of one of those domains changes, Domain Monitor emails analysts an alert so they can judge whether the change is suspicious.

Cybersecurity staff receive details of every change to the fields they have chosen to filter the registration on, including the Updated Date, Created Date, Expiration Date, Registrant Information, the Domain Status, and more.

To illustrate, we have been monitoring the domain yahoodatabrachsettlement[.]com for months. The domain is among the typosquatting domains of Yahoo’s official data breach settlement site, yahoodatabreachsettlement[.]com.

On 2 September 2020, several changes to its WHOIS record were detected, leading to the conclusion that the domain was left to expire.

Domain Monitor: yahoodatabrachsettlement[.]com

Domain Monitor also alerted us that the malicious domain covid19[.]vegas was renewed at some point in October 2020. Given that the domain was previously flagged for phishing, it may be worth investigating why someone decided to extend the registration.

Domain Monitor: covid19[.]vegas
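
The two alerts above boil down to diffing consecutive WHOIS snapshots of a watched domain and labelling what the diff means. The following is an added example, not WhoisXML API's own code: it compares two constructed snapshots (field names are assumptions; only the EPP status codes are real) and classifies the change as a renewal, a lapse, a registrant change, or a re-registration, which are the cases an analyst reading a Domain Monitor alert has to tell apart.

```python
"""Classify the WHOIS record changes a domain-monitoring alert reports.

Added example, not WhoisXML API's own code: it diffs two snapshots of one
monitored domain's WHOIS record and labels the change (renewed, expiring,
registrant changed, re-registered). The snapshots are constructed and the
field names are assumptions; only the EPP status codes are real.
"""
from datetime import date

# Fields the article says a monitor reports on: Updated, Created and
# Expiration Date, Registrant Information and Domain Status.
MONITORED_FIELDS = ("updated_date", "created_date", "expires_date",
                    "registrant", "status")

# EPP status codes that mean a registration is being allowed to lapse.
EXPIRY_STATUSES = {"autoRenewPeriod", "redemptionPeriod", "pendingDelete"}


def diff_whois(old, new, fields=MONITORED_FIELDS):
    """Return {field: (old_value, new_value)} for each monitored field that differs."""
    return {f: (old.get(f), new.get(f)) for f in fields if old.get(f) != new.get(f)}


def classify_change(old, new):
    """Return (changes, labels): the raw diff plus analyst-facing labels."""
    changes = diff_whois(old, new)
    labels = []
    old_exp, new_exp = old.get("expires_date"), new.get("expires_date")
    if "expires_date" in changes and old_exp and new_exp and new_exp > old_exp:
        labels.append("renewed")          # registration extended, i.e. renewed
    if "status" in changes and EXPIRY_STATUSES & set(new.get("status", ())):
        labels.append("expiring")         # left to lapse: grace/redemption/delete
    if "registrant" in changes:
        labels.append("registrant_changed")
    if "created_date" in changes:
        labels.append("re_registered")    # dropped and picked up again
    return changes, labels


def render_alert(domain, old, new):
    """Build the alert text an analyst would receive, or None if nothing changed."""
    changes, labels = classify_change(old, new)
    if not changes:
        return None
    lines = [f"[{domain}] {', '.join(labels) or 'whois_updated'}"]
    lines += [f"  {field}: {before} -> {after}"
              for field, (before, after) in changes.items()]
    return "\n".join(lines)


# Constructed snapshots (not real WHOIS records) for reserved .example names.
LAPSE_BEFORE = {
    "created_date": date(2019, 9, 2), "updated_date": date(2019, 9, 2),
    "expires_date": date(2020, 9, 2), "registrant": "REDACTED FOR PRIVACY",
    "status": ["clientTransferProhibited"],
}
LAPSE_AFTER = dict(LAPSE_BEFORE, updated_date=date(2020, 9, 3),
                   status=["redemptionPeriod"])

RENEW_BEFORE = {
    "created_date": date(2020, 3, 20), "updated_date": date(2020, 3, 20),
    "expires_date": date(2021, 3, 20), "registrant": "REDACTED FOR PRIVACY",
    "status": ["clientTransferProhibited"],
}
RENEW_AFTER = dict(RENEW_BEFORE, updated_date=date(2020, 10, 14),
                   expires_date=date(2022, 3, 20))

if __name__ == "__main__":
    print(render_alert("brand-settlement-typo.example", LAPSE_BEFORE, LAPSE_AFTER))
    print(render_alert("pandemic-lure.example", RENEW_BEFORE, RENEW_AFTER))
```

The first pair of snapshots reproduces the "left to expire" pattern: the expiration date does not move, but the status flips to a redemption-period code. The second reproduces a renewal: the expiration date jumps forward a year. Feeding daily WHOIS pulls through this diff is enough to raise the kind of alert the post describes, and the labels give the analyst a reason to open the ticket rather than a raw field dump.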

Brand Monitor

Hackers also tend to follow brands to piggyback on the popularity of products and services. WhoisXML API offers a Brand Monitoring Tool that reports on exact and fuzzy matches of brand names. In short, the tool monitors variations and common misspellings of keywords. So, how does it work? The API alerts users when it finds keyword matches among domains that were either newly registered or have recently expired.

A brand monitor for Microsoft, for example, yielded 156 look-alike domains that were either added or modified within the last 10 days. On the other hand, 70 domains were dropped. The chart below reflects these activities.

Brand Monitor: chart

Some examples of the domains are shown in the screenshot of the Brand Monitor below.

Brand Monitor: microsoft

Registrant Monitor

Some hackers have developed reputations or even profiles that enable infosec professionals to keep tabs on their activities. The Registrant Monitor Tool alerts cyberdefense specialists whenever a tracked Whois database registrant newly registers, deletes, or modifies a domain.

The API uses keywords based on the names of individuals or companies that white hats want to track. It sends alerts when the tracked names register new domains, and it also reports when those names update existing domain registration information or when any of their domain names expire.

Newly Registered Domains Database

Aside from the Domain Research Suite, WhoisXML API also offers a Newly Registered Domains Database so clients can access about 190,000 newly registered domains daily. Gaining insights into these can allow companies to enhance their brand protection and threat intelligence systems.

For one, it can help detect cybersquatting or typosquatting. On 17 March 2021 alone, the Newly Registered Domains Database contained 162,895 recently added domain names under the .com gTLD. Some of these are potentially typosquatting on the 10 most-spoofed brands.

Brand Name | Possible typosquatting domains detected on 17 March | Examples
-----------|-----------------------------------------------------|---------
Microsoft  | 8  | belintonmicrosoft[.]com; file-microsoftonlines[.]com; microsofto1ine[.]com
DHL        | 12 | dhlexpress-tracking[.]com; dhlinnovationcenter[.]com; dhlmaytrackingseiwss[.]com
Google     | 25 | active-google[.]com; apps-google-play[.]com; googlecloudhexagon[.]com
PayPal     | 14 | paypal-compte-restreint[.]com; tarot-paypal[.]com; singin02b-paypal09uihjy8uj8yujwdeds4te[.]com
Netflix    | 6  | netflix-biilin[.]com; netflix-helpdesk[.]com; netflix-reminderrenewal[.]com
Facebook   | 15 | ad-facebook40[.]com; facebook-marketplace-item35235[.]com; facebookmiami[.]com
Apple      | 71 | applecore99[.]com; applecoreint[.]com; applecustomers-service[.]com
WhatsApp   | 7  | whatsapa[.]com; whatsappclap[.]com; whatsappeando[.]com
Amazon     | 49 | accountupdat-amazon[.]com; amazoncountertops[.]com; amazoncryptoquickpay[.]com
Instagram  | 7  | buyinstagram[.]com; instagram-bussines-form[.]com; instagrammkeke[.]com
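
Both the Brand Monitor section and the table above rest on the same operation: scanning a day's newly registered domains for labels that contain, or sit a few edits away from, a watched brand. The block below is an added example, not WhoisXML API's code; Brand Monitor's actual matching rules are not published, so the combination of homoglyph folding, substring ("exact") matching and difflib similarity ("fuzzy") matching with a 0.8 threshold is an assumption chosen to reproduce the table's entries. The feed is constructed, with its first four rows copied from the 17 March examples.

```python
"""Flag brand look-alikes in a newly registered domains (NRD) feed.

Added example, not WhoisXML API's own code: Brand Monitor's matching rules
are not published, so this uses an assumed combination of homoglyph folding,
substring ("exact") matching and difflib similarity ("fuzzy") matching on the
registrable label. The feed below is constructed; the first four entries copy
the article's 17 March examples.
"""
import difflib
import re

# The ten brands from the article's table.
BRANDS = ("microsoft", "dhl", "google", "paypal", "netflix",
          "facebook", "apple", "whatsapp", "amazon", "instagram")

# Digits commonly used to imitate letters (assumed list, not exhaustive).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize(label):
    """Fold look-alike characters so 'microsofto1ine' compares as 'microsoftoline'."""
    return label.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def registrable_label(domain):
    """Label left of the first dot; accepts defanged names like 'x[.]com'."""
    return domain.strip().lower().replace("[.]", ".").split(".")[0]


def match_brand(domain, brands=BRANDS, threshold=0.8):
    """Return (brand, 'exact'|'fuzzy') for the brand the domain resembles, else None.

    'exact' means the brand name is a substring of the normalized label;
    'fuzzy' means a hyphen-separated token is within edit similarity of it.
    """
    label = normalize(registrable_label(domain))
    for brand in brands:
        if brand in label:
            return brand, "exact"
    for token in re.split(r"[-_]", label):
        for brand in brands:
            if difflib.SequenceMatcher(None, token, brand).ratio() >= threshold:
                return brand, "fuzzy"
    return None


def scan_feed(feed, brands=BRANDS):
    """Group every matching domain in a newline-separated feed under its brand."""
    hits = {}
    for line in feed.splitlines():
        if not line.strip():
            continue
        match = match_brand(line, brands)
        if match:
            brand, kind = match
            hits.setdefault(brand, []).append((line.strip(), kind))
    return hits


# Constructed NRD sample; the first four rows are examples from the article.
NRD_FEED = """\
microsofto1ine.com
whatsapa.com
paypal-compte-restreint.com
netflix-biilin.com
weather-forecast-today.com
goggle-login.com
amaz0n-security-check.com
"""

if __name__ == "__main__":
    for brand, domains in scan_feed(NRD_FEED).items():
        print(brand, domains)
```

Substring matching is what catches most of the table's entries, including benign-looking ones such as amazoncountertops[.]com, which is why a brand monitor produces candidates for triage rather than verdicts. Fuzzy matching is what picks up whatsapa[.]com, where no brand string survives intact; lowering the threshold widens that net at the cost of more false positives, and short brand names such as "dhl" will hit inside unrelated labels more often than long ones.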

WhoisXML API offers dozens of tools to aid infosec professionals with their defense and forensics work. The Newly Registered Domains Database, Domain Monitor, Brand Monitor, and Registrant Monitor all provide organizations and individuals with effective protection where it counts most—before hackers can strike.
