One of the first go-to resources for law enforcers and cybercrime investigators is the WHOIS database. WHOIS domain search tools such as WHOIS Lookup provide rich information about a particular domain name or IP address. With just one such lookup, cybersecurity professionals can already glean essential data points that aid their investigations.
In phishing campaigns, for example, where e-forensics investigators would only have an IP address on hand, a WHOIS domain search is indispensable. Let’s take a look at how WHOIS records changed when the Internet Corporation for Assigned Names and Numbers (ICANN) decided to temporarily comply with the General Data Protection Regulation (GDPR).
WHOIS Domain Search Pre- and Post-GDPR Implementation
We used a phishing email received by Shikhil Sharma, which he posted on Twitter. The email contained instructions to click the link www[.]wellsfargo[.]com, which upon more scrutiny, redirected to jojoshomemade[.]com/ok/wells/.
WHOIS Records After GDPR
A WHOIS search for the email sender’s domain (pasbird[.]com) at present using WHOIS API would return the following result:
WHOIS Records Before GDPR
To compare the WHOIS record returned before ICANN implemented the Temporary Specification for Generic Top-Level Domain (gTLD) Registration Data in May 2018, we used WHOIS History Search, which allows users to find a domain’s owner at any time in the past.
At one point, an individual named Shaurabh Kumar from New Delhi who used the email address shaurabh128@gmail[.]com owned the domain pasbird[.]com.
Could he be the same registrant behind the phishing domain? We can’t be entirely sure as the domain may have changed hands between April 2017 (the last record with publicly available contact details) and today. However, it could provide investigators additional information. For one, they can try to contact Shaurabh Kumar to learn if he sold the domain to someone else and go on from there.
Has GDPR Made Cyber Investigations More Difficult to Do?
First off, we acknowledge the high probability that threat actors do not reveal their identities when registering domain names. However, they often reuse some piece of information across several domain registrations, which can aid investigations. For instance, threat actors may use the same dummy email address for several domain registrations, since creating a dummy account for every domain would not be practical in terms of time and effort.
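The two investigative steps described above, walking a domain's WHOIS history back to the last record with unredacted registrant details and pivoting on a reused registrant email across other domains, as an added example that is not part of the original article. The record layout, the redaction markers, the second pasbird[.]com record and the example-a/-b/-c domains are constructed assumptions; only the April 2017 registrant details for pasbird[.]com come from the text.

```python
"""Added example (not from the article): find the last unredacted WHOIS history record
for a domain and pivot on a registrant e-mail across several domains' records.
Record shape and all sample values except the April 2017 pasbird[.]com registrant are constructed."""
from dataclasses import dataclass
from typing import Optional

# Strings that registrars commonly substitute for contact data after GDPR (constructed list).
REDACTED_MARKERS = ("REDACTED FOR PRIVACY", "DATA REDACTED", "GDPR MASKED")

@dataclass
class WhoisRecord:
    domain: str
    audit_date: str          # ISO date the historical record was captured (assumed field)
    registrant_name: str
    registrant_email: str
    registrant_city: str

def is_redacted(record: WhoisRecord) -> bool:
    """A record counts as redacted if any contact field carries a redaction marker."""
    fields = (record.registrant_name, record.registrant_email, record.registrant_city)
    return any(marker in field.upper() for field in fields for marker in REDACTED_MARKERS)

def last_unredacted(history: list[WhoisRecord]) -> Optional[WhoisRecord]:
    """Most recent record (by audit_date) that still exposes registrant contact details."""
    candidates = [r for r in history if not is_redacted(r)]
    return max(candidates, key=lambda r: r.audit_date, default=None)

def pivot_on_email(records: list[WhoisRecord], email: str) -> set[str]:
    """Domains whose unredacted registrant e-mail matches the given address (case-insensitive)."""
    return {r.domain for r in records
            if not is_redacted(r) and r.registrant_email.lower() == email.lower()}

# Constructed WHOIS history for pasbird[.]com: the April 2017 record named in the article
# and a later record in which the registrar has masked all contact fields.
PASBIRD_HISTORY = [
    WhoisRecord("pasbird[.]com", "2017-04-15", "Shaurabh Kumar", "shaurabh128@gmail[.]com", "New Delhi"),
    WhoisRecord("pasbird[.]com", "2020-02-01", "REDACTED FOR PRIVACY", "REDACTED FOR PRIVACY", "REDACTED FOR PRIVACY"),
]

# Constructed records for other domains (placeholder names) used to show the e-mail pivot.
OTHER_RECORDS = [
    WhoisRecord("example-a[.]com", "2016-11-02", "Shaurabh Kumar", "SHAURABH128@gmail[.]com", "New Delhi"),
    WhoisRecord("example-b[.]net", "2018-01-20", "Jane Roe", "jane.roe@example[.]org", "Dublin"),
    WhoisRecord("example-c[.]org", "2019-07-09", "REDACTED FOR PRIVACY", "REDACTED FOR PRIVACY", "REDACTED FOR PRIVACY"),
]

if __name__ == "__main__":
    last = last_unredacted(PASBIRD_HISTORY)
    print("last public registrant:", last.registrant_name, last.audit_date)
    print("domains sharing e-mail:", pivot_on_email(PASBIRD_HISTORY + OTHER_RECORDS, "shaurabh128@gmail[.]com"))
```

A shared email only establishes a lead, not identity, since the domain may have changed hands after the last unredacted record.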
With the right tools and perspective, it would only be a matter of time before cybersecurity professionals can see a pattern and trace the perpetrators. Better yet, it would take one mistake for any threat actor to slip and expose himself/herself. A classic example would be Guccifer 2.0, the Russian hacker who forgot to turn on his virtual private network (VPN).
But then GDPR came, and the redaction of WHOIS registrant details became a requirement. For sure, this additional red tape adds a burden to cybercrime investigators. Law enforcement agencies, however, can contact the registrars and ask for details provided they can show authorization.
The internal cybersecurity personnel of organizations, however, would have a hard time obtaining such information. They would need to get in touch with law enforcers, since they may not have the authority to access the personally identifiable information (PII) of a registrant.
* * *
Cybercrime investigations have always been complicated with or without the redaction of WHOIS domain search details. But the ICANN’s Temporary Specification for gTLD Registration Data has added a new layer of difficulty and could potentially delay investigations. And we know that in cybersecurity, timely response means less damage and cost.
The rule is only a temporary solution, but one that has been in place for almost two years now. ICANN would need to come up with a more robust and detailed guideline, including who is authorized to access nonredacted WHOIS registrant details, if redaction becomes permanent. If only law enforcement agencies were permitted, how would the internal cybercrime investigators of organizations cope?