
Month: September 2023

OSINT Quick Tips: Beyond WHOIS

In this Quick Tips blog post (yep, that’s a thing now), I’ll be showing you a couple additional (and quite useful) functions of my favorite WHOIS Lookup site, and hopefully adding a little something new to your ever-growing OSINT methodology.

Much like my desire to stay in college, this blog is going to be over just about as soon as it starts.

Disclaimer/Warning: WHOIS records can be falsified, outdated, and in the case of things like common names they may not even be the same person you’re investigating.
Stop saying “I learned it from the internet” when you get in trouble for not exercising your own critical thinking skills 🙂

Performing a WHOIS lookup can be a pretty hit-or-miss tactic in OSINT investigations, let’s be honest. These days, it’s becoming exceedingly rare to find useful contact information in a website’s historic WHOIS records (though you should always check). Unfortunately for those of us hunting for digital clues, the use of privacy-guard features is pretty much the standard when you register a domain now.

You can’t escape your digital past though, and my favorite site to perform WHOIS history searches to find those OPSEC mistakes is Whoxy. A lot of you are probably familiar with the site already, but did you know it offers more than just a query using a domain name? Have a look…

Clicking the dropdown menu next to the search field on the top of the page reveals multiple options.

Searching by a person’s name is possible:

Click the drop down menu and select “Owner Name” before typing.

There are lots of places on the internet where you can search for the name of your target, from search engines to social media and everything in between, but when was the last time you checked whether the name you’re interested in shows up as the registrant of a website? Selecting “Owner Name” from the dropdown and typing in a name will search for a match.

Searching by a company name is possible:

Click the drop down menu and select “Company Name” before typing.

Investigating a business? Good chance they’ve got some kind of web presence, and that can mean registering domains! A tip here: since you do not know how their company name will appear, you may need to try a number of variants based on what you’re seeing in other business records to find just the right search terms.

Searching by an email address is possible:

Click the drop down menu and select “Email Address” before typing.

Next time you find yourself with an email address, either work or personal, why not give Whoxy a try and see if there’s a website registered with it? You just never know, maybe your clever online criminal forgot about that time he registered a domain back in the day using his Gmail, which you cleverly discover using this trick and then pivot over to captures of his old website on Archive.org to amaze your coworkers!

Searching by a domain keyword is also possible:

Click the drop down menu and select “Domain Keyword” before typing.

This one is by far my favorite! Think of how much we love using the inurl: Google search operator to look for keywords or phrases in URLs Google has indexed, and then think of just how much is being missed when we do that search. Domains that no longer exist, webpages with directives asking Google not to index them, domains that didn’t have any web pages on them at all but maybe had other uses, like email services running on them. Well, the “Domain Keyword” lookup is one hell of a powerful tool in those cases. Does your target have a username? Search it! Do you know their real name? Run it! Do you know their business name, Telegram group, club name, or something else unique to them? RUN THEM ALL! Any of those things may appear in a domain name that Whoxy has some data on. The only thing limiting you here is your own creativity.
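
The variant hunting suggested for the “Company Name” search and the run-them-all approach for “Domain Keyword” can both be prepared as a term list before you start typing. This is an added example, not code from the original post or from Whoxy; the function names, the suffix list and the four-character minimum are assumptions made for illustration.

```python
import re

# Legal-form suffixes often appended to business names (constructed list
# for this example; extend it for the jurisdictions you work in).
LEGAL_SUFFIXES = {"inc", "incorporated", "llc", "ltd", "limited", "corp",
                  "corporation", "co", "company", "gmbh", "plc"}

def _words(text):
    """Lowercase, spell '&' as 'and', drop punctuation, split into words."""
    text = text.lower().replace("&", " and ")
    text = re.sub(r"[^a-z0-9\s_-]", "", text)
    return [w for w in re.split(r"[\s_-]+", text) if w]

def _core(text):
    """Return (all words, words with trailing legal-form suffixes removed)."""
    words = _words(text)
    core = list(words)
    while len(core) > 1 and core[-1] in LEGAL_SUFFIXES:
        core.pop()
    return words, core

def _unique(items):
    """De-duplicate non-empty strings while keeping first-seen order."""
    return list(dict.fromkeys(i for i in items if i))

def company_variants(name):
    """Spellings to try one by one in the "Company Name" search."""
    words, core = _core(name)
    out = [name.strip(), " ".join(words), " ".join(core)]
    if "and" in core:
        out.append(" ".join("&" if w == "and" else w for w in core))
    return _unique(out)

def domain_keywords(term, min_len=4):
    """Strings to try in "Domain Keyword": domain labels hold only
    letters, digits and hyphens, so spaces and punctuation are dropped."""
    _, core = _core(term)
    no_and = [w for w in core if w != "and"]
    out = ["".join(core), "-".join(core), "".join(no_and), "-".join(no_and)]
    # min_len is an assumed cut-off: very short keywords match too broadly.
    return [k for k in _unique(out) if len(k) >= min_len]

if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real investigation.
    for sample in ("Smith & Sons Plumbing, LLC", "night_owl.77"):
        print(sample, company_variants(sample), domain_keywords(sample))
```

Every hit these terms produce still falls under the disclaimer at the top of the post: a matching name or keyword in a WHOIS record is a lead to verify, not an identification.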

That’s it! That’s the blog. I sure hope this sparked some new ideas for you, and next time you’re doing OSINT research, remember… go beyond WHOIS!