Domain Privacy: What happens to public WHOIS records?

We live in a world where information is power, and power is unfortunately abused on a regular basis. When you buy a domain name you need to provide various details to complete the purchase and registration. For instance, you will provide a name/company name, address, admin contact and an array of other useful contact details. The WHOIS domain service is a very simple but extremely effective tool which queries the records held by domain name registrars and allows you to check whether a particular domain name is in use and, if so, who owns it. This system dates back to the 1980s. Although various conditions are attached to reduce abuse, such as “promising” not to spam domain name owners, spammers still scrape the information online. So what’s happening to public WHOIS records? You guessed it, the information is being abused!

As a consequence, the whole concept of the WHOIS domain platform is changing to introduce “cloaking” services. These services will hide all but the most basic contact details.

Is this overkill or a legitimate response to spamming?

It is unfortunate but there are now fairly simple and straightforward scraping tools available. These help spammers search for the contact details of domain names via their WHOIS records. Those who suggest it is simply a case of ignoring the spammers may not fully appreciate the potential risks. These risks include:-

  • Identity theft
  • Malware
  • Website hacking
  • Fraudulent emails

In many cases, website owners entered their telephone numbers to complete their domain registration records. This is the green light for spammers, fraudsters and a whole array of other potential criminals to contact you. Indeed, if the DNS records for your domain names are also made public they can join the dots and have a coherent conversation with you.

A simple IP lookup, with your hosting server IP address part of the DNS records, could give the fraudsters information about the location of your host server. They could pretend to be part of your hosting company, an associated party or even the police “chasing up on a lead”. Even though the vast majority of domain name owners are fully aware of the risks of giving information over the telephone, email or instant messaging, this still happens. If you did not request a communication then you should be very cautious.

Simple steps for the fraudsters/spammers

The process of finding the owner of a domain name and then contacting them is extremely simple. It consists of:-

Domain name search

Many websites including hosting companies offer a domain name search service. This lets users see if a particular domain has been taken and, assuming the information is public, by whom. You can also do this via domain registration services where you simply select the domain name you are after and you will be informed whether or not it is available.

Check the WHOIS records

When searching for a domain name which is already taken you will notice that the vast majority of domain registrars will give you the option of looking at the WHOIS records. Thankfully, the majority of hosting companies and domain name registrars offer services to “cloak” registrants’ contact information. However, not all domain name owners have taken up this option. In fact, many older websites still display private and confidential ownership details.

If you have public WHOIS records then spammers/fraudsters will likely have the owner’s name, address, email contact and sometimes even a telephone number. There will also be DNS records showing the name of the host provider and associated IP addresses.

Contacting domain name owners

Once all of the ownership information has been scraped it is simply a case of contacting website owners by whatever means. This may be email, telephone or instant message or any other lines of communication available. While many of the spammers will be relatively straightforward, offering their services for a particular price, this information is gold dust for fraudsters.

We have also seen situations where hackers have managed to obtain usernames and passwords for individuals. Unfortunately, despite various warnings, many people still use the same password for a number of their individual accounts. So, in theory, whether it is exactly the same username and password or a similar format involving the domain name as a username, it may be possible to obtain access to numerous website control panels and cause havoc.

Protecting yourself from spammers/fraudsters

The easiest way to protect your assets from spammers/fraudsters is to make use of the “cloaking” services offered by the vast majority of domain name registrars and web hosting companies. You will still need to give the same details when purchasing or renewing a domain name; the only difference is that they will not be made public. In recent times we have seen a significant increase in the number of complaints to ICANN (the Internet Corporation for Assigned Names and Numbers) but this is not within the scope of ICANN.

How to protect yourself and your domain

There are other simple ways in which you can also inject a degree of protection against the spammers/fraudsters such as:-

  • If you feel you need ownership details to be public then only give the bare minimum.
  • Ensure that usernames and passwords are different for individual domain hosting accounts.
  • If you hold your website through a company name then use the company address rather than your personal details.
  • Never respond to unsolicited calls regarding your domain names, web hosting accounts or business activities.
  • If the communication does feel legitimate, ask for a contact telephone number or email address. You can even search on the Internet for confirmation.
  • Ensure that your website is backed up on a regular basis.
  • Consider using website monitoring tools to monitor suspicious activity.
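A check you can run against your own domain's WHOIS output to confirm that cloaking is in place and only the bare minimum is public. This is an added example, not part of the original article; the sample records, the marker strings and the function names are constructed assumptions, and cloaking wording differs between registrars.

```python
ROLES = ("registrant", "admin", "tech", "billing")  # contact blocks to check
SENSITIVE = ("name", "street", "address", "phone", "fax", "email")
# Assumption: wording varies by registrar; extend with the strings yours uses.
CLOAK_MARKERS = ("redacted", "privacy", "proxy", "withheld", "not disclosed")
# Constructed sample records (reserved example.test names, fictitious 555 numbers).
PUBLIC_RECORD = """\
Domain Name: example.test
Registrant Name: Jane Doe
Registrant Organization: Doe Widgets Ltd
Registrant Street: 1 Sample Road
Registrant Phone: +1.5555550100
Registrant Email: jane@example.test
Name Server: ns1.example.test
"""
PARTLY_CLOAKED_RECORD = """\
Domain Name: example.test
Registrant Name: REDACTED FOR PRIVACY
Registrant Phone: REDACTED FOR PRIVACY
Registrant Email: REDACTED FOR PRIVACY
Tech Phone: +1.5555550101
"""


def parse_whois(text):
    """Return (key, value) pairs from 'Key: Value' lines, skipping comments."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("%", "#", ">>>")):
            continue
        key, sep, value = line.partition(":")
        if sep and value.strip():
            pairs.append((key.strip(), value.strip()))
    return pairs


def exposed_fields(text):
    """Contact fields whose value is present and shows no cloaking marker."""
    findings = []
    for key, value in parse_whois(text):
        k, v = key.lower(), value.lower()
        if (k.startswith(ROLES) and any(s in k for s in SENSITIVE)
                and not any(m in v for m in CLOAK_MARKERS)):
            findings.append((key, value))
    return findings


if __name__ == "__main__":
    print(exposed_fields(PUBLIC_RECORD), exposed_fields(PARTLY_CLOAKED_RECORD))
```

The organisation field is deliberately not flagged, in line with the advice to register under a company name; the second record shows how a single uncloaked contact block still exposes a phone number.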

Even though we live in a world where fraudsters and spammers will go to extreme lengths to defraud people, public WHOIS records are one of the lowest hanging fruits when it comes to the criminal fraternity. The chances are that people with malicious intent will scrape any information that you put into the public domain. Worse yet, someone may choose to copy your data and circulate it across the dark web. You could become the target of some very sophisticated and highly organised fraudsters.

Changes to restrict certain public WHOIS records

The WHOIS domain service has been around since the 1980s and unfortunately, due to circumstances outside the service’s control, it has gone from one extreme to another. We have seen a switch from full disclosure to the option of minimum disclosure, which is very much at odds with the transparent nature of the Internet.

So, it will come as no surprise to learn that ICANN instigated a working group to create a new system which would offer greater transparency but also protection to domain name owners. Even though this is outside the scope of ICANN, it has created a movement which is gathering pace, and a new service is emerging.

Registration Directory Service (RDS)

The WHOIS domain could very soon be replaced by an RDS service which will operate on a “need-to-know basis”. This is the best description we have seen:-

“When you get to the front door you don’t get to just walk in, you have to tell us who you are and what you are using this information for”

The public area of the proposed RDS service would be very similar to the “cloaked” WHOIS records, showing only the bare bones of domain name ownership. As with banking records and other private information, law enforcement bodies/government agencies looking for further information would have access on a need-to-know basis after verifying their identity. There would also be access to this “gated data” for other legitimate parties, who would also need to verify their identity and demonstrate a legitimate need to know.

RDS System Cloak

The RDS system is still in its infancy at the moment. We await further details and when it may be available. Until then it is advisable that you take up the offer from your web hosting provider to use a cloaking service and show only the most basic of details about your domain name ownership. In reality, no domain name ownership service will be perfect. However, the ability to limit access to “gated data” while still broadly adhering to the Internet principles of transparency is probably the best option available today.

Summary

It looks highly likely that the WHOIS domain service will be replaced at some point in the future, with domain registration and DNS lookup details hidden behind some kind of gated system. The idea is simple: make it as difficult as possible for the fraudsters/spammers to gain access to legitimate domain name ownership details for deceitful and criminal activity. In many ways this has taken away the innocence of the early Internet and the naive belief that publicly available information about domain name ownership would not be abused.

Yes, we may live in a cynical world but you do need to protect yourself and your assets. The first step is to make public WHOIS records private or keep them at a bare minimum.