By Byron V. Acohido
When Seattleite Jay Westerdal bootstrapped a company called DomainTools in 2002, it was to support his activities in the domain name speculation game that was red hot at the time.
DomainTools set out to gather domain “whois” records in order to serve those immersed in speculating on owning domain names, like chocolate.com. Unbeknown to the founders at the time, the company did a couple of things that would position DomainTools to reinvent itself down the road as a security vendor, once the domain name market ran its course.
First, the company kept historical records of everything. And, second, DomainTools started gathering, not just “whois” records, but also web server and email server records, all of which would prove to be valuable for tracking the activities of cyber criminals.
ThirdCertainty recently visited with Tim Helming, DomainTools’ director of product management, to outline how the company today sheds light on the cyber underground. Text edited for clarity and length.
3C: How do domain names come into play with malicious internet activities?
Helming: Everything that happens on the internet happens with IP addresses and domain names. You’ve probably received phishing emails once or twice, right? We all have. So a phishing email has domains in a couple of places. Usually there’s a link that they want you to click on, and that link has some domain in it. Sometimes it’ll be an intentional typo that looks like a legitimate site. They want you to click on it. So that domain name actually is a key to a lot of valuable information about the attacker.
From that one domain, you can often expand and see other domains that they own. And that could tell you things like, ‘Oh these other domains are all targeting businesses in my industry. So this attacker’s interested in my industry.’ Or maybe they’ve got a …
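As an added illustration of the two ideas Helming describes, a lookalike domain in a phishing link and pivoting from that domain to others the same registrant controls, here is a small defender-side script. It is example code written for this article, not DomainTools’ software; the whois-style records, domains, e-mail addresses and field names are all constructed.

```python
"""Spot typo-squats of a brand domain and pivot from one suspicious domain to
related infrastructure using simplified whois-style records (constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class WhoisRecord:  # hypothetical, simplified record shape for illustration
    domain: str
    registrant_email: str
    name_server: str
    created: str


# Constructed sample records; every value below is invented.
RECORDS = [
    WhoisRecord("chocolate.com", "admin@chocolate.com", "ns1.legit-dns.example", "1998-04-02"),
    WhoisRecord("chocoIate.com", "bob@mailbox.example", "ns1.cheap-dns.example", "2016-02-01"),
    WhoisRecord("ch0colate.com", "bob@mailbox.example", "ns1.cheap-dns.example", "2016-02-03"),
    WhoisRecord("acme-bank-login.example", "bob@mailbox.example", "ns2.other.example", "2016-02-05"),
    WhoisRecord("unrelated.example", "carol@mailbox.example", "ns1.cheap-dns.example", "2010-09-09"),
]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one substitution is the classic typo-squat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalikes(brand: str, records, max_distance: int = 1):
    """Domains within max_distance edits of the brand. Case-folding catches the
    capital-I-for-lowercase-l trick in chocoIate.com as well as the 0-for-o one."""
    return sorted(r.domain for r in records
                  if r.domain != brand
                  and edit_distance(r.domain.lower(), brand.lower()) <= max_distance)


def pivot(seed: str, records, fields=("registrant_email", "name_server")):
    """Expand one suspicious domain into others sharing a whois field.
    Returns {field: sorted other domains with the same value}. A shared registrant
    e-mail is a strong link; a shared name server is weaker, since any customer of
    the same DNS host will match (unrelated.example shows up for that reason)."""
    seed_rec = next(r for r in records if r.domain == seed)
    return {f: sorted(r.domain for r in records
                      if r.domain != seed and getattr(r, f) == getattr(seed_rec, f))
            for f in fields}
```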