WHOIS Coming to Get You?
If you own an Internet domain, you’ve got a target painted on your back and cyber criminals are coming for you. The target is your Whois record, and the criminals are a growing network of spammers, scammers, phishers, and vishers.
The Internet Corporation of Assigned Names and Numbers (ICANN) requires domain registrars collect every registrant's contact information (name, email address, postal address, phone number) and publish it using a global online service called Whois. If you register a domain your personal information will be collected, published, and verified annually. If you fail to cooperate or provide false information, ICANN will take away your domain.
Cyber criminals have long used Whois records to target domain owners with a variety of scams, but lately the number and virulence of attacks is escalating. Some are harmless spam such as offers for marketing, logos, SEO, etc. Some are phishing emails that claim to offer services from a reputable provider, then lure gullible victims to fake web sites that deliver malware or steal passwords.
Whois reveals your phone number as well as email, so scammers can call you too. A current active scam calls you posing as your domain registrar (e.g., GoDaddy) demanding you pay a “domain activation fee”. They ask for a credit card number and other PII. Caller ID shows an 855 area code number that is misidentified on a web page and several YouTube videos as the “Toll Free Quicken Support Phone Number”. I alerted Intuit to this; hopefully Weebly will take down the fraudulent web page and Google will take down the YouTube videos.
You can protect your privacy on Whois to some extent, but it’s not cheap or easy. For example, you’re allowed to list a PO box instead of a street address. You can even have your domain provider list a commercial privacy service as a proxy owner in Whois, but this typically costs $8 or more per domain per year. And none of this matters if you do it after registering your domain. By then the toothpaste is out of the tube, because past versions of your Whois record are permanently archived and made publicly available.
The real solution is to fix Whois. Various proposals have been made to replace it, including Internet Registry Information Service (IRIS) and WHOIS-based Extensible Internet Registration Data Service (WEIRDS), but neither of those specifically addresses privacy or security. The public has a right to know who owns a particular Internet domain, but any next generation Whois replacement must balance that against the need to protect domain owners from spammers, stalkers, and cyber criminals.
Michael McCormick is in information security consultant, researcher, and founder of Taproot Security.