Warding Off Cyber Propaganda with WHOIS Search
December 19, 2019
Cyber propaganda refers to using modern electronic means to manipulate events or influence public perception toward a particular point of view. In the past, propagandists took to radio and television stations and newspapers (mostly tabloids) to further their ideologies.
Today, aided by advancements in technology and the ubiquity of the Internet, rumormongering is mostly carried out through fake news sites.
Cyberpropaganda, Fake News, and WHOIS
Two main tactics used by cyber propagandists nowadays are database & system hacking and spreading fake news. Database & system hacking can be difficult to orchestrate; it requires advanced technical know-how that not all propagandists have.
It’s often easier to spoof reputable news sites, publish fake stories, and then entice readers with sensational headlines so that they click the links to the bogus articles. The sad thing is that almost half of readers believe what they read and spread these stories before realizing they are fake. Could this happen to you?
Say you come across some breaking news that appears odd and you want to establish its authenticity before spreading it. The story might come from a site posing as an established media outlet. Or it might be published on a website you have never seen before.
Either way, even if nothing seems amiss with the site at first (i.e., the design is OK, other posts make sense, etc.), a deeper investigation that checks the WHOIS record of the domain in question can help dispel your doubts.
Our Investigative Tool: WHOIS Search
WHOIS Search reveals pertinent information about a domain’s owner, including his/her contact details, how old the domain is, and more.
For this post, we identified the publisher of one of 2018’s biggest fake news stories, abcnews[.]live, which posted “Protesters Vandalize Kavanaugh’s House, $11,000 Damage.”
The domain looks credible in comparison to the real online property, abcnews.go.com, which is ABC News’s online news portal, a subsidiary of Disney Media. Note, however, the distinct TLDs in use by the fake and the actual site — “.live” vs. “.com.” New gTLDs are often part of domain name abuses and impersonation schemes.
Here are some extracts of both sites’ WHOIS records:
What do the results tell us? The site that produced the fake news is in no way associated with the reputable site it’s trying to pass for. Let’s see why.
With over 8,000 days since it was first registered, abcnews.go.com is a much older domain than abcnews[.]live. In comparison, abcnews[.]live has only had 441 days of existence at the time of writing.
Note that 441 days can already be considered a long time in the cybercriminal world. The registrant may have been fooling people with his or her site for a while already. Or he or she may have waited a bit before starting to post fake news so the domain wouldn’t be spotted as a totally “fresh” registration.
If the latter reason happens to be true, a long-term reader of abcnews.go.com may still find it strange that such a long-standing organization as ABC News has been operating the site for only a year.
Looking at Registrant Contact for abcnews[.]live on its own doesn’t allow us to draw any reliable conclusion. The information is redacted either because the registrant is using a domain privacy service or because the registrar is complying with new privacy rules following the entry into force of the General Data Protection Regulation (GDPR).
Yet, should a user wonder whether abcnews[.]live may be a spinoff of abcnews.go.com, the difference in Registrant Organization—ABC, Inc. vs. Disney Enterprises, Inc.—shows that it’s unlikely.
While it may be difficult to prove the integrity of an alternative news publisher, disproving their ties to big-name media outfits is possible with WHOIS Search. Apart from adhering to known best practices such as considering the source, reading beyond, and checking the author, learning more about a domain’s registration details can give a definite answer.
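The comparison walked through above (domain age, redacted registrant, registrant organization, TLD) can be scripted. The following is an added example, not code from the original post or from any WHOIS vendor. The two records are constructed for placeholder domains, with dates chosen to mirror the ages discussed above; the ISO date format, the redaction markers, and the 730-day "young domain" threshold are assumptions.

```python
from datetime import datetime, timezone

# Constructed WHOIS extracts for placeholder domains (not real records).
KNOWN_RECORD = """\
Domain Name: newsbrand.example
Creation Date: 1997-01-01T00:00:00Z
Registrant Organization: Example Media Holdings, Inc.
"""
SUSPECT_RECORD = """\
Domain Name: newsbrand.test
Creation Date: 2018-10-04T00:00:00Z
Registrant Organization: REDACTED FOR PRIVACY
"""
# Assumed substrings that indicate a privacy-masked registrant field.
REDACTION_MARKERS = ("redacted", "privacy", "not disclosed")

def parse_whois(text):
    """Turn 'Key: value' lines into a dict with lower-cased keys."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields.setdefault(key.strip().lower(), value.strip())
    return fields

def domain_age_days(fields, as_of):
    """Whole days between the record's creation date and as_of (UTC)."""
    created = datetime.strptime(fields["creation date"], "%Y-%m-%dT%H:%M:%SZ")
    return (as_of - created.replace(tzinfo=timezone.utc)).days

def compare(known_text, suspect_text, as_of, young_days=730):
    """Return findings that separate the suspect domain from the known one."""
    known, suspect = parse_whois(known_text), parse_whois(suspect_text)
    findings = []
    k_age, s_age = domain_age_days(known, as_of), domain_age_days(suspect, as_of)
    if s_age < young_days and s_age < k_age:
        findings.append(f"suspect is {s_age} days old vs {k_age} for the known site")
    s_org = suspect.get("registrant organization", "")
    k_org = known.get("registrant organization", "")
    if not s_org or any(m in s_org.lower() for m in REDACTION_MARKERS):
        # Redaction alone proves nothing; it only removes one line of evidence.
        findings.append("registrant redacted: no ownership conclusion possible")
    elif s_org.lower() != k_org.lower():
        findings.append(f"registrant organization differs: {s_org!r} vs {k_org!r}")
    if known["domain name"].rsplit(".", 1)[-1] != suspect["domain name"].rsplit(".", 1)[-1]:
        findings.append("TLD differs from the known site")
    return findings
```

WHOIS output formats differ between registries, so a real lookup needs field names and date formats adjusted to the response actually returned.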
Jonathan Zhang is the founder and CEO of Threat Intelligence Platform (TIP), a data, tool, and API provider that specializes in automated threat detection, security analysis, and threat intelligence solutions for Fortune 1000 and cyber-security companies. TIP is part of the Whois API Inc. family, an intelligence vendor trusted by over 50,000 clients.
July 9, 2021