Topic: [GUIDE] How to get WHOIS information of a domain (Read 154 times)

legendary
Activity: 2044
Merit: 1018
Not your keys, not your coins!
September 15, 2020, 06:56:17 AM
#4
WHOIS information is only helpful if the owner is okay with displaying the website and personal information in a public domain. In general, this information is always kept hidden by the owners because the domain service provider promotes privacy. If this information is kept hidden, it does not mean that the website is promoting a scam.
With the 5 main things from OP, you can choose one or combine some of these five to investigate a website. It is a start to your work, and if you don't find anything that looks suspicious, you can do other investigations. If you find evidence of a scam with the 5 main things, you can stop your scam investigation. There's no need to waste more time if you already know it is a scam.
legendary
Activity: 1512
Merit: 4795
Leading Crypto Sports Betting & Casino Platform
This is a very good write-up, but I have a few things to comment on. Normally, there are countries where scammers are able to have fake identities; it can also happen in many well-regulated countries that scammers will have fake identities (but legit in the community). Normally, someone's home/workplace address can be fake without ICANN knowing; people can still use emails running on the dark web to be anonymous to a certain extent, like Proton email, using the Tor browser, which will provide a certain level of privacy. Also, people can have helpers in service-providing companies to register real fake SIMs, and some people can even go with fake documents and be lucky. This should be known.

If you are running illegal activities on your website using a domain name, ICANN might seize the domain from you. So you will lose access to the domain name you paid for. In the case of bitcoin scammers these go largely unmoderated because they appear and disappear so fast that they're only up for a few months or so, and don't get enough traffic for ICANN to see their site at all. Scam sites get, say, a few hundred visits in their lifetime. That's why scam sites usually stay up.
Thousands of people could have been scammed before ICANN seizes the domain; this is not new but common. It is also worth knowing that many scam domains still exist and nothing has happened yet, but they are still scamming people. ICANN may be trying, but there are domains that will always be there for scammers. Scamming is complicated and complex at times, and beyond simplicity.

Another thing scammers can do is register a domain name with fake contact information (fake name, address, phone number). Neither the domain registrar nor ICANN verifies your contact information to make sure it exists and is correct, but if you do that and ICANN ever has a problem with their site they want to contact or call you about, contact will be impossible so they will just seize your domain without warning.
You can fake a real identity that is fake; check my illustration above. Scammers are wise and can manipulate. There are many of them that have fake mobile numbers that cannot be traced to them; they have untraceable emails and fake addresses. ICANN will contact them, but they still act like they are real and legit. So, ICANN will not seize the domain until their aims are achieved.

Know that people are different; some of us are more talented than others, and some scammers are more talented than others. Many scammers have had an unsuspicious domain for a long time and are using it to scam people. Some could be known, but they would have gained a lot of money/bitcoin from victims.

Ultimately, people can fall victim; we need to be careful of these scammers, never depending on ICANN, as we can be scammed at any time. We should check the domain name: if it was created not long ago, we should not invest in such business(es) the site is offering. Also, there are many domains that have existed for a long time, but ICANN cannot do anything to stop them; it is us that will apply wisdom and knowledge. A good example is cloud mining; their domains are not blocked till now.

There are many scam domains that ICANN does not seize which are actually scams. It is up to us to be careful not to be scammed.
member
Activity: 72
Merit: 36
WHOIS information is only helpful if the owner is okay with displaying the website and personal information in a public domain. In general, this information is always kept hidden by the owners because the domain service provider promotes privacy. If this information is kept hidden, it does not mean that the website is promoting a scam.

legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
Preamble

When someone registers a domain name with a registrar, they have to provide them with contact information such as the registrant's first and last name, phone number, street address, email, city, country and other personal details. It is required by ICANN, the organization that oversees domain name management, so that they can contact that person if they want to ask questions about the website. Say you are running a site that provides financial services; ICANN might or might not contact you about this to make sure you are operating within the law. And if your site is not popular enough, chances are they won't notice your site at all. (I have a number of domains registered with fake contact information. As long as they don't get busy traffic or get indexed by search engines, and you don't do anything illegal, nobody will bother you about them.)

If you are running illegal activities on your website using a domain name, ICANN might seize the domain from you. So you will lose access to the domain name you paid for. In the case of bitcoin scammers these go largely unmoderated because they appear and disappear so fast that they're only up for a few months or so, and don't get enough traffic for ICANN to see their site at all. Scam sites get, say, a few hundred visits in their lifetime. That's why scam sites usually stay up.

Another thing scammers can do is register a domain name with fake contact information (fake name, address, phone number). Neither the domain registrar nor ICANN verifies your contact information to make sure it exists and is correct, but if you do that and ICANN ever has a problem with your site that they want to contact or call you about, contact will be impossible, so they will just seize your domain without warning.

Now, there are real reasons you might want to hide your contact information, and/or replace it with fake details. Maybe you don't want to reveal your real name or phone number, given that this contact information can be seen by the entire internet in the form of WHOIS records. But instead of writing fake contact information, there is an alternative way to hide your personal details for privacy purposes. You can buy WHOIS protection for some domain TLDs (.com, .net and such), and in the WHOIS record the domain registrar replaces the contact information you typed with their own generic details. Some registrars give you WHOIS protection for free (like Porkbun).

This allows ICANN to still be able to contact you, instead of seizing your domain outright, while still keeping your contact information secret. Bear in mind though that if you do not respond to repeated attempts by ICANN to contact you, they will seize your domain anyway.



So now that I got that out of the way, getting information about the domains that scammers use on their sites is very valuable because this information can be interconnected with other domains, so now you can link multiple domains to the same scammers.

How to get WHOIS information

In this example I will search for information about the domain 1xbit.com.

Using Domaintools

1. Go to https://whois.domaintools.com

2. Type the name of the domain you want to get information for in the search box.


3. The information about the domain is now available on a separate page.


Now we go over the labeled entries in red.

1. Dates - This shows how many days old the domain is, the date it was created, and the date it will expire. A scam site usually uses a newly created domain.

2. Tech contact - Shows you the WHOIS information I was talking about earlier. It shows you the person's name ("Domain Admin"), their company (if applicable, as this field is not required if you aren't a company), the city, the email, and the phone number of the person who registered this domain. These values here are all dummy values, because 1xbit.com is using WHOIS protection.

3. IP Address/IP Location - Shows you the IP address the website is running on, and which hosting company is hosting the server. In this case, it is using a dedicated server from Melbicom EU hosting.

4. Domain Status - Shows you whether a website is running on this domain, whether the scammers shut down the website and disconnected it from the domain, or whether they put it up for sale.

5. Registrar History/Hosting History - Shows you how many times a website moved between domain registrars and web hosts, and how many providers it moved between. Sometimes a website gets booted off of a domain registrar or a web host for legal reasons and the scammers have to transfer it elsewhere. Websites are usually hosted in data centers, not on residential internet lines because most residential ISPs prohibit that. So this won't show you a residential ISP as the host.



What you can do with this information

- The Tech contact information can be used to initiate a scam accusation against a website or be posted in Investigations
- The Domain Status and Registrar History information can be used to see if registrars and hosting companies are taking action against scam websites
- The Dates information can be used to detect the likelihood of a site being a scam. If it was registered recently but the website itself advertises being around for X years then that is a red flag.
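The same five items the guide reads off the Domaintools page (dates, contact, status, registrar, hosting/name servers) can be pulled straight from a raw WHOIS record and turned into the red-flag checks listed above. The script below is an added example and is not code from the original post or from Domaintools. It assumes the "Key: value" layout that .com/.net registrars return over port 43 (WHOIS has no formal schema, so the field names it matches are a best-effort set), and the sample record, the "now" timestamp and the privacy-service names in it are constructed for the demo; `query_whois()` is included for a live lookup but the demo itself runs offline.

```python
"""Fetch and triage a WHOIS record the way the guide reads the Domaintools page.

Added example, not code from the original post. Assumptions: records use the
"Key: value" layout of .com/.net registrars; the sample record, NOW and the
privacy-service strings below are constructed for this example.
"""
import re
import socket
from datetime import datetime, timezone
from typing import List, Optional

WHOIS_PORT = 43  # RFC 3912: WHOIS is a plain-text query over TCP/43

# Strings that typically appear in contact fields when a privacy/proxy service
# has replaced the registrant's details (constructed list; extend as needed).
PRIVACY_MARKERS = ("privacy", "proxy", "redacted", "whoisguard", "domains by proxy")


def query_whois(domain: str, server: str = "whois.verisign-grs.com",
                timeout: float = 10.0) -> str:
    """Raw WHOIS query over TCP/43 (needs network; the demo below stays offline)."""
    with socket.create_connection((server, WHOIS_PORT), timeout=timeout) as sock:
        sock.sendall(f"{domain}\r\n".encode("ascii"))
        chunks = []
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_whois(text: str) -> dict:
    """Extract the fields the guide labels 1-5: dates, contact, status, registrar, name servers."""
    rec = {"status": [], "name_servers": [], "contacts": [], "emails": []}
    for line in text.splitlines():
        m = re.match(r"^\s*([^:]+?):\s*(.*)$", line)
        if not m:
            continue
        key, val = m.group(1).strip().lower(), m.group(2).strip()
        if key == "domain name":
            rec["domain"] = val.lower()
        elif key in ("creation date", "created", "registered on"):
            rec["created"] = val
        elif key in ("registry expiry date", "expiry date", "expires"):
            rec["expires"] = val
        elif key == "registrar":
            rec["registrar"] = val
        elif key == "domain status":
            rec["status"].append(val.split()[0])  # keep the EPP code, drop the trailing URL
        elif key == "name server":
            rec["name_servers"].append(val.lower())
        elif key.endswith((" name", " organization")):  # registrant/admin/tech contacts
            rec["contacts"].append(val)
        elif key.endswith(" email"):
            rec["emails"].append(val.lower())
    return rec


def parse_date(value: str) -> datetime:
    """Registries disagree on date layout; accept ISO 8601 and the older dd-mon-yyyy form."""
    try:
        dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        dt = datetime.strptime(value, "%d-%b-%Y")
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def domain_age_days(rec: dict, now: datetime) -> int:
    return (now - parse_date(rec["created"])).days


def is_privacy_protected(rec: dict) -> bool:
    """True when the contact fields look like a WHOIS-protection service, not a person."""
    blob = " ".join(rec["contacts"] + rec["emails"]).lower()
    return any(marker in blob for marker in PRIVACY_MARKERS)


def triage(rec: dict, now: datetime, claimed_years: Optional[int] = None) -> List[str]:
    """Apply the guide's checks; returns one note per observation (empty list if nothing stands out)."""
    notes = []
    age = domain_age_days(rec, now)
    if age < 180:
        notes.append(f"domain was created only {age} days ago")
    if claimed_years and age < claimed_years * 365:
        notes.append(f"site claims {claimed_years} years of operation but the domain is {age} days old")
    if is_privacy_protected(rec):
        notes.append("contact fields belong to a privacy/proxy service (not a red flag by itself)")
    on_hold = [s for s in rec["status"] if s.lower().endswith("hold")]  # clientHold / serverHold
    if on_hold:
        notes.append(f"registrar or registry has suspended the domain ({', '.join(on_hold)})")
    return notes


# Constructed sample record for the demo; it is not real WHOIS output.
SAMPLE_RECORD = """\
   Domain Name: EXAMPLE.COM
   Registrar: Example Registrar, LLC
   Updated Date: 2020-09-10T04:12:30Z
   Creation Date: 2020-08-30T11:02:15Z
   Registry Expiry Date: 2021-08-30T11:02:15Z
   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
   Domain Status: clientHold https://icann.org/epp#clientHold
   Name Server: NS1.EXAMPLE-HOST.NET
   Name Server: NS2.EXAMPLE-HOST.NET
   Registrant Organization: Example Privacy Service, LLC
   Registrant Email: proxy@privacy.example
   Tech Name: Domain Admin
   Tech Email: proxy@privacy.example
"""

# Fixed "now" (the date of the post) so the demo is reproducible offline.
NOW = datetime(2020, 9, 15, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    record = parse_whois(SAMPLE_RECORD)  # swap in query_whois("example.com") for a live lookup
    for note in triage(record, NOW, claimed_years=5):
        print("-", note)
```

The status check matters for item 4 in the guide: `clientTransferProhibited` is a normal lock every registrar sets, while `clientHold` or `serverHold` means the name servers have been pulled and the site no longer resolves, which is what a takedown looks like in the record. The privacy note is deliberately neutral, in line with the thread's point that hidden contact details are not by themselves evidence of a scam.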