Even for available domain names, it is not possible to leave the WHOIS history to chance


A lot of thought and energy often goes into finding the “best” internet domain name for a new brand, product or service. So isn’t it wonderful when the perfect match turns out to be immediately available for purchase from any major registrar?

What business owners and executives may not know, however, is that a domain’s past can affect its new owners, and in a negative way. Using WHOIS History Search In this article, we look at two ways a domain’s ownership history can negatively impact new registrants, even if they think it’s safe to buy their dream property online because no one told them otherwise.

Damage to reputation

Any organization, regardless of the industry to which it belongs, strives to acquire a excellent picture to attract customers. But perhaps companies involved in charitable and spiritual activities value their reputation the most.

Consider the heartspacespiritualcenter domain[.]org. This would suit an organization that focuses on spiritual well-being and rehabilitation. And it is available for recording when you run it on a domain availability tool.

Typically, buying the domain would be the next step after discovering that it is available. But what if you added an extra step by checking its recording history? By using the WHOIS history search, you can gain insight into the ownership history of the domain. heartspacespiritualcenter[.]org belonged to an individual named Al Perkins of St. Helier, Jersey, UK.

What can you learn from this information? A simple Google search using the search term “Al Perkins domains” would return these titles:

Al Perkins is a cybersquatter alias Wesley Perkins uses. One of his techniques is to buy domain names that companies accidentally fail to renew and redirect traffic to adult sites before demanding thousands of dollars when the previous owner starts negotiating.

Because Perkins owned it, it is possible that the domain heartspacespiritualcenter[.]org used to redirect visitors to adult sites. Such an association with disreputable content could harm the reputation of the spiritual organization, perhaps even today.

Links to cybercrime

Reviewing the domain ownership history would also ensure that your organization has no connection to cybercrime. Keep in mind that cybercriminals use 7 out of 10 newly registered domains (NRD) to spread malware or launch phishing attacks.

When malware and threat intelligence databases detect and block these weaponized domains, hackers typically delete them, making them available to future owners. And unbeknownst to a new registrant, a domain with ties to malicious activity could even be the target of cybercriminal investigations.

Take, for example, the domain name onenewpost[.]com, which appeared as available on the Domain Availability API. Checking the ownership history of his domain reveals that Xinxin Co. owned it in the past.

As the domain is relatively old, we used WHOIS history search gather as much information about it as possible. We found that the domain was first registered in September 2015 by a protected person based in Panama, a popular offshore country for domain registration. Many companies and organizations tend to register domain names there for various reasons. One of them is increased data privacy, which unfortunately also attracts criminals.

In October 2016, another anonymous owner, this time from Washington, USA, obtained the domain. In September 2017, Xinxin Co. finally took over the domain.

While the removal of ownership details from WHOIS is not a telltale sign of cybercrime, the change of hands that involved two offshore countries could be seen as a red flag. Further investigation should follow.

It turned out that the domain is labeled as “malicious” by Threat Intelligence Platform (COUNCIL) and VirusTotal. Digging deeper, we discovered that onenewpost[.]com is one of the indicators of compromise (IoCs) connected to Magecart Group 5a gang of cybercriminals specializing in credit card skimming.


In both scenarios explored above, organizations that purchase both domains after verifying that they are available would most likely face undesirable consequences. The new owners of heartspacespiritualcenter[.]org could, for example, start operating and gaining new customers and donors with the possibility of being associated with inappropriate adult content later on.

The hypothetical new owners of onenewpost[.]com, on the other hand, may wonder why their email marketing strategies aren’t working. Recipients could block their emails because the domain is considered malicious in threat intelligence databases. They might even end up being part of an investigation since Magecart Group 5 is not a little while group of pirates.

Previous InternetNZ reports boom in demand for .nz domain names
Next Power Management and IP Integration in SoCs: Part 2