How a WHOIS Domain Search Helps Law Enforcers Fight Cybercrime

Law enforcers face a steep challenge when it comes to investigating cybercrime, specifically tracking the individuals or groups behind it. Attackers typically use sophisticated evasion tactics to hide their tracks, and most work from countries with lax or even non-existent cybersecurity laws, which makes prosecution far harder.

A study also cites the cyber-engagement gap as a considerable challenge; as a result, less than 1% of cyber-attacks are investigated. Efforts to battle cybercrime are not well coordinated globally either. Yet another obstacle is that most law enforcers lack the tools to deal with cybersecurity threats. That is where tools like WHOIS Lookup come in.

The tool gives law enforcers much-needed leads to go after the bad guys. Armed with a domain name, IP address, or email address connected to a crime, they can look up the associated registrant's details. That information can serve as the starting point for an in-depth investigation.

5 Steps in a Cybercrime Investigation

As with offline crimes, law enforcement agents need to follow a series of steps to conduct a cybercrime investigation properly. These include:

1. Assess the Situation

Officers must first determine the specific elements of the crime and whether the laws in their jurisdiction support prosecution. They need to know whether charges will hold if guilt is proven. Given the technologies involved, most agencies may not have the resources needed to catch offenders, and the global nature of the Internet adds to the difficulty.

2. Conduct an Initial Investigation

Law enforcers should still follow standard investigative methods. They need to ask the who, what, where, when, why, and how questions. More specifically, investigators need to know:

  • Who the potential suspects are
  • What crimes were committed
  • When the crimes were committed
  • Whether the offenses are limited to their jurisdiction
  • What evidence they can collect
  • Where they may obtain physical and digital evidence
  • What types of evidence were used
  • Whether any evidence needs to be photographed or preserved immediately
  • How to preserve evidence for court proceedings

A WHOIS domain search tool often comes in handy in answering these questions.

3. Identify Potential Evidence

Digital evidence comes in various file types and sizes. Some may be encrypted, protected, or otherwise hidden. If an agency does not have the resources, tools, or specific expertise needed to identify and collect evidence, it can consider partnering with other agencies or private companies that do have the required capabilities.

4. Secure Devices and Obtain Court Orders

In many cases, investigators may seize electronic devices without warrants, but they must obtain warrants to search them. In fact, they need multiple warrants for particular devices connected to several crimes.

Subpoenas are also a must in gathering digital evidence. Many Internet- and communication-based companies publish guides to help law enforcement understand their information-sharing policies.

Non-disclosure agreements (NDAs) may also be needed when officers request information from an electronic service provider (ESP) and do not want the suspect notified. Court orders are required to compel ESPs to provide more than basic subscriber information; such orders cover records like message headers or IP addresses, but not message content.

5. Analyze Results with the Prosecutor

It is also essential to work with the prosecutor to identify appropriate charges and determine what additional information or evidence is required before filing a case.

As shown, it takes a lot to build a case against suspected cybercriminals. That is why most cases last for years before suspects are charged and convicted. Let's take a look at one example in particular.

Law Enforcers Catch Up with the GozNym Malware Cybercriminal Group

A cybercriminal gang comprising individuals from Russia, Georgia, Ukraine, and Bulgaria, among other countries, stole US$100 million from victims between October 2015 and December 2016. They did so by stealing the victims' banking credentials.

The investigation revealed that the attackers sought the help of a coder they met on an underground forum to create the banking Trojan, GozNym. They then went on to recruit people to join their group. These recruits played various roles, including money mules, crypters, and spammers, among others.

GozNym spread through spam emails. Recipients either downloaded an attachment (the malware in disguise) or clicked a link to a page that hosted the malicious file. GozNym stole victims’ online banking credentials, which the attackers used to make wire transfers to accounts under their control.

As of May 2019, the coordinated efforts of law enforcers from various parts of the globe caught the alleged cybercriminals who are now facing prosecution. Now, we come to the part where tools like WHOIS Lookup figure in investigations.

How Can a WHOIS Domain Search Tool Help Law Enforcers Catch the Bad Guys?

The chances of readily identifying attackers may be slim, but WHOIS Lookup can provide clues that can jumpstart investigations.

Take the GozNym malware campaign. Around the time the gang was captured, a URL containing the domain ssbulah69[.]club was identified as an IoC. A WHOIS domain search would reveal that the domain was created on May 2, 2019 and registered through a domain privacy service based in Panama, an offshore jurisdiction. That said, even when cybercriminals use a domain privacy service, investigators can still partner with the registrar (in this case NameCheap) to see what other details can be gathered.

Additionally, while the original members of the group behind the 2015-2016 attacks are already in custody, other criminals are still using variants or predecessors of the malware. After all, GozNym is derived from two malware sources, Gozi and Nymaim. The former, Gozi, was once again flagged by VirusTotal in connection with the domain securecloudbase[.]com. From there, a WHOIS domain search would reveal that the domain was created on July 8, 2019, with "Wang Wiet" listed as the registrant organization in the WHOIS record.
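The two lookups above follow the same pattern: refang the indicator, pull the WHOIS record, check how young the domain was when it was sighted, and decide whether the registrant fields give a direct lead or whether the registrar has to be approached through legal process. The script below is an added example (not code from the article, nor from the WHOIS Lookup or TIP products it mentions) that works through that triage for both domains. The WHOIS texts are constructed samples that carry only the details stated in the article (the creation dates, the registrar NameCheap, the registrant organization "Wang Wiet"); the privacy-service organization name, the sighting dates, the privacy-marker list and the 30-day "newly registered" threshold are all assumptions.

```python
"""Triage IoC domains from their WHOIS records.

Added example: not code from the article, nor from the WHOIS Lookup / TIP
products it mentions. The WHOIS texts are constructed samples that carry only
the details the article states (creation dates, the registrar NameCheap, the
registrant organization "Wang Wiet"); every other value is a placeholder.
"""
from datetime import date
from typing import Dict

# Heuristic markers of a privacy/proxy registration (assumption, not exhaustive).
PRIVACY_MARKERS = ("privacy", "proxy", "whoisguard", "redacted", "protected")

# Domains registered this recently when first sighted get flagged (assumption).
NEW_DOMAIN_DAYS = 30

# Constructed WHOIS records, keyed by the defanged IoC as it appears in reports.
WHOIS_SAMPLES = {
    "ssbulah69[.]club": (
        "Domain Name: SSBULAH69.CLUB\n"
        "Registrar: NameCheap, Inc.\n"
        "Creation Date: 2019-05-02T00:00:00Z\n"
        "Registrant Organization: Privacy Service Ltd (constructed placeholder)\n"
        "Registrant Country: PA\n"
    ),
    "securecloudbase[.]com": (
        "Domain Name: SECURECLOUDBASE.COM\n"
        "Registrar: [registrar placeholder]\n"
        "Creation Date: 2019-07-08T00:00:00Z\n"
        "Registrant Organization: Wang Wiet\n"
        "Registrant Country: [country placeholder]\n"
    ),
}

# Date each IoC was first seen by the analyst (constructed assumption).
SIGHTINGS = {
    "ssbulah69[.]club": date(2019, 5, 16),
    "securecloudbase[.]com": date(2019, 7, 20),
}


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a resolvable name, e.g. a[.]b -> a.b."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def parse_whois(text: str) -> Dict[str, str]:
    """Parse 'Key: value' WHOIS lines into a dict with normalised keys."""
    record: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        record[key.strip().lower().replace(" ", "_")] = value.strip()
    return record


def creation_date(record: Dict[str, str]) -> date:
    """Read the creation date; only the YYYY-MM-DD prefix matters for age checks."""
    return date.fromisoformat(record["creation_date"][:10])


def domain_age_days(record: Dict[str, str], seen_on: date) -> int:
    """Days between registration and the day the IoC was sighted."""
    return (seen_on - creation_date(record)).days


def uses_privacy_service(record: Dict[str, str]) -> bool:
    """True when the registrant fields look like a privacy/proxy service."""
    fields = (record.get("registrant_organization", ""), record.get("registrant_name", ""))
    haystack = " ".join(fields).lower()
    return any(marker in haystack for marker in PRIVACY_MARKERS)


def triage(ioc: str, whois_text: str, seen_on: date) -> Dict[str, object]:
    """Summarise an IoC domain and name the next investigative lead."""
    record = parse_whois(whois_text)
    age = domain_age_days(record, seen_on)
    privacy = uses_privacy_service(record)
    registrar = record.get("registrar", "unknown")
    org = record.get("registrant_organization", "unknown")
    if privacy:
        lead = f"privacy-proxied: request registrant data from registrar {registrar} via legal process"
    else:
        lead = f"registrant organization '{org}' visible: pivot on it for related domains"
    return {
        "domain": refang(ioc),
        "registrar": registrar,
        "created": creation_date(record).isoformat(),
        "age_days_at_sighting": age,
        "newly_registered": 0 <= age < NEW_DOMAIN_DAYS,
        "privacy_service": privacy,
        "registrant_organization": org,
        "lead": lead,
    }


if __name__ == "__main__":
    for ioc, seen_on in SIGHTINGS.items():
        for field, value in triage(ioc, WHOIS_SAMPLES[ioc], seen_on).items():
            print(f"{field:>24}: {value}")
        print()
```

Run as-is it prints a triage summary for each constructed record; in practice the WHOIS text would come from a lookup service and the sighting date from the alert or report that carried the IoC. The domain-age check is the defender's quick win here: both domains in the article were registered within two weeks of being sighted, which on its own is a reason to scrutinise traffic to them.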

---

The exponential growth of cybercrime worldwide will cost victims a whopping US$6 trillion by 2021. Because of the increasing number of attacks, it’s hard for law enforcers to keep up. As we’ve shown, it takes a lot of research to get each piece of digital evidence to charge cybercriminals successfully. Nonetheless, WHOIS domain search tools like WHOIS Lookup can help get things going.

About the Author


Jonathan Zhang is the founder and CEO of Threat Intelligence Platform (TIP), a data, tool, and API provider that specializes in automated threat detection, security analysis, and threat intelligence solutions for Fortune 1000 and cybersecurity companies. TIP is part of the WhoisXML API family, an intelligence vendor trusted by over 50,000 clients.
