TLS security is compromised due to the CA’s use of outdated WHOIS servers

“The results have been amazing since – we identified 135,000+ unique programs that speak to us, and as of September 4, 2024 we had 2.5 million queries,” the researchers wrote in their report. “A brief analysis of the results showed queries from (but certainly not limited to): Various .GOV and .MIL email servers for businesses using this WHOIS server to query domains from which they receive email; various internet security tools and companies still use this WHOIS server as an authority (VirusTotal, URLSCAN, Group-IB as examples).”

Domain registrars such as GoDaddy and Name.com, various online WHOIS and SEO tools, and a large number of universities were also asking for the old server address. Governments whose systems query the rogue WHOIS server now include the US, Ukraine, Israel, India, Pakistan, Bangladesh, Indonesia, Bhutan, the Philippines, and Ethiopia.

The researchers have since worked with the UK’s National Cyber Security Centre and the Shadowserver Foundation to provide dotmobiregistry.net and prepare it to be a correct proxy for WHOIS responses from whois.nic.mobi.
