Ever heard the term “hack-back”? Hacking back means answering an intrusion with offensive action against the attacker’s own infrastructure: breaking into the systems an attack came from to identify the operator, recover stolen data, or disrupt the operation. That is a step beyond the defensive work security consultants normally do, such as reverse engineering the attacker’s tooling, anticipating the next move, and preparing a response; it is a counter-intrusion, carried out by the victim rather than by law enforcement.

There has been a lot of heated debate on the subject in recent years but for this post, we’ll focus on answering two questions: (1) Can a hack back be done with the help of a WHOIS database? (2) Is doing so a good idea?

Is Hacking Back Possible Using WHOIS Databases?

First off, let’s look at what a WHOIS database actually gives you: registration records for domains across the gTLD and ccTLD spaces, covering the registrar, creation and expiry dates, name servers, and the registrant contact details where the registry publishes them. Keep in mind that since the GDPR took effect in May 2018, many registrars redact personal registrant data, so the contact fields often read “REDACTED FOR PRIVACY” rather than naming anyone.

The catch is that a WHOIS record tells you who registered a domain, not whether that person is responsible for the attack you observed. Cybercriminals routinely compromise legitimate websites and reuse them for phishing, malware hosting, and command and control, and in many cases the owners have no idea their infrastructure is involved. The domain you traced the attack to may simply have been compromised itself.

So even with a complete WHOIS record in hand, you still need a proper investigation, looking at the domain’s age, its hosting history, and the content it actually serves, before you can say whether it is attacker-controlled or merely compromised. That brings us to the second question.

Is Hacking Back a Good Idea?

This has been a much-debated topic in the past few years. Many experts say it isn’t, for reasons that include:

  • Collateral damage: The domain’s owner may have no idea that criminal activity is tied to its systems, and even a carefully planned takedown can hurt bystanders. In June 2014, Microsoft obtained a court order to seize domains belonging to the dynamic DNS provider No-IP (operated by Vitalwerks) in order to disrupt the Bladabindi (NJrat) and Jenxcus (NJw0rm) malware families that abused the service. Microsoft’s sinkhole could not handle the redirected traffic, and a large number of No-IP’s legitimate customers lost service. That was a court-sanctioned action, not an unauthorized hack-back, and it still caused serious damage; an unsanctioned intrusion into infrastructure you don’t fully understand has no better odds.
  • Legal implications: Bills such as the Active Cyber Defense Certainty Act, first introduced in 2017, would carve out a limited exception for private companies, but no such bill has been enacted; in the US, accessing another party’s systems without authorization remains a crime under the Computer Fraud and Abuse Act, and the attacker’s “systems” are very often someone else’s compromised machines. Attribution is the hardest part for law enforcement too: a digital trail is easy to forge or route through third parties, and a conviction requires evidence that ties a specific person to the act, which is far harder to obtain than in a physical crime. You are free to investigate an intrusion into your own systems and preserve the evidence, but only law enforcement can compel records from third parties, seize infrastructure, and prosecute.

There have been instances, however, where private cybersecurity companies have been tapped by agencies such as the FBI, INTERPOL, or Europol to help out in cybercriminal investigations. Even in these scenarios though, the companies only aided in obtaining circumstantial evidence and providing technical expertise. They weren’t allowed to hack the attackers’ systems back.

Putting two and two together gives us this: It’s perfectly legal for you to protect your own digital assets using the defensive tools at your disposal—and yes, WHOIS databases can help—but going after cybercriminals yourself is not a good idea.

If you’re confident that a domain is being used to attack your business, block it at your firewall, DNS resolver, or web proxy, preserve the logs and the WHOIS record that led you there (with timestamps), and stop at that. Report it to the proper authorities, who usually have hotlines or online reporting forms for this, and to the registrar’s or hosting provider’s abuse contact listed in the record. Let them handle the situation and hand over your findings if you’re asked for evidence.
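As an added example (not code from the original post or from any WHOIS provider), here is a small Python triage routine that applies the reasoning from the WHOIS section and from the block-and-report advice above: it parses a “Key: value” WHOIS response, checks the domain’s age and whether the registrant fields are redacted, and returns an assessment whose recommended action is always to block and report, never to intrude. The two records are constructed (the .example TLD is reserved, so they cannot resolve), the registrar and registrant names are hypothetical, and the 30-day/365-day thresholds and the fixed reference date are assumptions chosen for illustration, not industry standards.

```python
"""
Triage a WHOIS record before acting on a suspect domain.

Added example for this post, not code from any WHOIS provider. The two
records below are constructed (the .example TLD is reserved), and the
age/redaction thresholds are assumptions chosen for illustration.
"""
import re
from datetime import datetime, timezone

# Fixed "now" so the example is deterministic; in practice use datetime.now(timezone.utc).
NOW = datetime(2021, 4, 6, 12, 0, tzinfo=timezone.utc)

# Assumed thresholds for the heuristics below (not industry standards).
YOUNG_DOMAIN_DAYS = 30
ESTABLISHED_DOMAIN_DAYS = 365

REDACTED = re.compile(r"redacted|privacy|withheld|data protected", re.IGNORECASE)

# Constructed record: freshly registered, privacy-redacted registrant.
SUSPECT_RECORD = """\
Domain Name: LOGIN-VERIFY-BANK.EXAMPLE
Registrar: Hypothetical Registrar, Inc.
Creation Date: 2021-04-02T10:15:00Z
Registry Expiry Date: 2022-04-02T10:15:00Z
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: REDACTED FOR PRIVACY
Name Server: NS1.DNS-HOST.EXAMPLE
Name Server: NS2.DNS-HOST.EXAMPLE
>>> Last update of WHOIS database: 2021-04-05T00:00:00Z <<<
"""

# Constructed record: long-established business whose site may simply be compromised.
ESTABLISHED_RECORD = """\
Domain Name: CORNER-BAKERY.EXAMPLE
Registrar: Hypothetical Registrar, Inc.
Creation Date: 2009-03-14T12:00:00Z
Registry Expiry Date: 2022-03-14T12:00:00Z
Registrant Organization: Corner Bakery LLC
Registrant Country: US
Name Server: NS1.WEB-HOSTING.EXAMPLE
"""


def parse_whois(text):
    """Turn 'Key: value' lines into a dict with lower-cased keys.
    Repeated keys (e.g. Name Server) become lists; comment and footer lines are skipped."""
    record = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("%", "#", ">>>")):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key in record:
            if not isinstance(record[key], list):
                record[key] = [record[key]]
            record[key].append(value)
        else:
            record[key] = value
    return record


def domain_age_days(record, now=NOW):
    """Days since 'Creation Date', or None if the field is missing or unparseable."""
    raw = record.get("creation date")
    if not isinstance(raw, str):
        return None
    try:
        created = datetime.strptime(raw, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    return (now - created).days


def triage(text, now=NOW):
    """Classify a WHOIS record. Every branch ends in 'block and report';
    none of them authorizes touching the other party's systems."""
    record = parse_whois(text)
    age = domain_age_days(record, now)
    registrant = " ".join(str(record.get(k, "")) for k in ("registrant name", "registrant organization"))
    redacted = bool(REDACTED.search(registrant)) or not registrant.strip()

    if age is not None and age <= YOUNG_DOMAIN_DAYS and redacted:
        assessment = "likely attacker-registered"
        action = "block at DNS/proxy; report to law enforcement with this record attached"
    elif age is not None and age >= ESTABLISHED_DOMAIN_DAYS and not redacted:
        assessment = "likely legitimate site that has been compromised"
        action = "block the offending URLs; notify the registrant and hosting abuse contact; report"
    else:
        assessment = "inconclusive"
        action = "block; gather more evidence (passive DNS, certificates, hosting history); report"

    return {
        "domain": record.get("domain name", "").lower(),
        "age_days": age,
        "registrant_redacted": redacted,
        "assessment": assessment,
        "recommended_action": action,
    }


if __name__ == "__main__":
    for rec in (SUSPECT_RECORD, ESTABLISHED_RECORD):
        print(triage(rec))
```

Note that the heuristics only shape the wording of the report; a four-day-old, privacy-redacted domain is a stronger signal of attacker ownership than a twelve-year-old registration under a named business, but neither outcome changes the action, which stays on your side of the fence.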

Keep in mind that though WHOIS databases can be a great tool for beefing up your cyber defenses, taking the law into your own hands can have serious repercussions for you and the accused.