Fake News. PHOTO: Cybercrime Magazine.

Iranian Website Seizures: Are There Other Misinformation Sources?

Analyzing domain names in a quest for the truth

Jonathan Zhang, CEO at Whois XML API

Walnut, Calif. – Jul. 18, 2021

Dozens of Iranian websites were seized by the U.S. Department of Justice (DOJ) last month on the grounds of spreading misinformation. The domains mainly were for media sites affiliated with the Iranian government, particularly those owned by the Iranian Islamic Radio and Television Union (IRTVU).

Based on these events, WhoisXML API security researchers wanted to see how widespread the website seizure was and mapped out the infrastructure of some of the seized websites. In particular, we focused on four domains that were confirmed to be included in the list, namely:

  • presstv[.]com
  • alalam[.]net
  • lualuatv[.]com
  • almasirah[.]net

Not All Connected Domains Are Accessible

Before anything else, it has to be noted that connected domains in this context refer to domain names that share the seized domains’ IP address, nameserver, and WHOIS records. In particular, we used the historical WHOIS registrant name and email address or at least those found before the privacy redaction of their WHOIS records.

About 33 percent of the uncovered connected domains are unresolvable. They could have been dropped by the registrant or taken down by the registrar, among other reasons. Of the 87 resolvable domains, only three have been seized by the U.S. Justice Department. These are almasirah[.]info, almasireh[.]com, and alalamtv[.]net.

The rest of the domains either continue to host news-related content, result in forbidden requests, or are parked.

Domains Continue to Host News-Related Content

We tackled the topic of misinformation in a previous post, where we probed the domain footprint of one of the seized domains, presstv[.]com. Were the other domains connected to presstv[.]com taken over, too?

It seems not. For one, the domain presstv[.]ir, which once redirected to presstv[.]com, is still active. Below is a side-by-side screenshot of the two domains:

It also seems that other domains and subdomains associated with presstv[.]com, either through their IP address, nameserver, and historical WHOIS data were not affected by the shutdown. Domains that share the seized domain’s nameserver continue to host news-related content, as shown in the array of screenshots below.

The same is true for almasirah[.]com, which replaced the seized almasirah[.]net.

Whether these websites are being used to spread misinformation or not is subject to the evaluation of subject matter experts. However, the fact that they share the domain infrastructure of the seized domains may have a bearing on the investigation.

The Fight against Misinformation

It remains certain that misinformation and disinformation are real global issues that almost every government must address. The general public can’t be left fending for themselves, especially since in the U.S. alone, only 26 percent are very confident in their ability to spot fake news.

Organizations like NewsGuard are helping monitor websites that spread false information about a wide range of topics, including the coronavirus and national elections. For instance, around  448 websites are listed on NewsGuard’s website for reportedly publishing misinformation about COVID-19.

While not all the websites on this list could belong to bad guys, scrutinizing both their current and historical WHOIS records can provide more context. Mapping the websites’ domain footprint could also uncover other domains that can potentially be used to carry out misinformation campaigns.

In another study focused on the Endless Mayfly disinformation campaign, a similar domain expansion process uncovered hundreds of connected domains. Specifically,173 more domains were found sharing the same registrant email addresses as IoCs published earlier. Screenshot analyses revealed that over a dozen of these domains seem to host news-related content.

WhoisXML API’s WHOIS and DNS intelligence can provide a valuable starting point for investigating misinformation. Given a domain name, what other domains using the same IT infrastructure can you uncover? Contact us for more information.

Whois XML API Archives

Jonathan Zhang is the founder and CEO of WhoisXML API—a domain and IP data intelligence provider that empowers all types of cybersecurity enterprises to build better products and achieve greater network security with the most comprehensive domain, IP, DNS, and cyber threat intelligence feeds.  WhoisXML API also offers a variety of APIs, tools, and capabilities, including Threat Intelligence Platform (TIP) and Domain Research Suite (DRS).

Sponsored by Whois XML API

Precise and exhaustive data is vital for cyber-security professionals to analyze and prevent cyber crime. Whois XML API offers a comprehensive collection of domain, WHOIS, DNS and threat intelligence data feeds that are essential to their work. It’s an exhaustive Cyber-security package that offers a maximum coverage of both real-time and historic data, complete with instruments for threat hunting, threat defense, cyber forensic analysis, fraud detection, brand protection, data intelligence enrichment across variety of SIEM, Orchestration, Automation and Threat Intelligence Platforms.