09 Feb 2022

Connecting the Dots with WhoisXML API: Iranian Misinformation Networks

Mario Rojas

In June 2021, the United States Government seized several Iranian sites, including presstv[.]com, claiming that the sites were spreading misinformation across their platforms.

Below, in the lower right corner, you can see the image that welcomes visitors when they attempt to visit the site. Behind it, the WayBackMachine offers a view of what the site looked like before it was seized.

the image that welcomes visitors when they attempt to visit the Iranian sites.

Investigating 37 Associated Domains Uncovered by WhoisXML API šŸ”—︎

Our friends at WhoisXML API performed a fantastic investigation. They uncovered over 35 additional domains associated with presstv[.]com, based on Whois data, some of which were still displaying live content at the time of their publication.

We will attempt to find additional domains and websites associated with presstv[.]com, starting with the 37 domains uncovered by WhoisXMLAPI. You can check their article in case you are curious about how to use Whois data for this type of investigation.

Want to see this investigation in detailed step-by-step? šŸ”—︎

Download and watch our joint webinar with WhoisXML API now!




In the Maltego graph below, you can find domains uncovered in their investigation.

 37 domains uncovered by WhoisXMLAPI in Maltego

This image shows multiple domains sharing two nameservers (ns1.presstv.ir and ns2.presstv.ir) and an email address (it@presstv.com.au) linked to presstv[.]com.

 Maltego imgae - multiple domains sharing two nameservers

Next, the image below shows a few domains registered by a person (Hami xxxxxxxx) who registered presstv[.]com. It is not clear from the domain names what company owns them. In contrast, in the case of presstvdoc[.]com or hausatv[.]com, where the name of the company is also the domain name, it is safe to assume that these are used to share information or TV-related content matching that of the original site.

 Maltego imgae - a few domains registered by a person who registered presstv[.]com

We also got a few additional domains linked to an organization called “Press TV”. This was entered as the organization when presstv[.]com was registered.

 Maltego imgae - additional domains linked to an organization called “Press TV”

Before we start our investigation, let’s bookmark our initial domains so that we can easily separate them from the rest once we are done. We will use a blue bookmark in this case, but you can use any other color.

We have a couple of options to select the domains on our graph, either by manual selection or using the “Select by Type” feature on our toolbar. We can then zoom into any of the domains and click the bookmark icon in the upper right corner of the Entity, which will automatically assign the same bookmark to all the other domains.

bookmark our initial domains in Maltego

Next, We will simplify our graph with the help of the Collections feature. Moving the Collections slider all the way to the left decreases the number of Entities required to create a collection, which, in turn, forms collection nodes on our graph.

simplify graph with the help of the Collections feature in Maltego

Pinpointing Websites Associated to the Known Domains šŸ”—︎

Let’s start by searching for websites associated with these domains. We have a couple of Maltego Standard Transforms available to do that:

  • To Website using domain [Bing]: Leverages the Bing API and searches for any website that contains the domain as part of the URL.
  • To Website [Quick lookup]: Adds a ā€œwww.ā€ in front of the domain name and attempts to resolve it.

We decided to run both because they use different techniques to find websites related to domains.

 searching for websites associated with Maltego Standard Transforms

Below is a clear example of why running both gives us better results. On the left are the results of running the To Website using domain [Bing] Transform, and on the right are the results from the To Website [Quick lookup] Transform on the ifilmtv[.]com domain.

result of running Maltego Standard Transforms

Use BuiltWith to Uncover Unknown Website Relationships šŸ”—︎

For the next step in our investigation, we will select the new websites and run the To Relationships [BuiltWith] Transform, which returned over 40 different Builtwith Relationship Entities.

 run the To Relationships [BuiltWith] Transform in Maltego

From the results, we can see a combination of IPs and tracking codes (Alexa, Google-tag-manager, Google-analytics, etc.). The IP Entities contain information about IP Addresses used by the website and additional details such as when the IP was first and last seen by the site according to BuiltWith’s records.

a combination of IPs and tracking codes results in Maltego

In addition to IPs, we have tracking codes, which are small snippets of code usually implemented as JavaScript in the source code of a website. Tracking codes allow advertisers, web admins, and marketers to analyze the flow of visitors to websites and how they interact with different pages.

Tracking codes are fundamental for our investigation as we can use them to find other websites owned or managed by the same organization and further connect them with confidence since these codes are unique to different organizations.

tracking codes in Maltego

Since we are only interested in the tracking codes, we can safely remove the IP Entities.

We can now select the remaining BuiltWith Entities, which should contain only tracking codes, and run the To Websites [BuiltWith] Transform. This will return other websites where the same tracking code has been used and might lead us to uncover previously unknown domains closely related to presstv[.]com.

As you can see below, we found 30 new websites. To make the results more readable, we will share them in two separate screenshots below.

The first part of the results shows multiple websites linked to ifilmtv, which, based on the subdomains (.en, .ar, .fa, .french), are probably versions of the same website but presented in different languages.

run the To Websites [BuiltWith] Transform in Maltego

The second part contains a mix of domains, some related to presstv and hispantv, and we also found a few previously unknown and interesting websites like iranneshanclub.ir, dkdlab.com, iktv.ir, and sahartv.ir. This is why tracking codes are so valuable for uncovering hidden links between websites.

found a few previously unknown and interesting websites in Maltego investigation

Map Out Correlations between Domains šŸ”—︎

Next, we will extract the domain names from the sites, as this will allow us to visualize the connections between some of the new websites by pointing them to the domain they are associated with.

Let’s select the website Entities and run the To Domains [DNS] Transform. Before we do that, we will also move the input websites to a new graph to make it easier to understand the latest results from each Transform.

run the To Domains [DNS] Transform in Maltego

We can see that around half of the websites point to unique domains, while the other half share a handful of domains. We also have three sites that did not return any results.

Using the bookmark colors to differentiate the confidence we have in our results (Green=High, Yellow=Medium, Red=Low), we bookmarked these new domains green.

We can now move the Entities back to the original graph with the standard CTRL+C and CTRL+V command.

Using the bookmark colors to differentiate the confidence in Maltego

Below is an extract of the results from merging the Entities with those already present in the Graph.

results from merging the Entities with those already present in Maltego Graph

Another great piece of infrastructure that we can use both for uncovering additional domains and for tying the links between our previous findings are Mail Servers (MX).

Mail Servers or MX are used for processing emails and usually sit inside an organization’s infrastructure as the information processed by these is highly confidential.

Luckily for us, there is a Standard Transform that checks for MX Records, the DNS representations of Mail Servers. Below is the result of running the To DNS Name - MX (mail server) Transform on all the Domains, we also moved them into a separate graph for ease of readability.

running the To DNS Name - MX (mail server) Transform in Maltego

We can see that most of the domains point to mail servers hosted on their infrastructure based on the mail server names, but there are 11 that point to email service providers such as OVH. These email service providers usually handle hundreds of customers who may be sharing the same infrastructure.

We are only interested in the mail servers hosted on their infrastructure as these reduce the chance of getting irrelevant results from our next step.

Let’s now select the MX records, and we will exclude the below ones since we suspect them to be email service providers.

  • smtpin.rzone.de
  • mail.h-email.net
  • mx.hover.com.cust.hostedemail.com
  • mx3.mail.ovh.net
  • mx4.mail.ovh.net

We will then run the To Domains [Sharing this MX] Transform on the remaining ones, which, as shown below, returned 31 additional domains.

run the To Domains [Sharing this MX] Transform in Maltego

We will bookmark the newly discovered domains with a yellow flag since we have a high confidence in these being owned and used for the same purpose as the initial domains, but we should take additional steps to confirm our findings.

As we can see, the new domains share the mail servers with irib[.]ir, which after a quick Google search we confirmed to be the Islamic Republic of Iran Broadcasting (IRIB).

new domains share the mail servers with irib[.]ir

Examining Other Relevant Top-Level Domains šŸ”—︎

We have uncovered 41 additional domains so far, but we can take one extra step to find more domains.

We have observed the organization/group behind these domains consistently using multiple Top-Level Domains (TLD), such as (.com, .net, .ir, .org, .tv, .in, .us, .mx). This is sometimes leveraged by companies to have different websites serving specific audiences but is also a way to circumvent sanctions or restrictions.

A good example of TLDs being used to target specific regions or audiences for legitimate purposes are the apple.com and apple.cn websites.

example of TLDs being used to target specific regions

But, if you are familiar with this case, you know that after the US Government seized the presstv[.]com domain, there was a new one presstv[.]ir that took its place in a matter of hours and started serving the same content as the one that was taken down.

Let’s check if we can uncover additional domains registered with other TLDs. We will once again move our Entities to a new graph before running the Transforms, so that we can easily understand the results. This also allows us to see how the bookmarks help us differentiate between our original domains and the ones we have uncovered so far.

uncover additional domains registered with other TLDs

We will select our domains one more time and run the To Domain (Find other TLDs) [WhoisXML] Transform, which looks for domains with the same name as the input, registered under different TLDs.

We have found 360 additional domains by running the last Transform, to make it easier to read, we will split the results into two separate images.

run the To Domain (Find other TLDs) [WhoisXML] Transform in Maltego_1

run the To Domain (Find other TLDs) [WhoisXML] Transform in Maltego_2

Before moving these domains back to our original graph, we will first bookmark them red (low confidence).

We will have to spend additional time on these if we want to confirm their relationship with our initial servers.

Let’s look at our final graph. As you can see, it has substantially grown thanks to all the domains discovered throughout our investigation in which we used only Maltego Standard Transforms.

 all the domains discovered throughout investigation in Maltego

Real-Life Investigation Using Maltego and OSINT šŸ”—︎

We hope you enjoyed this article and that the techniques used here serve you well in your future investigations.

As your next step, you can watch our live session with WhoisXML API, where we take an even deeper look into these websites and connections between them using the capabilities of Maltego and historical WHOIS data from WhoisXML API live.

Download the resource

DE +49
Albania +355
Algeria +213
Andorra +376
Angola +244
Anguilla +1264
Antigua And Barbuda +1268
Argentina +54
Armenia +374
Aruba +297
Australia +61
Austria +43
Azerbaijan +994
Bahamas +1242
Bahrain +973
Bangladesh +880
Barbados +1246
Belarus +375
Belgium +32
Belize +501
Benin +229
Bermuda +1441
Bhutan +975
Bolivia +591
Bosnia and Herzegovina +387
Botswana +267
Brazil +55
Brunei Darussalam +673
Bulgaria +359
Burkina Faso +226
Burundi +257
Cambodia +855
Cameroon +237
Canada +1
Cape Verde +238
Cayman Islands +1345
Central African Republic +236
Chile +56
China +86
Cote d'Ivoire +225
Colombia +57
Comoros +269
Congo +242
Cook Islands +682
Costa Rica +506
Croatia +385
Cuba +53
Cyprus +90392
Czech Republic +42
Denmark +45
Djibouti +253
Dominica +1809
Dominican Republic +1809
Ecuador +593
Egypt +20
El Salvador +503
Equatorial Guinea +240
Eritrea +291
Estonia +372
Ethiopia +251
Falkland Islands (Malvinas) +500
Faroe Islands +298
Fiji +679
Finland +358
France +33
French Guiana +594
French Polynesia +689
Gabon +241
Gambia +220
Georgia +995
Germany +49
Ghana +233
Gibraltar +350
Greece +30
Greenland +299
Grenada +1473
Guadeloupe +590
Guam +671
Guatemala +502
Guinea +224
Guinea-Bissau +245
Guyana +592
Haiti +509
Honduras +504
Hong Kong +852
Hungary +36
Iceland +354
India +91
Indonesia +62
Iran, Islamic Republic of +98
Iraq +964
Ireland +353
Israel +972
Italy +39
Jamaica +1876
Japan +81
Jordan +962
Kazakhstan +7
Kenya +254
Kiribati +686
Korea, Democratic People's Republic of +850
Korea, Republic of +82
Kuwait +965
Kyrgyzstan +996
Lao People's Democratic Republic +856
Latvia +371
Lebanon +961
Lesotho +266
Liberia +231
Libyan Arab Jamahiriya +218
Liechtenstein +417
Lithuania +370
Luxembourg +352
Macao +853
Macedonia, the former Yugoslav Republic of +389
Madagascar +261
Malawi +265
Malaysia +60
Maldives +960
Mali +223
Malta +356
Marshall Islands +692
Martinique +596
Mauritania +222
Mauritius +230
Mayotte +269
Mexico +52
Micronesia, Federated States of +691
Moldova, Republic of +373
Monaco +377
Mongolia +976
Montserrat +1664
Morocco +212
Mozambique +258
Myanmar +95
Namibia +264
Nauru +674
Nepal +977
Netherlands +31
New Caledonia +687
New Zealand +64
Nicaragua +505
Niger +227
Nigeria +234
Niue +683
Norfolk Island +672
Northern Mariana Islands +670
Norway +47
Oman +968
Pakistan +92
Palau +680
Panama +507
Papua New Guinea +675
Paraguay +595
Peru +51
Philippines +63
Poland +48
Portugal +351
Puerto Rico +1787
Qatar +974
Reunion +262
Romania +40
Russian Federation +7
Rwanda +250
San Marino +378
Sao Tome and Principe +239
Saudi Arabia +966
Senegal +221
Serbia +381
Seychelles +248
Sierra Leone +232
Singapore +65
Slovakia +421
Slovenia +386
Solomon Islands +677
Somalia +252
South Africa +27
Spain +34
Sri Lanka +94
Saint Helena +290
Saint Kitts and Nevis +1869
Saint Lucia +1758
Sudan +249
Suriname +597
Swaziland +268
Sweden +46
Switzerland +41
Syrian Arab Republic +963
Taiwan +886
Tajikistan +7
Thailand +66
Togo +228
Tonga +676
Trinidad and Tobago +1868
Tunisia +216
Turkey +90
Turkmenistan +993
Turks and Caicos Islands +1649
Tuvalu +688
Uganda +256
United Kingdom +44
Ukraine +380
United Arab Emirates +971
Uruguay +598
United States +1
Uzbekistan +7
Vanuatu +678
Holy See (Vatican City State) +379
Venezuela +58
Viet Nam +84
Virgin Islands, British +84
Virgin Islands, U.S. +84
Wallis and Futuna +681
Yemen +967
Zambia +260
Zimbabwe +263

By clicking on "Access", you agree to the processing of the data you entered and you allow us to contact you for the purpose selected in the form. For further information, see our Data Privacy Policy.

Don’t forget to follow us Twitter and LinkedIn and sign up to our email newsletter to stay updated on new use cases, tutorials, and event information!

Happy Hunting!

About the Author šŸ”—︎

Mario Rojas šŸ”—︎

Mario Rojas is a Cyber Security Subject Matter Expert at Maltego with more than eleven years of experience in the cyber security field, specializing in risk management and threat analysis and is known for creative solutions that stem from his expert technical knowledge.

By clicking on "Subscribe", you agree to the processing of the data you entered and you allow us to contact you for the purpose selected in the form. For further information, see our Data Privacy Policy.