Use Cases and Examples

Brand Protection: Domain Monitoring or Domain Protection

Webhose’s domain monitoring can identify whether your domain is at risk through its breach repository, so you can get early notifications on any potential database leak. Our solution collects on average up to 8 million new records per day.

It does this by automatically collecting data from both breaches and leak snippets across the dark networks, sites and applications where the domain is mentioned as part of a new breach.

Here are a few types of queries that can help you understand more:

Querying a specific domain

To query for a specific domain, use the "domain" parameter:

For example, if you want to search for all compromised emails of a specific domain, use the query: https://webhose.io/dbdocFilter?token=[Your Token]&domain=mydomain.com

The data provided from the query includes all compromised entities related to the domain.

Querying for a specific time period

To query for a specific time period, use the "since" parameter to ensure that only updated entities will be provided.

For example, if you wanted to monitor a domain (mydomain.com) for updates on compromised entities in the last 24 hours (today’s date being July 13, 2020), use the query: https://webhose.io/dbdocFilter?token=[Your Token]&domain=mydomain.com&since=1594567628000

*To stay updated on the latest data results, we recommend performing this query at least once a day.

Here are some sample data results from Webhose’s domain monitoring in JSON format:


{
  docs: [
    {
      value: "[email protected]",
      type: "Email",
      uuid: "6f4ea343d1ced10a1379c3ee47288d861481df3b",
      crawled: "2020-07-12T05:19:43.627+03:00",
      updated: "2020-07-12T05:19:43.627+03:00",
      leaks: [
        {
          uuid: "683891c5453c712e6135504c588d1328baa7b636",
          name: "Mathway.com 16.5M",
          filename: "mathway 16,5 mil.txt",
          breach_date: "2020-05-22T03:00:00.000+03:00",
          fields: [
            "password",
            "email",
          ],
          network: null,
          domain: null,
          cyber_doc_ref: null,
          crawled: "2020-07-09T17:50:04.000+03:00",
          additional_info: [
            {
              password: "s*****23",
              is_hashed: false,
            }
          ],
        }
      ],
    },
    {
      value: "[email protected]",
      type: "Email",
      uuid: "aee10aebc35056231d15d3d5ee6f13803f6b6cef",
      crawled: "2020-07-11T22:31:12.937+03:00",
      updated: "2020-07-11T22:31:12.937+03:00",
      leaks: [
        {
          uuid: "683891c5453c712e6135504c588d1328baa7b636",
          name: "Mathway.com 16.5M",
          filename: "mathway 16,5 mil.txt",
          breach_date: "2020-05-22T03:00:00.000+03:00",
          fields: [
            "password",
            "email",
          ],
          network: null,
          domain: null,
          cyber_doc_ref: null,
          crawled: "2020-07-09T17:50:04.000+03:00",
          additional_info: [
            {
              password: "f*****n1",
              is_hashed: false,
            }
          ],
        }
      ],
    },
    {
      value: "[email protected]",
      type: "Email",
      uuid: "40ea584977571232c0f326ef6e8cb5408abb671d",
      crawled: "2020-07-10T21:58:11.099+03:00",
      updated: "2020-07-10T21:58:11.099+03:00",
      leaks: [
        {
          uuid: "683891c5453c712e6135504c588d1328baa7b636",
          name: "Mathway.com 16.5M",
          filename: "mathway 16,5 mil.txt",
          breach_date: "2020-05-22T03:00:00.000+03:00",
          fields: [
            "password",
            "email",
          ],
          network: null,
          domain: null,
          cyber_doc_ref: null,
          crawled: "2020-07-09T17:50:04.000+03:00",
          additional_info: [
            {
              password: "M******9!",
              is_hashed: false,
            }
          ],
        }
      ],
    },
    {
      value: "[email protected]",
      type: "Email",
      uuid: "58af109958956653557d963ce4eb1d5adea42e61",
      crawled: "2020-07-10T14:37:58.006+03:00",
      updated: "2020-07-10T14:37:58.006+03:00",
      leaks: [
        {
          uuid: "683891c5453c712e6135504c588d1328baa7b636",
          name: "Mathway.com 16.5M",
          filename: "mathway 16,5 mil.txt",
          breach_date: "2020-05-22T03:00:00.000+03:00",
          fields: [
            "password",
            "email",
          ],
          network: null,
          domain: null,
          cyber_doc_ref: null,
          crawled: "2020-07-09T17:50:04.000+03:00",
          additional_info: [
            {
              password: "Co*********2$",
              is_hashed: false,
            }
          ],
        }
      ],
    },
    {
      value: "[email protected]",
      type: "Email",
      uuid: "a167771ea435ee18d8a526de89bbc0989f9f26ad",
      crawled: "2020-07-10T10:33:33.893+03:00",
      updated: "2020-07-10T10:33:33.893+03:00",
      leaks: [
        {
          uuid: "683891c5453c712e6135504c588d1328baa7b636",
          name: "Mathway.com 16.5M",
          filename: "mathway 16,5 mil.txt",
          breach_date: "2020-05-22T03:00:00.000+03:00",
          fields: [
            "password",
            "email",
          ],
          network: null,
          domain: null,
          cyber_doc_ref: null,
          crawled: "2020-07-09T17:50:04.000+03:00",
          additional_info: [
            {
              password: "******",
              is_hashed: false,
            }
          ],
        }
      ],
    },
    "_comment": "Many More leaked records ..."
  ],
  totalDocs: 462,
  moreDocsAvailable: 452,
  next: "/dbdocFilter?token=[Your Token]&ts=1594320096467&domain=ibm.com",
  requestsLeft: 999187,
}
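
A daily monitoring run built from the queries and response fields above, as an added example (not Webhose's own code): it computes "since" as epoch milliseconds, follows "next" until "moreDocsAvailable" is 0, and puts entities whose password leaked unhashed first. The paging behaviour, the token T, the addresses and the fetch callable are assumptions, and the two response pages are constructed.

```python
import json
import time
from urllib.parse import urlencode, urljoin

BASE = "https://webhose.io"  # host used in the page's example queries

def build_query(token, domain, now_ms=None, window_hours=24):
    """dbdocFilter URL for entities updated in the last `window_hours`."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    since = now_ms - window_hours * 3600 * 1000  # `since` is epoch milliseconds
    query = urlencode({"token": token, "domain": domain, "since": since})
    return f"{BASE}/dbdocFilter?{query}"  # carries the token: keep it out of logs

def collect(first_url, fetch, max_pages=100):
    """Follow `next` while moreDocsAvailable > 0 (assumed paging contract)."""
    url, docs = first_url, []
    for _ in range(max_pages):
        page = fetch(url)  # any callable returning the parsed JSON body
        docs.extend(page.get("docs", []))
        if not page.get("moreDocsAvailable") or not page.get("next"):
            break
        url = urljoin(BASE, page["next"])
    return docs

def triage(docs):
    """One row per (entity, leak); unhashed password exposures sort first."""
    rows = []
    for doc in docs:
        for leak in doc.get("leaks", []):
            info = leak.get("additional_info") or []
            clear = any(i.get("password") and i.get("is_hashed") is False for i in info)
            rows.append({"entity": doc["value"], "leak": leak.get("name"),
                         "breach_date": leak.get("breach_date"), "cleartext": clear})
    return sorted(rows, key=lambda r: not r["cleartext"])

# Constructed two-page response shaped like the page's sample (not real data).
def _doc(value, password, hashed):
    info = [{"password": password, "is_hashed": hashed}]
    return {"value": value, "leaks": [{"name": "Example leak", "additional_info": info}]}

NOW_MS = 1594654028000  # 24 h after the page's example `since` value
NEXT = "/dbdocFilter?token=T&ts=1594320096467&domain=mydomain.com"
FIRST = build_query("T", "mydomain.com", NOW_MS)
PAGES = {
    FIRST: {"docs": [_doc("a@mydomain.com", "5f4d****", True)],
            "moreDocsAvailable": 1, "next": NEXT},
    BASE + NEXT: {"docs": [_doc("b@mydomain.com", "s*****23", False)],
                  "moreDocsAvailable": 0, "next": NEXT},
}
if __name__ == "__main__":
    print(json.dumps(triage(collect(FIRST, PAGES.__getitem__)), indent=2))
```

In production, pass a fetch callable that performs the HTTPS request and returns the decoded JSON, and persist the last successful run time so a missed day widens the "since" window instead of leaving a gap.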

Fraud Detection: Tracking Stolen Credit / Debit Cards

Compromised credit card and debit card information is traded in the dark networks: forums, chats, and marketplaces. Statistics show that identity theft and fraud as well as credit and debit card fraud are getting worse.

Webhose continually monitors chatter in several chat apps as well as anonymous networks. As soon as a credit card or debit card is detected, the data is sanitized, meaning that its details are partially hidden to prevent malicious use by a third party.

Here are a few types of queries that can help you understand more:

Querying for a credit card by the card number:

To query for a specific credit card number, use the parameter “CC”.

For example, to query credit card number 1234567891234567, use the query: https://webhose.io/dbdocFilter?token=[Your Token]&cc=1234567891234567

Querying for compromised information of a specific bin:

To query for a specific bin or section of a card number, you can use either the parameter “bin6” for the first 6 digits of the card or the parameter “bin8” for the last 8 digits of the card.

For example, to query bin number 60112089, use the query:
https://webhose.io/dbdocFilter?token=[Your Token]&bin8=60112089

Daily monitoring of credit cards

Monitoring specific credit cards should be conducted daily. This includes monitoring the bin as well, which should be done at least once a day.

To retrieve only the most recently updated compromised data, use the "since" parameter.

Here are sample data results from a credit card query in JSON format:

{
  docs: [
    {
      value: "459413*****21281",
      type: "Creditcard",
      uuid: "26916972de208c1413bb28307b0feb59210dba85403abc781812834332ce06f1",
      crawled: "2020-03-27T09:43:12.134+03:00",
      updated: "2020-03-27T09:43:12.125+03:00",
      leaks: [
        {
          uuid: "8bd2a5c7d459ef0f4c1bf79a1490fa124e3a2fe5",
          name: null,
          filename: null,
          breach_date: "2020-03-27T09:33:00.000+03:00",
          fields: [
            "credit card"
          ],
          network: "irc",
          domain: "chknet",
          cyber_doc_ref: "irc://chknet/unix#5000106dd9ce0ae09de8ae95868ada1e#post-0",
          crawled: "2020-03-27T09:43:12.134+03:00",
          additional_info: [
            {
              expy: null,
              expm: null,
              password: null,
              is_hashed: null,
            }
          ],
        },
        {
          uuid: "33be016ce107a8811ebf9caa6ab69b4efb72336a",
          name: null,
          filename: null,
          breach_date: "2020-03-27T09:30:00.000+03:00",
          fields: [
            "credit card"
          ],
          network: "irc",
          domain: "chknet",
          cyber_doc_ref: "irc://chknet/unix#f8364c1669b742ce17207dd45c4a0f51#post-0",
          crawled: "2020-03-27T09:43:12.125+03:00",
          additional_info: [
            {
              expy: null,
              expm: null,
              password: null,
              is_hashed: null,
            }
          ],
        },
      ],
    }
  ],
  totalDocs: 1,
  moreDocsAvailable: 0,
  next: "/dbdocFilter?token=[Your Token]&ts=1594654785066",
  requestsLeft: 999189,
}

Threat Intelligence: Enrich Actors or Indicators, Discover New Ones

Cybercriminals use the dark networks methodically to coordinate the selling of both breaches and hacking tools like DDoS platform attacks or SQL injections. Webhose’s Cyber API can extract compromised data found in the Data Breach Detection repository to discover actor details and further analyze the threat in the forum or chat app.

This can lead to better estimates of the risk behind a specific threat as well as early notification of other similar threats.

Here is an example process:

1. Tracking a Compromised SSN using the Cyber API

The Data Breach Detection service can identify leaks of specific social security numbers (SSNs).
For example, let’s take SSN: 53***23 (it’s a sanitized SSN).

This results in the following data:

2. Enriching Data to Gain Full Context
We can now take the cyber_doc_ref from above and enrich it with more information using the Cyber API.
How?
First, we can search for the specific URL using the thread.url filter to reveal the context, forum, thread, and actor name. A search with this filter reveals that the actor connected to the cyber_doc_ref is expl0itx ni and he posted in a hacking forum named bhf.io.

Second, when we use the Cyber API to search by actor username in the last year, we find that he is active on multiple forums, including a dedicated Telegram channel. We also learn that he sells hacking services such as DDoS, trades in credit cards, SSNs, and more.

The actor that was found is expl0itx in a hacking forum named bhf.io

3. Further Cyber Enrichment of Actor or other indicators
By continuing to investigate the actor on additional discussion threads, we can continuously reveal new insights relevant to an organization or person. The enriched data you receive can be added to your Threat Intelligence solution and integrated with your risk analytics or alerts for your customers.

Updated 21 days ago