The purpose of this post is to identify ways of getting more information about a company by researching its website. This post will address how to find the identities of people that own or manage a company website, get more information about them, learn about changes that occurred in a company over time, and find indications that a company is a shell company.
A quick note on shell companies’ websites: People that maintain shell companies often create websites for those companies to create the façade of a legitimate company. So the purpose of these techniques is to uncover evidence that the company does not exist.
Who Owns the Website Domain
Domain names are publicly registered to the owner, with their name, contact info, and address listed. The owner of a company’s website domain is usually someone senior in the company or possibly the owner. The standard way to search is to use a website like who.is to look up the current registration, also known as the “who is” record.
Unfortunately, many websites (including this one) use a service to hide the identity of the domain owner. Notice that the record above provides the name and contact information for a privacy service rather than my own information.
One way to get around this problem is to look up the past registrations for a domain because many people initially register with their own name before eventually using a service to hide it. Most websites that offer past whois registrations will require a fee. As of October 2020 the website Whoxy allows users to do a few free searches on past registrations.
Michael Bazzell suggests another method to get past domain registrations, on episode 139 of his podcast Privacy Security & OSINT Show, by using Internet archives. He suggests searching for the current registration with a common service like who.is, then taking the URL from the results page and searching for it in the Internet Archive or a similar site. In theory this would find the same webpage as it appeared at a time in the past when the registration was different.
What Has Changed on The Website
A company’s website provides a snapshot of its status at that moment. But if you view that website and how it changes over time you can see a history of the company. The changes in a website identify employees that arrived, departed, and/or changed positions. They also show the progression of the company, since its self-description and identified facilities change as the company grows, shrinks, or moves into different fields.
Generally, during a company’s history you can expect website changes to include company name and aliases, company description, location, addresses, contact details, industry, registration numbers, key people, clients, partners, and investors.
AIHIT monitors and documents changes in companies’ websites and specifically highlights those changes. If AIHIT disappears or starts to charge for this service, you can use the Internet archives archive.today and archive.org to view snapshots of a company website from different dates. You can also submit a website url to these archives in order to save a copy of the site from that time.
If you have to use the more manual approach of looking for website changes via an Internet archive, it is often useful to specifically look up the website’s current “about us” page or any other page within the site that identifies current staff. Open the current page in one tab and look at past iterations of the page in a second tab or window.
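The archive lookups described above (past copies of a who.is results page, or of an “about us” page) can be narrowed to only the captures where the page actually changed. This is an added example, not part of the original post: it uses the Wayback Machine's CDX listing, and the sample response and example.com URLs are constructed.

```python
import json
from urllib.parse import urlencode

CDX_ENDPOINT = "https://web.archive.org/cdx/search/cdx"

def cdx_query_url(page_url):
    """URL of the Wayback Machine CDX query listing every capture of page_url."""
    return CDX_ENDPOINT + "?" + urlencode({"url": page_url, "output": "json"})

def distinct_versions(cdx_json):
    """Return [(YYYY-MM-DD, snapshot_url)] for the first capture of each version.

    With output=json the first row names the columns. 'digest' is a hash of the
    captured body, so a digest that differs from the previous capture's means
    the page content changed in between.
    """
    rows = json.loads(cdx_json)
    if len(rows) < 2:                          # no captures at all
        return []
    col = {name: i for i, name in enumerate(rows[0])}
    versions, previous = [], None
    for row in sorted(rows[1:], key=lambda r: r[col["timestamp"]]):
        if row[col["statuscode"]] != "200":    # ignore redirects and error pages
            continue
        if row[col["digest"]] != previous:
            ts = row[col["timestamp"]]
            date = f"{ts[:4]}-{ts[4:6]}-{ts[6:8]}"
            versions.append((date, f"https://web.archive.org/web/{ts}/{row[col['original']]}"))
            previous = row[col["digest"]]
    return versions

# Constructed sample response (not real captures) for a hypothetical "about us" page.
SAMPLE_CDX = json.dumps([
    ["urlkey", "timestamp", "original", "mimetype", "statuscode", "digest", "length"],
    ["com,example)/about", "20150310120000", "http://example.com/about", "text/html", "200", "DIGESTA", "5120"],
    ["com,example)/about", "20160101080000", "http://example.com/about", "text/html", "200", "DIGESTA", "5120"],
    ["com,example)/about", "20170622093000", "http://example.com/about", "text/html", "301", "DIGESTX", "310"],
    ["com,example)/about", "20180905110000", "http://example.com/about", "text/html", "200", "DIGESTB", "6044"],
])

if __name__ == "__main__":
    print(cdx_query_url("example.com/about"))
    for date, url in distinct_versions(SAMPLE_CDX):
        print(date, url)
```

Pages with dynamic content (rotating banners, embedded dates) get a new digest on every capture, so open consecutive versions side by side before treating a change as meaningful.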
When was the website created?
There is an online tool that looks for historical evidence of a website and tries to find out when the site was created.
The tool is called Carbon Dating the Web (http://carbondate.cs.odu.edu/)
Carbon Dating the Web is a very interesting project by the Web Science and Digital Libraries group at Old Dominion University (specifically this department: https://ws-dl.cs.odu.edu/). The tool’s goal is to guess when a website was created, and the creators describe how this estimation process works in a post. Thank you to @tools4reporters for bringing this tool to my attention.
This tool will identify, if possible, the dates when the website first appeared in Twitter, Google, Bing, backlinks, and a few others. If it finds something, it will only give you a date, nothing else.
Carbon Dating the Web will also look for instances where the site was captured on the two internet archives archive.org and archive.is. If the tool finds instances when the website was captured and archived, it will identify the dates and list the url for the archived site for you.
See the results below for Search-ish.com:
In the case of Search-ish.com it guessed July 17th 2020 (the true date was back in March). Not a bad guess for a new website. It only seemed to find results from two instances when internet archives captured the website. The earliest one is from July 17th 2020, which probably accounts for the estimated creation date of July 17th 2020 because that is the date of the earliest evidence of the site.
Using one of the links provided for archive.org or archive.is will also bring you to the archives’ timelines for that site (mentioned in the previous section above).
In one example, these timelines were useful because a suspicious nonprofit did not seem to be doing any actual work. For context, you should know that the nonprofit always made efforts to publicize whenever it did actual work. The timelines helped to support the conclusion that the nonprofit was not very active because over a ten year period, the website only added one new project to its list despite its claims of “substantial financial support” for “large scale projects”. Additional research into tax records later proved this to be accurate.
However, that example admittedly delves into the website content, so we will return to the focus on information that is not derived from the website’s content.
Find Email Addresses
If a company has a website, there is very likely at least one “work email address” for someone that works for the company. Even for a small company, the process of setting up a website often involves setting up an email for the company owner or someone involved in a company. This is a good lead for more information about who is behind the company. More information about finding the emails linked to websites is available in a previous post, Email Addresses Registered to Website Domains: Part 2.
How to find the owner of an email address: as noted in a separate post (Find Email Addresses Linked To U.S. Phone Numbers), if you have only an email address there are plenty of ways to look up the owner. You can use people-searching websites like That’s Them, Search People Free, and Public Email Records. There are also three methods (see linked guides that are effective as of October 2020) to find if an email address is affiliated with a LinkedIn page, Twitter account, or Facebook account.
Depending on the size of the company, the IP address for the website might also be the IP used by employees to access the internet. So with a larger company you might want to look up the website’s IP and then search that IP on Thatsthem.com, which will identify people that use that IP for their work accounts.
Check the Postal Address
The company’s address listed on its website is worth a quick check. The address listed on the website is specifically intended for the public, as compared to the registration which lists an address for legal purposes and therefore may be the address of the company’s lawyer or registration agent.
One can do a quick google maps search and street view of a company’s address to confirm that it exists and maybe learn a bit about the size of the company.
Addresses for Shell Companies
For example, in A Deal with the Devil, the authors showed that a quick search of the address listed for a company on its website might reveal that the address does not exist. Or, a street view of the address showed that the address was real but no company existed there since it was an empty lot.
Similarly, the google street view might reveal that the address is for a building that is a UPS store or U.S. Postal Service office, which means that the address is for a P.O. box. In other cases the address was for a registration agent (a registration agent can register a company and receive correspondence on behalf of the true owner).
You will know that an address is for a registration agent when you google it and you see google results for several other companies with the same address. While there are legitimate reasons for companies to use P.O. boxes and registration agents, it is important to recognize that these are common tactics for shell companies too.
Addresses for Real Companies
With real companies, checking the address can be a quick way to confirm the company has a physical location and maybe pick up on tidbits about the company. For example, it is reflective of the size of the company if it owns a large building or a small office in a strip mall.
These methods will help to identify people affiliated with the companies and information about them that can be informative.
Reverse Search Photos
Company websites often have photos of staff or of company sites and facilities. For a profile photo, one can search for the person or the background location to find more information.
A quick note about the basics of doing a reverse image search: A reverse image search refers to using a search engine to search for a specific image or similar ones on the internet. Most search engines will include that function and all you have to do is right click on a photo, copy, and paste it into a website or search engine’s reverse image search function.
Bellingcat.com created a great guide comparing the capabilities of different sites and concluded that Yandex is the best. Other sources agree with this assessment. Yandex will also let you crop a photo so you can focus your search on something specific, such as the face of your person of interest, rather than their background.
Other websites take this process a step further by offering different ways to alter the photo. Photoscissors.com and remove.bg will let you completely remove a background to heighten the focus on a person or object.
Additionally, theinpaint.com allows you to remove or blur out the person in a photo so you can search the background. Here are two quick examples:
By blurring out the person in this photo, it was possible to find that the person here…
…was standing here:
Searching for the location in the background of the photo can be useful when you only have the address of the company’s registration agent and you do not know anything about where the company or its personnel are actually located. Similarly, the website may have photos that are either of the actual business or stock photos. For example, sometimes there are photos of trucks driving or people talking (ostensibly some form of commerce is occurring). A reverse image search of these photos will quickly show if they are stock images, which means the photos are not proof that the company exists.
By searching for the person in the photo you can find additional websites where the same or a similar photo is used. You may find the same person on social media, resume hosting sites, alumni websites, board memberships, etc. This is particularly useful when the person’s different accounts have different usernames.
Alternatively, websites that are created for shell/fake companies often use a website software product designed for company websites. These products will include generic profile photos of models posing as employees for a fake example company. Shell companies will typically keep these photos to create the facade of real staff members.
You will be able to identify if this is the case if a reverse photo search of a profile leads to either 1) other websites for unrelated companies showing the same staff photos, or 2) an advertisement for the website software package. Keep in mind that this may also be merely evidence of laziness on the part of the website administrator rather than evidence of a shell company.
In a more interesting case, Jane Mayer of The New Yorker showed that a search on the background of the darkened profile photo for the alleged owner of “Surefire Intelligence” revealed the original photo before the person was darkened out of the photo.
In this case, the image search proved that the profile linked to the photo was fake. This profile photo was actually a darkened version of a photo of the real perpetrator behind what is now known to be the hoax Surefire Intelligence company. If this were a real company, the background could be evidence of the location.
Note that a separate post, How To Read Barcodes in Photos, addresses what to do if you see a photo with a barcode visible in it, on an ID badge for example.
Does the Domain Owner Have Other Websites?
People that run fake companies or fake company websites will often run several others at the same time. There are several ways to check if one website is run by a person that oversees many others, even if you do not know the person’s identity.
Google Analytics (and similar products, like AdSense) provide services for a website owner and will enable them to oversee several websites at once. For our purposes, this is relevant because you can use the ID number assigned to an account holder and find all of the websites maintained on their account. Every website that is maintained under one account will have the Google Analytics ID written into its source code.
There are several tools like Spyonweb.com that will do the searching for you and find if a site has a Google Analytics ID and then check if there are other sites with the same ID. For example, we see below a screenshot of a search of the website OpenCorporates on Spyonweb.com. The results show that OpenCorporates is on the same Google Analytics account as two other websites.
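The same comparison can be done by hand on page sources you have already saved. The following is an added example, not part of the original post or of Spyonweb: it assumes the Universal Analytics ID format (UA-account-property) and the AdSense ca-pub format, and every domain and ID in the sample is constructed.

```python
import re
from collections import defaultdict

# Universal Analytics IDs look like UA-<account>-<property>. The account number
# is what sites under one account share; the last number differs per site.
UA_RE = re.compile(r"\bUA-(\d{4,10})-\d{1,4}\b")
# AdSense publisher IDs appear in page source as ca-pub-<16 digits>.
ADSENSE_RE = re.compile(r"\bca-pub-(\d{16})\b")

def tracking_ids(html):
    """Return the account-level IDs found in one page's source."""
    ids = {f"UA-{acct}" for acct in UA_RE.findall(html)}
    ids |= {f"pub-{pub}" for pub in ADSENSE_RE.findall(html)}
    return ids

def shared_accounts(pages):
    """pages maps domain -> HTML. Return {id: [domains]} for IDs on 2+ domains."""
    by_id = defaultdict(set)
    for domain, html in pages.items():
        for tid in tracking_ids(html):
            by_id[tid].add(domain)
    return {tid: sorted(doms) for tid, doms in by_id.items() if len(doms) > 1}

# Constructed page sources for hypothetical domains (not real sites or IDs).
SAMPLE_PAGES = {
    "alpha-logistics.example": "<script>ga('create', 'UA-12345678-1', 'auto');</script>",
    "beta-holdings.example": (
        "<script>gtag('config', 'UA-12345678-3');</script>"
        '<ins class="adsbygoogle" data-ad-client="ca-pub-1234567890123456"></ins>'
    ),
    "gamma-trading.example": '<ins class="adsbygoogle" data-ad-client="ca-pub-1234567890123456"></ins>',
    "unrelated-shop.example": "<script>ga('create', 'UA-87654321-1', 'auto');</script>",
}

if __name__ == "__main__":
    for tid, domains in sorted(shared_accounts(SAMPLE_PAGES).items()):
        print(tid, "->", ", ".join(domains))
```

A shared ID is a lead rather than proof of common ownership, since an ID can be carried over when a site template or page is copied from another site.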
SSL certificates offer another way of checking for related websites. You can use a website like censys.io or shodan.io to look up a website’s SSL certificate and see if there are other domains for completely different websites on the same certificate.
An SSL certificate is a kind of digital certificate that provides website authentication (and it’s responsible for the “s” in “https”). The way SSL certificates work is that every domain under one certificate will be owned by the same owner.
In order to check the certificate, go to censys or shodan and search for the company website’s url. You will see the certificate identified in your results; then look up the certificate itself. The result for the certificate should have a section called “Names,” where you will find other domains under the same certificate. Here is a standard example:
See the screenshot below of an example, provided by osintcuro.us, of a more suspicious certificate with very different domains.
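The list of names on a certificate can also be read directly from the website's server instead of through censys or shodan. This is an added example, not part of the original post: it uses Python's standard ssl module, the sample certificate and its domains are constructed, and the two-label base domain is a simplification.

```python
import socket
import ssl

def fetch_cert(host, port=443, timeout=10):
    """Connect to host and return its validated certificate as a dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def san_dns_names(cert):
    """DNS names from the certificate's subjectAltName (the "Names" section)."""
    return sorted({v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"})

def base_domain(name):
    """Last two labels, wildcard removed. Simplification: wrong for suffixes
    such as co.uk; a public suffix list is needed to handle those."""
    return ".".join(name.lstrip("*.").split(".")[-2:])

def other_domains(cert, target):
    """Base domains on the certificate other than the target site's own."""
    own = base_domain(target.lower())
    return sorted({base_domain(n) for n in san_dns_names(cert)} - {own})

# Constructed certificate in the shape getpeercert() returns (hypothetical domains).
SAMPLE_CERT = {
    "subject": ((("commonName", "alpha-logistics.example"),),),
    "subjectAltName": (
        ("DNS", "alpha-logistics.example"),
        ("DNS", "www.alpha-logistics.example"),
        ("DNS", "*.beta-holdings.example"),
        ("DNS", "gamma-trading.example"),
        ("IP Address", "192.0.2.10"),
    ),
}

if __name__ == "__main__":
    # For a live site: cert = fetch_cert("www.example.com")
    print(other_domains(SAMPLE_CERT, "www.alpha-logistics.example"))
```

Certificates issued through CDNs and shared hosting providers can list the domains of unrelated customers, so check who issued and manages the certificate before reading shared names as common ownership.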
That’s it, good luck