The purpose of this post is to identify ways of getting more information about a company by researching its website. This post will address how to find the identities of people that own or manage a company website, get more information about them, learn about changes that occurred in a company over time, and find indications that a business is actually a shell company.
A quick note on shell companies’ websites: People that maintain shell companies often create websites for those companies to create the façade of a legitimate company. So the purpose of some of these techniques is to uncover evidence that the company does not exist.
You can look up U.S. companies in government databases. Company registrations are housed in U.S. state corporate registries, and you can search them all at once with opencorporates.com. You can also search for court records at judyrecords.com. Property records are located in county-level databases; you can find each individual database at blackbookonline.info/USA-Property.aspx.
Who Owns the Website Domain
“Who Is” Record. Domain names are publicly registered to the owner, (hopefully) with their name, contact info, and address listed. The owner of a company’s website domain is usually someone senior in the company or possibly the owner. The standard way to search is to use a website like who.is to look up the current registration, also known as the “who is” record.
Unfortunately, many websites (including the one in the example here) use a service to hide the identity of the domain owner. The screenshot above shows the Who Is record for a sample website. Notice that the record provides the name and contact information for a privacy service rather than the actual domain owner.
Historic Who Is Records. One way to get around this problem is to look up the past registrations for a domain because many people initially register with their own name before eventually using a service to hide it. Most websites that offer past whois registrations will require a fee. As of December 2020 the website Whoxy allows users to do a few free searches on past registrations.
Michael Bazzell suggests another method to get past domain registrations, on episode 139 of his podcast Privacy Security & OSINT Show, by using Internet archives. He suggests searching for the current registration with a common service like who.is, then taking the URL from the results page and searching for it in the Internet Archive or a similar site. In theory this would find the same webpage, but captured at a time in the past when the registration was different.
What Has Changed on The Website
A company’s website provides a snapshot of its status at that moment. But if you view that website and how it changes over time, you can see a history of the company. The changes in a website identify employees that arrived, departed, and/or changed positions. They also show the progression of the company, because its self-description and identified facilities change as the company grows, shrinks, or moves into different fields.
Generally, during a company’s history you can expect website changes to include company name and aliases, company description, location, addresses, contact details, industry, registration numbers, key people, clients, partners, and investors.
AIHIT monitors and documents changes in companies’ websites and specifically highlights those changes. If AIHIT disappears or starts to charge for this service, you can use the Internet archives archive.today and archive.org to view snapshots of a company website from different dates. You can also submit a website url to these archives in order to save a copy of the site from that time.
If you plan to continue watching the website for a little while, there are free tools like Distill, which will start monitoring the website for you and notify you when changes occur.
If you have to use the more manual approach of looking for website changes via an Internet archive, it is often useful to specifically look up the website’s current “about us” page or any other page within the site that identifies current staff. Open the current page in one tab and look at past iterations of the page in a second tab or window.
When was the website created?
There is an online tool that looks for historical evidence of a website and tries to find out when the site was created. It is a great idea to obtain the original whois record for the domain, but the following is a great alternative. Even if you can obtain the whois, this tool can provide a lot of useful information.
The tool is called Carbon Dating the Web (http://carbondate.cs.odu.edu/)
Carbon Dating the Web is a very interesting project by the Web Science and Digital Libraries group at Old Dominion University (specifically this department: https://ws-dl.cs.odu.edu/). The tool’s goal is to guess when a website was created, and the creators describe how this estimation process works in a post. (Thank you to @tools4reporters for originally highlighting this tool and bringing it to my attention.)
This tool will identify, if possible, the dates when the website first appeared in Twitter, Google, Bing, backlinks, and a few others. If it finds something, it will only give you a date, nothing else.
Carbon Dating the Web will also look for instances where the site was captured on the two internet archives archive.org and archive.is. If the tool finds instances when the website was captured and archived, it will identify the dates and list the URL for the archived site for you.
See the results below for the website Search-ish.com:
In the case of Search-ish.com it guessed July 17th 2020 (the true date was back in March). Not a bad guess for a new website. It only seemed to find results from two instances when internet archives captured the website. The earliest one is from July 17th 2020, which probably accounts for the estimated creation date of July 17th 2020 because that is the date of the earliest evidence of the site.
SIDE NOTE: If you need to try a second tool for this same kind of job, try Finitmus. According to the website Tools For Reporters, Finitmus is similar but maybe slightly less accurate than Carbon Dating the Web.
Find Email Addresses
If a company has a website, there is very likely at least one “work email address” for someone that works for the company. Even for a small company, the process of setting up a website often involves setting up an email for the company owner or someone involved in a company. This is a good lead for more information about who is behind the company.
Please Note: the purpose here is to find the company owner or someone linked to them so that you can learn about the company. This is not an invitation to stalk people working at the company.
You can usually find out if a website has any of these email addresses with an MX Lookup, which checks for the Mail Exchange (MX) record on the website server. The MX record tells incoming email messages where the mail server for that website is located, and it is generally required if these email addresses exist. If the record is not set up, the website probably does not have these email addresses.
Websites like MXtoolbox.com will run a lookup. You search for the URL of your website of interest, and if the search finds any results (which will be the names of servers), that means the record has been set up.
When you search for email addresses linked to the website, note that they will have the same domain as the website itself. These email addresses are generally not available on the Open Web (the part you can search with Google), so you probably will not find them with a search engine. Instead, you can use specialized tools like Normshield, Snov, and Hunter.
Once you find an email address, you can check whether it is associated with a professional profile by Googling the username (which is often based on the person’s real name). You can also check if the email is registered to a LinkedIn account by using a method created by Intelligence With Steve.
You can also look up whether the same person registered other websites, which implies a direct link to your company’s site. You can find these links with a reverse whois lookup, which means searching for any other whois records that list the same person’s email address or phone number. There are many sites that offer reverse whois lookups, such as View DNS Tools.
The site Exposing The Invisible provides more in-depth guidance on finding links between different websites, including a shared IP address or shared hosting company.
Check the Postal Address
The company’s address listed on its website is worth a quick check. The address listed on the website is specifically intended for the public, as compared to the registration which lists an address for legal purposes and therefore may be the address of the company’s lawyer or registration agent.
One can do a quick Google Maps search and Street View of a company’s address to confirm that it exists and maybe learn a bit about the size of the company.
Addresses for Shell Companies. For example, in A Deal with the Devil, the authors showed that a quick search of the address listed for a company on its website might reveal that the address does not exist. Or, a street view of the address showed that the address was real but no company existed there since it was an empty lot.
For example, the street view for one company, “9710 Traville Gateway Dr, 231” showed that the “231” was actually a P.O. Box, not an office.
Similarly, the Google Street View might reveal that the address is for a building that is a UPS store or U.S. Postal Service office, which means that the address is for a P.O. box. In other cases the address was for a registration agent (a registration agent can register a company and receive correspondence on behalf of the true owner).
You will know that an address is for a registration agent when you Google it and you see Google results for several other companies with the same address. While there are legitimate reasons for companies to use P.O. boxes and registration agents, it is important to recognize that these are common tactics for shell companies too.
Addresses for Real Companies. With the real companies, checking the address can be a quick way to confirm the company has a physical location and maybe pick up on tidbits about the company. For example, it is reflective of the size of the company if it owns a large building or a small office in a strip mall.
Registration. When you have the name and general location for a company, you can confirm its address, or find a new address as well, by looking up the company’s registration in OpenCorporates.com. The registration will provide the registered address for the company, in addition to other information including names of owners/registered agents and the company’s status.
Reverse Search Photos
Company websites often have photos of staff or of company sites and facilities. For a profile photo, one can search for the person or the background location to find more information.
A quick note about the basics of doing a reverse image search. A reverse image search refers to using a search engine to search for a specific image or similar ones on the internet. Most search engines will include that function and all you have to do is right click on a photo, copy, and paste it into a website or search engine’s reverse image search function.
Bellingcat.com created a great guide comparing the capabilities of different sites and concluded that Yandex is the best. Other sources agree with this assessment. Yandex will also let you crop a photo so you can focus your search on something specific, such as the face of your person of interest, rather than their background.
Other websites take this process a step further by offering different ways to alter the photo. Photoscissors.com and remove.bg will let you completely remove a background to heighten the focus on a person or object.
Additionally, theinpaint.com allows you to remove or blur out the person in a photo so you can search the background. Here are two quick examples:
By blurring out the person in this photo, it was possible to find that the person here…
…was standing here:
Searching for the location in the background of the photo can be useful when you only have the address of the company’s registration agent and you do not know anything about where the company or its personnel are actually located. A search is similarly useful when the website has photos that could be either of the actual business or stock photos. For example, sometimes there are photos of trucks driving or people talking (ostensibly some form of commerce is occurring). A reverse image search of these photos will quickly show if they are stock images, which means the photos are not proof that the company exists.
By searching for the person in the photo you can find additional websites where the same or a similar photo is used. You may find the same person on social media, resume hosting sites, alumni websites, board memberships, etc. This is particularly useful when the person’s different accounts have different usernames.
Alternatively, websites that are created for shell/fake companies often use a website software product designed for company websites. These products will include generic profile photos of models posing as employees for a fake example company. Shell companies will typically keep these photos to create the facade of real staff members.
You will be able to identify if this is the case if a reverse photo search of a profile leads to either 1) other websites for unrelated companies showing the same staff photos, or 2) an advertisement for the website software package. Keep in mind that this may also be merely evidence of laziness on the part of the website administrator rather than evidence of a shell company.
In a more interesting case, Jane Mayer of The New Yorker showed that a search on the background of the darkened profile photo for the alleged owner of “Surefire Intelligence” revealed the original photo before the person was darkened out of the photo.
In this case, the image search proved that the profile linked to the photo was fake. This profile photo was actually a darkened version of a photo of the real perpetrator behind what is now known to be the hoax Surefire Intelligence company. If this were a real company, the background could be evidence of the location.
Note that a separate post, How To Read Barcodes in Photos, addresses what to do if you see a photo with a barcode visible in it, on an ID badge for example.
Does the Domain Owner Have Other Websites?
People that run fake companies or fake company websites will often run several others at the same time. There are several ways to check if one website is run by a person that oversees many others, even if you do not know the person’s identity.
Google Analytics (and similar products, like AdSense). These products provide services for a website owner and enable them to oversee several websites at once. For our purposes, this is relevant because you can use the ID number assigned to an account holder to find all of the websites maintained on their account. Every website that is maintained under one account will have the Google Analytics ID written into its source code.
Source code for website with a Google Analytics ID
There are several tools like Spyonweb.com that will do the searching for you and find if a site has a Google Analytics ID and then check if there are other sites with the same ID. For example, we see below a screenshot of a search of the website OpenCorporates on Spyonweb.com. The results show that OpenCorporates is on the same Google Analytics account as two other websites.
Screenshot from a search in SpyOnWeb.com for the url “opencorporates.com”
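The ID matching that such tools perform can be reproduced on page source you have already saved. The following Python sketch is an added example, not part of the original post or any tool named here; the site names, IDs and page snippets are constructed, and the patterns assume the public ID formats (UA-account-property, ca-pub- plus 16 digits, G- measurement IDs). It goes slightly beyond the text by grouping Universal Analytics IDs on the account number, since properties UA-X-1 and UA-X-2 sit under the same account.

```python
import re
from collections import defaultdict

# Universal Analytics property ID: UA-<account>-<property index>.
UA_RE = re.compile(r"\bUA-(\d{4,10})-(\d{1,4})\b")
# AdSense publisher ID as it appears in ad snippets: ca-pub-<16 digits>.
PUB_RE = re.compile(r"\b(?:ca-)?pub-(\d{16})\b")
# GA4 measurement ID; it does not expose the account number.
GA4_RE = re.compile(r"\bG-[A-Z0-9]{8,12}\b")


def extract_ids(html):
    """Return the set of normalised tracking keys found in page source."""
    keys = set()
    for account, _prop in UA_RE.findall(html):
        # Key on the account number so sibling properties group together.
        keys.add("UA-" + account)
    for pub in PUB_RE.findall(html):
        keys.add("pub-" + pub)
    keys.update(GA4_RE.findall(html))
    return keys


def shared_ids(pages):
    """Map each tracking key to the sites using it, keeping keys seen on 2+ sites."""
    sites_by_key = defaultdict(set)
    for site, html in pages.items():
        for key in extract_ids(html):
            sites_by_key[key].add(site)
    return {k: sorted(v) for k, v in sites_by_key.items() if len(v) > 1}


# Constructed page sources (hypothetical sites and IDs).
SAMPLE_PAGES = {
    "acme-logistics.example": "<script>ga('create', 'UA-4455667-1', 'auto');</script>",
    "acme-holdings.example": "<script>ga('create', 'UA-4455667-3', 'auto');</script>"
                             '<ins data-ad-client="ca-pub-1234567890123456"></ins>',
    "quickloans.example": '<script src="https://pagead2.googlesyndication.com/pagead/js/'
                          'adsbygoogle.js?client=ca-pub-1234567890123456"></script>',
    "unrelated.example": "<script>gtag('config', 'G-ABCDE12345');</script>",
}

if __name__ == "__main__":
    for key, sites in sorted(shared_ids(SAMPLE_PAGES).items()):
        print(key, "->", ", ".join(sites))
```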
SSL certificates. These offer another way of checking for related websites. You can use a website like censys.io or shodan.io to look up a website’s SSL certificate and see if there are other domains for completely different websites on the same certificate.
An SSL certificate is a kind of digital certificate that provides website authentication (and it is responsible for the “s” in “https”). The way SSL certificates work is that every domain under one certificate will be owned by the same owner.
In order to check the certificate, go to censys or shodan and search for the company website’s URL. You will see the certificate identified in your results; then look up the certificate itself. The result for the certificate should have a section called “Names,” where you will find other domains under the same certificate. Here is a standard example:
See the screenshot below of an example, provided by osintcuro.us, of a more suspicious certificate with very different domains.
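The same “Names” check can be done directly against a site’s certificate. This Python sketch is an added example, not part of the original post; the certificate contents and domain names are constructed, and the short list of two-label suffixes is a simplification of the full Public Suffix List.

```python
import socket
import ssl
from collections import defaultdict

# Simplification: a short list of two-label public suffixes; a real check
# would use the full Public Suffix List.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.nz", "com.br", "co.za"}


def fetch_cert(host, port=443, timeout=5.0):
    """Fetch the server certificate as the dict ssl's getpeercert() returns."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def registrable_domain(name):
    """Reduce a DNS name (or wildcard) to its registrable domain."""
    labels = name.lower().lstrip("*.").rstrip(".").split(".")
    take = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-take:])


def domains_on_cert(cert):
    """Group the certificate's DNS names by registrable domain."""
    groups = defaultdict(list)
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            groups[registrable_domain(value)].append(value)
    return dict(groups)


def other_domains(cert, site):
    """Registrable domains on the certificate other than the site's own."""
    own = registrable_domain(site)
    return sorted(d for d in domains_on_cert(cert) if d != own)


# Constructed certificate in getpeercert() format (hypothetical names).
SAMPLE_CERT = {
    "subject": ((("commonName", "acme-logistics.example"),),),
    "subjectAltName": (
        ("DNS", "acme-logistics.example"),
        ("DNS", "www.acme-logistics.example"),
        ("DNS", "*.acme-holdings.example"),
        ("DNS", "shop.quickloans.co.uk"),
        ("IP Address", "192.0.2.10"),
    ),
}

if __name__ == "__main__":
    print(other_domains(SAMPLE_CERT, "www.acme-logistics.example"))
```

A certificate issued through a hosting or CDN provider can list domains belonging to unrelated customers, so treat extra names as a lead to corroborate with the other checks in this post.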
In this article I’ve shown some of the main techniques and tools for digging out information about a company that may help your investigations. Keep in mind that most of what you have learned can be used for other types of research too.
OSINT data, tools and means to access information are constantly growing and the ability to adapt the tools and techniques you have learned to your specific research needs is a crucial one.
For more techniques, information and ideas on OSINT corporate research, see “Overview of Corporate Research Articles”, which acts as an introduction to the topic and an index for the resources we isolated and described.