Media Coverage

Shadowserver in the news

Skimmer May Have Put NutriBullet Customers' Card Data at Risk for Nearly a Month

Dark Reading, March 19, 2020

Blender maker is the latest victim of Magecart. Blender manufacturer NutriBullet on Wednesday said it had identified and removed malicious code on its website that allowed attackers to steal data from customers entering payment card information on it when purchasing products. Researchers at RiskIQ, working in concert with ShadowServer and — two malware fighting nonprofits — instead took down the domain the attackers were using to store stolen credit card data.

How Microsoft Dismantled the Infamous Necurs Botnet

Wired, March 18, 2020
A years-long investigation and global cooperation disrupted one of the biggest botnets ever. At the height of its powers, Necurs was one of the most disruptive forces on the internet. A sort of Swiss Army botnet, over the years it has harnessed more than 9 million computers unwittingly under its control to send spam, distribute ransomware, attack financial institutions, and more. Last week, Microsoft pulled its plug. Necurs has been silent lately—its most recent significant activity petered out last March—but it still has 2 million infected systems awaiting its next command. By disrupting what remains of the botnet—in coordination with law enforcement and internet service providers across 35 countries, and with the help of cybersecurity firms like BitSight and ShadowServer—Microsoft has effectively prevented Necurs from rising again.

The Web’s Bot Containment Unit Needs Your Help

Brian Krebs, March 16, 2020

Anyone who’s seen the 1984 hit movie Ghostbusters likely recalls the pivotal scene where a government bureaucrat orders the shutdown of the ghost containment unit, effectively unleashing a pent-up phantom menace on New York City. Now, something similar is in danger of happening in cyberspace:, an all-volunteer nonprofit organization that works to help Internet service providers (ISPs) identify and quarantine malware infections and botnets, has lost its longtime primary source of funding.

Shadowserver has time and again been the trusted partner when national law enforcement agencies needed someone to manage the technical side of things while people with guns and badges seized hard drives at the affected ISPs and hosting providers.

Anyone interested in supporting that migration effort can do so directly here; Shadowserver’s contact page is here.

A Critical Internet Safeguard Is Running Out of Time

Wired, March 16, 2020

Keeping the internet safe may sometimes feel like a game of Whac-A-Mole, reacting to attacks as they arise, then moving on to the next. In reality, though, it’s an ongoing process that involves not just identifying threats but grabbing and retaining control of the infrastructure behind them. For years a small nonprofit called Shadowserver has quietly carried out a surprisingly large portion of that work. But now the organization faces permanent extinction in a matter of weeks.

There’s a pivotal scene in Ghostbusters in which Environmental Protection Agency inspector Walter Peck marches into the group’s headquarters, armed with a cease and desist order. “Shut this off,” Peck tells the utility worker accompanying him. “Shut this all off.” They cut power to the Ghostbusters’ protection grid, and all the ghosts are released. Think of Shadowserver as the internet’s protection grid.

Magecart and British Airways GDPR fine

Janet CSIRT, February 12, 2020

Janet CSIRT: “The largest UK GDPR fine was £183M in 2018 when the British Airways booking website was hit by Magecart credit card skimming code. @RiskIQ worked with and Shadowserver to take down the malicious domains”. “Listen to DarknetDiaries Episode 52: Magecart. Credit card skimming on your online purchases? Ya it’s happening. With the amazing and fearless @ydklijnsma from @RiskIQ.”

OWASP Amass: in-depth attack surface mapping and asset discovery

Andrea Fortuna, February 11, 2020

The OWASP Amass Project is tool developed to help information security professionals during the mapping process of attack perimeter. It allows DNS enumeration, attack surface mapping & external assets discovery, using open source information gathering and active reconnaissance techniques.

OWASP Amass tries to collect useful information including the following techniques: DNS, Scraping, Certificates, Web Archives and APIs.

  • APIs: AlienVault, BinaryEdge, BufferOver, CIRCL, CommonCrawl, DNSDB, GitHub, HackerTarget, IPToASN, Mnemonic, NetworksDB, PassiveTotal, Pastebin, RADb, Robtex, SecurityTrails, ShadowServer, Shodan, Spyse (CertDB & FindSubdomains), Sublist3rAPI, TeamCymru, ThreatCrowd, Twitter, Umbrella, URLScan, VirusTotal, WhoisXML

Ransomware Attacks Factor Honeypot

Duo Security, January 21, 2020

Me-Tech —a small prototyping company—was attacked several times over the space of seven months. The network was actually a honeypot consisting of real industrial control systems (ICS) hardware and a mix of physical hosts and virtual machines, set up by Trend Micro Research to mimic the operations of a small factory. The researchers monitored the attacks against the honeypot to determine how “knowledgeable and imaginative” attackers had to be to compromise a manufacturing operation, and to monitor firsthand what kind of attacks manufacturing companies dealt with on a regular basis. The threats didn’t come from sophisticated state-sponsored groups, but rather cybercriminals intent on fraud and financial gain. The researchers identified scanning traffic from 9,452 unique IP addresses, of which 610 were linked to scanners such as ip-ip, Rapid 7, Shadow Server, Shodan, and ZoomEye

CAIDA Spoofer

CAIDA, January 14, 2020

Seeking to minimize Internet’s susceptibility to spoofed DDoS attacks, we are developing and supporting open-source software tools to assess and report on the deployment of source address validation (SAV) best anti-spoofing practices. This project includes applied research, software development, new data analytics, systems integration, operations and maintenance, and an interactive analysis and reporting service.

We generate a summary report on the current “state” of Internet IP source address spoofing/filtering using data from an active measurement tool. Since 2015 when UCSD/CAIDA took over development and support of the spoofer infrastructure, we’ve collected data from 7468 autonomous systems in 207 countries. More details and published results from our research are also available. The CAIDA IP Spoofer report is highlighted by ShadowServer.

ProgrammableWeb's Most Clicked, Shared and Talked About APIs of 2019: Security and Privacy

ProgrammableWeb, January 3, 2020

ProgrammableWeb present the full list of the Most Clicked, Shared and Talked About APIs of 2019 in Security and Privacy, that piqued the interest of our readers, followers, and editors. Shadowserver is a non-profit, watchdog group of security professionals that gather, track, and report on malware, botnet activity, and e-fraud. The Shadowserver API provides a lookup mechanism to test an executable file against a list of known software applications. The details are serialized in JSON for integration with your application.

IntelMQ – Framework to Collect and Process Security Feeds

SecTechno, January 3, 2020

IntelMQ is a solution for IT security teams (CERTs & CSIRTs, SOCs, abuse departments, etc.) for collecting and processing security feeds (such as log files) using a message queuing protocol. It’s a community driven initiative called IHAP (Incident Handling Automation Project) which was conceptually designed by European CERTs/CSIRTs during several InfoSec events. Its main goal is to give to incident responders an easy way to collect & process threat intelligence thus improving the incident handling processes of CERTs. Current supported feeds include: ShadowServer.