Media Coverage

Shadowserver in the news

International hacker-for-hire jailed for cyber attacks on Liberian telecommunications provider

NCA, January 14, 2019

A British cyber criminal has been sentenced to two years and eight months for conducting attacks that disrupted a Liberian telecommunications provider, resulting in losses estimated at tens of millions of US dollars. The 30-year-old expert hacker was hired by a senior official at Cellcom, a rival Liberian network provider, and paid a monthly retainer. From September 2016, Kaye used his own Mirai botnet, made up of a network of infected Dahua security cameras, to carry out consistent attacks on Lonestar. In November 2016, the traffic from Kaye’s botnet was so high in volume that it disabled internet access across Liberia.

FBI swats down massive, botnet-fueled ad fraud operation

SC Magazine, November 28, 2018

With a heavy assist from private-sector cybersecurity and tech organizations, the FBI has dismantled a highly complex fraud network responsible for generating billions upon billions of fake online ad placements.In conjunction with the takedown, the U.S. Department of Justice yesterday announced a 13-count indictment filed against eight individuals, each a resident of either Russia, Ukraine or Kazakhstan. Charges include wire fraud, money laundering conspiracy, aggravated identity theft, and conspiracy to commit computer intrusions. Collectively known as 3ve (pronounced “Eve”), the cybercriminal operation had fraudulently earned at least $36 million in ad view revenues since 2014, largely with the help of global botnets composed of machines infected with either Kovter or Boaxxe/Miuref malware.

FBI dismantles gigantic ad fraud scheme operating across over one million IPs

ZDNet, November 28, 2018

The FBI, Google, and 20 tech industry partners have collaborated to take down a giant cyber-criminal network involved in generating fake ad views and clicks that have been used to defraud ad networks and advertisers for the past four years and make millions in illicit revenue for the scheme’s perpetrators. Some of the infosec and ad industry’s biggest players were invited, such as Microsoft, ESET, Symantec, Proofpoint, Trend Micro, F-Secure, Malwarebytes, CenturyLink, MediaMath, White Ops, Amazon, Adobe, Trade Desk, Oath, The Shadowserver Foundation, and the National Cyber-Forensics and Training Alliance.

Industry collaboration leads to takedown of the “3ve” ad fraud operation

Google, November 27, 2018

Last year, we identified one of the most complex and sophisticated ad fraud operations we have seen to date, working with cyber security firm White Ops, and referred the case to law enforcement. Today, the U.S. Attorney’s Office for the Eastern District of New York announced criminal charges associated with this fraud operation. This takedown marks a major milestone in the industry’s fight against ad fraud, and we’re proud to have been a key contributor.

Inside Magecart: RiskIQ and Flashpoint Release Comprehensive Report on Cybercrime and the Assault on E-Commerce

RiskIQ, November 13, 2018

In a brand new RiskIQ and Flashpoint joint report, ‘Inside Magecart,‘ we build a timeline of the Magecart phenomenon from the inception of digital credit-card skimming—its evolution from a Cart32 shopping cart software backdoor to Magecart’s current all-out assault on e-commerce that compromises thousands of sites directly and via breaches of third-party suppliers. We’ll also profile the six leading Magecart groups along with notable related unclassified threat groups, highlighting their skimmers, tactics, targets, and what makes them unique. As we felt it was not our position to ingest this data, we partnered with two non-commercial organizations, AbuseCH and Shadowserver, which perform the sinkholing and reporting. We are merely a data provider; they do the heavy lifting.

How Magecart groups are stealing your card details from online stores

ZDNet, November 13, 2018

A joint report released today by cyber-security firms RiskIQ and Flashpoint provides a 60-page deep technical dive into the activities of several cyber-criminal groups that have been active in the past three years hacking online stores to secretly log and steal payment card details entered inside checkout forms. The report refers to these hacks and cyber-criminal groups using the term Magecart. RiskIQ, the company that’s been tracking most of these attacks since 2015, says it’s currently working with AbuseCH and the Shadowserver Foundation to take down the server infrastructure of most of these groups.

7 places to find threat intel beyond vulnerability databases

CSO Online, October 26, 2018

National Vulnerability Databases (NVDs) can be slow and miss things. Use these sources to supplement your threat and vulnerability intelligence efforts.

Sinkholes and Internet Hygiene

Abuse.CH, September 13, 2018

Keeping the Internet hygiene good can be challenging. There is a lot of badness around, harming not only internet users, organisations or corporate networks but also services that rely on the internet and sometimes even the integrity and stability of the internet itself. It is therefore essential to keep a certain level of internet hygiene. Among other things, internet services providers (ISPs) and national computer emergency response teams (CERTs) try to achieve that by collecting information about infected computers (so-called “bots”) in order to notify the associated broadband subscriber or network owner about compromised machines. To deliver information about infected machines to network owners and national CERTs, partners with Shadowserver and Spamhaus.

Andromeda Botnet Operator Released With a Slap on the Wrist

Bleeping Computer, August 27, 2018

Sergey Yarets, also known as Ar3s, a hacker arrested last year for running an instance of the Andromeda botnet, was released by Belarusian authorities with nothing more than a slap on the wrist. Authorities dropped all charged after Yarets cooperated with investigators, and after he handed over all the profits he made from renting the Andromeda botnet to other cybercriminals. The sum accounted to around 11,000 Belarusian rubles (~$5,400).

Israel cyber week: A tale of persistence

SC Magazine, July 19, 2018

In an amusingly told, but ultimately worrying presentation Mirko Manske, first detective chief inspector from the German Federal Criminal Police Office detailed how he – and a cast of what seemed like thousands, tracked down and ultimately incarcerated the cyber-criminal who caused telecom services to crash for 1.2 million Deutsche Telekom users.