Media Coverage

Shadowserver in the news

Not all Roads Lead to Magento: All Payment Platforms are Targets for Magecart Attacks

RiskIQ, May 1, 2019

With our internet-wide telemetry, RiskIQ has discovered some of the most significant Magecart attacks ever carried out. These involved a host of different tools and tactics including several different inject types, skimmers of varying sophistication, and countless intrusion methods. But for every Magecart attack that makes headlines, we detect thousands more that we don’t disclose. A considerable portion of these lesser-known breaches involves third-party payment platforms. The most notorious of these payment platforms is Magento. RiskIQ’s first blog post on Magecart introduced it as a new breed of threat centered around attacks on Magento, and recent developments show that stores running Magento are still a prime target for skimming groups. Considering the frequency with which Magecart groups target Magento, many security professionals associate Magecart (and web skimming in general) with Magento. The domain has been taken offline as part of this publication. We would like to thank AbuseCH and the Shadowserver Foundation for their continued support on these actions.

Open DNS resolver vulnerability alert

Virgin Media, April 19, 2019

You may have recently received a letter and/or email from Virgin Media explaining that we have been notified that a device on your network has a vulnerability known as an Open DNS Resolver. If you have received such a communication from us, read the advice given on this page to help resolve the issue. Note: This article is intended to provide advice. We suspect a device connected to your home network may have an open DNS resolver vulnerability. For more information on these reports please visit

FIRST/TF-CSIRT: The Changing Face of Cybersecurity

Internet Society, February 21, 2019

The ShadowServer Foundation is an organisation of volunteers that gathers and analyses data on botnets and malware propagation. The collected data is sent to National CSIRTs and network owners via a daily free remediation feed, and has been used to support law enforcement investigations. The talk by Piotr Kijewski focused on how ShadowServer operates, what data it collects, and its achievements in taking down botnets.

Botnet Infects Half a Million Servers to Mine Thousands of Monero

Coindesk, February 2, 2019
More than half a million machines have been hijacked by a cryptocurrency miner botnet, forcing them to mine nearly 9,000 monero tokens (worth roughly $3.6 million), according to a new report. The Smominru botnet, which infected more than 526,000 Windows servers at its peak, has been used to mine 8,900 monero tokens since it first started appearing in May 2017,

Smominru Monero mining botnet making millions for operators

Proofpoint, January 30, 2019

Recently, Proofpoint researchers have been tracking the massive Smominru botnet, the combined computing power of which has earned millions of dollars for its operators. With the help of and the ShadowServer Foundation, we conducted a sinkholing operation to determine the botnet size and location of the individual nodes. The botnet includes more than 526,000 infected Windows hosts, most of which we believe are servers. These nodes are distributed worldwide but we observed the highest numbers in Russia, India, and Taiwan.

Advertising network compromised to deliver credit card stealing code

ZDNet, January 16, 2019

A Paris-based online advertising company was hacked, and its infrastructure used to deliver malicious JavaScript code to online stores, code that was designed to steal payment card details entered in checkout pages. Last year, one group that RiskIQ tracked as Magecart Group 5, pioneered this tactic and was responsible for hacks at 12 third-party companies, hacks through which Group 5 delivered its malicious card stealing code to thousands of online store. Now, RiskIQ says that a new group, which they’re tracking as Magecart Group 12, appears to have copied Group 5’s modus operandi and has breached Adverline to exploit its infrastructure in a similar fashion. RiskIQ says it’s been working with AbuseCH and the ShadowServer Foundation to take down Group 12’s server infrastructure, which appears to have been set up two months before the Adverline hack, in September 2018.

Top UK hacker-for-hire jailed

Computer Weekly, January 14, 2019

Notorious British hacker-for-hire jailed for cyber attacks on a Liberian telco after an international criminal justice operation. British cyber criminal Daniel Kaye has been jailed for two years and eight months for attacks that took Liberia offline and severely disrupted a Liberian telecommunications provider, resulting in losses estimated at tens of millions of dollars.

International hacker-for-hire jailed for cyber attacks on Liberian telecommunications provider

NCA, January 14, 2019

A British cyber criminal has been sentenced to two years and eight months for conducting attacks that disrupted a Liberian telecommunications provider, resulting in losses estimated at tens of millions of US dollars. The 30-year-old expert hacker was hired by a senior official at Cellcom, a rival Liberian network provider, and paid a monthly retainer. From September 2016, Kaye used his own Mirai botnet, made up of a network of infected Dahua security cameras, to carry out consistent attacks on Lonestar. In November 2016, the traffic from Kaye’s botnet was so high in volume that it disabled internet access across Liberia.

FBI swats down massive, botnet-fueled ad fraud operation

SC Magazine, November 28, 2018

With a heavy assist from private-sector cybersecurity and tech organizations, the FBI has dismantled a highly complex fraud network responsible for generating billions upon billions of fake online ad placements.In conjunction with the takedown, the U.S. Department of Justice yesterday announced a 13-count indictment filed against eight individuals, each a resident of either Russia, Ukraine or Kazakhstan. Charges include wire fraud, money laundering conspiracy, aggravated identity theft, and conspiracy to commit computer intrusions. Collectively known as 3ve (pronounced “Eve”), the cybercriminal operation had fraudulently earned at least $36 million in ad view revenues since 2014, largely with the help of global botnets composed of machines infected with either Kovter or Boaxxe/Miuref malware.

FBI dismantles gigantic ad fraud scheme operating across over one million IPs

ZDNet, November 28, 2018

The FBI, Google, and 20 tech industry partners have collaborated to take down a giant cyber-criminal network involved in generating fake ad views and clicks that have been used to defraud ad networks and advertisers for the past four years and make millions in illicit revenue for the scheme’s perpetrators. Some of the infosec and ad industry’s biggest players were invited, such as Microsoft, ESET, Symantec, Proofpoint, Trend Micro, F-Secure, Malwarebytes, CenturyLink, MediaMath, White Ops, Amazon, Adobe, Trade Desk, Oath, The Shadowserver Foundation, and the National Cyber-Forensics and Training Alliance.