Media Coverage

Shadowserver in the news

International Operation Dismantles Cyber-Criminal Network Targeting America from Europe

Conservative Daily News, May 16, 2019

A complex transnational organized cybercrime network that used GozNym malware in an attempt to steal an estimated $100 million from unsuspecting victims in the United States and around the world has been dismantled as part of an international law enforcement operation. GozNym infected tens of thousands of victim computers worldwide, primarily in the United States and Europe. The operation was highlighted by the unprecedented initiation of criminal prosecutions against members of the network in four different countries as a result of cooperation between the United States, Georgia, Ukraine, Moldova, Germany, Bulgaria, Europol and Eurojust. Other agencies and organizations partnering in this effort include the United States Secret Service, the National Cyber-Forensics and Training Alliance (NCFTA) in Pittsburgh and the Shadowserver Foundation.

GozNym Cyber-Criminal Network Operating out of Europe Targeting American Entities Dismantled in International Operation

US Department of Justice, May 16, 2019

A complex transnational organized cybercrime network that used GozNym malware in an attempt to steal an estimated $100 million from unsuspecting victims in the United States and around the world has been dismantled as part of an international law enforcement operation.  GozNym infected tens of thousands of victim computers worldwide, primarily in the United States and Europe.  The operation was highlighted by the unprecedented initiation of criminal prosecutions against members of the network in four different countries as a result of cooperation between the United States, Georgia, Ukraine, Moldova, Germany, Bulgaria, Europol and Eurojust. Other agencies and organizations partnering in this effort include the United States Secret Service, the National Cyber-Forensics and Training Alliance (NCFTA) in Pittsburgh and the Shadowserver Foundation.

Magecart Supply-chain Frenzy Continues With AppLixir, RYVIU, OmniKick, eGain, AdMaxim, CloudCMS & Picreel

RiskIQ, May 14, 2019

Last weekend, security researchers surfaced new supply-chain attacks involving Magecart web-skimmers placed on several web-based suppliers, including AdMaxim, CloudCMS, and Picreel. The breaches were part of a large-scale attack that hit a breadth of providers simultaneously intending to access as many websites as possible.

Web-based supply-chain attacks, which compromise vendors that supply code that adds or improves website functionality, gives attackers access to a wide range of victims at once because the compromised code often integrates with thousands of sites. In this blog, we’ll break down the Magecart skimming activity on these seven providers and detail when and how the compromises occurred, including how some of them could have been far worse.

The same skimmer was used for attacks against both services, which indicates it was the same Magecart Group. The exfiltration domain where stolen card data would have been sent was font-assets.com, which is associated with ww1-filecloud.com, another domain owned by the same attackers.

Both domains have been taken down and/or sinkholed with the help of Abuse.CH and the Shadowserver Foundation.

Mirrorthief Group Uses Magecart Skimming Attack to Hit Hundreds of Campus Online Stores in US and Canada

TrendMicro, May 9, 2019

We uncovered a recent activity involving the notorious online credit card skimming attack known as Magecart. The attack, facilitated by a new cybercrime group, impacted 201 online campus stores in the United States and Canada.

We started detecting the attacks against multiple campus store websites on April 14, during which the sites were injected with a malicious skimming script (detected by Trend Micro as Trojan.JS.MIRRORTHEIF.AA) at their payment checkout pages.

With special thanks to our colleagues at abuse.ch and The Shadowserver Foundation for helping with the sinkholing of Mirrorthief’s malicious domain and remediation reporting.

When "Customers" Attack DNS

Security Boulevard, May 8, 2019

Akamai DNS Team: Be real. A Communications Service Provider’s (CSP’s) customer will not use their home to attack the Domain Name System (DNS). They might as well unplug from the Internet. Yet, customers get infected, CPEs get violated, and miscreants all over the Internet reflect attacks off CSP customers to attack others. This abuse happens every day. It is part of the “noise” of the Internet. It is also a major threat to the Internet. What does a CSP do when 30% of their customers are infected with malware?  The good news for CSPs is that organizations like CyberGreen and Shadowserver Foundation provide infection data and metrics as a public service.

Magecart Group 12 Targets OpenCart Websites

Bleeping Computer, May 2, 2019

Gangs using malicious JavaScript code to steal payment info target multiple online shopping platforms used by thousands of small stores; more advanced ones rely on tactics to remain undetected for a longer period. Generically known as Magecart because the Magento payment platform is a frequent target, the web skimming scripts are injected on checkout pages and collect credit and debit card details when customers pay for an order. In a report today, RiskIQ researcher Yonathan Klijnsma details a large-scale operation Magecart Group 12 led against OpenCart online stores. It used stealth tactics to keep its activity under the radar and pilfer as much payment info as possible. The domain used by the attacker is no longer active as RiskIQ together with AbuseCH and the Shadowserver Foundation took it offline.

Not all Roads Lead to Magento: All Payment Platforms are Targets for Magecart Attacks

RiskIQ, May 1, 2019

With our internet-wide telemetry, RiskIQ has discovered some of the most significant Magecart attacks ever carried out. These involved a host of different tools and tactics including several different inject types, skimmers of varying sophistication, and countless intrusion methods. But for every Magecart attack that makes headlines, we detect thousands more that we don’t disclose. A considerable portion of these lesser-known breaches involves third-party payment platforms. The most notorious of these payment platforms is Magento. RiskIQ’s first blog post on Magecart introduced it as a new breed of threat centered around attacks on Magento, and recent developments show that stores running Magento are still a prime target for skimming groups. Considering the frequency with which Magecart groups target Magento, many security professionals associate Magecart (and web skimming in general) with Magento. The domain batbing.com has been taken offline as part of this publication. We would like to thank AbuseCH and the Shadowserver Foundation for their continued support on these actions.

Open DNS resolver vulnerability alert

Virgin Media, April 19, 2019

You may have recently received a letter and/or email from Virgin Media explaining that we have been notified that a device on your network has a vulnerability known as an Open DNS Resolver. If you have received such a communication from us, read the advice given on this page to help resolve the issue. Note: This article is intended to provide advice. We suspect a device connected to your home network may have an open DNS resolver vulnerability. For more information on these reports please visit dnsscan.shadowserver.org

FIRST/TF-CSIRT: The Changing Face of Cybersecurity

Internet Society, February 21, 2019

The ShadowServer Foundation is an organisation of volunteers that gathers and analyses data on botnets and malware propagation. The collected data is sent to National CSIRTs and network owners via a daily free remediation feed, and has been used to support law enforcement investigations. The talk by Piotr Kijewski focused on how ShadowServer operates, what data it collects, and its achievements in taking down botnets.

Botnet Infects Half a Million Servers to Mine Thousands of Monero

Coindesk, February 2, 2019

More than half a million machines have been hijacked by a cryptocurrency miner botnet, forcing them to mine nearly 9,000 monero tokens (worth roughly $3.6 million), according to a new report. The Smominru botnet, which infected more than 526,000 Windows servers at its peak, has been used to mine 8,900 monero tokens since it first started appearing in May 2017,