www.criminalip.io
2606:4700:10::ac43:84a  Public Scan

URL: https://www.criminalip.io/en
Submission: On August 06 via manual from US — Scanned from DE

Form analysis 1 forms found in the DOM

<form class="form">
  <div class="searchStyle__SearchInputWrap-sc-r3o27t-5 hpsDNa SearchInputWrap "><input data-role="inputbox" maxlength="100" placeholder="Try to search assets with the following filter examples below" autocomplete="off" name="query"
      class="searchStyle__SearchInput-sc-r3o27t-6 bXBZZK" value=""><button id="SearchButton" type="submit" title="search" class="searchStyle__SearchButton-sc-r3o27t-7 hMvWBr"></button></div>
</form>

Text Content

Cybersecurity Search Engine | Criminal IP

SEARCH FOR INFORMATION ON EVERYTHING CONNECTED TO THE PUBLIC INTERNET.



Top 10 Keyword / IP

Rank  Keyword                     IP
 1    webcam                      1.116.181.211
 2    IP Camera                   220.73.175.201
 3    webcamxp                    191.57.35.232
 4    hilton.com                  74.14.3.4
 5    "hipcam realserver"         37.44.238.203
 6    SSH-2.0_OpenSSH_9.1         211.238.135.103
 7    netwave                     94.152.43.16
 8    camera                      123.9.43.209
 9    ' src="/jquery.min.js'      15.207.14.216
10    "authinfo"                  156.56.40.79

Search types: Asset, Domain, Image, Certificate, Exploit


CYBERSECURITY REPORT

2023.06.30
CRIMINAL IP PARTNER PROGRAM | JOIN US AS A CYBER SECURITY SALES PARTNER!
Criminal IP is actively seeking a partner to enhance customers’ security network
with advanced threat intelligence. We are committed to building a global network
of partners that can provide various security solutions to address the dynamic
challenges of cybersecurity.

2023.06.14
ORACLE WEBLOGIC RCE VULNERABILITY: CVE-2023-21839
In this article, we will cover the latest vulnerability of Oracle’s WebLogic
Server, which is one of the serious remote code vulnerabilities. CVE-2023-21839,
which targets WebLogic Server, a Java web application server developed by
Oracle, was first mentioned about three months ago as a vulnerabilit

2023.06.01
ATXSG 2023 | AI SPERA DEMONSTRATES AI-POWERED SECURITY SOLUTIONS IN SINGAPORE
AI SPERA, a leading provider of AI-driven security solutions, is returning to
Asia Tech x Singapore (ATxSG) 2023 for the second time to demonstrate its
advanced AI-powered Attack Surface Management solution. Following the success of
its participation in the Singapore Fintech Festival 2022 and previo

2023.03.31
THE ALARMING RISE OF ILLEGAL HIDDEN CAMERAS: UNCOVERING ILLEGAL HIDDEN CAMERAS
WITH CRIMINAL IP
Illegal hidden cameras, also known as ‘spy cameras,’ are one of the most serious
issues not only in Korea but also in the world. The volume of leaked videos per
day is alarmingly high. You may have been left speechless at least once while
watching the cunning methods of recording and disseminating t

2023.03.10
CAUSE OF THE GANGNAM PLASTIC SURGERY CCTV LEAK, 400,000 IP CAMERAS EXPOSED TO
THE INTERNET
On March 7, a CCTV leak occurred at a plastic surgery clinic in Gangnam, South
Korea. The leaked video was posted on an Internet community, with about 31
videos showing 30 female victims. As some celebrities are among the victims, the
case has become more of an issue. Part of the leaked Gangnam plas

2023.02.24
MORE THAN 3,700 ESXIARGS RANSOMWARE INFECTED SERVERS FOUND
ESXiArgs ransomware is a new ransomware that takes advantage of the Heap
Overflow vulnerability of OpenSLP services used on VMware ESXi servers. The
vulnerability, also known as CVE-2021-21974, enables Remote Code Execution (RCE)
attacks, which have been exploited by many threat actors and discovere



CRIMINAL IP SEARCH TIP


CHILEAN ARMY DOCUMENTS LEAK: EXPLOITING COBALT STRIKE WITH RHYSIDA RANSOMWARE

Last month, the Chilean Army (Ejército de Chile) suffered a leak of military
documents to the dark web in a Cobalt Strike ransomware attack known as Rhysida.
The Rhysida ransomware gang stole 360,000 documents, about 30% of the documents
on the Chilean Army’s network, and exposed the stolen files on its dark web data
breach site. The ransomware is presumed to have entered the network through a
phishing attack followed by deployment of Cobalt Strike as the C2 framework.
When the malware used in the attack is executed, a PDF ransom note called
“CriticalBreachDetected.pdf” is displayed and the user’s files are encrypted.
Since military documents are sensitive information equivalent to state secrets,
this case shows the severity of ransomware delivered through Cobalt Strike and
misused C2 servers.

Cobalt Strike, covered in the previous article on how to detect Cobalt Strike
malware, is a commercial penetration testing tool originally built for setting
up a C2 server. Because it makes building a custom C2 server easy, it is also
frequently abused in ransomware and PC infection attacks. On the OSINT
cybersecurity search engine Criminal IP, you can find IP addresses infected
through abused Cobalt Strike instances and check the detailed reasons why an IP
address is rated a “Critical” risk. In this article, we cover malware that
abused Cobalt Strike and C2 servers, such as Rhysida ransomware, and the IP
addresses infected by it.

Detecting IP Addresses Infected With Cobalt Strike Ransomware and Malware

When you search for Cobalt Strike with a tag search in Criminal IP, botnets
commonly used on C2 servers are identified.

Search query: tag: cobalt strike
https://criminalip.io/en/asset/search?query=tag%3A+cobalt+strike
Search results of “tag: cobalt strike” on the Threat Intelligence search engine Criminal IP

You can see that most of the search results show both the Inbound and Outbound
scores as “Critical”. Of course, using Cobalt Strike alone does not make an IP
address dangerous; its score is determined from a combination of information.
For example, IP addresses identified as malicious by reputation sources such as
Snort rules or MISP are likely to be associated with malware that abused Cobalt
Strike. Moreover, by adding the filter “snort_rule: C2” to “tag: cobalt strike”
in your search, you can find IP addresses whose malicious network activity
corresponds to abuse of C2 servers.

Search query: tag: cobalt strike snort_rule: C2
https://www.criminalip.io/en/asset/search?query=tag%3A+cobalt+strike+snort_rule%3A+C2
Search results of “tag: cobalt strike snort_rule: C2” on the Threat Intelligence search engine Criminal IP

Details of IP Addresses Infected With Cobalt Strike Ransomware and Malware

To check the IP addresses infected with Cobalt Strike ransomware and malware in
more detail, we clicked on one of the search results to view its details. You
can verify that the external reputation information mentioned above was also
detected at that IP address: Snort IDS (Intrusion Detection System) signatures
detected access to the Cobalt Strike C2 server.
Cobalt Strike C2 server detected by Snort IDS (Intrusion Detection System)

Also, since the IP address has a history of being linked to a phishing domain,
the Connected Domain and Abuse Record sections confirm that the IP address is
associated with illegal activities and illicit services.
IP address infected with Cobalt Strike malware that has a history of being connected to a phishing domain

Furthermore, the open port banners found at the IP address show that a beacon
communicating over HTTP and HTTPS was detected. A beacon is the agent that
executes Cobalt Strike’s attack commands and can be regarded as the actual
malicious code.
Open ports on which the Cobalt Strike beacon malware was detected

Preventing Cobalt Strike Ransomware and Malware Through Threat Intelligence Integration

If an IP address infected with Cobalt Strike ransomware and malware is
blacklisted by an authorized security agency or service provider, access to that
IP address can be detected and blocked by linking the blacklist database to a
firewall or an existing security solution. However, a newly infected IP address
that has not yet been blacklisted may be hard to block even when the blacklist
database is linked.

Criminal IP’s threat intelligence (TI), on the other hand, not only provides the
existing blacklist information but also adds newly infected and malicious IP
addresses that are not on existing blacklists through real-time analysis.
Integrating Criminal IP’s TI data into a security solution already in use, such
as a firewall, IPS, or SOAR, can therefore be highly effective in blocking
outbound access to sites and IP addresses infected with Cobalt Strike
ransomware, even when they are not yet registered in a blacklist database.

Please refer to our video on detecting servers infected with Cobalt Strike
malware (botnet servers) for more information.

Source: Criminal IP (https://www.criminalip.io)
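The threat-intelligence integration described above, as an added example that is not Criminal IP's own code: a static blacklist is combined with a per-IP TI record so that a newly infected address the blacklist does not yet carry is still blocked, while a weaker signal (a Cobalt Strike tag with no IDS confirmation) is routed to review instead of being dropped silently. The TI records are constructed; their top-level fields (ip, score.inbound, score.outbound, country) follow the API response excerpt at the bottom of this page, while the tags, ids_hits and abuse_records fields, the 90-point “Critical” threshold and the iptables rendering are assumptions of the example.

```python
"""Blacklist plus real-time TI decision for outbound traffic.

Added example, not Criminal IP's own code.  The TI records below are
constructed.  Their top-level shape (ip, score.inbound, score.outbound,
country) follows the response excerpt shown on the page; the "tags",
"ids_hits" and "abuse_records" fields and every threshold are assumptions
of this example, not documented API fields.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

# Policy knob (assumed): a score at or above this is treated as "Critical".
CRITICAL_SCORE = 90

# Static blacklist (constructed): the one address already known to be infected.
STATIC_BLACKLIST = {"198.51.100.23"}

# Constructed TI records (TEST-NET addresses, not real hosts).  In a live
# integration these would be fetched from the TI provider's API instead.
TI_RECORDS = {
    # Known-bad host that is also on the static blacklist.
    "198.51.100.23": {"ip": "198.51.100.23", "country": "xx",
                      "score": {"inbound": 100, "outbound": 100},
                      "tags": ["cobalt strike"], "ids_hits": ["C2"], "abuse_records": 3},
    # Newly infected host: not blacklisted yet, but TI already flags it.
    "203.0.113.77": {"ip": "203.0.113.77", "country": "xx",
                     "score": {"inbound": 40, "outbound": 95},
                     "tags": ["cobalt strike"], "ids_hits": ["C2"], "abuse_records": 0},
    # Host tagged as running Cobalt Strike but with no IDS or abuse evidence.
    "192.0.2.55": {"ip": "192.0.2.55", "country": "xx",
                   "score": {"inbound": 40, "outbound": 40},
                   "tags": ["cobalt strike"], "ids_hits": [], "abuse_records": 0},
    # Clean host.
    "203.0.113.10": {"ip": "203.0.113.10", "country": "de",
                     "score": {"inbound": 0, "outbound": 0},
                     "tags": [], "ids_hits": [], "abuse_records": 0},
}


@dataclass
class Verdict:
    ip: str
    action: str                      # "block", "review" or "allow"
    reasons: list[str] = field(default_factory=list)


def assess(ip: str, blacklist=STATIC_BLACKLIST, ti=TI_RECORDS,
           critical: int = CRITICAL_SCORE) -> Verdict:
    """Combine the static blacklist with the TI record for one address."""
    ipaddress.ip_address(ip)  # reject garbage before it can reach a firewall rule
    block, review = [], []
    if ip in blacklist:
        block.append("on static blacklist")
    rec = ti.get(ip)
    if rec is not None:
        score = rec.get("score", {})
        for direction in ("inbound", "outbound"):
            value = score.get(direction, 0)
            if value >= critical:
                block.append(f"{direction} score {value} >= {critical}")
        tagged = "cobalt strike" in rec.get("tags", [])
        c2_seen = "C2" in rec.get("ids_hits", [])
        if tagged and c2_seen:
            block.append("cobalt strike tag confirmed by IDS C2 signature")
        elif tagged:
            review.append("cobalt strike tag without IDS confirmation")
        if rec.get("abuse_records", 0) > 0:
            review.append(f"{rec['abuse_records']} abuse record(s)")
    if block:
        return Verdict(ip, "block", block + review)
    if review:
        return Verdict(ip, "review", review)
    return Verdict(ip, "allow", [])


def outbound_block_rules(ips) -> list[str]:
    """Render iptables commands for every address whose verdict is 'block'."""
    return [f"iptables -A OUTPUT -d {v.ip} -j DROP"
            for v in (assess(ip) for ip in ips) if v.action == "block"]


if __name__ == "__main__":
    for addr in TI_RECORDS:
        v = assess(addr)
        print(f"{v.ip:15} {v.action:6} {'; '.join(v.reasons)}")
    print("\n".join(outbound_block_rules(TI_RECORDS)))
```

Run as a script it prints one verdict per constructed record followed by the two DROP rules; the point of the design is that 203.0.113.77 is blocked on TI evidence alone, which a blacklist-only integration would miss.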

2023.07.27
Search

HOW TO BE SAFE FROM GOOGLE ADS SCAMS (METAMASK PHISHING SITE)

With its unrivaled search algorithm, Google holds 92% of the global search
engine market and is favored by many internet users. Consequently, websites
placed at the top of search results by Google’s algorithm are visited by tens of
thousands or even millions of Google users a day. Google is constantly improving
its algorithm to exclude malicious or phishing sites from top placement. Still,
cyber attackers skillfully abuse Google’s ranking logic so that as many victims
as possible visit malicious websites. Among these, phishing attacks that abuse
Google Ads are a malicious attack method that continues to increase.

Recently, the security news site Bleeping Computer reported that Bitwarden
password vaults were targeted in Google Ads phishing attacks to steal users’
credentials. There have been many other phishing and fraud attacks on search
engine users that exploited Google Ads, yet such cleverly crafted fake sites
keep appearing at the top of Google search results without appropriate
measures.

MetaMask Phishing Sites on Google Search Ads

MetaMask is a popular cryptocurrency wallet provider with more than 3 million
monthly visitors. Many users reach the MetaMask website through the Google
search engine. Searching for ‘MetaMask’ or ‘MetaMask Wallet’ on Google, you
would naturally expect MetaMask’s official website to appear. If the top result
had an entirely different title or description, users would scroll to find the
website they want; but what if the search result shows the same title and
description as the official site?

In fact, MetaMask Google Ads phishing incidents have been reported several times
since 2020. After the phishing site’s ads are blocked, the attacker continues
the attack by placing ads with a new domain after some time. Let’s look at a
case of a MetaMask Google Ads scam we found in Google search results in Korea.
As shown in the image below, if you enter “메타 마스크,” which means MetaMask in
Korean, into the Google search box, a website titled MetaMask is displayed with
an “Ad” mark at the top of the search results.
Google search results for “메타 마스크” (MetaMask in Korean): the Google Ad is shown first

Google users could click on the site shown at the top with little doubt,
expecting to reach MetaMask. However, the link leads to a fake website, not the
official MetaMask website, as shown below.
Screenshot of a fake MetaMask website shown at the top of Google search results

Can users who click on Google search ads notice anything strange after landing
on the site? It is hard. Compared with the actual MetaMask website, the favicon,
title, and web UI/UX are all identical. The only thing that is bound to differ
from the official website is the URL. The Google Ads phishing site uses the URL
mètamaśk[.]com to look as similar as possible to the real one. At first glance
it is difficult to distinguish from the actual website URL, metamask.io, but on
closer inspection ‘è’ and ‘ś’ are used instead of ‘e’ and ‘s.’

How to Identify a Phishing Site in Google Search Ads

As in the MetaMask case above, threat actors are actively exploiting Google Ads
for phishing attacks. One way to distinguish plausible phishing sites at the top
of Google search results is to connect directly and compare elements that cannot
be reproduced, such as the URL. However, using a URL scanner such as Criminal IP
is more accurate. We searched for the fake MetaMask URL “mètamaśk[.]com” in
Criminal IP Domain Search.

mètamaśk[.]com scan result: https://www.criminalip.io/domain/report?scan_id=3043175
Criminal IP Domain Search result for the MetaMask phishing site: it is detected as a phishing site

Scanning the MetaMask phishing site shown in Google search ads gives a 99% risk
score and a 75% phishing probability. This domain appears to have been created
recently for phishing attacks.
Screenshot of the MetaMask phishing site

Above all, Criminal IP Domain Search lets you view screenshots of phishing sites
without accessing them. Although this domain resolves to an IP address with no
abuse history, most phishing sites are hosted on malicious IP addresses.
Therefore, before visiting a website shown at the top of Google search ads, it
is safer to check it for phishing with a URL scanner such as Criminal IP. Be
especially careful when opening ad websites, because malicious code such as
ransomware can be downloaded with a single click.

Another Cyberattack Abusing Google Ads: Google Ads Manager Invitation Spam

Another cyberattack exploits Google Ads through the Google Ads manager
invitation email. A Google Ads advertiser can send an invitation email, as shown
below, to a recipient’s Gmail address to invite them as a co-administrator. An
attacker abuses this by registering a malicious website (an adult site in this
case) as the site to advertise and then sending admin invitations to an
unspecified number of people. Since the sender of the manager invitation email
is ‘Google Ads ads-account-noreply@google.com,’ it passes the Gmail spam filter
and usually lands in the inbox. As a result, recipients think they have been
invited to a real Google Ads manager account and open the spam link. People who
use Google Ads in their companies are more likely to fall victim to attacks like
this.
Google Ads spam email that abuses the advertiser invitation

If you scan the link used in the spam email above with Criminal IP Domain
Search, you can check whether the website is malicious without accessing it.
Criminal IP Domain Search results for the link in the Google Ads spam email

It is an adult site, and the attacker has tried to promote it by abusing the
Google Ads manager invitation email, or to collect visitors’ personal
information.

How To Prevent Google Ads Phishing Attacks

In some cases, a Google Ads blocker such as AdBlock is used to prevent Google
Ads phishing attacks. While this is another good option, requiring everyone to
block Google Ads is not advisable. Instead, the fundamental solution is for
Google to strengthen its screening of spam and phishing so that advertisers and
consumers can use the advertising platform safely. To protect yourself from
phishing and spam attacks, it is recommended to use real-time URL scanners and
website inspection tools such as Criminal IP.

Please refer to our article on how to detect Flipper Zero phishing sites for
related information.

Source: Criminal IP (https://www.criminalip.io/); Bleeping Computer
(https://www.bleepingcomputer.com/news/security/bitwarden-password-vaults-targeted-in-google-ads-phishing-attack/,
https://www.bleepingcomputer.com/news/security/google-ads-invites-being-abused-to-push-spam-adult-sites/)
Related article: Check ‘Flipper Zero (Hacker’s Tamagochi)’ Phishing Site

2023.02.03
Search

KIOSK HACKING: TIPS TO IMPROVE YOUR KIOSK SECURITY

A kiosk is a small machine with an interactive display that businesses place in
public areas such as government agencies, banks, department stores, and
restaurants to provide information or self-service options. The use of kiosks
keeps increasing in companies and organizations because of advantages such as
self-service.

As risks always accompany new technologies, security threats to kiosks are
constantly raised. Kiosks are attractive targets because they store and process
personal information; their primary purpose is reservation and payment services.
Some kiosks are sold without adequate security measures installed. There are
several other ways to hack kiosks, but this article deals with detecting kiosk
systems and admin pages exposed on the attack surface in order to prevent such
threats.

Admin Page of the Kiosk Exposed on the Internet

One cause of kiosk hacking is a kiosk admin page exposed on the internet. Kiosk
distributors or organizations using kiosks offer services like reservation and
payment to end users. The kiosk must block external access, and the admin page
has to be protected by an authentication system. However, several kiosks are
exposed on the attack surface, and you can find them by searching the keyword
‘Title: Kiosk management console UI’ on the OSINT search tool Criminal IP.

Search query: Title: Kiosk management console UI
https://www.criminalip.io/asset/search?query=title%3AKiosk+management+console+UI
Search results for exposed kiosk management systems

With another keyword, “Title: KIOSK Management System”, it was possible to find
a website showing the admin page of a kiosk, like the image below.

Search query: Title: Kiosk Management System
https://www.criminalip.io/asset/search?query=Title%3A+Kiosk+Management+System
A kiosk admin page exposed on the internet; the kiosk is exposed to cyber threats

Also, searching “Title: Kiosk Terminal Management System” gives the result
below, with information on the authentication page of the kiosk.

Search query: Title: KIOSK Terminal Management System
https://www.criminalip.io/asset/search?query=%22Kiosk%20Terminal%20Management%20System%22
Results of searching ‘Title: Kiosk Terminal Management System’ on Criminal IP Asset Search
The authentication page of the kiosk system is reachable from outside and is exposed to kiosk hacking threats

Targeting the Kiosk Operated by a Specific Company

Hackers can find kiosks operated by a specific company or organization. If they
succeed, they can cause system errors, take customer information from a
connected server, and even infiltrate the main server for a severe attack. By
adding ‘Hotel’ to the keyword, it was possible to find the kiosk system of a
hotel located in Malaysia.

Search query: Title: Uptown Kiosk – Hotel System
https://www.criminalip.io/asset/search?query=title:%20Uptown%20Kiosk%20-%20Hotel%20System
The kiosk authentication page of a hotel located in Malaysia

You can even find a kiosk by searching for a specific company name together
with the keyword above. The image below shows information on a German vehicle
manufacturer’s kiosk system in Korea.
Criminal IP Asset Search result for vehicle manufacturer ‘V’s kiosk system
The kiosk authentication page of vehicle manufacturer ‘V’, exposed on the internet

Kiosk Without Authentication, Easy to Hack

Kiosk system exposure is a critical security issue. We even found a kiosk system
without a proper authentication procedure. It was defenseless. The website found
on Criminal IP appears to be a kiosk system for company S, and it shows a
critical security issue: the site can be entered without any authentication.
The kiosk system of large enterprise ‘S’, accessible without authentication

The image below is the theater admin system for a kiosk. It can be accessed
without authentication, making it vulnerable to hacking.
Theater kiosk admin page, accessible without authentication

The purpose of a kiosk is to increase the efficiency of the company and the
convenience of the customer. However, it must be kept safe from cyber attacks
to avoid severe damage. The fact that various IoT devices such as kiosks can be
easily found through an OSINT tool means that hackers can just as easily attack
assets exposed on the attack surface. Enterprises and institutions are advised
to thoroughly check which assets are exposed with an attack surface management
solution such as Criminal IP ASM, and to consider security when introducing IoT
equipment such as kiosks. If a kiosk is outdated, consider replacing it. Also,
check regularly for security patch updates for the kiosk system.

Please refer to Default welcome page exposure: A Significant Security Risk for
more information.

Source: Criminal IP (https://www.criminalip.io/)
Related article: Default welcome page exposure: A Significant Security Risk

2023.01.13
Search

CHECK ‘FLIPPER ZERO (HACKER’S TAMAGOCHI)’ PHISHING SITE

Flipper Zero, a portable multitool for pentesters priced at $200, is a popular
product that has recently sold out among penetration testers and hackers.
Called the ‘hacker’s Tamagochi’ because of its appearance, it has been reviewed
in various security communities on TikTok, Twitter, and Telegram. Its
popularity skyrocketed, and ‘Flipper Zero’ is flying off the shelves of the
online store. A recent article by Bleeping Computer reported that phishing
attackers are taking advantage of this situation to fool customers with
‘Flipper Zero’ phishing sites that look like the official sales site and induce
people to pay in cryptocurrencies such as Bitcoin. Of course, the purchaser
receives nothing. It is an interesting irony that these hackers are targeting
the hackers, penetration testers, and security researchers vying to purchase
Flipper Zeros for themselves.

Flipper Zero Phishing Site vs. Official Site

We visited several Flipper Zero phishing sites found on social networks such as
Twitter. They use similar URLs and favicons so that, unless you are a frequent
visitor, it is almost impossible to notice that they are phishing sites, as
shown below.
Flipper Zero phishing site (left) and official Flipper Zero online store (right)

Smart Way to Check Fake Flipper Zero Websites

We can spot differences between the official site and the phishing sites in the
URL, page UI, logo, and so on. A more accurate and faster way to check is to use
an OSINT search tool. In Criminal IP’s Domain Search, enter
‘flipperzerovendoronline[.]com’ or ‘flipperzeroinstock[.]net’, which were not
yet known as phishing on Twitter and other social networks. You will get the
results below.

flipperzerovendoronline[.]com search results: https://www.criminalip.io/domain/report?scan_id=2878623
flipperzeroinstock[.]net search results: https://www.criminalip.io/domain/report?scan_id=2880403
Search results for the Flipper Zero phishing sites on Criminal IP

The results show that the phishing sites use malicious domains, and the
algorithm puts the phishing probability above 50%. In particular, the Newborn
Domain information shows that the domain has existed for only one and a half
months. Attempts to create new ‘Flipper Zero’ phishing sites continue, so it is
worth knowing how to use an OSINT tool to avoid becoming a victim.

Some phishing detection tools rely on user reports, Google results, and
phishing-check websites, but these are reactive approaches that can only detect
a site after it has been reported. In other words, they cannot detect newborn
phishing sites.
Domain Search results and screenshots of the malicious IP associated with the Flipper Zero phishing site

Criminal IP, a proactive way of detecting phishing sites, shows real-time
screenshots, the technologies used, and mapped IPs in ‘Domain Search’. This
includes recently registered domains.

Flipper Zero Phishing Attack Likely to Spread

On the video platform TikTok, several users review the ‘Flipper Zero’ and
upload hacking videos that get thousands or millions of views. ‘Flipper Zero’
is becoming famous not only among hackers but also among the general public, so
it is necessary to know how to check for phishing sites to avoid becoming a
victim. The fact that such phishing damage continues is also one of the reasons
why phishing prevention methods using an OSINT search engine are necessary not
only for people in security-related occupations but also for general internet
users.

Check out this article on Instagram Phishing Scams for related information.
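The two signals the MetaMask and Flipper Zero articles above rely on, a homoglyph URL (mètamaśk[.]com standing in for metamask.io) and a newborn domain, as a local pre-check a defender can run on a link before submitting it to a URL scanner. This is an added example, not Criminal IP's code: the brand list (metamask.io is named on the page; flipperzero.one is this example's assumption), the confusable-character map and the 90-day newborn threshold are assumptions, and the domain creation dates passed in are constructed inputs, not results of a real scan.

```python
"""Lookalike-domain and newborn-domain checks for an ad or social-media link.

Added example, not Criminal IP's code.  The brand list, the confusables map
and the newborn threshold are assumptions; creation dates are constructed.
"""
from __future__ import annotations

import unicodedata
from datetime import date
from urllib.parse import urlsplit

# Brand domains the defender wants to protect (assumed list).
BRANDS = ["metamask.io", "flipperzero.one"]

# Cyrillic letters that render like Latin ones and survive NFKD (partial map).
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0455": "s", "\u0456": "i", "\u0445": "x",
               "\u0443": "y"}

NEWBORN_DAYS = 90  # assumed policy threshold


def skeleton(host: str) -> str:
    """ASCII 'skeleton' of a hostname: strip accents, then map confusables."""
    decomposed = unicodedata.normalize("NFKD", host.lower())
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return "".join(CONFUSABLES.get(c, c) for c in stripped)


def idna_form(host: str) -> str | None:
    """Punycode form a browser sends on the wire (None if not encodable)."""
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return None


def lookalike_of(host: str, brands=BRANDS) -> str | None:
    """Brand domain this host imitates, or None if it is genuine or unrelated."""
    sk = skeleton(host)
    for brand in brands:                        # genuine brand hosts pass
        if sk == brand or sk.endswith("." + brand):
            return None
    for brand in brands:                        # brand name anywhere else
        if brand.split(".")[0] in sk:
            return brand
    return None


def assess_url(url: str, brands=BRANDS, created: str | None = None,
               today: str | None = None, newborn_days: int = NEWBORN_DAYS) -> dict:
    """Flag lookalike hosts, non-ASCII hosts and newborn domains (ISO dates)."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    findings = []
    brand = lookalike_of(host, brands)
    if brand:
        findings.append(f"lookalike of {brand} (skeleton {skeleton(host)})")
    if host != skeleton(host):
        findings.append("non-ASCII or confusable characters in hostname")
    ascii_host = idna_form(host)
    if ascii_host and ascii_host != host:
        findings.append(f"wire form {ascii_host}")
    newborn = False
    if created is not None:
        ref = date.fromisoformat(today) if today else date.today()
        age = (ref - date.fromisoformat(created)).days
        newborn = age < newborn_days
        if newborn:
            findings.append(f"newborn domain: {age} days old")
    risk = "high" if brand else "medium" if newborn else "low"
    return {"host": host, "risk": risk, "findings": findings}


if __name__ == "__main__":
    # Constructed creation date; the scan date is the Flipper Zero article's date.
    for u in ["https://m\u00e8tama\u015bk.com/login", "https://www.metamask.io/",
              "https://flipperzerovendoronline.com/"]:
        print(assess_url(u, created="2022-11-20", today="2023-01-06"))
```

The skeleton step is what makes ‘è’ and ‘ś’ collapse onto ‘e’ and ‘s’, so the comparison runs on what the user sees rather than on the code points; the genuine-host check comes first so that www.metamask.io is never reported as imitating itself. Two labels only is a deliberate simplification; a production check would consult the Public Suffix List.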

2023.01.06
Search


BEST PRACTICES


[CRIMINAL IP V1.33.1] 2023-06-29 RELEASE NOTE

[Criminal IP v1.33.1] Regular Maintenance and Update Release Note. Maintenance
Period: 2023.06.29 06:00~08:00 AM (UTC). [New Changes] New User Interface With
Enterprise Plan Included on the Pricing page. This new UI, Choose Your Plan on
the Pricing page, allows you to compare our three monthly and enterpr

2023.06.29




VULNERABILITY DETECTION USING ATTACK SURFACE MANAGEMENT: CRIMINAL IP ASM USE
CASE (1)

Attack Surface Management (ASM) is the proactive practice of identifying and
managing the potential attack surface of an organization’s IT assets to prevent
and mitigate potential attacks by hackers. It is essential to minimize the
exposure of valuable assets as targets for hackers. However, despite

2023.05.24




DETECT PERSONAL INFORMATION LEAKAGE WITH OSINT ATTACK SURFACE MANAGEMENT  

It has recently been confirmed in Korea that personal information, including an
identity photo, resident registration number, address, and phone number of an
individual who submitted an application form to a public institution four years
ago, had been publicly exposed on the internet for the past fo

2023.05.09




USING OSINT SEARCH ENGINES TO COLLECT CYBER THREAT INTELLIGENCE

OSINT (Open Source Intelligence), refers to the intelligence information
collected and analyzed from publicly available sources. The internet itself is a
huge big data platform and a space of collective intelligence. Most of the
information on the internet, including media, search engines like Googl

2023.03.22


WHAT'S NEW ON CRIMINAL IP

2023.08.04 [#Criminal_IP v1.36.1 Release Note]
✅ GitHub Reference Page: Check out Criminal IP's official GitHub, with API usage scripts and OSINT recommendations.
✅ New API Integration: Analyze threat intelligence in the STIX language.
🔽 Release Note: https://t.co/H0BdtT1qAV

2023.07.21 [#Criminal_IP v1.35.1 Release Note]
Criminal IP French service Launched! Enjoy all features in French! New Tag for C2 server identification and 6 new APIs for Lite and Quick scan have been added. For more details, please refer to the release note.
https://t.co/hKVfkzhHwm

2023.07.06 [#Criminal_IP v1.34.1 Release Note]
- Exposure Feature Added: Detect exposed sensitive information on websites. Check also the other updated UI and features.
https://t.co/538j9Lfy1N

2023.06.29 [#Criminal_IP v.1.33.1 Release Note]
- New API Integrations Page: Explore global platforms integrated with the Criminal IP API.
- Updated Pricing Page: Users can now see the information on the Criminal IP Enterprise Plan.
https://t.co/IJWbALeop7


CYBERSECURITY NEWS

2023.07.27 Zimbra patches zero-day vulnerability exploited in XSS attacks

Two weeks after the initial disclosure, Zimbra has released security updates
that patch a zero-day vulnerability exploited in attacks targeting Zimbra
Collaboration Suite (ZCS) email servers.

2023.07.27 ALPHV/BlackCat ransomware deployed by new Nitrogen malware

North American technology and non-profit organizations have been targeted by the
novel Nitrogen initial access malware campaign, which leverages web search ads
of fake software websites to facilitate the delivery of ALPHV/BlackCat
ransomware, BleepingComputer reports.

2023.07.21 Azure AD Token Forging Technique in Microsoft Attack Extends Beyond
Outlook, Wiz Reports

Chinese nation-state actor Storm-0558's attack on Microsoft's email
infrastructure is more extensive than previously believed. Researchers at Wiz
reve


API INTEGRATION

We provide straightforward, easy-to-use APIs that are designed to block
risk-scored IPs or malicious domain links. Use Criminal IP code samples to
seamlessly integrate all other functions and the database in your organization's
infrastructure.

 * Identification of VPN/hosting/Tor of the accessed IP
 * Detection of malicious domain links
 * Management of attack surface vulnerabilities within an organizational
   infrastructure


{
  "ip": "5.5.5.5",
  "score": { "inbound": 0, "outbound": 0 },
  "country": "de",
  "country_code": "de",
  "isp": "O2 Deutschland",
  "status": 200
}



HOW API WORKS

Criminal IP’s API integration will detect and block potential malicious users
accessing login services in real time.
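One way a login service can act on that response is shown below. This is an added example, not code from Criminal IP or its code samples: the endpoint URL, the `x-api-key` header name and the `ip` query parameter are assumptions to be confirmed on the API page, the block threshold is an assumed cut-off on the small-integer risk scores, and the second sample record is constructed (the first is the response shown above). The decision logic handles the failure modes a practitioner cares about: a failed lookup, a malformed score block, and whether to fail open or closed when the lookup is unavailable.

```python
"""Gate a login attempt on the Criminal IP inbound risk score (added example)."""
import json
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import urlencode

# PLACEHOLDER: take the real IP-lookup endpoint from the API page.
API_URL = "https://<api-host-from-the-API-page>/<ip-lookup-path>"
API_KEY_HEADER = "x-api-key"   # assumed header name
IP_PARAM = "ip"                # assumed query parameter name

# The FAQ describes a 5-level risk assessment; scores in the sample are small
# integers. Treating inbound >= 3 as "block" is an assumption, tune it locally.
BLOCK_THRESHOLD = 3

# The response shown on this page, plus a constructed high-risk record
# (192.0.2.10 is a documentation address, never a real host).
SAMPLE_SAFE = {"ip": "5.5.5.5", "score": {"inbound": 0, "outbound": 0},
               "country": "de", "country_code": "de",
               "isp": "O2 Deutschland", "status": 200}
SAMPLE_RISKY = {"ip": "192.0.2.10", "score": {"inbound": 4, "outbound": 1},
                "country": "xx", "country_code": "xx",
                "isp": "constructed", "status": 200}


@dataclass
class Decision:
    allow: bool
    reason: str
    inbound: Optional[int] = None
    outbound: Optional[int] = None


def lookup_ip(ip: str, api_key: str, url: str = API_URL,
              timeout: float = 3.0) -> dict:
    """Query the (assumed) endpoint for one address.

    Network or parse failures are folded into a record with status 0 so the
    caller's policy, not an exception, decides what happens to the login.
    """
    req = urllib.request.Request(f"{url}?{urlencode({IP_PARAM: ip})}",
                                 headers={API_KEY_HEADER: api_key})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.load(resp)
    except (OSError, ValueError) as exc:  # URLError/timeouts and bad JSON
        return {"ip": ip, "status": 0, "error": str(exc)}


def evaluate(report: dict, threshold: int = BLOCK_THRESHOLD,
             fail_open: bool = False) -> Decision:
    """Turn one lookup result (the JSON shape shown above) into allow/deny."""
    if report.get("status") != 200:
        # Lookup unavailable: fail closed by default for a login endpoint;
        # fail_open=True lets the login proceed and leaves the reason for logging.
        return Decision(fail_open,
                        f"lookup unavailable (status {report.get('status')})")
    score = report.get("score") or {}
    try:
        inbound = int(score["inbound"])
        outbound = int(score["outbound"])
    except (KeyError, TypeError, ValueError):
        # A response we cannot interpret is treated like an unavailable lookup.
        return Decision(fail_open, "malformed score block")
    if inbound >= threshold:
        return Decision(False, f"inbound risk {inbound} >= {threshold}",
                        inbound, outbound)
    return Decision(True, f"inbound risk {inbound} below {threshold}",
                    inbound, outbound)


def check_login(ip: str, api_key: str,
                lookup: Callable[[str, str], dict] = lookup_ip,
                **policy) -> Decision:
    """Combine lookup and policy; `lookup` is injectable for tests and caching."""
    return evaluate(lookup(ip, api_key), **policy)


if __name__ == "__main__":
    # Offline demonstration using the embedded records instead of the network.
    for rec in (SAMPLE_SAFE, SAMPLE_RISKY, {"ip": "5.5.5.5", "status": 0}):
        d = check_login(rec["ip"], "demo-key", lookup=lambda ip, key, r=rec: r)
        print(rec["ip"], "ALLOW" if d.allow else "BLOCK", "-", d.reason)
```

The lookup sits in the request path of a login, so the timeout is short and the result of a failed lookup is a policy decision rather than an exception: failing closed protects accounts when the service is unreachable, failing open protects availability, and either way the reason string should be logged so the choice is visible in incident review. Cache decisions per IP if the same address authenticates often, since each call consumes plan credits.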




FAQ: MOST FREQUENTLY ASKED QUESTIONS ABOUT CRIMINAL IP

Frequently Asked Questions
What is Criminal IP?

Criminal IP is a Cyber Threat Intelligence (CTI) search engine that scans the
open ports of IP addresses worldwide daily to discover all devices connected to
the Internet. Using AI-based technology, it identifies malicious IP addresses
and domains and provides a 5-level risk assessment. The data is indexed with
various filters and tags for effective searching. Additionally, it can be
integrated with other systems through an API.

What are some functions of Criminal IP?

You can search for vulnerabilities and all devices connected to the Internet,
such as IP addresses, domains, IoT, and ICS. It provides four search functions:
Asset, Domain, Image, and Exploit, and five intelligence functions: Banner
Explorer, Vulnerability, Statistics, Element Analysis, and Maps, along with an
API.

Where can Criminal IP be used?

Criminal IP allows you to search, or query via the API, threat intelligence on
all devices, servers, and domains connected to the Internet. It can be used for
cyber security, attack surface management, penetration testing, vulnerability
and malware analysis, as well as for investigation and research. For example,
when a new vulnerability or ransomware is discovered, you can determine how many
PCs or servers are vulnerable or infected, and check whether the IP address or
domain in use is also vulnerable. Additionally, it scans in real-time for
malicious URLs generated by hackers and phishing URLs, allowing you to analyze
threat information without directly accessing them. For more examples of how
to use Criminal IP, please refer to the Best Practice page.

How frequently does Criminal IP update data?

Criminal IP constantly collects and updates data in real-time.

Which Internet browsers can be used for Criminal IP?

As Criminal IP is a web-based search engine, it is accessible via computers,
mobile devices, and tablets. It is specially optimized for Chrome browsers.

Do I need a separate program installation?

Criminal IP does not require a separate program installation. It is available as
a SaaS service, accessible from anywhere with Internet access via web, tablet,
or mobile devices.

Do you have any sample codes for Criminal IP?

Criminal IP provides sample code for each Search and Intelligence function,
including the API. For more information, please refer to the Sample Code page.

How do I create a Criminal IP account?

You can create a Criminal IP account on the Register page using your email,
Google, or Twitter account.

I want to change my account email.

Once an email account is created, you cannot change your registered email. If
you still need to change it, please contact Customer Support.

I would like to receive recent news about Criminal IP.

Follow Criminal IP's official Twitter account to receive the latest news about
Criminal IP. In addition, you can receive the weekly Criminal IP newsletter by
activating the 'Subscribe to the CIP Newsletter' checkbox on the My Information
page.

Criminal IP Search Quick Guide
What is "Asset Search"?

Asset Search is a search feature that provides the risk level of an IP address
in 5 stages and comprehensive information including Domain, Open Ports,
vulnerabilities, WHOIS information, and screenshots associated with that IP
address. For more information, please refer to the Asset Search page.

What is "Domain Search"?

Domain Search is a search feature that provides information about URLs. By
scanning a URL, you can check in real-time whether a site is a phishing site or
contains malware, as well as the connected IP addresses, subdomains, network
logs, and technologies that were used. For more information, please refer to the
Domain Search page.

What is "Image Search"?

Image Search is a search feature that provides image information on devices,
websites, and corporate or personal information that are exposed to the
Internet. For more information, please refer to the Image Search page.

What is "Exploit Search"?

Exploit Search is a search feature that maps exploitable vulnerabilities based
on searches for CVE IDs, vulnerability types, platforms, and more in real-time.
For more information, please refer to the Exploit Search page.

What is "Banner Explorer"?

Banner Explorer is an intelligence feature that provides threat intelligence
information classified into product and service categories such as
cryptocurrency, database, and IoT. For more information, please refer to the
Banner Explorer page.

What is "Vulnerability"?

Vulnerability is an intelligence feature that provides information on attack
surface exposure and vulnerability of assets via classification by CVE ID and
product name, which helps proactively monitor vulnerabilities of the
applications in use. For more information, please refer to the Vulnerability
page.

What is "Statistics"?

Statistics is an intelligence feature that provides a dashboard with 10-day
statistical graphs that determine the maliciousness of IP addresses and domain
information, as well as the presence of VPNs. For more information, please refer
to the Statistics page.

What is "Element Analysis"?

Element Analysis is an intelligence feature that provides the results of
analyzing assets and vulnerability data according to the desired filters and
elements. For more information, please refer to the Element Analysis page.

What is "Maps"?

Maps is an intelligence feature that provides a visual representation of the
country and location information for an IP address on a map, as well as
statistics by AS name, product, and country. For more information, please refer
to the Maps page.

Which filters are available for "Asset Search"?

Asset Search provides filters to enhance search accuracy and convenience. Please
refer to the Filters page.

Which filters are available for "Image Search"?

Image Search provides filters to enhance search accuracy and convenience. Please
refer to the Filters page.

Which filters are available for "Exploit Search"?

Exploit Search provides filters to enhance search accuracy and convenience.
Please refer to the Filters page.

Which tags can I use for "Asset Search"?

Asset Search provides tags to enhance search accuracy and convenience. Please
refer to the Tags page.

Which tags can I use for "Image Search"?

Image Search provides tags to enhance search accuracy and convenience. Please
refer to the Tags page.

What categories are searchable through "Banner Explorer"?

Banner Explorer provides category-specific searches for cryptocurrencies,
databases, industrial control systems, IoT, network infrastructure, and video
games. For more information, please refer to the Banner Explorer page.

Which products are searchable through "Vulnerability"?

Vulnerability provides various major product categories such as MySQL, Linux,
WebLogic Server, and HTTP server that help you easily search for vulnerabilities
in specific products. For more information, please refer to the Vulnerability
page.

What can I search for on the "Element Analysis" page?

You can search for all assets and vulnerabilities collected by Criminal IP by
country, service, ASN, product, and port number.

API Quick Guide
Where can I get an API Key?

You can copy your API Key on the My Information page after signing up and
logging in to your account.

Where can I get the API codes?

You can find the API code for each function on the API page.

Do I need to use a separate software for API?

No separate software is required.

How do I make API calls?

After copying the issued API Key, you can use the command line on the API page
or the various application code samples on GitHub to call the API and check the
results as a JSON response.

Is there a limit on the number of API calls?

The number of available API calls varies depending on the credits provided by
each plan. Please refer to the Pricing page for the number of credits provided
by each plan.

What is the API call speed?

When using the Enterprise plan, high-speed API responses within 1 second are
supported. For more information, please refer to the Pricing page.

Which data can be provided through the API?

All threat intelligence of Criminal IP is equally provided as APIs. For more
information, please refer to the API page.

How can the Criminal IP API be utilized?

The Criminal IP API can be easily applied to the databases and security systems
already in use. By determining the maliciousness and vulnerability information
of IPs and domains in real-time, it can be used to block account takeover,
credential stuffing, and malicious access, and so protect customers and assets.

Questions for Membership
Do you have a free plan?

If a customer creates an account but does not pay for a plan, the Free
Membership plan will be automatically applied. Free Membership provides a
certain amount of credits that can be used to access Criminal IP features. Once
all the free credits have been used, customers can upgrade to a paid plan at any
time. Upgrading to a paid plan will provide access to more search criteria and
search results.

What if the free plan does not meet my needs?

Three paid monthly subscription plans are available: Lite, Medium, and Pro.
These plans offer a much larger amount of credits than the Free Membership plan
and allow you to use more features and filters. Additionally, with the
Enterprise plan, you can use all features without any limit on data volume. For
more information, please refer to the Pricing page.

Is it possible to get unlimited access to the database?

Yes, it is possible. With the Enterprise plan, you can use all the data and
features without any limitations. For more information, please refer to the
Pricing page.

How can I check my payment information?

You can check your current paid plan, payment history, and payment method
information on the My Order page.

What if I want to change my plan?

If you are currently using the Free Membership, you can choose the appropriate
plan on the Pricing page to start subscribing to a paid plan. If you are already
using a paid plan, you can change or cancel your plan on the My Order page.

Which payment methods are accepted?

Criminal IP offers various payment methods by country. Credit card payment is
available by default and simple payment methods such as PayPal are supported.
Enterprise customers can Contact Us to select a separate payment option.

I want to cancel my plan.

You can cancel your plan anytime on the My Order page after logging in to
Criminal IP. Even if you cancel your plan, you can continue to use the service
until the next regular payment date. If you have any additional questions
regarding plan cancellation, please contact customer support at any time.

I want to delete my account.

After logging into your account, you can access the membership withdrawal page
and proceed after agreeing. When you delete your account, all your search and
account history as well as remaining credits will be deleted and permanently
removed.

I have a question about the Enterprise plan.

Please contact us through the Contact Us page.

More questions?
What if I have other questions?

If you already have a Criminal IP account, please contact us through the
customer support page for inquiries. For inquiries regarding the Enterprise
membership, or if you do not have an account, please contact us through the
Contact Us page.





Contact Us: support@aispera.com

© 2022, All Rights Reserved - AI Spera Inc.
v1.36.1 - 2023.08.03