www.criminalip.io Open in urlscan Pro
2606:4700:10::6816:214  Public Scan

Submitted URL: http://criminalip.io/
Effective URL: https://www.criminalip.io/
Submission: On May 06 via manual from US — Scanned from DE

Form analysis 1 forms found in the DOM

<form class="form">
  <div class="searchStyle__SearchInputWrap-sc-2fe4b922-5 julCkv SearchInputWrap "><input data-role="inputbox" maxlength="500" placeholder="Try to search assets with the following filter examples below" autocomplete="off" name="query"
      class="searchStyle__SearchInput-sc-2fe4b922-6 ignLtX" value=""><button id="SearchButton" class="searchStyle__SearchButton-sc-2fe4b922-7 gfydR gtm-click-search-button" type="submit" title="search"></button></div>
</form>

Text Content

Cybersecurity Search Engine | Criminal IP
Search Engine
Products
Resources
About
Contact Us

 * English
 * Français
 * 日本語
 * 한국어
 * العربية

Pricing
Login


SEARCH FOR INFORMATION ON EVERYTHING CONNECTED TO THE PUBLIC INTERNET.


SEARCH FOR INFORMATION ON COMPUTERS
CONNECTED TO THE PUBLIC INTERNET.

Top 10KeywordIP
1
webcamXP 5’
1
154.26.164.117
2
webcamxp
2
194.61.24.102
3
webcam
3
85.239.54.2
4
IP Camera
4
162.0.209.47
5
transmission interface
5
109.74.204.123
6
powermta
6
45.143.9.30
7
jenkins
7
91.215.85.142
8
Elasticsearch
8
162.19.101.129
9
open webif
9
164.68.102.223
10
iresponse
10
72.167.150.12

AssetDomainImageHacking GroupExploit
AssetDomainImageActorsExploit;
Look up my IP addressCreate a Free Account


CYBERSECURITY REPORT

Cybersecurity Report


DETECTING DEVICES VULNERABLE TO PALO ALTO NETWORKS OS COMMAND INJECTION
VULNERABILITY CVE-2024-3400

Recently, a random file creation vulnerability ‘CVE-2024-3400′ was discovered in
the GlobalProtect function of Palo Alto Networks’ PAN-OS version software. This
vulnerability allows an unverified attacker to inject malicious commands and
execute arbitrary code with root privileges in the firewall. I

2024.04.26

Cybersecurity Report


DETECTING VULNERABLE TELESQUARE DEVICES VIA HTTP SERVER RESPONSE CONTENT LENGTH

Recently, a vulnerability that could be remotely attacked was discovered in
Telesquare’s wired/wireless Internet router model ‘TLR-2005KSH’. Telesquare is a
router product from Korea that supports wired data communication by connecting
to 3G/LTE wireless networks. The vulnerability allows unauthoriz

2024.04.15

Cybersecurity Report


DETECTING A SERVER EXPOSED TO THE CVSS 10-POINT SCREENCONNECT VULNERABILITY
(CVE-2024-1709)

A month ago, the security industry faced a major issue with attacks exploiting
the ScreenConnect vulnerability in ConnectWise, a company providing remote
desktop solutions. ConnectWise ScreenConnect consists of server and client
software components, enabling remote desktop access for various compani

2024.03.28

Cybersecurity Report


OVER 1,000 DEVICES VULNERABLE TO FORTINET RCE BUG (CVE-2024-21762)

Many FortiOS and FortiProxy secure web gateway systems have been discovered
still vulnerable to a new Fortinet RCE bug (CVE-2024-21762) disclosed on
February 9, 2024. This Fortinet RCE bug is a critical vulnerability that could
allow an unauthenticated attacker to remotely execute arbitrary code. CI

2024.03.20

Cybersecurity Report


MICROSOFT EXCHANGE SERVER ZERO-DAY: 160,000 UNITS EXPOSED (CVE-2024-21410)

Since its disclosure on February 14, 2024, the privilege escalation zero-day
vulnerability CVE-2024-21410 for Microsoft Exchange Server has been exploited
actively. As per findings from multiple security firms and researchers, around
100,000 Microsoft Exchange servers remain unpatched and vulnerable

2024.02.23

Cybersecurity Report


[NOTICE] CHANGES TO CRIMINAL IP PAID PLANS

Dear Criminal IP users, First, we would like to express our gratitude to all the
users who utilize our service.Extensive data and enhanced search and
intelligence capabilities have been added since the official launch of Criminal
IP in 2023.We have already made these features accessible to a large n

2024.01.12

Cybersecurity Report


DETECTING DEVICES VULNERABLE TO PALO ALTO NETWORKS OS COMMAND INJECTION
VULNERABILITY CVE-2024-3400

Recently, a random file creation vulnerability ‘CVE-2024-3400′ was discovered in
the GlobalProtect function of Palo Alto Networks’ PAN-OS version software. This
vulnerability allows an unverified attacker to inject malicious commands and
execute arbitrary code with root privileges in the firewall. I

2024.04.26

Cybersecurity Report


DETECTING VULNERABLE TELESQUARE DEVICES VIA HTTP SERVER RESPONSE CONTENT LENGTH

Recently, a vulnerability that could be remotely attacked was discovered in
Telesquare’s wired/wireless Internet router model ‘TLR-2005KSH’. Telesquare is a
router product from Korea that supports wired data communication by connecting
to 3G/LTE wireless networks. The vulnerability allows unauthoriz

2024.04.15

Cybersecurity Report


DETECTING A SERVER EXPOSED TO THE CVSS 10-POINT SCREENCONNECT VULNERABILITY
(CVE-2024-1709)

A month ago, the security industry faced a major issue with attacks exploiting
the ScreenConnect vulnerability in ConnectWise, a company providing remote
desktop solutions. ConnectWise ScreenConnect consists of server and client
software components, enabling remote desktop access for various compani

2024.03.28

Cybersecurity Report


OVER 1,000 DEVICES VULNERABLE TO FORTINET RCE BUG (CVE-2024-21762)

Many FortiOS and FortiProxy secure web gateway systems have been discovered
still vulnerable to a new Fortinet RCE bug (CVE-2024-21762) disclosed on
February 9, 2024. This Fortinet RCE bug is a critical vulnerability that could
allow an unauthenticated attacker to remotely execute arbitrary code. CI

2024.03.20

Cybersecurity Report


MICROSOFT EXCHANGE SERVER ZERO-DAY: 160,000 UNITS EXPOSED (CVE-2024-21410)

Since its disclosure on February 14, 2024, the privilege escalation zero-day
vulnerability CVE-2024-21410 for Microsoft Exchange Server has been exploited
actively. As per findings from multiple security firms and researchers, around
100,000 Microsoft Exchange servers remain unpatched and vulnerable

2024.02.23

Cybersecurity Report


[NOTICE] CHANGES TO CRIMINAL IP PAID PLANS

Dear Criminal IP users, First, we would like to express our gratitude to all the
users who utilize our service.Extensive data and enhanced search and
intelligence capabilities have been added since the official launch of Criminal
IP in 2023.We have already made these features accessible to a large n

2024.01.12


CRIMINAL IP SEARCH TIP


HOW TO USE A LINK SCANNER TO IDENTIFY USPS PHISHING SITES AND TEXT SCAMS

Recently, the results of a security company investigation showing that the
traffic of domains impersonating USPS was significantly higher than the actual
traffic on the official website was reported in various global media, and it has
become an issue.In this article, we aim to explore how phishing attackers are
exploiting USPS impersonation domains. Additionally, we will share how to use
the Domain Search link scanner feature of the threat intelligence search engine
Criminal IP to identify text scams exploiting suspicious phishing sites.Subtle
Techniques of USPS Phishing Sites and Text ScamsIn 2001, USPS reportedly sent
over 103.6 billion delivery status emails to users. This high volume indicates
the widespread use of USPS services in the United States. Nowadays, with the
prevalence of mobile text services that are more convenient than email systems,
checking real-time delivery status has become easier. However, along with the
convenience of mobile services, there is also a rise in text scams targeting
parcel users. If you examine the URLs inserted in text messages sent as USPS
text scams, you’ll often find domains using keywords like “Track,” “Monitor,” or
“Package” to entice users waiting for their parcels to click on them.Examples of
SMS messages sent by domains impersonating USPSAccording to a report, Akamai, a
distributed computing specialist, analyzed suspicious USPS phishing SMS messages
redirecting to domains containing malicious JavaScript code for five months. The
analysis revealed that the total number of queries from USPS phishing sites
using popular top-level domains (TLDs) such as “.com,” “.top,” “.shop,” “.xyz,”
“.org,” and “.info” exceeded one million. Moreover, starting from late November
into the winter holiday season, the total queries from phishing sites surpassed
those from the official site usps.com. Clicking on the malicious URLs inserted
in SMS messages could lead to the leakage of sensitive information such as user
account details and card information linked to mobile devices.Statistics on the
number of queries for USPS impersonation domains. Source: AkamaiStatistics of
USPS Phishing Sites Detected by AI Link ScannersWe analyzed USPS phishing sites
detected by the AI link scanner extension Criminal IP over the past 8 months.
Similar to Akamai’s analysis insights, there was a significant increase in
phishing sites during the year-end and early-year period when parcel usage was
high. In January, which saw the highest detection of phishing sites, a total of
323 domains impersonating USPS were discovered in one month. Recently, there
have been around 100 to 200 phishing sites detected per month. USPS phishing
site statistics detected by AI link scanner extension Criminal IPThe more famous
the service, the easier it is for cyber attackers to be targeted by phishing
attacks. Also, as can be seen from statistics, during periods when attacks occur
a lot, the number of domains blocked due to victims’ reports or cyber
investigations also increases, and more new phishing sites are
created.Identifying USPS Phishing Sites With a Real-time Link ScannerDue to
their notoriety, USPS phishing sites are swiftly generated and taken down. This
rapid turnover means that victims are repeatedly targeted with new smishing
attacks featuring freshly inserted phishing sites, making it increasingly
difficult to discern legitimate links from fraudulent ones. What’s needed in
such situations is a real-time link scanner and URL inspection tool. Criminal
IP’s Domain Search allows users to input suspicious URLs and scan them to detect
phishing sites in real-time. We recently scanned the domain of the USPS phishing
site used in the smithing attack into Domain Search.The URL for the phishing
site is usps-pr [.] helptme [.] top/address.html, which uses the .top top-level
domain, and the URI also contains USPS strings and keywords that induce users to
click, such as helpme.Check the USPS phishing site link scanner scan results:
https://www.criminalip.io/domain/report?scan_id=12637492USPS phishing site
scanned using real-time link scanner Criminal IP Domain SearchThe scan results
reveal that the site has been assessed with a critical domain score of 99% in
terms of risk level and is a newly created domain, active for less than a month.
Furthermore, within the HTML code, there are embedded redirection events
commonly associated with malicious intent. The site’s favicon is also identified
as a fraudulent favicon. Most importantly, the AI analysis indicates a very high
likelihood of phishing with a Probability of Phishing URL at 96.38%.Phishing
attacks such as USPS phishing and text scams, which are popular among attackers,
frequently employ new domains. Therefore, it’s wise to employ scanning tools or
threat intelligence to prevent such attacks. If you receive a text containing an
unsolicited package or mail delivery tracking link, it’s crucial to scan it with
Criminal IP before clicking to verify the legitimacy of the elements mentioned.
It’s important to avoid clicking on domains used in phishing attacks because
they can lead to the download of malicious code or the leakage of information
just by accessing them. The Criminal IP link scan results include screenshot
data, enabling you to view the access screen of the domain without actually
visiting the phishing site. The left image shows the actual USPS official site’s
shipment tracking screen, while the right image displays the screen of the
phishing site scanned with Domain Search. Comparing the two screens, you can see
that USPS phishing sites are crafted with sophistication, making them appear
genuine enough to prompt victims to enter personal information without
suspicion.Comparison between the actual USPS shipment tracking screen (left) and
the phishing site’s screen (right)Prevent Text Scam With Criminal IP Domain
SearchThe rapid advancement of AI technology has led to a significant increase
in domains impersonating not just USPS but also numerous global brands,
resulting in a rise in phishing attack incidents. As phishing sites become more
sophisticated and faster, it’s crucial to enhance prevention methods
accordingly. When identifying suspicious domains, using Criminal IP’s Domain
Search as a link scanner enables you to not only detect phishing but also access
detailed security intelligence about each component of the domain. It is
advisable to utilize Criminal IP Domain Search to scan the domain address and
mitigate the risk of falling victim to text scams when accessing a suspicious
site.For more information, check out the article: Can Threat Intelligence Detect
QR Code Phishing That Evades Spam Blocking Solutions?This report is based on
data from Criminal IP, a Cyber Threat Intelligence search engine. Create afree
Criminal IP accounttodayto access the search results cited in the report and
search for more extensive threat Intelligence.Data source: Criminal IP
(https://www.criminalip.io)Related articles:Can Threat Intelligence Detect QR
Code Phishing That Evades Spam Blocking Solutions?

2024.05.03
Read More
Search

DETECTING MESHAGENT C2: HOW TO PREVENT POTENTIAL MALWARE ATTACKS

Recently, an incident occurred in which the North Korean hacking group Andariel
used the MeshAgent C2 server to spread malware to Korean companies. It is known
that Andariel downloaded the MeshAgent C2 server under the name “fav.ico” from
an external source and distributed malware such as AndarLoader and ModeLoader to
the attack target during the lateral movement.MeshAgent C2 Server Installation
LogMeshAgent is a remote management tool that provides a variety of functions
such as collecting basic information for remote control, executing commands,
offering RDP and VNC functions, along with power and account control. Although
Andariel’s abuse of MeshAgent is known for the first time, cyberattacks using
MeshAgent C2 servers have occurred frequently. Andariel is also a hacking group
that distributes malware by exploiting software installed on attack targets or
exploiting vulnerabilities. There are concerns that cyberattacks using MeshAgent
will increase in the future. Detection of Exposed MeshAgent C2 ServersSince the
search engine Criminal IP tags the IP address where the MeshAgent C2 server is
installed, we used the tag filter in Asset Search to search for the MeshAgent C2
server.Search Query:tag: “c2_meshagent”Results of searching exposed MeshAgent
C2 servers using the tag filter in Criminal IP Asset SearchA total of 2,136
MeshAgent C2 servers were detected, and some of these servers may be traces of
malicious installation by attackers for attacks. In addition, there are concerns
that cyberattacks using MeshAgent will become more active in the future, so even
servers that are not installed for malicious purposes are more likely to become
targets of attacks if exposed externally. Exploiting C2 servers not only
distributes malicious code, but also enables malicious activities such as DDoS
attacks or cryptocurrency mining through botnets, and can lead to information
theft and additional attacks that exploit vulnerabilities within the system. In
particular, hacking attacks targeting companies can cause financial damage as
well as the leakage of personal and important information, and are a factor that
undermines the trustworthiness of companies.The country with the most MeshAgent
servers exposed is the United States with 682 servers, followed by Germany and
Russia.Statistics of countries with exposed MeshAgent C2 servers confirmed by
Criminal IPExposed Remote Administration Pages and C2 ServersIn the search
results, the IP address hosting the login page of the open-source remote
monitoring and management server “MeshCentral” was exposed and confirmed. The
fact that the login page of a remote management system is exposed externally
means that it is vulnerable to server infiltration and hacking threats for
remote control functions. Hackers can use credential stuffing, default
passwords, social engineering techniques, or infected software to discover user
account information and attempt to access internal systems.As shown in the
screenshot below, it is crucial to take swift action to block external access to
exposed remote control systems and allow only authorized access.Login page of
MeshCentral, an externally exposed open-source remote monitoring and management
serverIn addition to MeshAgent C2 used in this malware distribution attack, C2
servers are also being abused in various cyberattacks. Previously, the CIP blog
covered the dark web leak of military documents that exploited the C2 framework
and introduced a method for detecting IP addresses that exploit C2 servers to
perform malicious network activities. In addition to the queries introduced in
the blog, you can use the C2 tag of the Criminal IP below to detect C2 servers
that may be exploited for cyberattacks.tag: “C2”tag: “c2_covenant”tag:
“c2_metasploit”tag: “c2_posh”Results of searching tag: “C2” in Criminal IP Asset
SearchDetecting the external exposure of C2 servers installed on the company’s
systems and monitoring internal access to the IP addresses of these C2 servers
is crucial from a security standpoint. Using tags in Criminal IP queries greatly
helps simplify and streamline cybersecurity and response processes.Criminal IP’s
C2 tag can be used from the Pro plan or higher, and in relation to this, you can
refer to Chilean Army Documents Leak: Exploiting Cobalt Strike With Rhysida
Ransomware.This report is based on data from Criminal IP, a Cyber Threat
Intelligence search engine.Sign up fora free Criminal IP accounttoday to
explore the search results mentioned in the report and delve into comprehensive
threat intelligence.Source: Criminal IP (https://www.criminalip.io)Related
Article(s):Chilean Army Documents Leak: Exploiting Cobalt Strike With Rhysida
Ransomware

2024.04.09
Read More
Search

UNCOVERING 57,000 QNAP NAS DEVICES EXPOSED ON THE INTERNET

Recently, Taiwanese hardware vendor QNAP successfully prevented an attack by
removing malicious servers used for brute-force attacks targeting the QNAP NAS
(Network Attached Storage) devices. This attack was possible due to the exposed
devices using weak passwords.QNAP successfully blocked hundreds of zombie IP
addresses within 7 hours using QuFirewall, a default firewall built into QNAP
devices. They also identified the source of the CC (Command  Control) servers
within 48 hours. Fortunately, the quick responses prevented further attacks on
numerous QNAP NAS devices exposed online.Uncovering Externally Exposed QNAP NAS
DevicesThe exposed QNAP NAS devices are a regular target of brute-force attacks.
In the event of a brute-force attack, a ransomware attack is also plausible to
happen. Despite QNAP reacting quickly to mitigate attack damages, the exposed
NAS devices remain a target for attackers.By utilizing the product filter in
Criminal IP Asset Search, you can find QNAP servers connected to the
internet.Search Query:“product:QNAP”Searching for exposed QNAP servers using
the product filter in Criminal IP Asset SearchThe search revealed more than
57,000 servers still running exposed QNAP NAS devices.While not all servers are
at risk of brute-force attacks or ransomware, attackers will prioritize
targeting externally exposed NAS devices when identifying potential victims. If
you use weak passwords on any of these devices/servers, your information could
be stolen through a brute-force attack. Moreover, you may even suffer economic
damages from a ransomware attack. Countries with externally exposed QNAP NAS
devices confirmed by Criminal IPAccording to country statistics on exposed QNAP
devices, Germany has the highest number with 6,700, followed by Italy and
Taiwan.Even if it is not a QNAP device, all externally exposed NAS servers can
easily be targeted by attackers. Because NAS is often used for back-ups and
sharing sensitive files, it can be targeted by attackers looking to steal,
encrypt important documents, as well as install information-stealing
malware.QNAP NAS Servers Still VulnerableAmong the exposed QNAP NAS servers
searched, many servers are in a dangerous state and are prone to easily being
targeted by attackers. By blocking attackers, QNAP has mitigated recent threats,
but attackers can have different methods up their sleeves.In the Asset Search
report below, you can observe an IP address linked to a QNAP NAS device.There
are a total of 7 open ports, a QNAP NAS device is running on port 21, and port
22 is open pertaining to several vulnerabilities. Devices that operate on IP
addresses with such vulnerabilities are more susceptible to being targeted by
attackers.Searching for vulnerable QNAP NAS servers in Criminal IP Asset
SearchIn addition to recent attacks targeting QNAP, an ongoing attack targeting
NAS servers is still occurring. Synology, another NAS manufacturer, also warns
its customers about brute-force attacks attempted through the botnet:
StealthWorker. It advises clients to be aware that successful attacks could lead
to ransomware infections and alerts users to pay close attention.To keep your
NAS devices safe, QNAP recommends changing the default access port number as
well as disabling port forwarding on the router and UPnP on the NAS device. QNAP
also urged people to implement appropriate security measures such as strong
passwords for their accounts, password policies, and disabling administrator
accounts. All businesses and organizations utilizing NAS should follow these
vendor recommendations. Furthermore, they should always use tools such as the
Criminal IP search engine or Criminal IP ASM (Attack Surface Management) to
check for exposed external devices.Also check out our article on Cisco IOS XE
Zero-Day Vulnerabilities: Uncovering Over 56,000 Exposed Devices.This report is
based on data from Criminal IP, a Cyber Threat Intelligence search engine.
Create a free Criminal IP account today to access the search results cited in
the report and search for more extensive threat Intelligence.Source: Criminal IP
(https://www.criminalip.io)Related Article(s):Cisco IOS XE Zero-Day
Vulnerabilities: Uncovering Over 56,000 Exposed Devices

2023.12.05
Read More
Search

CISCO IOS XE ZERO-DAY VULNERABILITIES: UNCOVERING OVER 56,000 EXPOSED DEVICES

Cisco IOS XE zero-day vulnerability has recently become a hot topic in the
cybersecurity industry. This particular vulnerability was identified within the
Web UI functionality of the IOS XE software developed by Cisco. The zero-day
vulnerabilities that are being actively exploited in the actual attacks are
CVE-2023-20198 and CVE-2023-20273. Notably, CVE-2023-20198 has been assigned the
highest CVSS score of 10, with Cisco describing this vulnerability as “a
vulnerability that allows an attacker to access the victim’s system with
15-level privileges. The exploitation of the Cisco IOS XE zero-day vulnerability
proves more severe than anticipated, allowing for the execution of all commands
and changes to configuration settings. On October 16, Cisco issued a security
advisory for these vulnerabilities, highlighting that, at present, the only
recommended defense is to disable the Web UI feature of IOS XE.Cisco security
advisory on IOS XE zero-day vulnerabilities released on October 16How to Detect
Devices Exposed to Cisco IOS XE Zero-Day ThreatsTo identify devices vulnerable
to Cisco IOS XE zero-day threats, use the search query ‘WebUI Product:
“OpenResty”. This query searches for OpenResty products that run Cisco Web UI
and allows you to find Cisco IOS XE Web UI devices that can be accessed from the
internet. With the Product Filter in Criminal IP Asset Search, you can search
for the IP addresses associated with specific products.Search Query:WebUI
product: “OpenResty”Search results for Cisco IOS XE Web UI using product filter
in Criminal IP Asset SearchThe search results discovered more than 56,000 Cisco
IOS XE devices running on OpenResty servers. Given Cisco’s global popularity,
you can see that these devices are being used all around the world. A total of
176 countries appeared to be using Cisco IOS XE Web UI devices. Among them, the
United States appeared the most with 9,599 devices, followed by the Philippines
with 4,131 devices, and Peru with 4,080 devices.Statistics on countries with
Cisco IOS XE Web UI devices confirmed by Criminal IPStatistics for Autonomous
System Related Cisco IOS XE Zero-Day DevicesWith the Criminal IP Element
Analysis, you can use the as_name filter to check the statistics for the
autonomous system using devices related to the Web UI
feature.https://www.criminalip.io/intelligence/element-analysis/search?query=WebUI+product%3A+%22OpenResty%22category=assetelement=as_name
Statistics for autonomous system related to Cisco IOS XE Web UI devices
confirmed by Criminal IP Element AnalysisThe autonomous systems that topped the
statistics charts were ISPs providing internet access to households and
companies. Filipino telecommunication company Globe Telecoms appeared the most
with 2,607 devices, followed by Chilean telecommunication company CTC Corp S.A.
Telefonica Empresas with 2,334 devices, and Peruvian telecommunications company
America Movil Peru S.A.C with 2,113 devices.No security patch has been released
for the existing Cisco IOS XE Web UI zero-day vulnerability. Ongoing research is
investigating the potential for further exploits. If you use a Cisco IOS XE
device, we recommend staying informed by checking the latest security advisories
onthe official site.Check out the article on theMOVEit Zero-Day: Detecting
Servers Exposed to Data Leak Attacks.This report is based on data from Criminal
IP, a Cyber Threat Intelligence search engine. Create a free Criminal IP
account today to access the search results cited in the report and search for
more extensive threat Intelligence.Source: Criminal IP
(https://www.criminalip.io) Related article(s):MOVEit Zero-Day: Detecting
Servers Exposed to Data Leak Attacks

2023.11.10
Read More
Search


BEST PRACTICES


CIP WEEKLY DENYLIST: ANONYMOUS IPS IN THE 4TH WEEK OF APRIL

Criminal IP identifies and provides IP addresses that have a history of
suspicious or malicious activity on the internet, including credential stuffing,
indiscriminate brute-force attacks, DDoS attacks, scanning, spam, phishing,
hacking, bad reputation, malware, and more.Criminal IP Weekly Denylist

2024.04.26




NEGLECTED BASIC FRAUD RESPONSE STRATEGIES: INSIGHTS FROM CREDIT CARD COMPANIES

According to recent coverage in a South Korean daily newspaper, users of a
prominent South Korean credit card company (referred to as “Company A”) found
themselves victim to unauthorized transactions totaling thousands of dollars on
popular domestic online shopping platforms like Coupang and 11Stree

2024.04.18




USE CASE OF CRIMINAL IP FDS ANOMALY DETECTION SOLUTION IN AN E-COMMERCE
COMPANY   

Criminal IP FDS is an AI-based fraud detection solution that is used in various
fields such as finance and banking, e-commerce, online games, government and
public services, and insurance.In this article, we introduce customer insights
and a case study on how Criminal IP FDS improved E-commerce com

2024.03.27




USE CASE OF CRIMINAL IP FDS CREDENTIAL STUFFING PREVENTION SOLUTION IN AN ONLINE
GAMING COMPANY   

Criminal IP FDS is an AI-based fraud detection solution that is used in various
fields such as finance and banking, e-commerce, online games, government and
public services, and insurance.In this article, we introduce customer insights
and a case study on how Criminal IP FDS improved online gaming c

2024.03.25


WHAT'S NEW ON CRIMINAL IP

2024.04.25[#Criminal_IP v1.55.1 Release Note] Updated Free membership plan's
features and Pricing page Added Quad9 API Integration Added C2 tags Data added
to Domain Search File exposure Please check more details
https://blog.criminalip.io/2024/04/25/criminal-ip-v1-55-1-2024-04-25-release-note/…
https://blog.criminalip.io/2024/04/25/criminal-ip-v1-55-1-2024-04-25-release-note/2024.03.28[#Criminal_IP
v1.53.1 Release Note] Criminal IP FDS Page Opened Criminal IP Menu and Footer
Redesigned Two-step Authentication for Login Added Domain / Asset Search API
Error Code Added Please check more details
https://blog.criminalip.io/2024/03/28/criminal-ip-v1-53-1-2024-03-28-release-note/…
https://t.co/nupMP1ZFSx2024.03.14[#Criminal_IP v1.52.1 Release Note] Improved UI
for displaying SSL certificate data Improved display of Hacking Group data
Changed pagination in search results Adjusted search result scope for Free &
non-member users Please check more details
https://blog.criminalip.io/2024/03/14/criminal-ip-v1-52-1-2024-03-14-release-note/…
https://t.co/8pixnPIJ2X2024.02.28[#Criminal_IP v1.51.1 Release Note] Released
Hacking Group (Actors) Intelligence Users can retrieve IOC, IOA, TTP, Software,
and the hacking group's activity history to respond to attacks. Added tag:
Directory Listing please check more details
https://blog.criminalip.io/2024/02/28/criminal-ip-v1-51-1-2024-02-28-release-note/…
https://t.co/dGYnbA3K02
Subscribe


CYBERSECURITY NEWS

2024.05.02Cobalt's 2024 State of Pentesting Report Reveals Cybersecurity
Industry Needs

Cobalt, the pioneers of Pentest as a Service (PtaaS) and leading provider of
offensive security solutions, today announced its sixth annual State of
Pentesting Report.

2024.05.02Bitwarden launches new MFA Authenticator app for iOS, Android

Bitwarden, the creator of the popular open-source password manager, has just
launched a new authenticator app called Bitwarden Authenticator, which is
available for iOS and Android devices.

2024.04.30Google prevented 2.28 million policy-violating apps from being
published on Google Play in 2023

Google announced they have prevented 2.28 million policy-violating apps from
being published in the official Google Play.


API INTEGRATION

We provide straightforward, easy-to-use APIs that are designed to block
risk-scored IPs or malicious domain links. Use Criminal IP code samples to
seamlessly integrate all other functions and the database in your organization's
infrastructure.

Get StartedCode Samples
 * Identification of VPN/hosting/Tor of the accessed IP
 * Detection of malicious domain links
 * Management of attack surface vulnerabilities within an organizational
   infrastructure

→ root@criminalip ~ % |

{
"ip": "8.8.8.8",
"score": { "inbound": "Moderate", "outbound": "Low" },
"country": "United States",
"country_code": "us",
"region": "California",
"city": "Los Angeles",
"isp": "GOOGLE",
"org_name": "Google",
"as_no": 15169,
"postal_code": "90009",
"latitude": 34.0544,
"longitude": -118.2441,
"status": 200
}

→ root@criminalip ~ % |


HOW API WORKS

Criminal IP’s API integration will detect and block potential malicious users
accessing login services in real time.




FAQMOST FREQUENTLY ASKED QUESTIONS ABOUT CRIMINAL IP

Frequently Asked Questions
What is Criminal IP?

Criminal IP is a Cyber Threat Intelligence (CTI) search engine that scans the
open ports of IP addresses worldwide daily to discover all devices connected to
the Internet. Using AI-based technology, it identifies malicious IP addresses
and domains and provides a 5-level risk assessment. The data is indexed with
various filters and tags for effective searching. Additionally, it can be
integrated with other systems through an API.

What are some functions of Criminal IP?

You can search for vulnerabilities and all devices connected to the Internet,
such as IP addresses, domains, IoT, and ICS. It provides four search functions:
Asset, Domain, Image, and Exploit, and five intelligence functions: Banner
Explorer, Vulnerability, Statistics, Element Analysis, and Maps, along with an
API.

Where can Criminal IP be used?

Criminal IP allows you to search or inquire via an API threat intelligence on
all devices, servers, and domains connected to the Internet. It can be used for
cyber security, attack surface management, penetration testing, vulnerability
and malware analysis, as well as for investigation and research. For example,
when a new vulnerability or ransomware is discovered, you can determine how many
PCs or servers are vulnerable or infected, and check whether the IP address or
domain in use is also vulnerable. Additionally, it scans in real-time for
malicious URLs generated by hackers and phishing URLs, allowing you to analyze
threat information without directly accessing them. To see more examples on how
to use Criminal IP, please refer to the Best Practice page.

How frequently does Criminal IP update data?

Criminal IP constantly collects and updates data in real-time.

Which Internet browsers can be used for Criminal IP?

As Criminal IP is a web-based search engine, it is accessible via computers,
mobile devices, and tablets. It is specially optimized for Chrome browsers.

Do I need a separate program installation?

Criminal IP does not require a separate program installation. It is available as
a SaaS service, accessible from anywhere with Internet access via web, tablet,
or mobile devices.

Do you have any sample codes for Criminal IP?

Criminal IP provides sample codes for each Search and Intelligence function,
including API. For more information, please refer to the Sample Code page.

How do I create a Criminal IP account?

You can create a Criminal IP account on the Register page using your email,
Google, or Twitter account.

I want to change my account email.

Once an email account is created, you cannot change your registered email. If
you still need to change it, please contact Customer Support.

I would like to receive recent news about Criminal IP.

Follow Criminal IP's official Twitter account to receive the latest news about
Criminal IP. In addition, you can receive the weekly Criminal IP newsletter by
activating the 'Subscribe to the CIP Newsletter' checkbox on the My Information
page.

Criminal IP Search Quick Guide
What is "Asset Search"?

Asset Search is a search feature that provides the risk level of an IP address
in 5 stages and comprehensive information including Domain, Open Ports,
vulnerabilities, WHOIS information, and screenshots associated with that IP
address. For more information, please refer to the Asset Search page.

What is "Domain Search"?

Domain Search is a search feature that provides information about URLs. By
scanning a URL, you can check in real-time whether a site is a phishing site or
contains malware, as well as the connected IP addresses, subdomains, network
logs, and technologies that were used. For more information, please refer to the
Domain Search page.

What is "Image Search"?

Image Search is a search feature that provides image information on devices,
websites, and corporate or personal information that are exposed to the
Internet. For more information, please refer to the Image Search page.

What is "Exploit Search"?

Exploit Search is a search feature that maps exploitable vulnerabilities based
on searches for CVE IDs, vulnerability types, platforms, and more in real-time.
For more information, please refer to the Exploit Search page.

What is "Banner Explorer"?

Banner Explorer is an intelligence feature that provides threat intelligence
information classified into product and service categories such as
cryptocurrency, database, and IoT. For more information, please refer to the
Banner Explorer page.

What is "Vulnerability"?

Vulnerability is an intelligence feature that provides information on attack
surface exposure and vulnerability of assets via classification by CVE ID and
product name, which helps proactively monitor vulnerabilities of the
applications in use. For more information, please refer to the Vulnerability
page.

What is "Statistics"?

Statistics is an intelligence feature that provides a dashboard with 10-day
statistical graphs that determine the maliciousness of IP addresses and domain
information, as well as the presence of VPNs. For more information, please refer
to the Statistics page.

What is "Element Analysis"?

Element Analysis is an intelligence feature that provides the results of
analyzing assets and vulnerability data according to the desired filters and
elements. For more information, please refer to the Element Analysis page.

What is "Maps"?

Maps is an intelligence feature that provides a visual representation of the
country and location information for an IP address on a map, as well as
statistics by AS name, product, and country. For more information, please refer
to the Maps page.

Which filters are available for "Asset Search"?

Asset Search provides filters to enhance search accuracy and convenience. Please
refer to the Filters page.

Which filters are available for "Image Search"?

Image Search provides filters to enhance search accuracy and convenience. Please
refer to the Filters page.

Which filters are available for "Exploit Search"?

Exploit Search provides filters to enhance search accuracy and convenience.
Please refer to the Filters page.

Which tags can I use for "Asset Search"?

Asset Search provides tags to enhance search accuracy and convenience. Please
refer to the Tags page.

Which tags can I use for "Image Search"?

Image Search provides tags to enhance search accuracy and convenience. Please
refer to the Tags page.

What categories are searchable through "Banner Explorer"?

Banner Explorer provides category-specific searches for cryptocurrencies,
databases, industrial control systems, IoT, network infrastructure, and video
games. For more information, please refer to the Banner Explorer page.

Which products are searchable through "Vulnerability"?

Vulnerability provides various major product categories such as MySQL, Linux,
WebLogic Server, and HTTP server that help you easily search for vulnerabilities
in specific products. For more information, please refer to the Vulnerability
page.

What can I search for on the "Element Analysis" page?

You can search for all assets and vulnerabilities collected by Criminal IP by
country, service, ASN, product, and port number.

API Quick Guide
Where can I get an API Key?

You can copy your API Key on the My Information page after signing up and
logging in to your account.

Where can I get the API codes?

You can use API codes for each function on the API page.

Do I need to use a separate software for API?

No separate software is required.

How do I make API calls?

After copying the issued API Key, you can use the command line on the API page
or use various application codes in the GitHub to call the API and check the
results as a JSON response.

Is there a limit on the number of API calls?

The number of available API calls varies depending on the credits provided by
each plan. Please refer to the Pricing page for the number of credits provided
by each plan.

What is the API call speed?

When using the Enterprise plan, high-speed APIs within 1 second are supported.
For more information, please refer to the Pricing page.

Which data can be provided through the API?

All threat intelligence of Criminal IP is equally provided as APIs. For more
information, please refer to the API page.

How can the Criminal IP API be utilized?

Criminal IP API can be easily applied to databases and security systems in use.
It can be used to block account takeover, credential stuffing, and malicious
access by determining the maliciousness and vulnerability information of IPs and
domains in real-time, and protect customers and assets.

Questions for Membership
Do you have a free plan?

If a customer creates an account but does not pay for a plan, the Free
Membership plan will be automatically applied. Free Membership provides a
certain amount of credits that can be used to access Criminal IP features. Once
all the free credits have been used, customers can upgrade to a paid plan at any
time. Upgrading to a paid plan will provide access to more search criteria and
search results.

What if the free plan does not meet my needs?

You can use three paid plans for monthly subscriptions, Lite, Medium, and Pro.
These plans offer a much larger amount of credits than the Free Membership plan
and allow you to use more features and filters. Additionally, with the
Enterprise plan, you can use all features without any limit on data volume. For
more information, please refer to the Pricing page.

Is it possible to get unlimited access to the database?

Yes, it is possible. With the Enterprise plan, you can use all the data and
features without any limitations. For more information, please refer to the
Pricing page.

How can I check my payment information?

You can check your current paid plan, payment history, and payment method
information on the My Order page.

What if I want to change my plan?

If you are currently using the Free Membership, you can choose the appropriate
plan on the Pricing page to start subscribing to a paid plan. If you are already
using a paid plan, you can change or cancel your plan on the

Which payment methods are accepted?

Criminal IP offers various payment methods by country. Credit card payment is
available by default and simple payment methods such as PayPal are supported.
Enterprise customers can Contact Us to select a separate payment option.

I want to cancel my plan.

You can cancel your plan anytime on the My Order page after logging in to
Criminal IP. Even if you cancel your plan, you can continue to use the service
until the next regular payment date. If you have any additional questions
regarding plan cancellation, please contact customer support at any time.

I want to delete my account.

After logging into your account, you can access the membership withdrawal page
and proceed after agreeing. When you delete your account, all your search and
account history as well as remaining credits will be deleted and permanently
removed.

I have a question about the Enterprise plan.

Please contact us through the Contact Us page.

More questions?
What if I have other questions?

If you already have a Criminal IP account, please contact us through the
customer support page for inquiries. For inquiries regarding the Enterprise
membership, or if you do not have an account, please contact us through the
Contact Us page.

go to top



PRIVACY

We use cookies to provide you with the best experience on our websites. Click
‘Accept All’ to accept all cookies. If you want to choose which others we use,
you can do so through 'Cookie settings'.
Please see our Cookie Policy for more information.

Cookie SettingsAccept All



 * Search Engine
   Search
   Asset SearchDomain SearchImage SearchExploit Search
   Intelligence
   Banner ExplorerVulnerabilityStatisticsElement AnalysisMapsHacking Group
   (Actors)

 * Products
   Criminal IP ASM
   Criminal IP FDS
   Chrome Extension

 * Resources
   Developer
   Best PracticeFilters, TagsAPICode SamplesAPI IntegrationsGitHub Reference
   Blog

 * About
   AI Spera
   Partners

 * Contact Us
   Contact Us
   Bug Bounty

Contact Ussupport@aispera.com

v1.55.1 - 2024.04.25
© 2024, All Rights Reserved - AI Spera Inc.
Terms of Use

Privacy Policy

Cookie Policy