Cyber Threat Feeds
Netcraft’s validated threat feeds are truly global, and protect the entire internet ecosystem from online threats
Best-in-class threat intelligence
Netcraft provides complete, global cyber threat feeds across a large variety of threat types that cover all impersonated institutions—not just Netcraft customers. Threat data is available in standalone feeds, or integrated into our complete digital risk protection platform.
Netcraft’s threat intelligence is powered by automation using machine learning and AI alongside thousands of carefully curated rules. Millions of suspected threats are collected across a multitude of noisy sources each day and are transformed into verified and actionable cyber threat intelligence.
Netcraft’s phishing site feed has been running since 2005, and our feeds are trusted by key internet infrastructure providers, including browsers, antivirus companies and Netcraft’s threat data partners.
Defeating cyber attacks with unmatched scale and effectiveness
Netcraft’s online brand protection operates 24/7 to discover phishing, fraud, scams, and cyber attacks through extensive automation, AI, machine learning, and human insight. Our disruption & takedown service ensures that malicious content is blocked and removed quickly and efficiently—typically within hours.
0%
of the world’s phishing attacks taken down
0M+
threat reports and suspicious URLs analyzed every day
0M
cybercrime attacks blocked to date
0M+
attacks taken down and growing
Block exposure to threats within seconds
In addition to URLs reported by our anti-cybercrime community, Netcraft collates and validates reports from many of the world’s largest banks, open-source data, and other industry partners. We also recover URLs from ongoing analysis of malicious email attachments, many of which serve as key infrastructure in malware operations.
Netcraft’s feeds cover the whole gamut of cyber attack threat types, including phishing, fake shops, fake pharmacies, evil JavaScript, and more. Full data can be provided if required, and options suitable for DNS filtering or use in SIEM tools are available.
Feeds can be delivered via a five-minutely updating JSON feed, or directly within the web interface and API of our digital risk protection platform.
Endpoint protection
Netcraft offers its collections of apps and extensions for enterprise use. Block cybercrime threats from Netcraft’s threat intelligence feeds on employee devices from the moment we discover them.
This protection can be deployed effortlessly across all of your devices via MDM with just a few clicks. Additional management and configurations options are available to unlock functionality or subscriptions.
Feed Types
Netcraft’s malicious site and threat intelligence feeds are available as a collection of continuously updated feeds, suitable for security engineers, network administrators, and internet service providers.
Phishing
Phishing sites are designed to trick visitors into submitting private information by posing as a trusted or legitimate entity. Netcraft’s phishing site feed is used by major web browsers to protect their users, and is also licensed by many of the leading antivirus, content filtering, web-hosting, and domain registration companies.
Fake Shops
Fake shops claim to offer highly discounted luxury goods, typically for premium clothing, shoe, or electronics brands. In reality, they are simply a front to capture users’ payment information. After the victim completes the checkout process, they will be delivered counterfeit products, or possibly even no products at all.
Fake Pharmacies
Fake pharmacies claim to sell pharmaceuticals but have none of the licensing required by the jurisdictions in which they offer products. While many fake pharmacy sites will actually deliver to victims, the drugs delivered are likely to be incorrect, substandard, or counterfeit.
Shopping Site Skimmers
Fraudsters use vulnerabilities in popular e-commerce platforms and their plugins to deploy malicious JavaScript onto legitimate online shopping sites. These JavaScript ‘skimmers’ are added to checkout pages, and capture payment card details and other personal information.
Web Shells
Web shells are backdoor control panels that allow total control over a compromised web server, letting fraudsters easily steal data from the server, launch phishing attacks, join the server to a botnet, engage in DDoS attacks, and distribute malware, to name a few. The web shell feed provides a list of web shells and the associated compromised sites.
Web-Inject Malware
Netcraft detects compromised web pages where malicious JavaScript has been added to exploit vulnerabilities on visitors’ machines. Suspected sites are visited within a sandboxed web browser allowing all the resources of the page to be fetched and executed.
Technical Support Scams
Fraudsters make use of scam websites purporting to be legitimate technical support sites to trick visitors into actions such as installing malware, making financial transfers, using premium rate services or allowing remote access to their machines.
Health Product Scams
Health product scams attempt to lure victims into purchasing fake health products such as weight loss pills, or fake oils. These sites often claim the products are endorsed or used by celebrities, and typically use fake seals to appear more legitimate.
Investment Scams
Investment scams encourage victims to transfer funds to the fraudster on the promise of large returns, often impersonating well-known public figures (such as Sir Richard Branson) to promote the scheme. These scams are among the highest volume attacks seen by Netcraft.
Survey Scams
Survey scams mislead victims into thinking they are being marketed to by a well-known company or brand and will receive a high-value reward or prize by answering a few simple questions. After answering these questions, the victim is told they’ve won, and then redirected to another scam or a third-party affiliate link under the guise of redeeming their prize. They may subsequently be tricked into giving away personal information or installing malicious software.
Malware Infrastructure URLs
Netcraft processes millions of spam emails every day, and any malware attachments are analyzed to identify key infrastructure URLs. Running the malware in a sandbox environment reveals the URLs that it attempts to connect to, including those that transmit operational instructions for the malware, download further stages of the attack, or receive payment for malware such as ransomware.
Malicious Email Addresses
Netcraft can also provide a feed of email addresses participating in advance fee fraud schemes, found in the millions of spam emails that it analyzes. This feed also contains any addresses intended to receive credentials captured by the phishing attacks that Netcraft identifies.
Cryptocurrency Miners
Also called ‘cryptojacking’, this JavaScript malware hijacks the user’s browser and silently mines cryptocurrency when infected sites are visited. This mining code can cause significant drops in websites’ performance and responsiveness.
Frequently Asked Questions
The malicious site and threat intelligence feeds make up a constantly updated database of patterns that match the URLs and email addresses recorded by Netcraft.
The feeds are available as either an encrypted database (with which specific identifiers can be looked up to determine whether they’re blocked) or a plain text database (in TSV or JSONL format).
The TSV/JSONL format allows you to view the full contents of the feed, and offers extra information about the threats such as attack targets and IP addresses.
Yes. This ensures that customers who have fallen behind can catch up incrementally, or if necessary, by requesting the full feed.
We re-test malicious URLs so that they can be removed from the feed once the malicious content has been taken down, which ensures legitimate content on a previously compromised site is no longer blocked.
Insights
Blog
December 2024 Web Server Survey
In the December 2024 survey we received responses from 1,149,724,280 sites across 272,582,582 domains and 13,260,653 web-facing computers. This reflects … Read More
Learn More
Blog
November 2024 Web Server Survey
In the November 2024 survey we received responses from 1,141,129,846 sites across 272,032,056 domains and 13,114,233 web-facing computers. This reflects … Read More
Learn More
Blog
Black Friday Gets a Fakeover: Fake Stores Spike 110% by Using LLMs this Holiday Shopping Season
Key Data This article explores Netcraft’s research into the global growth of fake stores, including activity that makes use of … Read More
Learn More
Schedule time with us
Learn more about Netcraft’s powerful brand protection, external threat intelligence and digital risk protection platform