Map Real Time Cyber Attacks

Author: Satish Arthar
May 4, 2016

It seems nearly every day we’re reading about Internet attacks aimed at knocking sites offline and breaking into networks, but it’s often difficult to visualize this type of activity. In this post, we’ll take a look at multiple ways of tracking online attacks and attackers around the globe and in real-time.

 

A couple of notes about these graphics. Much of the data that powers these live maps is drawn from a mix of actual targets and “honeypots,” decoy systems that security firms deploy to gather data about the sources, methods and frequency of online attacks. Also, the organizations referenced in some of these maps as “attackers” typically are compromised systems within those organizations that are being used to relay attacks launched from someplace else.

 
The main method is to collect reports from Intrusion Detection Systems (IDS). Each attack that hits an IDS is reported back, so you know the source of the attack – which may not be the instigator, just the IP address registered as attacking you – and of course the target is known to the IDS, because the IDS IS the target. The IDS can be software- or hardware-based.
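To make the reporting pipeline concrete, here is a small aggregator over IDS alert lines, added for this post and not code from Cyber51 or any of the map vendors named here. It parses Snort-style "fast" alert lines (a constructed sample, with rule ids in the local 1000000+ range and documentation-only addresses), counts hits per source and per targeted service the way a live map does, separates honeypot hits from hits on production hosts, and attaches a constructed GeoIP/whois-style label to each source that carries the caveat from the paragraph above: the owner of the attacking address is the relay, not necessarily the instigator. Malformed lines are skipped rather than crashing the parser.

```python
"""Turn IDS / honeypot alerts into the per-source and per-target counts a live
attack map plots.  Added example for this post, not Cyber51's or any vendor's
code; the alert lines, addresses, rule ids and lookup tables are all constructed."""
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional

# Constructed alerts in a Snort-style "fast" line layout.  Rule ids are in the
# local range (1000000+) so they do not collide with any published ruleset.
SAMPLE_ALERTS = """\
05/04-14:45:27.000123 [**] [1:1000001:1] LOCAL SCAN SSH probe [**] {TCP} 203.0.113.10:51234 -> 192.0.2.5:22
05/04-14:45:29.100456 [**] [1:1000001:1] LOCAL SCAN SSH probe [**] {TCP} 203.0.113.10:51235 -> 192.0.2.6:22
05/04-14:46:02.500789 [**] [1:1000002:1] LOCAL SCAN MSSQL probe [**] {TCP} 198.51.100.77:40000 -> 192.0.2.5:1433
this line is deliberately malformed and must be skipped, not crash the parser
05/04-14:46:40.000000 [**] [1:1000003:1] LOCAL WEB SQLi attempt [**] {TCP} 198.51.100.77:40001 -> 192.0.2.9:80
05/04-14:47:10.000000 [**] [1:1000001:1] LOCAL SCAN SSH probe [**] {TCP} 203.0.113.10:51236 -> 192.0.2.9:22
"""

# Which of our sensors are decoys (constructed).  Hits here have no real victim.
HONEYPOTS = {"192.0.2.5", "192.0.2.6"}

# Constructed stand-in for a GeoIP / whois lookup.  The "org" is whoever the
# attacking address is registered to, which (as the post notes) is usually a
# compromised relay rather than the person running the attack.
SOURCE_INFO = {
    "203.0.113.10": {"org": "Example University (constructed)", "country": "DE"},
    "198.51.100.77": {"org": "Example Hosting Ltd (constructed)", "country": "BR"},
}

SERVICE_NAMES = {22: "ssh", 80: "http", 443: "https", 1433: "mssql", 3389: "rdp"}

ALERT_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


class Alert(NamedTuple):
    ts: str
    sid: int
    msg: str
    proto: str
    src: str
    dst: str
    dport: int


def parse_alert(line: str) -> Optional[Alert]:
    """Parse one fast-format line; return None for anything that does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    return Alert(m["ts"], int(m["sid"]), m["msg"], m["proto"], m["src"], m["dst"], int(m["dport"]))


def parse_alerts(text: str) -> List[Alert]:
    """Parse a whole alert file, silently dropping malformed lines."""
    return [a for a in (parse_alert(line) for line in text.splitlines()) if a]


def service_name(port: int) -> str:
    """Human-readable service label for the map legend; unknown ports stay numeric."""
    return SERVICE_NAMES.get(port, f"tcp/{port}")


def summarize(text: str) -> Dict[str, object]:
    """Build the counters an attack map draws from: who is hitting us, what they
    are hitting, and how much of that is honeypot noise versus production."""
    alerts = parse_alerts(text)
    by_source: Counter = Counter(a.src for a in alerts)
    by_service: Counter = Counter(service_name(a.dport) for a in alerts)
    honeypot_hits = sum(1 for a in alerts if a.dst in HONEYPOTS)
    return {
        "total": len(alerts),
        "by_source": by_source,
        "by_service": by_service,
        "honeypot_hits": honeypot_hits,
        "production_hits": len(alerts) - honeypot_hits,
    }


def attribute(src: str) -> Dict[str, str]:
    """Label a source the way a map does, with the relay caveat built into the label."""
    info = SOURCE_INFO.get(src, {"org": "unknown", "country": "??"})
    return {**info, "ip": src,
            "note": "registered owner of the relaying IP, not necessarily the instigator"}


if __name__ == "__main__":
    s = summarize(SAMPLE_ALERTS)
    print(f"{s['total']} alerts, {s['honeypot_hits']} on honeypots, "
          f"{s['production_hits']} on production hosts")
    for ip, n in s["by_source"].most_common():
        a = attribute(ip)
        print(f"  {ip:15} {n:3}  {a['country']}  {a['org']}")
    for svc, n in s["by_service"].most_common():
        print(f"  {svc:8} {n}")
```

The honeypot/production split is the number worth watching in your own data: a map that mixes the two makes decoy traffic look like real victims, and the source label should always be read as "where the relay is", which is exactly the caveat the post makes about the "attacker" organizations shown on these maps.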

 

FireEye Cyber Threat Map: while the FireEye Cyber Threat Map doesn’t technically operate in real time, it does generate a very interesting picture of how surreptitiously installed malware communicates with the server systems that are remotely controlling the malicious software.

 

 


My favorite – and perhaps the easiest way to lose track of half your workday (and bandwidth) comes from the folks at Norse Corp. Their map – IPViking – includes a wealth of data about each attack, such as the attacking organization name and Internet address, the target’s city and service being attacked, as well as the most popular target countries and origin countries.

 

 

Another live service with oodles of information about each attack comes from Arbor Networks’ Digital Attack map. Arbor says the map is powered by data fed from 270+ ISP customers worldwide who have agreed to share anonymous network traffic and attack statistics.

 

 


Kaspersky’s Cyberthreat Real-time Map is a lot of fun to play with, and probably looks the most like an interactive video game. Beneath the 3-D eye candy and kaleidoscopic map is anonymized data from Kaspersky’s various scanning services. As such, this fairly interactive map lets you customize its layout by filtering certain types of malicious threats, such as email malware, Web site attacks, vulnerability scans, etc.

 

 


The Cyberfeed, from Anubis Networks, takes the visitor on an automated tour of the world, using something akin to Google Earth and map data based on infections from the top known malware families. It’s a neat idea, but more of a malware infection map than an attack map, and not terribly interactive either. In this respect, it’s a lot like the threat map from Finnish security firm F-Secure, the Global Botnet Threat Activity Map from Trend Micro, and Team Cymru’s Internet Malicious Activity Map.

 

 

The Honeynet Project’s Honey Map is not super sexy but it does include a fair amount of useful information about real-time threats on honeypot systems, including links to malware analysis from Virustotal for each threat or attack.

 

 

Additionally, the guys at OpenDNS Labs have a decent attack tracker that includes some nifty data and graphics.

 

Speaking of attacks, some of you may have noticed that this site was unreachable for several hours over the last few days. That’s because it has been under fairly constant assault by the same criminals who attacked Sony and Microsoft’s gaming networks on Christmas Day. We are moving a few things around to prevent further such disruptions, so you may notice that some of the site’s features are a tad flaky or slow for a few days.

 

We made this post because we, Cyber51, decided to build one of our own. When we started, we focused more on user experience and information accessibility. We were able to create a close-to-real-time cyber attack monitoring system that is engaging, interactive, and insightful. Soon it may surprise you all with some nice functions.

 


Cyber Crime on the rise

Author: Martin Voelk
February 3, 2016

You can read about cyber crime in the papers daily: breaches and hacks in all parts of the world. However, what is often neglected is the fact that a lot of cyber crime is committed by absolute amateurs with very little IT knowledge. The victims, unfortunately, are in most cases even less experienced in basic IT security. A lot of the crimes could be prevented by basic user education. Even many companies fail to educate their users about the threats out there, so one can imagine what security awareness is like among individuals and families.

No doubt there are sophisticated hacking groups, organised networks and individuals who are very skilled and true black hats. But the sort of scams we see almost daily are sometimes so basic, yet so effective, due to the lack of education.

A few very bad examples we encountered:

  • Bad guy sends an email to someone’s wife asking for confidential information like a credit card number by email. A bit of research, a new Gmail or Yahoo address, and the results are stunning: a surprising number of people send their credit card information to their alleged husband/wife.
  • Installing malware with a Microsoft installer, and even disabling AV, because the instructions for the great game or tool ask people to.
  • Trusting any Facebook profile if people believe it’s actually a friend, not realising that anyone can set up any Facebook profile and pretend to be someone else.
  • Get a $100 USD/EUR/GBP voucher for XYZ by simply answering 5 questions and authenticating with your Gmail / Yahoo / Hotmail / Amazon or eBay account. This is a bit more sophisticated but easily done for the bad guys. The problem is cross-authentication, where legitimate sites allow you to log in with FB/Twitter. If in doubt – don’t enter credentials! No one will give anyone a $100 voucher for a few questions.

A few golden rules to mitigate threats:

  • Mistrust all email which isn’t digitally signed (verify offline: call the boss, husband, wife or whoever asks for something sensitive by email).
  • Don’t blindly install cool games or tools. Run an AV scan on everything first.
  • Don’t trust social media, and especially not requests for sensitive information over that medium. Verify offline.
  • No one will give you a $100 USD voucher for just a few questions. And if someone really does, there is never a need to supply a password!

A police officer in a small town in the UK recently addressed the fact that 80% of cyber crime could be prevented by basic user education and security awareness. Very good article.

http://www.swindonadvertiser.co.uk/news/14247115.Chief_Constable_waging_war_on_cyber_crime_in_Wiltshire/

 

 


UK police hires Ex-Hacker

Author: Martin Voelk
January 11, 2016

Law enforcement often hires top-notch ex-hackers to provide their services. Everyone knows about the famous Kevin Mitnick, who once was the FBI’s most wanted. These days Mr. Mitnick runs his own business helping others stay safe from cyber crime.

More recently something similar happened in the UK. Tony Sales was one of the biggest online fraudsters in the UK and has recently been hired by West Midlands Police.

http://www.welivesecurity.com/2016/01/06/uk-police-force-hire-britains-greatest-fraudster-help-tackle-cybercrime/ 

 


April 10, 2015

Business Week / Symantec have published a nice chart highlighting the top cyber crime countries. Whilst those statistics only report on detected cyber crime, the picture probably holds true for undetected crimes as well. This chart represents the victim countries rather than the attackers’ locations.

[Chart: top 20 cyber crime countries pie chart]

1. United States of America
Share of malicious computer activity: 23%
Malicious code rank: 1
Spam zombies rank: 3
Phishing web site hosts rank: 1
Bot rank: 2
Attack origin rank: 1

2. China
Share of malicious computer activity: 9%
Malicious code rank: 2
Spam zombies rank: 4
Phishing web site hosts rank: 6
Bot rank: 1
Attack origin rank: 2

3. Germany
Share of malicious computer activity: 6%
Malicious code rank: 12
Spam zombies rank: 2
Phishing web site hosts rank: 2
Bot rank: 4
Attack origin rank: 4

4. Britain
Share of malicious computer activity: 5%
Malicious code rank: 4
Spam zombies rank: 10
Phishing web site hosts rank: 5
Bot rank: 9
Attack origin rank: 3

5. Brazil
Share of malicious computer activity: 4%
Malicious code rank: 16
Spam zombies rank: 1
Phishing web site hosts rank: 16
Bot rank: 5
Attack origin rank: 9

6. Spain
Share of malicious computer activity: 4%
Malicious code rank: 10
Spam zombies rank: 8
Phishing web site hosts rank: 13
Bot rank: 3
Attack origin rank: 6

7. Italy
Share of malicious computer activity: 3%
Malicious code rank: 11
Spam zombies rank: 6
Phishing web site hosts rank: 14
Bot rank: 6
Attack origin rank: 8

8. France
Share of malicious computer activity: 3%
Malicious code rank: 8
Spam zombies rank: 14
Phishing web site hosts rank: 9
Bot rank: 10
Attack origin rank: 5

9. Turkey
Share of malicious computer activity: 3%
Malicious code rank: 15
Spam zombies rank: 5
Phishing web site hosts rank: 24
Bot rank: 8
Attack origin rank: 12

10. Poland
Share of malicious computer activity: 3%
Malicious code rank: 23
Spam zombies rank: 9
Phishing web site hosts rank: 8
Bot rank: 7
Attack origin rank: 17

11. India
Share of malicious computer activity: 3%
Malicious code rank: 3
Spam zombies rank: 11
Phishing web site hosts rank: 22
Bot rank: 20
Attack origin rank: 19

12. Russia
Share of malicious computer activity: 2%
Malicious code rank: 18
Spam zombies rank: 7
Phishing web site hosts rank: 7
Bot rank: 17
Attack origin rank: 14

13. Canada
Share of malicious computer activity: 2%
Malicious code rank: 5
Spam zombies rank: 40
Phishing web site hosts rank: 3
Bot rank: 14
Attack origin rank: 10

14. South Korea
Share of malicious computer activity: 2%
Malicious code rank: 21
Spam zombies rank: 19
Phishing web site hosts rank: 4
Bot rank: 15
Attack origin rank: 7

15. Taiwan
Share of malicious computer activity: 2%
Malicious code rank: 11
Spam zombies rank: 21
Phishing web site hosts rank: 12
Bot rank: 11
Attack origin rank: 15

16. Japan
Share of malicious computer activity: 2%
Malicious code rank: 7
Spam zombies rank: 29
Phishing web site hosts rank: 11
Bot rank: 22
Attack origin rank: 11

17. Mexico
Share of malicious computer activity: 2%
Malicious code rank: 6
Spam zombies rank: 18
Phishing web site hosts rank: 31
Bot rank: 21
Attack origin rank: 16

18. Argentina
Share of malicious computer activity: 1%
Malicious code rank: 44
Spam zombies rank: 12
Phishing web site hosts rank: 20
Bot rank: 12
Attack origin rank: 18

19. Australia
Share of malicious computer activity: 1%
Malicious code rank: 14
Spam zombies rank: 37
Phishing web site hosts rank: 17
Bot rank: 27
Attack origin rank: 13

20. Israel
Share of malicious computer activity: 1%
Malicious code rank: 40
Spam zombies rank: 16
Phishing web site hosts rank: 15
Bot rank: 16
Attack origin rank: 22


Cyber Crime Report Verizon

Author: Martin Voelk
March 27, 2015

Cyber crime is, and should be, a concern for anyone in cyber space. There is a common misconception amongst users and businesses alike: why should I become a cyber crime victim? Well, because the attackers don’t care whether it’s a small business, an individual or a Fortune 500 company. A lot of guys do it for fun; others have causes which may be related to profit or a political cause, or simply want to test their abilities.

Verizon publishes a free cyber crime report every year, which we are more than happy to share. Although it’s very comprehensive, this is only the tip of the iceberg; the real number of incidents is probably exponentially higher. A good read nonetheless.

[Attachment: rp_Verizon-DBIR-2014_en_xg (Verizon Data Breach Investigations Report 2014)]


March 13, 2015

In recent forensic investigations for U.S. customers, we stumbled across a lot of non-proxied attacks from Latin American countries. Many people ask us why a lot of attackers don’t even bother to disguise their true source IP addresses. Well, there are a lot of different issues surrounding this.

  1. Weak IT legislation, no IT legislation, or governments/law enforcement unwilling to co-operate with certain countries. This is something that can’t be changed and won’t be changed easily. In certain countries you can buy pirated software, pirated music on 8 Gig USB sticks, and 100 Gig hard drives full of the latest movies in “mercados”. Those countries of course don’t care about hacking activities or other illegal actions done online if they permit them offline.
  2. Completely incompetent Internet Service Providers who ignore all aspects of security, logging and so forth. We won’t mention countries or ISP names, but the issue is more than widespread. During one of our recent assignments we found that the peering routers of various ISPs had no access filter for remote access, and the username was set to admin with the password, guess what, admin123. We discovered that all main core and DSL access routers had the same local authentication of admin and admin123. Should a hacker uncover this, a city of 4 million people is pretty much offline.
  3. Wireless security is 95% non-existent. For example, in Mexico 50% of all private and business users have their access points either open or WEP encrypted. Those who use WPA leave it at the factory default, which is a numeric key of 8 – 12 digits. A rainbow table for this is standard equipment for any pentester. Then you have about 5% left where you may need to employ social engineering techniques.
  4. Location tracking and IP address assignment by ISPs. Another big problem. IP addresses are handed out in a widely uncoordinated manner, meaning that a person in city X will get an IP in city Y. Mobile apps particularly suffer from these assignment and tracking problems, making it really hard to track the actual location.
  5. Little to no IT security awareness amongst employees of ISPs and businesses. Whilst social engineering works well in developed countries like the U.S. or Europe, in Latin America even basic password rules are widely ignored. There is a strong understanding that physical security is important (gates, guards, cameras etc.), but IT equipment is left wide open.

The list goes on and on, and with those deficits in IT security across entire country infrastructures, hackers and people with malicious intent have no obstacles in their way. The missing legislation in many countries, along with the non-enforcement of the little legislation in place, certainly assists hackers in their activities.

 


How do Hackers attack?

Author: Martin Voelk
December 9, 2014

We often get asked by our clients: where are the hackers behind these attacks, and how do they disguise themselves? Well, to answer this question properly would probably take weeks or even months. Let’s try to put it into a little blog post.

There are 3 categories of individual attackers:

The security aware hackers

These are the guys who know how to cover their tracks and disguise themselves. A lot of them route their attacks through different countries, the TOR network (an anonymity network which conceals the real source IP) and compromised weak systems. What are weak systems? Typically schools, where teachers with very limited or no IT security knowledge are responsible for server maintenance. We had 5 cases recently where corporate clients in the US were attacked and the forensics revealed that the attackers had hacked numerous grammar schools in Europe, installed their tools there and used them to attack. Tracking down those attackers is often hard or impossible.

The stupid hackers

These are guys who sit in Western countries and start running attack scripts (mainly young teenagers) and are only able to run automated freeware tools. Then they are surprised when law enforcement knocks on their doors.

The hackers who sit outside Western legislation

Not every attacker has to worry about getting caught. Actually, a lot of attacks originate from countries which do not cooperate with Western law enforcement or which have bad relationships with the United States, the European Union or other Western countries. Just to name a few countries where attacks on Western systems will likely not result in any problems for the attackers: China, North Korea, Russia, Syria, Iraq, Afghanistan, Yemen, Sudan, Cuba, Nicaragua, Ecuador, Bolivia, Venezuela and many more in Africa and Asia.

Our customers often get frustrated when we have to tell them that the attacker likely resides outside their home country and that, even if they involve law enforcement, the chances of actually prosecuting the attackers are next to nothing. We recommend being pro-active instead of re-active. Getting your security tested by us and deploying countermeasures is a lot cheaper than waiting for an attack and then firefighting it. The question for any business is not IF an attack is going to happen… the question is WHEN.


Cyber Crime and IT Legislation

Author: Martin Voelk
November 27, 2014

As part of our penetration testing and forensic engagements with our customers, we often get asked: can we not involve law enforcement to track down the hackers who attacked us and bring them to court? The answer is: it depends where the hackers are based!

We live in a networked world, but the world doesn’t have the same laws. In a recent forensic case the customer was all too happy because they thought the attacker had a European IP address. However, upon investigation, a school server in Europe had been compromised and used as a relay. The school was happy to assist in our investigation. Analysing the logs led to the likely real source: China! That means game over.

We worked on a case where a customer website, incl. design etc., had been mirrored by a Chinese firm. Intellectual property infringement. Nothing you can do. If the persons doing this reside in a non-Western country, your chances of taking those people to court are next to zero. After Romania and Bulgaria joined the EU, we have seen good progress in the ability to involve local law enforcement, but there are dozens and dozens of countries where this is not possible.

A lot of the hacks and frauds originate from, but are not limited to: China, Russia, South America, the Middle East, Africa and Far East Asia. Often from countries where there is little or no IT legislation. In other words, hacking is not a crime in some countries. Yes, you heard that right. We know those countries but won’t name them. Google Search knows them too.

The other problem is where countries have bad or no relations with each other. A few examples. Almost no Arab law enforcement agency cares about attacks against Israeli servers and vice versa. An Israeli hacker would likely not face problems at home for attacking an Iranian server. The current situation between the Ukraine and Russia and Russia and the West gives the same picture. Then in countries with war zones, no one can or will enforce hacking investigations, such as in Syria or Iraq.

We recently worked with a UK customer who got hacked. We were able to trace the real IP down to the source. It was in Argentina. Game over. Everyone knows that the relationship between Britain and Argentina is poor, to say the least. Law enforcement in Argentina will not help investigate or prosecute an Argentinian hacker who attacked a UK company, unless there is some public or national interest (maybe).

Hackers who know legislation know very well from where they can launch attacks and from where they can’t. In the West a lot of the Cyber Criminals hide in the TOR/Deep Web Network and try to disguise their real location. In some countries of the world there is no need to use TOR because hackers won’t face problems. A lot of the serious hacking boards are publicly hosted in Russia on the white web. Same goes for Chinese forums.

The issue is complex and difficult.

We can only recommend that customers get a pentest to check their security before they get hacked! Tracing down hackers, or even prosecuting them if they are based outside your home or Western legislation, is as good as impossible and will cause frustration for the victims.
