Contribute to the
Cybercrime Information Center
Share threat
intelligence data
We constantly investigate threat intelligence to identify potential sources for additional threats to measure, analyze and report.
Fund cybercrime data collection
We have collected fifty million
threat intelligence reports…
And that’s just for phishing, spam, and malware!
We gratefully acknowledge the contributions of the organizations that contribute threat intelligence data or funds in support of the Cybercrime Information Center:
Anti-Phishing Working Group (APWG). APWG provides access to the eCrime Exchange (eCx) threat data repository and data sharing platform. This feed is populated by APWG’s member organizations. We chose APWG because of its widespread adoption and longevity. We count only verified phishing URLs.
Bambenek Consulting provides the Project with a reference list of known sinkhole addresses and operators. We use this to filter reports that may identify a sinkhole address or domain in a URL that we ingest from our feeds.
Coalition Against Unsolicited Commercial Email (CAUCE). We thank CAUCE for making a monetary contribution to the Cybercrime Information Center.
Domain Tools provides access to bulk parsed Whois, Whois History, and the IRIS investigation platform.
InvaluementURI. The Invaluement URI DNSBL lists domain names and IP addresses that are found in clickable links (URLs) in the message bodies of unsolicited email messages (spam). Most domain names listed in this feed are registered by criminals purposely for spam.
Malware Patrol. Malware Patrol provides access to its Business Protect feed for ransomware and malware infection threat data. The feed is aggregated from diverse sources, including web crawlers, botnet monitors, spam traps, honeypots, research teams, partners and historical data about malicious campaigns.
MalwareURL (MalwareURL.com). The database that MalwareURL uses proprietary software and analytic techniques to locate, assess and monitor suspected sources of web criminality. malware, Trojans and a multitude of other web-related threats. The feed offers metadata that assists us in identifying malware types and families.
OpenPhish. We chose OpenPhish on the strength of its vetting modules to validate detection results and reduce false positives. OpenPhish grants us access to its Premium feed, which offers substantive metadata that assists us in identifying targeted brands and sectors, and because it incorporates data sources from Asia-Pacific and Latin American regions.
PhishTank (database). We use the PhishTank collaborative clearing house for phishing data. PhishTank is operated by OpenDNS and like the APWG, the feed is populated by members. Submissions are verified by a member voting process that has proven highly reliable. We count only verified phishing URLs.
SURBL URI Reputation Data (multi). SURBL lists web sites that have appeared in unsolicited messages. SURBL reports multiple threats including spam, spamvertising, malware, phishing and cracked sites. SURBLs are supported by spam filter (“milter”) and antispam applications used in corporate, ESP, and ISP security deployments.
The Spamhaus Project Domain Block List (DBL). Access to the DBL provides us with a widely used feed that reports multiple threats including spam, phishing, malware, botnet Command-Control and other threats. The domain names that are reported on the list are verified. Spamhaus uses “various data from many sources to craft and maintain a large set of rules controlling an automated system that constantly analyses a large portion of the world's email flow and the domains in it.” The DBL is one of the most widely used DNSRBLs in the world.
The URLhaus Malware URL Exchange (URLhaus). Operated by abuse.ch, the URLhaus Malware URL Exchange collects, tracks and shares malware URL submissions with security solution providers, antivirus vendors and blacklist providers, including Google Safe Browsing (GSB), Spamhaus DBL and SURBL. The feed offers metadata that assists us in identifying malware types and families.
Zetalytics Massive Passive DNS (API). Access to passive DNS data provides us with a means to approximate the time and date when a domain name first resolved in the DNS. We use passive DNS in cases where we cannot obtain domain registration creation dates, e.g., for country code TLDs that do not offer Whois or RDAP, or for gTLDs where we are unable to reliably obtain Whois data.