Subscribe to ThreatSTOP feed
Updated: 1 hour 54 min ago

How much would you pay in bitcoin to watch that cat video?

Mon, 01/16/2017 - 22:00

Where do security professionals draw the line between protecting their company’s network, and delivering a free-range internet experience for their fellow employees? This quandary came up at ThreatSTOP recently, spurred by a support request we received from a customer who posed this very question to himself, his peers, and to us. It got us thinking, and made us wonder what the consensus is among security professionals who constantly wrestle with balancing the scales of security and user friction.

Switcher Android Malware - The Road From Android App to Hijacking DNS Server

Thu, 01/12/2017 - 19:13

One of the most recent campaigns highlighting the importance of router security is Mirai (The botnet that had large scale attacks by infected IoT devices). Even before this, reports emphasized the importance and vulnerability of these devices. For example, Report by Malware Researcher Kafeine revealed the use of an exploit kit aimed to exploit routers. This method showed Google Chrome users were redirected to a malicious server that loaded code designed to determine router models. (While changing the DNS servers configured to the router)

Crime As a Service: The Gritty Details & How to Prevent It

Thu, 01/12/2017 - 17:52


“Crime as a Service” (CaaS): It’s not just a recently ramped up buzzword, it has actual backing and won't quietly fade into the night anytime soon. It’s a service that has the potential to mature into a larger organizational unit, which is telling of the cyber security issues we’ll be up against in the future.

Paul mockapetris at namescon 2017

Wed, 01/11/2017 - 20:04

Come see the inventor himself, Paul Mockapetris, deliver the keynote presentation at NamesCon 2017:

Why Switch When You Can Keep the Service You Trust? Infoblox ActiveTrust vs. ThreatSTOP DNS Firewall Service

Wed, 01/11/2017 - 17:37


Received a notice from Infoblox lately?

If you’re a DNS Legacy Firewall customer, you’ve probably gotten a warning to migrate to ActiveTrust by end of January….. or else. However, that’s not the case. The Threat Intelligence/RPZ Feed you’ve been utilizing with Infoblox is a ThreatSTOP powered service and it’s still operational. We’ve also been developing and improving our product, now offering our new, Next Generation DNS Firewall Service to active subscribers without any added charges.   

Bi-weekly Security Update 12/21-1/3

Wed, 01/04/2017 - 18:15

Malicious content identified and inserted:

  • IPs – 1625
  • Domains – 4562

Target lists updated:

  • TSCritical (Domains and IPs)
  • TSRansomware (Domains and IPs)
  • TSPhishing (Domains and IPs) – New Targets added!
  • TSBanking (Domains and IPs) – New Targets added!

Operation Emmental\SmsSecurity

Thu, 12/29/2016 - 12:02

The evolving threats targeted at mobile devices and the increasing number of campaigns targeted at financial institutions have joined forces and become a double threat in what have become known as the  The Emmental campaign. 

who can you trust? the danger of false positives in threat intelligence

Wed, 12/28/2016 - 23:31

Everyone knows you need to block the bad stuff from getting onto your network and calling home to its masters. However, what happens when something good gets incorrectly flagged as malicious? You’ve been hit with a false positive, and in some cases, this can be just as bad as letting something truly dangerous get through.

ThreatSTOP security team is proud to present - Banking Malware Targets

Tue, 12/27/2016 - 09:39

Banking Malware steals millions of dollars from both personal and business accounts in the United States every year. Personal accounts are insured by federal banking regulations, but businesses are less protected.

Gooligan- The recent Hooligan that is spreading

Fri, 12/23/2016 - 12:15

One criteria for the success of malware is its scope of distribution. Gooligan, a mobile malware, found in the app SnapPea that is described as a "one-stop shopping experience", has succeeded in this aspect. Check Point reported that this malware has breached more than 1 Million Google accounts. This malware has been distributed through apps that are available in third party Android stores. In order to increase the number of downloads for these apps, and in turn the malware, there have also been phishing campaigns which contained download links, sent through various messaging services.

New Phishing Protection

Thu, 12/22/2016 - 10:16

The ThreatSTOP Security Team has introduced a new list of Phishing protection in order to help our customers to protect themselves from Phishing and at the same time to maintain a separation between targets with different false positive chance.

Phishing is a technique used to gain private information for purposes of theft.

Biweekly Security Update

Thu, 12/22/2016 - 00:27

Biweekly Security Update

Malicious content identified and inserted:

  • IPs – 232
  • Domains – 386

Target lists updated:



Tue, 12/20/2016 - 00:14

Marcher is an evolving Android-based banking Trojan, changing in scope and capabilities since first seen in 2013. Spreading through phishing emails and websites, it prompts the victim to download “security updates” from third party app stores. It has also been found to spread through malicious apps on the Google Play Store itself.


Tue, 12/20/2016 - 00:13


On November 30th, 2016, a worldwide cooperative takedown of the Avalanche botnet took place after more than four years of investigation.  “Avalanche” refers to a worldwide crimeware-as-a-service (CaaS) network infrastructure operated by cyber criminals conducting malicious activity. This includes: DDoS, malware distribution, phishing and money-mule operations causing hundreds of millions of damages in Euros worldwide.


Tue, 12/20/2016 - 00:09
4.12 Release Notes

Reporting – The Legacy reporting link has been removed from the portal. All Legacy reporting information is available in the Next-Generation reporting UI.

 12.14 .16 Security Update

Malicious Content Identified & Inserted:

  • IPs – 166
  • Domains – 1288

Target Lists Updated:


ThreatSTOP 4.10 Release Notes

Wed, 12/07/2016 - 18:24
ThreatSTOP 4.10 Release Includes:


Houdini's RAT Is No Disappearing Act

Thu, 12/01/2016 - 20:34

Most creators of Trojans or worms only known attribution to their creation is made by security researchers, and although, these individuals are not known in person, some of them are known and active in the cybercriminal scene. One of these “celebrity cyber criminals” is known by his alias Houdini, and according to is named 'Mohamed Benabdellah'. Houdini is believed to be based in  Algeria and connected to njq8” (aka ‘Naser Al Mutairi’) the developer of other RATs as "njRAT" and "njw0rm".

DGAs For the Masses

Thu, 12/01/2016 - 13:48

At ThreatSTOP, we strive to provide our customers with the most up-to-date and accurate protection from both known and emerging threats. Using the data provided by our friends at the Qihoo 360 research team we have constructed a target list of over 20 identified malware families. The malware families that we will be protecting you against are:

Don’t Pony Up Your Data to Fareit

Wed, 11/30/2016 - 22:53

Fareit, also known as Pony, is a data stealing Trojan that can decrypt or unlock passwords for over 110 different applications, including VPN, FTP, email, instant messaging, web browsers and much more. It is also capable of stealing a victim’s bitcoin wallets. Once it has collected its victim's data, Fareit uploads these stolen credentials to a remote Command and Control (C2) server the criminal has access to. Fareit is very dangerous because its infection on a computer can make the device part of a botnet, allowing the malware to use it to infect other devices.