Genesis of Criminal IP

With the global increase in cybercrime, the demand for intelligence-driven security has skyrocketed. Meeting this demand, however, requires a significant initial investment, enough skilled personnel, and the intelligence data itself. We therefore developed a service that addresses this urgent need to diagnose cyber threats.

The most decisive clue for tracking down cybercrime is the IP address. With data-driven security as our goal, we conceived the idea of a criminal record book: a comprehensive history of the network activity associated with a specific IP address, combined with machine learning, artificial intelligence, and behavior-based anomaly detection.

What is IP address-based Cyber Threat Intelligence?

IP address-based cyber threat intelligence means compiling evidential security information so that cyber threats pose less risk to business decision-making. Just as fingerprints left at a crime scene help identify criminals, anonymous cyberattacks such as fraudulent access, account theft, payment scams, money laundering, and credential stuffing can all be traced back to their biggest footprint: the IP address. Criminal IP gives you a real-time view of which of your IT assets, including DB servers, file servers, middleware servers, administrator servers, and IoT systems, are exposed on the network, and of the malicious sites present there. This lets you monitor potential attack vectors proactively and stay one step ahead of opportunistic attackers. Criminal IP aggregates vast amounts of OSINT (Open-Source Intelligence) through its own crawling technology, then overlays that data with AI and machine learning-based fraud detection algorithms, allowing network scanning at record speed.

What exactly is Criminal IP?

Criminal IP is a comprehensive threat intelligence search engine that detects vulnerabilities in personal or corporate cyber assets in real time and supports preemptive responses. It consists of two main features, SEARCH and INTELLIGENCE, which provide detailed threat-relevant information through service banners and malicious behavior history. With Criminal IP, you can find all kinds of internet-facing information on malicious IPs, phishing sites, malicious links, certificates, industrial control systems, IoT devices, servers, CCTVs, and more.

By integrating our developer API, security practitioners in companies and institutions can block attackers before they infiltrate internal assets and monitor assets that may unknowingly be exposed on the attack surface. Much as you would with a Google search, you can search for all internet-exposed assets and vulnerabilities through Criminal IP's filters and tags. You also gain insight into the latest threat intelligence, augmented by multifaceted analytics, so that you can respond with concrete actions.

1. Asset Search

Search for a service name directly by keyword, or type in a CVE number to look up the IP addresses associated with it.

  • Triage of inbound and outbound IP risk scores into 5 straightforward levels (SAFE, LOW, MODERATE, DANGEROUS, CRITICAL)
  • Correlation of all the contextual information on an IP address: owner, country, SSL certificate, associated domains
  • Detection of suspicious VPN, Tor, hosting, CDN, and scanner IPs
  • Summary of open ports and running services, past abuse history, and hidden vulnerabilities

2. Domain Search

The Domain Search feature scans your target domain in real time and returns comprehensive information, including a final risk score based on whether the domain is used for phishing, contains malicious links, or carries a valid certificate.

The domain risk score is presented on the same 5-level risk matrix. The domain summary identifies fake domains, fake SSL certificates, abuse records, phishing records, hidden HTML elements, program traps, network redirections, and suspicious cookies.

This domain search feature is part of the “Use Criminal IP before clicking on suspicious links” initiative, and it can detect newly emerging malicious links that have not yet been registered in any existing database. When a user enters a URL, the system renders it in a Chrome browser, scans the result, and performs AI-driven analysis on it. This lets us identify new URLs that may be malicious and should be blocked.
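The “fake domain” check in the domain summary, and the domain similarity algorithm mentioned later on this page, rest on the same idea: a candidate domain is compared with protected brands to see whether it only looks like them. The following is an added example of that technique, not Criminal IP's own algorithm or output. The brand list, the candidate domains (all under reserved TLDs such as .example and .invalid), the confusable table and the edit-distance thresholds are constructed for illustration, and treating the last two labels as the registrable domain is an assumption that holds for these one-level TLDs; production code would consult the Public Suffix List and decode punycode (xn--) labels before comparing.

```python
"""Detect lookalike domains: confusables, typosquats, brand keyword insertion,
TLD swaps and brand names buried in subdomains.

Added example, not Criminal IP's own similarity algorithm. Brands, candidate
domains, the confusable table and the thresholds are constructed.
"""
import unicodedata

# Constructed brand list; .example is a reserved TLD, so nothing here is live.
PROTECTED = ("acmebank.example", "acmepay.example")

# Single-character confusables (a small subset of the Unicode TR39 idea):
# Cyrillic look-alikes and digits that resemble letters.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j",
    "0": "o", "1": "l", "3": "e", "5": "s",
})
# Multi-character sequences that read as one letter at a glance.
MULTI_CONFUSABLES = (("rn", "m"), ("vv", "w"))


def skeleton(label: str) -> str:
    """Reduce a label to what the eye reads: fold case, drop accents,
    map confusables, ignore hyphens."""
    s = unicodedata.normalize("NFKD", label.lower())
    s = "".join(ch for ch in s if not unicodedata.combining(ch))
    s = s.translate(CONFUSABLES)
    for seq, rep in MULTI_CONFUSABLES:
        s = s.replace(seq, rep)
    return s.replace("-", "")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; labels are short, so the textbook O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain: str):
    """Return (subdomain labels, second-level label, registrable domain).
    Assumes one-level TLDs; real code should use the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    return labels[:-2], sld, ".".join(labels[-2:])


def assess_domain(domain: str, protected=PROTECTED):
    """List (brand, kind) findings; an empty list means no lookalike match."""
    subs, sld, reg = split_domain(domain)
    findings = []
    for brand in protected:
        _, brand_sld, brand_reg = split_domain(brand)
        if reg == brand_reg:
            continue                                   # the brand itself or its own subdomain
        if sld == brand_sld:
            findings.append((brand, "tld-swap"))       # same name, different TLD
        elif skeleton(sld) == skeleton(brand_sld):
            findings.append((brand, "confusable"))     # homoglyph, rn/m, hyphen variant
        elif brand_sld in sld:
            findings.append((brand, "keyword-insertion"))
        elif any(brand_sld in lbl for lbl in subs):
            findings.append((brand, "brand-in-subdomain"))
        else:
            max_dist = 1 if len(brand_sld) < 6 else 2  # short brands tolerate fewer edits
            if levenshtein(skeleton(sld), skeleton(brand_sld)) <= max_dist:
                findings.append((brand, "typosquat"))
    return findings


# Constructed candidates covering each finding kind plus two legitimate names.
CANDIDATES = ("acmebank.example", "www.acmebank.example", "acrnebank.example",
              "\u0430cmebank.example", "acme-bank.example", "acmebank-login.example",
              "acmebanc.example", "acmebank.invalid", "acmebank.login.evil.example",
              "weather.example")


def demo():
    return {d: assess_domain(d) for d in CANDIDATES}


if __name__ == "__main__":
    for d, found in demo().items():
        print(f"{d:32} {found or 'ok'}")
```

The skeleton step is what catches the Cyrillic “а” and the “rn” that renders like “m”; the edit-distance step is deliberately applied last, because a brand name that is merely contained in a longer label is a stronger signal than a near miss and should not be reported as a weaker one.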

3. Exploit Search

Using the exploit feature, you can comb through all known vulnerabilities (CVEs) worldwide and get the details of the actual exploit code for each corresponding service. When you search by CVE, you can access all the EXPLOIT entries matching your search term and ascertain their attack patterns. If you search by platform instead of CVE, you can browse the related EXPLOIT list and narrow the results through various filters (e.g., author, type, year).

4. Image search

An image search with terms such as RDP, phishing, webcam, or RTSP returns screenshots of assets that are vulnerable to cyber threats. The feature works like an image search on Google, but it retrieves only images that indicate a potential cyber threat.

The Criminal IP Difference

1. Unmatched quality and quantity of data

Criminal IP prides itself on the unprecedented quantity and quality of its IP address data, which includes risk scores, C&C and phishing domains, identification of URLs containing malicious links, information about network devices exposed on the attack surface, and domain similarity algorithm results.

Our data stands out in quality as well as quantity, and you can rely on its freshness: it covers as many as 4.2 billion IP addresses and domains, and even these are only a subset of the cyber asset information gathered and refreshed in real time.

Along with information on the most widely used VPN IPs, Criminal IP also singles out other kinds of abnormal IPs, such as Tor, proxy, and hosting IPs, helping you stave off attacks that could be launched through them.

2. Risk Prevention through Vulnerability Detection and Information Provision

Criminal IP already has a massive database of past and current IP address vulnerabilities, so it is purpose-built to assist many kinds of research and risk management. To illustrate, it is possible to extract an entire data set for a “US-wide lookup of IP addresses with RDP vulnerabilities” or a “lookup of IP addresses with designated CVEs”. We have also built an offline database of VPN IPs collected at global scale, which is available on request.

How to Utilize Criminal IP

1. User Identification

Criminal IP helps identify abnormal users and screens out malicious activity such as credential leaks, payment scams, and web crawling. It provides strictly data-backed evidence of whether a login is coming from a VPN IP, cloud IP, proxy IP, or foreign server, which helps prevent personal information leakage and brute-force attacks. Integrating Criminal IP into an online service's login flow also allows alerts to be raised when a login is attempted from a suspicious IP address, minimizing damage and adding a layer of protection.
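What a login flow does with this evidence is a policy decision, and the useful split is between signals that justify an outright block and signals that only justify stepping up to MFA. The following is an added example of such a policy, not Criminal IP's code or its API response format: the enrichment field names, the mapping from the page's five risk levels to actions, the addresses (RFC 5737 TEST-NET ranges) and the login batch are all constructed assumptions standing in for what a lookup would return. It also covers the brute-force case the section mentions, in the credential-stuffing form where one IP tries many accounts once each, which per-account lockouts never notice.

```python
"""Gate login attempts with IP-reputation context.

Added example, not Criminal IP's own code. Field names, level-to-action
mapping, addresses and the login batch are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

LEVELS = ("SAFE", "LOW", "MODERATE", "DANGEROUS", "CRITICAL")  # the page's five levels
STUFFING_THRESHOLD = 5  # assumption: distinct usernames tried from one IP in a batch


@dataclass(frozen=True)
class IpEnrichment:
    ip: str
    inbound_level: str          # one of LEVELS
    country: str                # ISO 3166-1 alpha-2
    is_vpn: bool = False
    is_tor: bool = False
    is_proxy: bool = False
    is_hosting: bool = False    # cloud/hosting range: not where a person's browser lives
    is_scanner: bool = False
    abuse_records: int = 0


@dataclass(frozen=True)
class LoginAttempt:
    username: str
    ip: str
    home_country: str           # where this account normally signs in from


def stuffing_sources(attempts, threshold=STUFFING_THRESHOLD):
    """IPs that try many distinct usernames: the credential-stuffing shape."""
    users_by_ip = defaultdict(set)
    for a in attempts:
        users_by_ip[a.ip].add(a.username)
    return {ip for ip, users in users_by_ip.items() if len(users) >= threshold}


def assess_login(attempt, enrich, stuffing_ips=frozenset()):
    """Return (action, reasons); action is 'allow', 'step_up' or 'block'."""
    if enrich.inbound_level not in LEVELS:
        raise ValueError(f"unknown risk level {enrich.inbound_level!r}")

    hard = []   # any one of these blocks outright
    if attempt.ip in stuffing_ips:
        hard.append("credential-stuffing pattern from this IP")
    if enrich.inbound_level == "CRITICAL":
        hard.append("CRITICAL inbound risk")
    if enrich.is_tor:
        hard.append("Tor exit node")
    if enrich.is_scanner:
        hard.append("known scanner IP")
    if enrich.inbound_level == "DANGEROUS" and enrich.abuse_records:
        hard.append(f"DANGEROUS with {enrich.abuse_records} abuse records")
    if hard:
        return "block", hard

    soft = []   # on their own these justify step-up auth (MFA), not a block
    if enrich.inbound_level in ("MODERATE", "DANGEROUS"):
        soft.append(f"{enrich.inbound_level} inbound risk")
    if enrich.is_vpn:
        soft.append("VPN exit")
    if enrich.is_proxy:
        soft.append("open proxy")
    if enrich.is_hosting:
        soft.append("hosting/cloud IP")
    if enrich.country != attempt.home_country:
        soft.append(f"geo mismatch {attempt.home_country}->{enrich.country}")
    if soft:
        return "step_up", soft
    return "allow", []


# Constructed lookup results keyed by IP (TEST-NET addresses, not real data).
ENRICHMENT = {
    "198.51.100.7": IpEnrichment("198.51.100.7", "SAFE", "KR"),
    "203.0.113.9": IpEnrichment("203.0.113.9", "MODERATE", "US", is_vpn=True),
    "192.0.2.44": IpEnrichment("192.0.2.44", "DANGEROUS", "NL", is_hosting=True, abuse_records=3),
    "192.0.2.250": IpEnrichment("192.0.2.250", "LOW", "DE", is_hosting=True),
}

# Constructed login batch: one IP walks through five accounts, one try each.
ATTEMPTS = [
    LoginAttempt("alice", "198.51.100.7", "KR"),
    LoginAttempt("bob", "203.0.113.9", "KR"),
    LoginAttempt("carol", "192.0.2.44", "NL"),
] + [LoginAttempt(f"user{i}", "192.0.2.250", "DE") for i in range(1, 6)]


def run_batch(attempts=ATTEMPTS, enrichment=ENRICHMENT):
    """Map each username to (action, reasons); unknown IPs fail closed to step_up."""
    stuffing = stuffing_sources(attempts)
    decisions = {}
    for a in attempts:
        enrich = enrichment.get(a.ip)
        if enrich is None:          # no intelligence at all: do not silently allow
            decisions[a.username] = ("step_up", ["no enrichment for IP"])
            continue
        decisions[a.username] = assess_login(a, enrich, stuffing)
    return decisions


if __name__ == "__main__":
    for user, (action, why) in run_batch().items():
        print(f"{user:8} {action:8} {'; '.join(why)}")
```

Note that the LOW-risk hosting IP is blocked here only because of the stuffing pattern across accounts; its reputation alone would have produced a step-up, which is why the velocity signal is computed over the batch rather than per login.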

2. Security Control

In security operations, Criminal IP streamlines work and boosts efficiency by analyzing inbound and outbound IP addresses and domains in depth. It is also easy to integrate with existing security products such as an Intrusion Detection System (IDS), Endpoint Detection and Response (EDR), spam filters, and the organization's firewall. An IP blocking policy can be implemented on the basis of the assigned risk scores, significantly reducing the resources that would otherwise go into building a separate IP-based security control system from scratch.

Criminal IP enables early detection of phishing attacks; even without direct access to them, malicious domains can be blocked, and takedowns pursued, with little effort. In the event of an incident, we analyze the entire access history of the dangerous IP and provide related information such as its domains, vulnerabilities, and favicon.
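Turning risk scores into a firewall policy is mostly a matter of deciding which levels drop, which only log, and what must never be blocked. The block below is an added example of that translation, not a Criminal IP feature or output format: the record fields, the choice that DANGEROUS and CRITICAL drop while MODERATE is only logged, and the TEST-NET addresses are constructed assumptions. It renders nftables syntax, which a real deployment would load with `nft -f`, and it keeps the inbound score (traffic arriving from the IP) and the outbound score (our hosts connecting to it) in separate sets, since a C2 host that never touches us still belongs in the egress deny list. CDN edges and an operator allowlist are skipped rather than blocked, because a CDN IP fronts many unrelated sites.

```python
"""Turn 5-level IP risk into a firewall policy, rendered as nftables syntax.

Added example, not Criminal IP's own code or output. Drop/watch levels,
record fields and addresses are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass

DROP_LEVELS = {"DANGEROUS", "CRITICAL"}   # assumption: deny outright
WATCH_LEVELS = {"MODERATE"}               # assumption: log, do not block


@dataclass(frozen=True)
class ScoredIp:
    ip: str
    inbound_level: str     # risk of traffic arriving from this IP
    outbound_level: str    # risk of our hosts connecting to it (C2, phishing hosts)
    is_cdn: bool = False


def classify(records, allowlist=()):
    """Bucket records into source drops, destination drops, a watch list and skips."""
    allowed = [ipaddress.ip_network(a) for a in allowlist]
    out = {"drop_src": set(), "drop_dst": set(), "watch": set(), "skipped": {}}
    for r in records:
        addr = ipaddress.ip_address(r.ip)
        if addr.version != 4:
            out["skipped"][r.ip] = "IPv6 not handled by this example"
            continue
        if any(addr in net for net in allowed):
            out["skipped"][r.ip] = "allowlisted"      # operator override: partners, own infra
            continue
        if r.is_cdn:
            out["skipped"][r.ip] = "CDN edge, blocking would hit unrelated sites"
            continue
        if r.inbound_level in DROP_LEVELS:
            out["drop_src"].add(r.ip)
        if r.outbound_level in DROP_LEVELS:
            out["drop_dst"].add(r.ip)
        if r.inbound_level in WATCH_LEVELS or r.outbound_level in WATCH_LEVELS:
            out["watch"].add(r.ip)
    return out


def _nft_set(name, ips):
    body = ", ".join(sorted(ips, key=ipaddress.ip_address))
    # An empty "elements = { }" is a syntax error in nft, so omit it for empty sets.
    elements = f" elements = {{ {body} }}" if body else ""
    return f"    set {name} {{ type ipv4_addr;{elements} }}"


def render_nft(buckets, table="inet risk"):
    """Render the buckets as a self-contained nftables table."""
    lines = [
        f"table {table} {{",
        _nft_set("risky_src", buckets["drop_src"]),
        _nft_set("risky_dst", buckets["drop_dst"]),
        _nft_set("watch_ip", buckets["watch"]),
        "    chain input {",
        "        type filter hook input priority 0; policy accept;",
        "        ip saddr @risky_src counter drop",
        '        ip saddr @watch_ip counter log prefix "risk-watch-in "',
        "    }",
        "    chain output {",
        "        type filter hook output priority 0; policy accept;",
        "        ip daddr @risky_dst counter drop",
        '        ip daddr @watch_ip counter log prefix "risk-watch-out "',
        "    }",
        "}",
    ]
    return "\n".join(lines)


# Constructed scored records (TEST-NET addresses, not real intelligence).
RECORDS = [
    ScoredIp("192.0.2.44", "CRITICAL", "LOW"),                    # hostile source only
    ScoredIp("198.51.100.23", "DANGEROUS", "CRITICAL"),           # hostile both ways
    ScoredIp("203.0.113.5", "SAFE", "DANGEROUS"),                 # C2-like: egress deny only
    ScoredIp("203.0.113.77", "MODERATE", "SAFE"),                 # watch only
    ScoredIp("198.51.100.200", "CRITICAL", "SAFE", is_cdn=True),  # never block a CDN edge
    ScoredIp("192.0.2.1", "CRITICAL", "CRITICAL"),                # covered by the allowlist below
]
ALLOWLIST = ("192.0.2.0/28",)


def build_policy(records=RECORDS, allowlist=ALLOWLIST):
    return render_nft(classify(records, allowlist))


if __name__ == "__main__":
    print(build_policy())
```

The counters on each rule are what make the policy reviewable: a drop rule whose counter climbs against a partner's address is the first sign that a score needs an allowlist entry rather than a block.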

3. Attack Surface Management

Every company has IP addresses of its own on which its servers, network devices, and databases run. Each of these is a potential entry point for threat actors, which makes effective attack surface management crucial to protecting those assets.

Criminal IP helps corporate security managers identify hidden assets scattered across clouds, verify AS names and service ports, view the latest vulnerabilities in their assets and certificates, and track changes to newly discovered or existing assets. This lets them maintain their security posture and keep security control tight.

With Criminal IP, companies gain unified visibility into their obscure assets and can manage their IT assets in real time without separate programs or complex equipment. It is a valuable service for companies that want seamless IT asset management but struggle to identify all of their internal assets.
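Tracking changes to an attack surface comes down to diffing two scan snapshots against each other and against what the organization believes it owns. The following is an added example of that comparison, not Criminal IP's own feature or data format: both snapshots, the declared inventory, the AS names (documentation-range ASNs) and the dates are constructed, and in practice the snapshots would come from successive asset lookups. It reports new and vanished hosts, ports that opened or closed, IPs that moved to a different AS, certificates about to expire, and exposed hosts that appear in no inventory.

```python
"""Diff two external scans of an organization's IP space.

Added example, not Criminal IP's own code. Snapshots, inventory, AS names
and dates are constructed (TEST-NET addresses, documentation ASNs).
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Asset:
    ip: str
    as_name: str
    ports: frozenset                         # open TCP ports seen from the internet
    cert_not_after: Optional[date] = None    # leaf certificate expiry, if TLS was served


def index(assets):
    return {a.ip: a for a in assets}


def diff_snapshots(previous, current, today, declared=None, cert_warn_days=30):
    """Compare two scans and return the changes an attack-surface owner acts on."""
    prev, curr = index(previous), index(current)
    report = {
        "new_hosts": sorted(set(curr) - set(prev)),
        "gone_hosts": sorted(set(prev) - set(curr)),
        # Exposed but not in the declared inventory: the shadow assets the page talks about.
        "undeclared": sorted(set(curr) - set(declared)) if declared is not None else [],
        "opened_ports": {}, "closed_ports": {}, "as_changed": {}, "cert_expiring": {},
    }
    for ip in set(curr) & set(prev):
        opened = curr[ip].ports - prev[ip].ports
        closed = prev[ip].ports - curr[ip].ports
        if opened:
            report["opened_ports"][ip] = sorted(opened)
        if closed:
            report["closed_ports"][ip] = sorted(closed)
        if curr[ip].as_name != prev[ip].as_name:     # re-homed IP: migration, stale DNS or hijack
            report["as_changed"][ip] = (prev[ip].as_name, curr[ip].as_name)
    for ip, a in curr.items():
        if a.cert_not_after is not None:
            days_left = (a.cert_not_after - today).days
            if days_left <= cert_warn_days:           # negative means already expired
                report["cert_expiring"][ip] = days_left
    return report


# Constructed data: what the organization thinks it owns, and two scans.
TODAY = date(2024, 6, 1)
DECLARED = frozenset({"198.51.100.10", "198.51.100.11", "203.0.113.20"})

PREVIOUS = [
    Asset("198.51.100.10", "AS64500 EXAMPLE-HOSTING", frozenset({443}), date(2024, 9, 1)),
    Asset("198.51.100.11", "AS64500 EXAMPLE-HOSTING", frozenset({22, 443}), date(2024, 6, 15)),
    Asset("203.0.113.20", "AS64501 EXAMPLE-CLOUD", frozenset({443}), date(2025, 1, 1)),
    Asset("203.0.113.21", "AS64501 EXAMPLE-CLOUD", frozenset({80}), None),
]
CURRENT = [
    Asset("198.51.100.10", "AS64500 EXAMPLE-HOSTING", frozenset({443, 3389}), date(2024, 9, 1)),  # RDP appeared
    Asset("198.51.100.11", "AS64500 EXAMPLE-HOSTING", frozenset({443}), date(2024, 6, 15)),       # SSH closed, cert 14 days out
    Asset("203.0.113.20", "AS64502 OTHER-PROVIDER", frozenset({443}), date(2025, 1, 1)),         # moved to another AS
    Asset("192.0.2.99", "AS64501 EXAMPLE-CLOUD", frozenset({8080}), None),                       # new and undeclared
]


def run_report(today=TODAY):
    return diff_snapshots(PREVIOUS, CURRENT, today, DECLARED)


if __name__ == "__main__":
    for key, value in run_report().items():
        print(f"{key:14} {value}")
```

The AS change is worth its own line in the report because it is the one finding a port-only comparison misses: an address that now answers from a different network may have been re-assigned, or may no longer be yours at all.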