Malicious Site Feeds

Feeds of malicious websites powered by industry-leading cybercrime intelligence

Netcraft launched its phishing feed in 2005, the first of its malicious site feeds. Combining sophisticated phishing attack discovery and classification methods with reporting from Netcraft’s global anti-cybercrime community, Netcraft’s phishing site feed quickly became an industry standard source for anti-phishing.

Throughout its campaign against phishing attacks, Netcraft has recognised and responded to fraudsters’ ever-adapting techniques, and now provides protection against a wide range of malicious online content.

Along with URLs reported by the community, Netcraft collates and validates reports from many of the world’s largest banks, threat intelligence providers, and anti-cybercrime organisations. Netcraft also recovers URLs from ongoing analysis of malicious email attachments, many of which serve as key infrastructure in malware operations.

This stream of malicious sites is available as a collection of continuously updated feeds, suitable for security engineers, network administrators, and internet service providers.

Netcraft’s feeds can be used to prevent customers and employees from falling victim to phishing and online malware attacks. Using them presents an excellent opportunity for businesses to win new customers and reassure existing ones by taking a proactive stance against fraud.

Feed types


Phishing sites are designed to trick visitors into submitting private information by posing as a trusted or legitimate entity. Netcraft has blocked more than 68 million of these threats in the phishing site feed to date [November 2019].

Netcraft’s phishing site feed is used by all major web browsers to protect their users, and is also licensed by many of the leading anti-virus, content filtering, web-hosting and domain registration companies.

Web-inject malware

Netcraft detects compromised web pages where malicious JavaScript has been added to exploit vulnerabilities on visitors’ machines. Suspected sites are visited within a sandboxed web browser, allowing all the resources of the page to be fetched and executed.

Shopping site skimmers

Fraudsters use vulnerabilities in popular e-commerce platforms (e.g. Magento) and their plugins to deploy malicious JavaScript onto legitimate online shopping sites. These JavaScript ‘skimmers’ are added to checkout pages, and capture payment card details and other personal information.

Non-consensual cryptocurrency miners

Also called ‘cryptojacking’, this JavaScript malware hijacks the user’s browser and silently mines cryptocurrency when infected sites are visited. This mining code can cause significant drops in websites’ performance and responsiveness.

Web shells

Web shells are backdoor control panels that allow total control over a compromised web server, letting fraudsters easily steal data from the server, launch phishing attacks, join the server to a botnet, engage in DDoS attacks, and distribute malware, to name a few. The web shell feed provides a list of web shells and the associated compromised sites.

Malware infrastructure URLs

Netcraft processes millions of spam emails every day, and any malware attachments are analysed to identify key infrastructure URLs. Running the malware in a sandbox environment reveals the URLs that it attempts to connect to, including those that transmit operational instructions for the malware, download further stages of the attack, or receive payment for malware such as ransomware.

Malicious email addresses

Netcraft can also provide a feed of email addresses participating in advance fee fraud schemes, found in the millions of spam emails that it analyses. This feed also contains any addresses intended to receive credentials captured by the phishing attacks that Netcraft identifies.

Feed details

The malicious site feeds make up a constantly updated database of patterns that match the URLs and email addresses recorded by Netcraft.

The feeds are available either as an encrypted database, in which specific identifiers can be looked up to determine whether they’re blocked, or as a plain text database, which lets you view the full contents of the feed and offers extra information about the threats, such as attack targets and IP addresses.

The feeds employ a versioning system to ensure that customers who have fallen behind can catch up incrementally or, if necessary, by requesting the full feed.

We also regularly re-test malicious URLs so that they can be removed from the feed once the malicious content has been taken down. This ensures that end users of the feeds are not prevented from accessing any legitimate content on a previously compromised site for longer than is necessary.

Reference code and technical documentation are provided to help integrate the feeds into your products and services, and support is available via email and telephone.

More Information

Please contact us for pricing, giving an overview of how you’d like to implement the feeds and an approximate number of expected users for your product. This will let us suggest solutions tailored to your requirements.