Global Blacklist

The Global Blacklist

Research gives you access to RiskIQ's Global Blacklist of aggregate security incident data across all RiskIQ crawls, including all instances of phishing, malware, spam, and scam observed in RiskIQ crawls.

Getting There

Click on Research in the top navigation menu, and select Global Blacklist.

Filtering and Searching Blacklist Entries

Click on the currently applied filter at the top left to edit it (by default, this filter will be "Incident Date >= last month" when you load the screen). 

This will open the query builder dialog, where you can use drop-down lists of filter/operator choices and create AND and OR clauses to build your query.

You can alternatively type your query directly into the query bar if you know the filter syntax you would like to use. 

Blacklist Filters

Below is a list of the filter facets you can use to search events from RiskIQ's Global Blacklist on the Research Tab.  



Blacklist score (High = 76+, Medium = 51-75, Low = under 50).


Subset(s) of the blacklist (Phishing, Malware, Spam)


Incident is an exact match or a match by reputation.

Matched By

Incident matched by domain, URL, host, or path.

Matched Lists

Blacklists that include the resource flagged in this incident:

  • Riq: riskiq proprietary list, custom tuned to detect exploit kits and other malicious behaviors.
  • Virus total: url flagged by one of 50+ anti-virus engines.
  • Cymru: malicious binary hash list.
  • Abusech: zeus and spyeye tracking list.
  • Surbl: aggregation of six other lists, mostly concerned with spam urls.
  • Phishtank: known phishing sites.
  • Internet identity (iid): known phishing sites.
  • Google safebrowsing phishing: google's list of phishing sites.
  • Google safebrowsing malware: google's list of malicious sites.
  • Pareto: tracks malware urls.
  • Malc0de: tracks malware urls.
  • Mdl: tracks malware urls.
  • Dnsbh: tracks malware urls.

Resource Host

Host associated to this incident.

Resource ASN

ASN associated to this incident.

Cause Page Type

Whether the page that generated the incident is the parent page, cloaked page, or prior page in a crawl.

Cause Page Host

Host associated to the cause page in this incident.

Cause Page Alexa

Alexa traffic rank of the cause page in this incident.

Sequence Host

Host of the first URL in the sequence leading to this incident.

Sequence Cause

Cause for generating the incident in the sequence, e.g. Parent page, redirect, embed, etc.

Ad Type

(If applicable) whether the ad in this incident was a display ad, contextual ad, or paid search ad.

Ad Network

(If applicable) ad network that served the ad in this incident.

Search Network

(If applicable) search network for the crawl that generated this incident, e.g. Google, yahoo, twitter, etc.

Search Result Type

(If applicable) whether a search result that generated this incident was organic, paid, or a blog or microblog.


Which Anti-Virus vendor flagged the resource in this incident.

Anti-Virus Type

What type of flag the Anti-Virus vendor raised on the resource in this incident, e.g. Trojan, adware, exploit kit, toolbar or fake AV.

Anti-Virus Result

Terms extracted from the virustotal description of the resource in this incident (an Anti-Virus Type typically includes several Anti-Virus Results).

Anti-Virus Result Count

Number of Anti-Virus Results contained in the virustotal description of the resource in this incident.

RiskIQ List Description

Category applied to the incident by riskiq, e.g. Fake Software Update or a specific exploit kit.

Phishing Target

(If applicable) organization targeted by a phishing scam.