Honeypot Poster by Hiscox Insurance

Created by Hiscox Insurance, the signs were called Honeypot Posters. The name comes from the kind of servers that are set up inside an organization to attract and record attempts by hackers to steal information, plant malware, or even shut down the site. Three of these server/traps were set up by Hiscox for their poster campaign. The headline on the poster, “Every Pulsing Dot Represents a Live Cyberattack,” flashes a dot/pixel in the word “cyberattack” for each attack caught by the honey pots.

At launch, February 19, 2018, the company announced that the highest number captured in the pretests, before the servers went live online, was 61,805 in one 24-hour period. Average per day during testing was an unsettling 23,000 flashing dots. Olivia Hendricks, Hiscox’s head of marketing explained in a public statement that the campaign is designed to make “small businesses more aware of the very real threat that cybercrime poses and challenging the belief that cyber criminals only target larger organisations.” Hendricks added they were “genuinely astounded by the number of attacks.”


There are two reasons why computer crime and mischief often remain invisible. First, the electronic interchanges are, initially, as invisible as the radio waves passing in the air everywhere. If a hacker can bypass your normal routing systems or mask their instruction flows from your software, you can be clueless.

The second reason for the relative invisibility of cyberattacks has to do with the lack of reporting by companies and other organizations who choose not to alert the customers, citizens, or shareholders about issues they would rather deal with quietly.

The Hiscox Honeypot campaign was designed to initiate interest in their security offerings to small businesses. But they aren’t alone with an interest in visualizing cybercrime. In fact, the team that created their campaign had seen and considered adapting the older and much more comprehensive Norse Attack Map, which displayed worldwide cyberattacks, animated in real time.


A number of online interactive maps track cyberattacks around the world. We’ll look at three. The first, the Norse Attack Map was one of the most colorful, dramatic, and complete, and as a pioneer attracted a lot of attention and skepticism. The site went dark in February 2016 when the CEO, Sam Glines, was asked to step down. As evidenced by the Hiscox interest, the site still is instructive in its ambitious design. Samples are still available on the YouTube site, and two are listed below the images here. The first will show about eight hours of what the tracking looked like, and the second is a recording of an historic worldwide attack on Christmas Day in 2015.

Click to enlarge.

https://www.youtube.com/watch?v=bWXIJSiagBY from Norse Corporation

The Norse map showed the global cyberattacks as darting laser beams that were color-coded for the variety of different kinds of attack. The map included a table showing the country of origin for each attack, the target of the attack, a time stamp, the type of attack, and even the IP address of the attacker.

The information for the map came from the world’s largest network of eight million honey pots, which were threat intelligence sensors masquerading as PCs, servers, ATMs, banks, and other normal targets.

On any given day, or hour, the image of the world under constant attack was enough to motivate a review or even reassessment of security practices, but probably the most spectacular single instance of the world under siege occurred on Christmas Day in 2015 (see image at top of page). John Land’s capture of the attack is still available on YouTube where the 22-minute DDOS (dedicated denial of service attacks) attack of the botnets is sped up in a 4:24 video.

John Land’s YouTube www.youtube.com/watch?v=1wq6LIjPHkk


Click to enlarge.

DDoS occur at the rate of more than 2,000 a day, according to Arbor Networks. The Digital Attack Map website tracks and categorizes these events worldwide by size, type, and duration. This kind of attack will render an online service unavailable by overwhelming it with traffic from numerous sources. If you think your site probably won’t be targeted, you should consider the warning from TrendMicro Research that a mere $150 can buy a week-long DDoS attack on your site from well-established botnet-powered networks.

Along with constantly updated information on the daily activity of the attacks, the Digital Attack Map website has a number of information sources and videos explaining this kind of cyberattack. A gallery page has a selection of recent historic attack maps.


Click to enlarge.

The FireEye Cyber Map offers a convenient overview of the current activity with five contemporaneous attacks illustrated with color-coded arching lines from attackers to targets, a running total of attacks that day on the top right of the screen, and the top five reported industries targeted in the last 30 days. The financial services industry often appears at or near the top of the list. A spinning globe in the bottom left corner of the page highlights the top five attackers, by country, in the last 30 days. It offers a filtered but less confusing set of data. Visit here for the FireEye Map.

There are many more tracking sites than just these two, but they’re a good place to start. Their message, like the blinking Hiscox digital posters, is a dramatic reminder of what’s happening in the not-so-visible world of cybercrime. It would be interesting to see one of the major security companies redesign a site like the Norse Map. The attention it could draw might be worth the expense.

About the Authors