Phishing remains one of the greatest off-chain security threats to the cryptocurrency space, with increasingly sophisticated groups targeting their victims across Slack, Telegram, forums, as well as email. This project streams newly registered SSL certificates using certstream and attempts to identify suspicious domains based on keywords set by the user in near real time. You can read about it in more detail in our blog post.
The program has not been tested with Python 2; we strongly recommend using Python 3.
You will need the following Python packages installed:
- termcolor
- certstream
- tqdm
- tld
- python_Levenshtein
- gspread
- fuzzywuzzy
- pythonwhois
On the host, you will need to install:
- python3-tk
- A PhantomJS executable in your PATH. (If you're using an Ubuntu distro, we recommend downloading [the source directly](https://bitbucket.org/ariya/phantomjs/downloads/phantomjs-2.1.1-linux-x86_64.tar.bz2) and copying bin/phantomjs to /usr/bin/phantomjs.)
To install the packages run:
```
pip3 install -r requirements.txt
```
To monitor your own project, you will need to create a monitoring profile. The simplest way to do this is to copy one of the existing profiles in the monitoring_profiles directory and then adapt its configuration as outlined below.
The watchlist variable in settings refers to specific domain(s) that you intend to monitor. These will typically be the domain(s) associated with your tokensale, project or company.
```
...
"watchlist" : {
    "myetherwallet.com": {
        "myetherwallet": 100, "myether": 50
    }
}
...
```
In addition to the domains that you would like to monitor, you can associate an arbitrary number of keywords with each domain, and each keyword carries a weight that counts towards a suspicious domain's score. In the example above, myetherwallet.com is monitored through the keywords "myetherwallet" (weight 100) and "myether" (weight 50).
You can also whitelist domains that you do not want to monitor (typically your own, legitimate domains) by adding them to the whitelisted_domains list in your monitoring profile:
```
...
"whitelisted_domains" : ["myetherwallet.com"]
...
```
A Security Operations Centre (SOC) is a unit dedicated to handling security incidents in large organizations. Most teams working out of the crypto/blockchain space will not have a SOC, and as a result this project attempts to create a lean & reliable substitute by bootstrapping off of Google Sheets. Doing so allows teams to handle and attend to phishing incidents with relative ease, including setting email alerts to notify of changes to the spreadsheet.
In order to configure this project to work with Google Sheets, you will need to create signed credentials.
- Create signed credentials for your Google account. (Guide here)
- Save these credentials in a file called creds.json in the credentials directory of this project.
- Create a copy of the spreadsheet https://docs.google.com/spreadsheets/d/17efqX2ubePcEghFbyOuFYIuHrPzQf2uxND1yKBgRKLc/, or alternatively create a blank spreadsheet. Ensure that you grant edit permission on the spreadsheet to the email address in your creds.json.
- Update the following fields in your monitoring_profiles/monitoring_profile.json file:
```
...
"google_spreadsheet_key" : "<your spreadsheet key>", #This is the value from the URL
                                                     #https://docs.google.com/spreadsheets/d/<KEY>/
"google_threshold" : 90, #Domains over this score will be written to the spreadsheet
...
```
You should now see domains that score over the specified threshold being written to your spreadsheet. Set up email notifications on the spreadsheet to be notified whenever the program writes to it.
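The glue between a monitoring profile and the spreadsheet, as an added example that is not the project's code: it pulls the key out of a pasted sheet URL, reports which service-account address from creds.json has to be granted edit access, checks that the profile keys shown above are present before anything connects to certstream, and builds the rows for domains over google_threshold. The row layout (timestamp, domain, score, matched keywords) and the `publish` helper, which calls gspread's `Worksheet.append_row`, are assumptions; gspread itself is not imported, so the checks run offline.

```python
import json
import os
import re
import tempfile
from datetime import datetime, timezone

REQUIRED_KEYS = ("watchlist", "whitelisted_domains",
                 "google_spreadsheet_key", "google_threshold")
SHEET_URL_RE = re.compile(r"/spreadsheets/d/([A-Za-z0-9_-]+)")


def spreadsheet_key(url_or_key):
    """Accept either the bare key or the full sheet URL and return the key."""
    match = SHEET_URL_RE.search(url_or_key)
    return match.group(1) if match else url_or_key.strip().strip("/")


def load_creds(creds_path):
    with open(creds_path, encoding="utf-8") as fh:
        return json.load(fh)


def service_account_email(creds):
    """The address that must be given edit access to the spreadsheet."""
    if creds.get("type") != "service_account" or not creds.get("client_email"):
        raise ValueError("creds.json is not a Google service-account key file")
    return creds["client_email"]


def validate_profile(profile):
    """Fail early on a broken profile instead of at the first high-scoring domain."""
    missing = [k for k in REQUIRED_KEYS if k not in profile]
    if missing:
        raise ValueError("monitoring profile is missing: " + ", ".join(missing))
    if not isinstance(profile["google_threshold"], (int, float)):
        raise ValueError("google_threshold must be a number")
    # Tolerate a pasted URL where the README asks for the bare key.
    profile["google_spreadsheet_key"] = spreadsheet_key(profile["google_spreadsheet_key"])
    return profile


def sheet_rows(scored, threshold, seen_at=None):
    """One row per domain scoring over the threshold: time, domain, score, keywords."""
    seen_at = seen_at or datetime.now(timezone.utc)
    stamp = seen_at.strftime("%Y-%m-%dT%H:%M:%SZ")
    return [[stamp, domain, score, ", ".join(keywords)]
            for domain, score, keywords in scored if score > threshold]


def publish(rows, worksheet):
    """Append rows to a gspread Worksheet (anything with append_row will do)."""
    for row in rows:
        worksheet.append_row(row)
    return len(rows)


if __name__ == "__main__":
    # Constructed service-account file standing in for credentials/creds.json.
    fd, path = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w") as fh:
        json.dump({"type": "service_account",
                   "client_email": "blockphish-bot@example.iam.gserviceaccount.com"}, fh)
    print("share the sheet with:", service_account_email(load_creds(path)))
    os.remove(path)

    profile = validate_profile({
        "watchlist": {"myetherwallet.com": {"myetherwallet": 100, "myether": 50}},
        "whitelisted_domains": ["myetherwallet.com"],
        "google_spreadsheet_key":
            "https://docs.google.com/spreadsheets/d/17efqX2ubePcEghFbyOuFYIuHrPzQf2uxND1yKBgRKLc/",
        "google_threshold": 90,
    })
    # Constructed scoring results; only the first is over the threshold.
    scored = [("myetherwalet.com", 142, ["myetherwallet", "myether"]),
              ("borderline.com", 90, ["myether"]),
              ("example.com", 0, [])]
    for row in sheet_rows(scored, profile["google_threshold"]):
        print(row)
```

Note that "over this score" is read as strictly greater than the threshold, so a domain scoring exactly 90 is not written; change the comparison if you want the threshold itself to trigger a row.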
By default, WHOIS lookups on suspicious domains are turned off, but you can enable this in the default_settings.py file.
You can check that everything is installed and set up correctly by running the tests:
```
python3 -m unittest discover -s tests/ -p '*_test.py'
```
To start monitoring with a profile:
```
$ python3 blockphish.py monitoring_profiles/profile.json
```
Examples of the kinds of domains the tool flags:
- An obvious clone of an existing well-known brand with minor changes.
- A simple typo on MyEtherWallet.
- A homograph attack on MyEtherWallet (note the 'e's).
If you would like further assistance with combatting phishing attacks we'd love to hear from you.
Thanks to @x0rz https://github.com/x0rz/phishing_catcher for the original inspiration.
License: GNU GPLv3
ETH Donation Address: 0x4fC60C34266af4106353c35d9600585e17F60512