PhishStats

Fighting phishing and cybercrime since 2014 by gathering, enhancing and sharing phishing information with the infosec community.


Proudly supported by

NEW! Download the database

Due to many requests, we are offering a download of the whole database for the price of USD 256.00. That's a 50% discount, the regular price will be USD 512.00. If you are a company training a machine learning algorithm or doing phishing research, this is a good option for you. Contact us if you need an invoice.

What will you get? Once payment is confirmed, you will receive within 48h a link to download a CSV file containing the full database. This file will not be updated by PhishStats after your purchase, but you can use the free API to keep monitoring new URLs from that point on.

All previous sources of information continue to be free, as they were. Please do not try to download the whole database through the API, as this will take a lot of time and slows down the free service for everyone. The API was made for continuous monitoring and running specific lookups.

CSV Feed

Updated every 90 minutes with phishing URLs from the past 30 days. Contains the following columns: date, phishscore, URL and IP address

Go
API Feed

Allows you to perform complex queries and returns a JSON file with the columns you want. Check a brief API documentation below.

Go
Public Dashboard 1

Overall phishing statistics

Go
Public Dashboard 2

Search for specific IP, host, domain or full URL

Go
Database size

Over 3 million records on the database and growing.

Hosting location

Where phishing websites are being hosted with information such as Country, City, ISP, ASN, ccTLD and gTLD.

New information added recently

Such as abuse contacts, SSL issuer, Alexa rank, Google Safebrowsing, Virustotal and Shodan.

Comming soon.

Blog with phishing analysis.

API to receive phishing reports from trusted partners.

Information comparison

 

CSV Feed

API

Public Dashboards

Metabase

Basic information
Search function
Database full access
No conding skills


Metabase access is not open for the general public. If you are an information security researcher, or member of a CSIRT, SOC, national CERT and would like to access Metabase, please get in touch via e-mail or Twitter. Keep in mind that Public Dashboards are already using Metabase itself, but with prebuilt dashboards. Metabase access means you can run your own queries and create your own dashboards from scratch, but the web interface is the same.

API documentation

API is available at https://phishstats.info:2096/api/ and will return a JSON response. No account creation is required. Please note that running a massive amount of queries in a short time will get you blocked and/or banned. If you want to download the whole database, see the pricing above. New database fields are not being calculated retroactively.

Logical operators can be: ~and ~or

Comparison operators can be: eq (equal), ne (not equal), gt (greater than), lt (less than), like (not like) and not nlike (not like) and more.

By default 20 records and max of 100 are returned per GET request on a table. Where _p indicates page and _size indicates size of response rows, for instance, /api/phishing?_p=2&_size=50. More examples on how to use the API can be found here https://github.com/o1lab/xmysql

Example Key | Value
Id phishstats.info:2096/api/phishing?_where=(id,eq,3296584)
ASN phishstats.info:2096/api/phishing?_where=(asn,eq,as14061)
IP phishstats.info:2096/api/phishing?_where=(ip,eq,148.228.16.3)
CountryCode phishstats.info:2096/api/phishing?_where=(countrycode,eq,US)
TLD phishstats.info:2096/api/phishing?_where=(tld,eq,US)
Id DESC phishstats.info:2096/api/phishing?_sort=-id
Date DESC phishstats.info:2096/api/phishing?_sort=-date
Title with Id DESC phishstats.info:2096/api/phishing?_where=(title,like,~apple~)&_sort=-id
URL with Id DESC phishstats.info:2096/api/phishing?_where=(url,like,~apple~)&_sort=-id
Title or URL with Id DESC phishstats.info:2096/api/phishing?_where=(title,like,~apple~)~or(url,like,~apple~)&_sort=-id
Score greater than 5 where TLD equals .BR but not hosted in Brazil with Id DESC phishstats.info:2096/api/phishing?_where=(score,gt,5)~and(tld,eq,br)~and(countrycode,ne,br)&_sort=-id

Who is using PhishStats

  • Antiphishing.la is sending us phishing from latin america
  • CTM360 is using our API to find abuse contacts
  • Miteru is using our API to find phishing kits
  • SpiderFoot is using our API to find malicious IPs
  • StalkPhish is using our API to find phishing kits
  • Tines has integrated their security automation product with our API
  • .XYZ domain registry operator is monitoring abusive .xyz domains
  • We also have researchers from several countries using our data to study phishing

Who is talking about PhishStats

Join PhishStats at

Made with Pingendo Free  Pingendo logo