Blockchain Focused Phishing Detection
BlockPhish

Phishing detection for cryptocurrency projects

Phishing remains one of the greatest off-chain security threats to the cryptocurrency space, with increasingly sophisticated groups targeting their victims across Slack, Telegram, forums, as well as email. This project streams newly registered SSL certificates using certstream and attempts to identify suspicious domains based on keywords set by the user in near real time. You can read about it in more detail in our blog post.


Installation

The program has not been tested with Python 2; we strongly recommend using Python 3.

You will need the following Python packages installed:

  • termcolor
  • certstream
  • tqdm
  • tld
  • python_Levenshtein
  • gspread
  • fuzzywuzzy
  • pythonwhois

On the host, you will need to install:

To install the packages run:

pip3 install -r requirements.txt

Setup

To monitor your own project, you will need to create a monitoring profile. The simplest way to do this is to copy one of the existing profiles in the monitoring_profiles directory and then adapt the configuration in that file as outlined below.

Domains

The watchlist entry in your monitoring profile lists the specific domain(s) that you intend to monitor. These will typically be the domain(s) associated with your token sale, project or company.

...
"watchlist" : {
    "myetherwallet.com": {
      "myetherwallet": 100, "myether": 50
    }
 }
...

In addition to the domains that you would like to monitor, you can associate an arbitrary number of keywords with each domain, each with a numeric score. In the example above, MyEtherWallet also monitors the keywords "myetherwallet" (score 100) and "myether" (score 50).

You can also whitelist domains that you do not want to monitor by adding them to the whitelisted_domains list in your monitoring profile:

...
"whitelisted_domains" : ["myetherwallet.com"]
...
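To make the profile format concrete, here is an added example (not the project's own code from blockphish.py or utils.py) that reads a constructed certstream-style certificate update, normalises the hostnames it carries, and scores each one against a watchlist in the shape shown above. The scoring rule (keyword weights accumulate; a label within edit distance 1 of a keyword counts half), the whitelist handling and all profile values are assumptions of this example, not the project's own logic. It uses only the standard library, with a small Levenshtein routine standing in for python_Levenshtein.

```python
import json
import re

# Constructed monitoring profile in the shape the README describes
# (hypothetical values; not the project's own profile file).
PROFILE = {
    "watchlist": {
        "myetherwallet.com": {"myetherwallet": 100, "myether": 50},
    },
    "whitelisted_domains": ["myetherwallet.com"],
    "google_threshold": 90,
}

# Constructed certstream-style certificate_update message. Only the fields
# this example reads are present; a real message carries many more.
SAMPLE_MESSAGE = json.dumps({
    "message_type": "certificate_update",
    "data": {"leaf_cert": {"all_domains": [
        "*.myetherwallet-login.example",
        "myetherwalet.example",
        "www.myetherwallet.com",
        "unrelated.example",
    ]}},
})


def domains_from_message(raw: str) -> list:
    """Unique, lower-cased hostnames from one certstream update, wildcards stripped."""
    msg = json.loads(raw)
    if msg.get("message_type") != "certificate_update":
        return []  # heartbeats and other message types carry no names
    seen, out = set(), []
    for name in msg["data"]["leaf_cert"]["all_domains"]:
        name = name.lower().lstrip("*.").strip(".")
        if name and name not in seen:
            seen.add(name)
            out.append(name)
    return out


def levenshtein(a: str, b: str) -> int:
    """Edit distance; stands in for python_Levenshtein so the example needs only the stdlib."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_whitelisted(domain: str, profile: dict) -> bool:
    """A whitelisted domain and all of its subdomains are never scored."""
    return any(domain == w or domain.endswith("." + w)
               for w in profile["whitelisted_domains"])


def score_domain(domain: str, profile: dict) -> int:
    """Assumed scoring rule: each watchlist keyword found in the hostname adds its
    weight; a label within edit distance 1 of a keyword (a typo) adds half of it."""
    if is_whitelisted(domain, profile):
        return 0
    labels = re.split(r"[.-]", domain)
    score = 0
    for keywords in profile["watchlist"].values():
        for keyword, weight in keywords.items():
            if keyword in domain:
                score += weight
            elif any(len(label) >= 5 and levenshtein(label, keyword) == 1
                     for label in labels):
                score += weight // 2
    return score


def suspicious_domains(raw: str, profile: dict) -> list:
    """(domain, score) pairs over google_threshold, highest score first."""
    scored = [(d, score_domain(d, profile)) for d in domains_from_message(raw)]
    return sorted((s for s in scored if s[1] > profile["google_threshold"]),
                  key=lambda s: -s[1])


if __name__ == "__main__":
    for domain, score in suspicious_domains(SAMPLE_MESSAGE, PROFILE):
        print(f"{score:4d}  {domain}")
```

With the constructed message, the wildcard name containing the full brand scores 150, the single-letter typo "myetherwalet.example" scores 100 (a keyword hit plus a near-miss), and the genuine "www.myetherwallet.com" is dropped by the whitelist, which is the behaviour the whitelisted_domains entry exists for.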

Google SOC

A Security Operations Centre (SOC) is a unit dedicated to handling security incidents in large organizations. Most teams working in the crypto/blockchain space will not have a SOC, so this project attempts to provide a lean and reliable substitute built on Google Sheets. Doing so allows teams to track and attend to phishing incidents with relative ease, including setting email alerts that notify them of changes to the spreadsheet.

In order to configure this project to work with Google Sheets, you will need to create signed credentials.

  1. Create signed credentials for your Google account. (Guide here)
  2. Save these credentials in a file called creds.json in the credentials directory of this project.
  3. Create a copy of the spreadsheet https://docs.google.com/spreadsheets/d/17efqX2ubePcEghFbyOuFYIuHrPzQf2uxND1yKBgRKLc/, or alternatively create a blank spreadsheet. Ensure that you grant edit permission on the spreadsheet to the email address in your creds.json.
  4. Update the following fields in your monitoring_profiles/monitoring_profile.json file:
...
  "google_spreadsheet_key" : "<your spreadsheet key>", #This is the value from the URL
                                                      #https://docs.google.com/spreadsheets/d/<KEY>/
  "google_threshold" : 90, #Domains over this score will be written to the spreadsheet
...

You should now start seeing domains that score over the specified threshold being written to your spreadsheet. Set up email notifications on the spreadsheet to be notified any time the program writes to it.

WHOIS

By default, WHOIS lookups on suspicious domains are turned off, but you can enable this in the default_settings.py file.

Unit tests

You can check that everything is running as intended and set up correctly by running:

python3 -m unittest discover -s tests/ -p '*_test.py'

Usage

$ python3 blockphish.py monitoring_profiles/profile.json

Examples of suspicious domains

An obvious clone of an existing well-known brand with minor changes:

[Screenshot: Blockchain.info clone]

A simple typo on MyEtherWallet:

[Screenshot: MyEtherWallet typo domain]

A homograph attack on MyEtherWallet (note the 'e's).

[Screenshot: MyEtherWallet homograph domain]
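The homograph case above relies on look-alike characters, and because certificate names are ASCII, such a domain reaches the certstream feed as a punycode (xn--) label rather than as the Unicode string a victim sees. The following added example (not from the project; the brand list, the confusables map and the candidate names are all constructed) decodes such labels, collapses look-alike characters onto the Latin letters they resemble, and flags a label that both collapses onto a watched brand and mixes scripts, which is exactly the Cyrillic 'e' pattern shown in the screenshot. The confusables map is a hand-picked subset; a deployment would use the full Unicode confusables table.

```python
import unicodedata

# Constructed brand list standing in for the keywords of a monitoring profile.
BRANDS = ["myetherwallet", "blockchain"]

# Small, hand-picked map of look-alike characters to the Latin letter they
# resemble (constructed; not the full Unicode confusables table).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u04bb": "h",
    "\u03b1": "a", "\u03bf": "o", "\u0131": "i", "\u0261": "g", "\u2113": "l",
}

# Constructed homograph: the two Latin 'e's replaced by Cyrillic 'е' (U+0435),
# given in Unicode form and in the xn-- form a certificate would carry.
UNICODE_HOMOGRAPH = "my\u0435th\u0435rwallet.com"
PUNYCODE_HOMOGRAPH = UNICODE_HOMOGRAPH.encode("idna").decode("ascii")


def to_unicode(hostname: str) -> str:
    """Decode xn-- labels back to Unicode; a name that is already Unicode is returned unchanged."""
    try:
        return hostname.encode("ascii").decode("idna")
    except UnicodeError:
        return hostname


def skeleton(label: str) -> str:
    """Collapse a label onto its Latin look-alike: NFKD, drop combining marks, map confusables."""
    chars = []
    for ch in unicodedata.normalize("NFKD", label):
        if unicodedata.combining(ch):
            continue
        chars.append(CONFUSABLES.get(ch, ch))
    return "".join(chars).lower()


def scripts_in(label: str) -> set:
    """Script names of the letters in a label, taken from their Unicode character names."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def homograph_report(hostname: str, brands) -> dict:
    """Report whether a hostname mixes scripts or collapses onto a watched brand."""
    uni = to_unicode(hostname)
    labels = uni.split(".")
    non_ascii = not uni.isascii()
    mixed_script = any(len(scripts_in(label)) > 1 for label in labels)
    impersonates = sorted(b for b in brands
                          if any(skeleton(label) == b and label != b for label in labels))
    return {
        "unicode": uni,
        "non_ascii": non_ascii,
        "mixed_script": mixed_script,
        "impersonates": impersonates,
        # A plain ASCII typo is not a homograph; that case is left to the edit-distance scoring.
        "homograph": non_ascii and bool(impersonates),
    }


if __name__ == "__main__":
    for name in (PUNYCODE_HOMOGRAPH, "myetherwalet.com", "myetherwallet.com"):
        print(name, homograph_report(name, BRANDS))
```

The mixed-script signal is deliberately reported separately from the brand match: a legitimate internationalised domain written wholly in one non-Latin script mixes nothing and impersonates nothing, while the 'e' substitution trips both checks at once.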

Further assistance

If you would like further assistance with combating phishing attacks, we'd love to hear from you.

Thanks

Thanks to @x0rz https://github.com/x0rz/phishing_catcher for the original inspiration.

License

GNU GPLv3

Donations

ETH Donation Address: 0x4fC60C34266af4106353c35d9600585e17F60512