Catalyst / admin/SAynapse-Horizon 14.8 GB / 57.8 GB 40.0 GB free
Help Sign in

admin / SAynapse-Horizon

public

Self Hosted Cyber Threat Intelligence Hub

Code Issues Pull requests Pipelines Packages Security Insights Wiki Settings
SAynapse-Horizon / Synapse-Horizon / backend / src / sources / phishtank.js 1966 B · main
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
import { makeIoc, fetchWithTimeout, ok, unconfigured, SEVERITY } from '../normalize.js'

// PhishTank — verified online phishing URLs. Requires a registered application
// key; anonymous access is blocked / heavily rate-limited.
const LIMIT = 25

export const meta = { key: 'phishtank', requiresKey: true }

export function configured() {
  return Boolean(process.env.PHISHTANK_APP_KEY)
}

export async function fetchSource() {
  const key = process.env.PHISHTANK_APP_KEY
  if (!key) return unconfigured('Set PHISHTANK_APP_KEY (registered PhishTank app key) to enable PhishTank.')

  const user = process.env.PHISHTANK_USERNAME || 'synapse-horizon'
  const url = `https://data.phishtank.com/data/${key}/online-valid.json`
  const res = await fetchWithTimeout(url, { headers: { 'User-Agent': `phishtank/${user}` } })
  const rows = await res.json()
  const list = Array.isArray(rows) ? rows : []

  const iocs = list
    .filter((r) => /yes/i.test(r.verified || '') && /yes/i.test(r.online || ''))
    .sort((a, b) => new Date(b.submission_time) - new Date(a.submission_time))
    .slice(0, LIMIT)
    .map((r) => {
      const brand = r.target && r.target !== 'Other' ? r.target : 'multiple brands'
      const defanged = String(r.url).replace(/^https?/i, (m) => m.replace('t', 'x'))
      return makeIoc('phishtank', {
        detectedAt: r.verification_time || r.submission_time,
        severity: SEVERITY.MEDIUM,
        category: 'Phishing',
        indicator: defanged,
        indicatorType: 'url',
        target: brand,
        confidence: 78,
        mitre: [{ id: 'T1566.002', name: 'Phishing: Spearphishing Link' }],
        headline: `Phishing: Credential-harvesting page ${defanged} impersonating ${brand} verified by PhishTank`,
        raw: r,
        stix: {
          type: 'indicator',
          pattern: `[url:value = '${r.url}']`,
          pattern_type: 'stix',
          labels: ['phishing'],
        },
      })
    })

  return ok(iocs)
}