Phish2MISP v.1.0 released

We are happy to announce the release of Phish2MISP, a small Python script that gathers information related to a phishing site and adds it as an event in MISP.

We have often had phishing sites that needed to be added to MISP as an event, and spent time gathering the relevant attributes.

With Phish2MISP we have tried to make this as easy as possible.


Relevant information from a phishing site

We have attempted to gather the minimal relevant information in this first released version, where we are collecting:

  • URL

  • Hostname and IP

  • Domain name and IP

  • Target

  • Screenshot

The phishing site

We found a Facebook phishing page located at “hxxps://padalashanmuk.000webhostapp.com/” collecting credentials.

Getting data into MISP

Phish2MISP makes use of CutyCapt for the screenshot part; besides this, it automates the collection of attributes.

That will automatically create the event in MISP
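As an added illustration (not Phish2MISP's own code), the sketch below turns one defanged phishing URL into a MISP event payload carrying the URL, hostname, domain, IP and target attributes listed above; the screenshot is left out. The helper names, the injected `resolve` callable, the last-two-labels domain rule and the sample DNS data are assumptions made for this example.

```python
from urllib.parse import urlsplit

def refang(url):
    """Undo the common hxxp / [.] defanging so the URL can be parsed."""
    return url.replace("hxxp", "http", 1).replace("[.]", ".")

def naive_domain(hostname):
    # Simplification: keep the last two labels. Hosting suffixes and ccTLDs
    # need the Public Suffix List to get the registrable domain right.
    return ".".join(hostname.split(".")[-2:])

def build_event(url, target, resolve, tags=("tlp:green",), distribution=0):
    """Build a MISP event dict (JSON shape of an event) for one phishing URL.

    resolve: callable hostname -> list of IP strings, injected so the example
    runs offline (hypothetical helper, not part of Phish2MISP)."""
    url = refang(url.strip())
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no hostname in {url!r}")
    domain = naive_domain(host)
    net = "Network activity"
    attrs = [
        {"type": "url", "category": net, "value": url, "to_ids": True},
        {"type": "hostname", "category": net, "value": host, "to_ids": True},
        # The parent domain may be a shared hosting provider: context only.
        {"type": "domain", "category": net, "value": domain, "to_ids": False},
        {"type": "text", "category": "Other", "value": target,
         "to_ids": False, "comment": "Phishing target"},
    ]
    seen = set()
    for name in dict.fromkeys((host, domain)):  # skip repeat if host == domain
        for ip in resolve(name):
            if ip in seen:
                continue
            seen.add(ip)
            # Shared-hosting IPs serve unrelated sites, so no IDS flag.
            attrs.append({"type": "ip-dst", "category": net, "value": ip,
                          "to_ids": False, "comment": f"A record of {name}"})
    return {"Event": {"info": f"Phishing site targeting {target}: {host}",
                      "distribution": distribution,
                      "Tag": [{"name": t} for t in tags],
                      "Attribute": attrs}}

# Constructed sample data: reserved .example name, documentation IP ranges.
SAMPLE_DNS = {"signin.phish-sample.example": ["192.0.2.10"],
              "phish-sample.example": ["192.0.2.10", "198.51.100.7"]}

if __name__ == "__main__":
    import json
    print(json.dumps(build_event("hxxps://signin.phish-sample.example/",
                                 "Facebook", lambda h: SAMPLE_DNS.get(h, [])), indent=2))
```

Marking only the URL and hostname with `to_ids` keeps a shared hosting provider's domain and IP addresses from turning into blocking indicators.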

Configure Phish2MISP

In the configuration sample below we are using TOR as proxy when visiting the phishing site

#!/usr/bin/env python3
# -*- coding: utf-8 -*-

misp_url = 'https://<YOUR MISP INSTANCE>/'
misp_key = '<MISP API KEY>'
misp_verifycert = True
misp_tags = ['tlp:green', 'misp-galaxy:financial-fraud="Phishing"']

misp_distribution = 0 # 0 = Organisation only, 1 = This community only, 2 = Connected communities, 3 = All communities, 4 = Sharing Group
sharing_group_id = 1 # Only to be used in combination with misp_distribution = 4

misp_threat_level_id = 1 # MISP values: 1 = High, 2 = Medium, 3 = Low, 4 = Undefined
misp_analysis = 0 # MISP values: 0 = Initial, 1 = Ongoing, 2 = Completed

auto_publish = True # True means auto publish event, False will not publish event 

make_screenshot = True

misp_proxies = {
}

The code can be fetched from GitHub at the following URL: https://github.com/eCrimeLabs/phish2MISP/