New Project Informs Security Teams of Phished Users

31 January 2020

New Project Informs Security Teams of Phished Users

A newly launched project wants to help inform IT security representatives and domain owners when their users fall victim to phishing.

Named ‘I got phished’ and coming from malicious activity monitoring site abuse.ch, the project collects information on users who became victims of phishing by entering their credentials on a phishing website.

“The purpose of the project is to notify security representatives such as CERTs, CSIRTs, SOCs but also domain owners about potential phishing victims within their constituency,” the service’s maintainer explains.

The data is not generated by ‘I got phished’ or by abuse.ch, but comes from third-party, trusted IT security researchers. Thus, the project is not interested in how the data was procured or its accuracy.

As part of the project, only the email addresses of the victims that got phished are stored, as they are needed to notify the service’s users about the compromise.

‘I got phished’ does not store passwords and doesn’t directly notify phishing victims either, which sets it apart from Have I Been Pwned, the service maintained by Australian cybersecurity expert Troy Hunt.

The service only accepts submissions from vetted security researchers and only sends notifications to IT security representatives and domain owners, based on the domain name.

“If you are an individual (user), it is not possible to register your email address on I got phished. I got phished reports based on the domain name and not on an individual email address,” the service’s maintainer explains.

Security teams and domain owners can register to ‘I got phished’ to receive notifications if their corresponding domain name is present in newly added data sets. Only domain names can be registered, but not sub-domains.

The service also provides an API that vetted security researchers can use to feed data on phishing victims.

To date, ‘I got phished’ has over 2,000 registered users and information on more than 4,100 domains whose users fell victim to phishing, with 5,400 email addresses compromised in phishing attacks.