[BUG] Bad actors using this list/honeypot

[bulk88]

Describe the bug

This ticket is informational, there probably is no solution to fixing it.

2 months ago, my site site was white listed/removed from this DB. About 2 weeks, maybe a month later after removal. The botnet that was doing 10K-75K/day, max 250K/req per day to my site, vanished. Currently, as intended, some days I have 0 requests (weekends), and peaks at 5 requests a day that are not my IPs/ASNs, (Tor IPs), after being removed from this list.

This public phishing list, itself, is used by bad actors. If I wanted to DDOS a site, esp a pay per minute/hour/gig hosted site, just maliciously add a URL to this list, and watch the botnet traffic from 100s/1000s of VPNs, proxies, and cloud VPSes attack the site trying to find the .csv or .zip with collected phished logins or php/wordpress/shell injection attacks roll in. The bots DO NOT know what cookies are, and can't store cookies between requests, and the bots never learn, there is no content for them, no matter how much error 404 pages you return to them.

If someone could game this public list, and maliciously add an arbitrary false positive domain, and victim's domain's hosting, is pay per minute/hour/gig, it would quickly be knocked off or a huge cloud bill delivered at the end of the month.

After collecting a month of the the DDOS source IPs, and removing legitimate regional to me, ASNs, local LTE mobile and residential fixed ISPs, I came up with this list of ASNs. Except for Orange SA, all were non-residential. M247 hosting also popped into the list but from the wrong country on a tracepath, but I didn't include it here, since its the hosting provider of the VPN I personally use.

Hope this list helps someone.

559
1101
2514
3209
3215
3216
3352
4224
7489
7979
8075
8304
8359
8402
9605
11595
12093
12355
12389
12695
12816
12876
13043
13213
13238
13737
13768
13926
14061
14259
14315
14618
15085
15169
16276
16509
17506
18345
18403
18747
19237
20473
20860
21263
21887
22773
24940
26388
26548
27176
28855
29319
29405
29713
29802
30277
30860
32097
32475
32613
32780
32934
33083
33302
35526
35908
36236
36351
36352
36459
36873
36937
37100
37611
38364
39351
40021
42708
43289
43350
45671
45899
46562
46664
47583
49447
49825
50058
50304
51167
51395
53667
54203
54455
54538
55103
55286
55836
59425
60068
60404
60721
60729
60754
62651
62838
62904
63949
135377
135905
197422
197540
200651
202425
203833
205100
206092
206804
208169
208323
209366
209604
210630
211298
212238
394625
395111
396507
396982
397373
397423
398324
398355
398722

[funilrys]

Pining for future consideration.

I'm working on an other way to distribute and manage this repository. Therefore, I have to keep this in mind.

Thanks for the information @bulk88 .

[bulk88]

There is, or was earlier this year, a semi-FOSS python app on github, that directly downloaded your list on start-up/every day/every hour, and tried to do .csv/.zip "loot" extraction from phish sites (but not the php/shell/wordpress/admin portal exploits), along with a FOSS python library that randomly generated real UAs, although I got the hint something was up, when I saw a couple "pylib" UAs in my logs. Who knows how many entrepreneurs set instances, of that phish loot capture app. The github project does state, its not a blackhat tool, since attempting to steal already stolen credentials from darkweb, for adding to public username/password stolen databases and leaked API secrets key blacklists, to prevent global credential stuffing, is a whitehat activity. That github project does not have proxy jumping infrastructure in it. Whatever blackhat is using your list did fork and ad proxy jumping to that github project, or uses a closed source/private equivalent script.

A more interesting idea would be to include secret honeypot URLs in your list, you DO consciously keep inactive domains on there in case they come back, and you could collect intel on what IPs are INTENTIONALLY are connecting to "deactivated" phish sites over and over. You'd get a list of probably 50% known public list identified VPN IPs, 25% dedicated hosting IPs (VPSs/exploited small sites), and 25% consumer/residential devices (Orange France, maybe 1 USA Comcast, and 2 Russian LTE providers, and a Vietnam LTE/National telco provider) acting as VPNs/proxies, so some of the proxies IPs being used are grey/blackhat proxies, not commercial VPNs. Some android apps, not sure if they are Google Play store official, or LG/Huawei/Ali/Samsung app store, DO require in terms of service, instead of ads in the app, that your mobile phone act as a residential proxy, but anyone paying for residential proxies is a blackhat.

A blacklist of IPs attempting to crack the phish hosts, would be another blacklist you could publish or give that data discreetly to another public blacklist of what your honeypot collects 😊

[g0d33p3rsec]

A more interesting idea would be to include secret honeypot URLs in your list, you DO consciously keep inactive domains on there in case they come back, and you could collect intel on what IPs are INTENTIONALLY are connecting to "deactivated" phish sites over and over.

This sounds like something that Canarytokens would be useful for. I can look into setting up an instance on a custom domain once the semester finishes if there's interest. It would be interesting to feed the related IPs into Greynoise to attempt to correlate with other scanning activity.