From 39f5ed87cedac344ccf77b4733d6e8485c08386f Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Tue, 20 Aug 2019 15:40:11 +0200
Subject: [PATCH] new: [phishing] Taxonomy to classify phishing attacks including techniques, collection mechanisms and analysis status.
---
phishing/machinetag.json | 152 +++++++++++++++++++++++++++++++++++++++
1 file changed, 152 insertions(+)
create mode 100644 phishing/machinetag.json
diff --git a/phishing/machinetag.json b/phishing/machinetag.json
new file mode 100644
index 0000000..4e4ec3d
--- /dev/null
+++ b/phishing/machinetag.json
@@ -0,0 +1,152 @@
+{
+ "namespace": "phishing",
+ "description": "Taxonomy to classify phishing attacks including techniques, collection mechanisms and analysis status.",
+ "version": 1,
+ "predicates": [
+ {
+ "value": "techniques",
+ "expanded": "Techniques",
+ "description": "Phishing techniques used."
+ },
+ {
+ "value": "reported",
+ "expanded": "Reported",
+ "description": "How the phishing information was reported."
+ },
+ {
+ "value": "origin",
+ "expanded": "Origin",
+ "description": "Origin or source of the phishing information such as tools or services."
+ },
+ {
+ "value": "action",
+ "expanded": "Action",
+ "description": "Action(s) taken related to the phishing tagged with this taxonomy."
+ },
+ {
+ "value": "state",
+ "expanded": "State",
+ "description": "State of the phishing."
+ }
+ ],
+ "values": [
+ {
+ "predicate": "techniques",
+ "entry": [
+ {
+ "value": "fake-website",
+ "expanded": "Social engineering fake website",
+ "description": "Adversary controls a fake website to phish for credentials or information."
+ },
+ {
+ "value": "email-spoofing",
+ "expanded": "Social engineering email spoofing",
+ "description": "Adversary sends email with domains related to target. Adversary controls the domains used."
+ },
+ {
+ "value": "clone-phishing",
+ "expanded": "Clone phishing",
+ "description": "Adversary clones an email to target potential victims with duplicated content."
+ },
+ {
+ "value": "voice-phishing",
+ "expanded": "Voice phishing",
+ "description": "Adversary use voice-based techniques to trick a potential victim to give credentials or sensitive information. This is also named as vishing."
+ },
+ {
+ "value": "search-engines-abuse",
+ "expanded": "Social engineering search engines abuse",
+ "description": "Adversary controls the search engine result to get an advantage"
+ },
+ {
+ "value": "spear-phishing",
+ "expanded": "Spear phishing",
+ "description": "Adversary attempts targeted phishing to a user or a specific group of users based on knowledge known by the adversary."
+ },
+ {
+ "value": "bulk-phishing",
+ "expanded": "Bulk phishing",
+ "description": "Adversary attempts to target a large group of potential targets without specific knowledge of the victims."
+ },
+ {
+ "value": "sms-phishing",
+ "expanded": "SMS phishing",
+ "description": "Adversary sends an SMS to a potential victims to gather sensitive information or use another phishing techniques at a later stage."
+ }
+ ]
+ },
+ {
+ "predicate": "reported",
+ "entry": [
+ {
+ "value": "manual-reporting",
+ "expanded": "Manual reporting",
+ "description": "Phishing reported by a human (e.g. tickets, manual reporting)."
+ },
+ {
+ "value": "automatic-reporting",
+ "expanded": "Automatic reporting",
+ "description": "Phishing collected by automatic reporting (e.g. phishing report tool, API)."
+ }
+ ]
+ },
+ {
+ "predicate": "origin",
+ "entry": [
+ {
+ "value": "url-abuse",
+ "expanded": "url-abuse",
+ "description": "CIRCL url-abuse service."
+ },
+ {
+ "value": "lookyloo",
+ "expanded": "lookyloo",
+ "description": "CIRCL lookyloo service."
+ },
+ {
+ "value": "phishtank",
+ "expanded": "Phishtank",
+ "description": "Phishtank service."
+ },
+ {
+ "value": "spambee",
+ "expanded": "Spambee",
+ "description": "C-3 Spambee service."
+ }
+ ]
+ },
+ {
+ "predicate": "action",
+ "entry": [
+ {
+ "value": "take-down",
+ "description": "Take down notification sent to the operator where the phishing infrastructure is hosted."
+ },
+ {
+ "value": "pending-law-enforcement-request",
+ "description": "Law enforcement requests are ongoing on the phishing infrastructure."
+ }
+ ]
+ },
+ {
+ "predicate": "state",
+ "entry": [
+ {
+ "value": "unknown",
+ "expanded": "Phishing state is unknown or cannot be evaluated",
+ "numerical_value": 50
+ },
+ {
+ "value": "active",
+ "expanded": "Phishing state is active and actively used by the adversary",
+ "numerical_value": 100
+ },
+ {
+ "value": "down",
+ "expanded": "Phishing state is known to be down",
+ "numerical_value": 0
+ }
+ ]
+ }
+ ]
+}
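Review bot: The `email-spoofing` entry under `techniques` is described as mail from domains the adversary controls, which is the look-alike-domain case rather than a forged sender on the target's own domain, so reports where SPF/DKIM/DMARC enforcement is the relevant control have no unambiguous tag. Consider widening it to something like `"description": "Adversary sends email with a forged sender address or from look-alike domains related to the target."`, or splitting the two cases into separate entries so the tag maps to one mitigation path. The two `action` entries (`take-down`, `pending-law-enforcement-request`) are the only ones without an `expanded` field and the three `state` entries carry no `description`; filling these in would keep every entry uniform for consumers that display them. Minor wording in the same hunk: `Adversary use voice-based` should read `uses`, `an SMS to a potential victims` should drop the article, and the `search-engines-abuse` description lacks its closing period.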