[StalkPhish.io] Advanced Phishing Detection with one API
2025-11-5 07:48:31 Author: stalkphish.com

At StalkPhish, we’ve been committed to staying ahead of phishing threats and providing our users with the most comprehensive tools for detecting and investigating brand impersonation, fraud campaigns, and phishing attacks. Today, we’re excited to share details about our enhanced API that brings powerful search capabilities and real-time threat intelligence directly to your security workflows.

Why We Built This API

Fighting phishing is not an easy task. You need to detect campaigns before you can start dismantling them. It’s a race against time—the faster you detect a campaign, the faster you can take it down. Our daily operations involve detecting, enriching, and sorting tens of thousands of phishing URLs, and we’ve designed our API to put this wealth of intelligence at your disposal programmatically.

What sets StalkPhish apart is our original approach: we don’t just detect phishing URLs—we gather intelligence on the threat actors behind campaigns and the developers of phishing kits. By extracting and analyzing data embedded within phishing kits themselves, we help you understand not just the “what” but the “who” behind phishing operations. This threat actor-centric intelligence is crucial for tracking campaigns over time, identifying infrastructure reuse, and anticipating future attacks.

A Tiered Approach to Threat Intelligence

Understanding that different organizations have different needs and budgets, we’ve structured our API access across three subscription tiers:

Free Tier

Perfect for researchers and small-scale investigations, the Free tier provides:

  • 10 API calls per day
  • Access to the last 4 hours of phishing data
  • Up to 30 results per query
  • Basic URL and IP address search capabilities

Standard Tier

For security teams needing regular access to threat intelligence:

  • 1000 API calls per day
  • 30-day historical data access
  • Up to 100 results per query
  • Additional search capabilities including page title searches and extracted email addresses
  • Google Safe Browsing status and phishing scores
  • SSL certificate information

Pro Tier

Our most comprehensive offering for enterprise security operations:

  • 10,000 API calls per day
  • 180-day historical data access
  • Up to 200 results per query
  • Full feature access including brand search, favicon hash matching, and phishing kit analysis
  • Telegram bot/channel extraction data
  • Phishing kit family classification
  • ZIP file hash searches for tracking kit reuse

Powerful Search Capabilities

One of the most powerful features of our enhanced API is the advanced search system with boolean operator support. Security analysts can now construct complex queries to pinpoint specific threats:

# Search for PayPal phishing with login pages
curl -H "Authorization: Token YOUR_TOKEN" \
"https://api.stalkphish.io/api/v1/search/url/paypal%20AND%20login"

# Find Microsoft or Apple impersonation attempts
curl -H "Authorization: Token YOUR_TOKEN" \
"https://api.stalkphish.io/api/v1/search/url/microsoft%20OR%20apple"

# Exclude legitimate sites from results
curl -H "Authorization: Token YOUR_TOKEN" \
"https://api.stalkphish.io/api/v1/search/url/banking%20NOT%20legitimate"

The API supports combining up to 5 boolean operators with a maximum of 10 search terms, allowing for precise threat hunting and campaign tracking.

Temporal Filters for Time-Based Analysis

Phishing campaigns often follow patterns and trends. Our API includes flexible temporal filtering to help you track campaigns over time:

import requests

# Search for recent PayPal phishing (last 7 days)
response = requests.get(
    'https://api.stalkphish.io/api/v1/search/url/paypal',
    headers={'Authorization': 'Token YOUR_TOKEN'},
    params={'last_days': 7}
)

# Custom date range search (inclusive ISO dates)
response = requests.get(
    'https://api.stalkphish.io/api/v1/search/url/microsoft',
    headers={'Authorization': 'Token YOUR_TOKEN'},
    params={
        'from_date': '2024-07-01',
        'to_date': '2024-07-31'
    }
)
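The boolean search and temporal filter sections above both feed the same request. As an added example (not StalkPhish's own client code), the helper below assembles the URL and query parameters for the search/url endpoint, enforces the stated limits of 5 operators and 10 terms, and URL-encodes the query so spaces become %20 as in the curl examples; treating every operator as infix and requiring both ends of a date range are assumptions, since the post does not describe how the API handles other shapes.

```python
from datetime import date
from urllib.parse import quote

BASE_URL = "https://api.stalkphish.io/api/v1"  # endpoint prefix from the post
OPERATORS = {"AND", "OR", "NOT"}
MAX_OPERATORS, MAX_TERMS = 5, 10                # limits stated in the post


def query_error(query: str):
    """Return why `query` is malformed, or None if it is acceptable.
    Operator/term limits come from the post; treating every operator as infix
    (never first, last, or next to another operator) is an assumption."""
    tokens = query.split()
    if not tokens:
        return "empty query"
    n_ops = sum(t in OPERATORS for t in tokens)
    n_terms = len(tokens) - n_ops
    if n_ops > MAX_OPERATORS:
        return f"{n_ops} operators exceeds the limit of {MAX_OPERATORS}"
    if n_terms > MAX_TERMS:
        return f"{n_terms} terms exceeds the limit of {MAX_TERMS}"
    for i, tok in enumerate(tokens):
        if tok in OPERATORS and (i in (0, len(tokens) - 1) or tokens[i - 1] in OPERATORS):
            return f"operator {tok!r} is not between two terms"
    return None


def build_url_search(query: str, last_days=None, from_date=None, to_date=None):
    """Return (url, params) ready for requests.get(); the query is validated and
    URL-encoded so that spaces become %20 exactly as in the post's curl examples."""
    problem = query_error(query)
    if problem:
        raise ValueError(problem)
    url = f"{BASE_URL}/search/url/{quote(query, safe='')}"
    params = {}
    if last_days is not None:
        if from_date or to_date:
            raise ValueError("use either last_days or a from_date/to_date range, not both")
        params["last_days"] = int(last_days)
    elif from_date or to_date:
        # both ends are required here (assumption); dates must be ISO and in order
        if not (from_date and to_date):
            raise ValueError("from_date and to_date must be given together")
        if date.fromisoformat(from_date) > date.fromisoformat(to_date):
            raise ValueError("from_date is after to_date")
        params.update(from_date=from_date, to_date=to_date)
    return url, params
```

Pass the returned pair straight to requests.get(url, headers={'Authorization': 'Token YOUR_TOKEN'}, params=params).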

Beyond URLs: Multi-Vector Threat Hunting

As we’ve shared in previous blog posts, StalkPhish.io’s probes retrieve relevant information directly from phishing kits themselves. The API exposes this rich data through multiple search vectors:

IP Address Search: Track infrastructure reuse across campaigns by searching for specific IPv4 addresses hosting phishing sites.

Brand Search (Pro): Monitor phishing attempts targeting specific brands or companies you’re protecting.

Favicon Hash Search (Pro): Identify related phishing sites using MMH3 favicon hashes—particularly useful for tracking campaigns that reuse infrastructure or kits.

Email Extraction Search (Pro): Find phishing pages containing specific email addresses, useful for tracking scammer operations.

ZIP File Hash Search (Pro): As we’ve documented in our PhishingKit-Yara-Rules project, tracking phishing kit reuse is crucial. Search by MD5, SHA1, or SHA256 hashes to identify known kits across different domains.

Phishing Kit Intelligence

For years, StalkPhish.io has included a system for classifying phishing kits, which lets us categorize the kits collected through our infrastructure. The API now exposes this classification data in the Pro tier response:

{
  "zipfilename": "phishing_kit.zip",
  "zipfilehash": "abc123def456",
  "phishingkit_family": "PK_Paypal_RD304",
  "page_hash": "sha256hash",
  "extracted_telegram": [{
    "botID": "1548908025:fc51cd8e6218a1a38da47ed00230f057681",
    "channelID": "987654321"
  }],
  "targeted_brand": "PayPal"
}

This data is invaluable for understanding campaign infrastructure and tracking threat actor operations over time. As we’ve blogged about previously, many phishing kits use Telegram for data exfiltration, and our API surfaces this information automatically.
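The Pro tier fields above are most useful when pivoted across many results. As an added example (not StalkPhish's code), the function below takes a list of records in the shape shown above and groups sites by zipfilehash and by extracted Telegram botID, so kit reuse and shared exfiltration bots across different domains stand out; the records are constructed, and the url field is an assumption since the snippet above does not show it.

```python
from collections import defaultdict

# Constructed sample records in the shape of the post's Pro-tier response.
# "url" is an assumed field; bot IDs and hashes are placeholders, not real values.
SAMPLE_RECORDS = [
    {"url": "http://kit-a.invalid/login", "zipfilename": "kit.zip", "zipfilehash": "hash_A",
     "phishingkit_family": "PK_Paypal_RD304", "targeted_brand": "PayPal",
     "extracted_telegram": [{"botID": "111111111:CONSTRUCTED_A", "channelID": "1001"}]},
    {"url": "http://kit-b.invalid/secure", "zipfilename": "kit.zip", "zipfilehash": "hash_A",
     "phishingkit_family": "PK_Paypal_RD304", "targeted_brand": "PayPal",
     "extracted_telegram": [{"botID": "111111111:CONSTRUCTED_A", "channelID": "1001"}]},
    {"url": "http://kit-c.invalid/", "zipfilename": "other.zip", "zipfilehash": "hash_B",
     "phishingkit_family": "PK_Microsoft_XYZ", "targeted_brand": "Microsoft",
     "extracted_telegram": [{"botID": "222222222:CONSTRUCTED_B", "channelID": "2002"},
                            {"botID": "111111111:CONSTRUCTED_A", "channelID": "1001"}]},
    # a site where no kit was recovered: hash and family are absent
    {"url": "http://kit-d.invalid/", "zipfilename": None, "zipfilehash": None,
     "phishingkit_family": None, "targeted_brand": "PayPal", "extracted_telegram": []},
]


def pivot_kit_reuse(records):
    """Group phishing sites by kit hash and by Telegram bot ID.

    Only pivots that link more than one site are returned, since a hash or
    bot seen once says nothing about reuse. Records without a kit are skipped
    for the hash pivot but still contribute any Telegram data they carry."""
    by_hash = defaultdict(set)
    by_bot = defaultdict(set)
    for rec in records:
        if rec.get("zipfilehash"):
            by_hash[rec["zipfilehash"]].add(rec["url"])
        for tg in rec.get("extracted_telegram") or []:
            if tg.get("botID"):
                by_bot[tg["botID"]].add(rec["url"])
    return {
        "kits_reused": {h: sorted(u) for h, u in by_hash.items() if len(u) > 1},
        "bots_shared": {b: sorted(u) for b, u in by_bot.items() if len(u) > 1},
    }
```

A bot ID shared by kits of different families (as CONSTRUCTED_A is above) points to one operator running several kits, which is the kind of link the post's threat-actor-centric approach is built to surface.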

Built for Integration

We’ve designed the API with real-world security workflows in mind. The simple token-based authentication and RESTful design make it easy to integrate into existing security tools, SOAR platforms, and threat intelligence feeds. We’ve even documented integration with tools like IntelOwl to speed up threat analysis.

Code examples are provided in Python, JavaScript, and cURL to help you get started quickly:

const axios = require('axios');

const api = axios.create({
  baseURL: 'https://api.stalkphish.io/api/v1',
  headers: {'Authorization': 'Token YOUR_TOKEN'}
});

// Search URLs matching "paypal" seen in the last 7 days
async function searchPhishing() {
  try {
    const response = await api.get('/search/url/paypal', {
      params: { last_days: 7 }
    });
    console.log(response.data);
  } catch (error) {
    // error.response is undefined for network failures, so fall back to the message
    console.error('Error:', error.response ? error.response.data : error.message);
  }
}

searchPhishing();

Rate Limiting and Best Practices

To ensure reliable service for all users, we implement rate limiting based on subscription tiers. The API returns clear HTTP status codes and error messages, and we provide guidance on implementing exponential backoff and retry strategies in your applications.

import time

import requests


def make_api_request(url, headers, params=None, max_retries=3):
    """Make an API request with automatic rate limit handling.

    On HTTP 429 the Retry-After header (seconds) is honoured before retrying;
    when the header is absent, 60 seconds is used."""
    for attempt in range(max_retries):
        response = requests.get(url, headers=headers, params=params)

        if response.status_code == 429:
            retry_after = int(response.headers.get('Retry-After', 60))
            print(f"Rate limited. Waiting {retry_after} seconds...")
            time.sleep(retry_after)
            continue

        return response

    raise Exception("Max retries exceeded")

Real-World Impact

Our platform has been instrumental in uncovering numerous phishing campaigns, from French-language CPF (MonCompteFormation) scams to Olympics-themed phishing attacks during Paris 2024. With the API, security teams can now automate the detection of similar campaigns targeting their organizations and respond faster than ever before.

Whether you’re tracking a specific brand impersonation campaign, hunting for infrastructure patterns, or building automated threat intelligence pipelines, the StalkPhish.io API provides the data and flexibility you need to stay ahead of phishing threats.

Getting Started

Ready to integrate StalkPhish.io into your security workflow? Visit our documentation at https://stalkphish.io/documentation/fullapi/ for complete API reference, code examples, and authentication details.

For questions or to upgrade your subscription tier, reach out to our team. As always, we’re committed to helping organizations fight phishing more effectively, one API call at a time.


Stay tuned to the StalkPhish blog for more insights into phishing campaigns, kit analysis, and threat intelligence. Follow our ongoing work with the PhishingKit-Yara-Rules open source project on GitHub for the latest detection rules.




Source: https://stalkphish.com/2025/11/05/stalkphish-io-advanced-phishing-detection-with-one-api/