Phishing Database

Website: https://github.com/mitchellkrogza/Phishing.Database
Category: DNS & Domain Blocklists

The Phishing Database is a community-maintained collection of confirmed phishing domains and URLs, maintained by Mitchell Krog. It aggregates data from multiple phishing intelligence feeds with automated verification, providing a regularly updated resource for identifying active phishing infrastructure.

Source: Phishing Database

What is the Phishing Database?

Phishing attacks remain one of the most common vectors for credential theft, financial fraud, and initial access in targeted intrusions. The Phishing Database project addresses this by collecting, verifying, and publishing lists of domains and URLs actively used in phishing campaigns.

The database draws from multiple upstream phishing feeds and community reports. Each reported domain goes through an automated verification pipeline that checks whether the phishing content is still live, validates the report against multiple indicators, and categorizes the entry. This verification step is important because phishing domains are often short-lived: attackers register a domain, deploy a phishing page, harvest credentials for hours or days, and then abandon the domain. A database that does not verify entries quickly accumulates stale data.

The project publishes its data in several formats: domain-only lists for DNS-based blocking, full URL lists for web proxy filtering, and status-categorized files that distinguish between active, inactive, and invalid entries. This makes the data usable across different security tools and filtering architectures.

Phishing domains in the database typically impersonate banks, email providers, cloud services, social media platforms, cryptocurrency exchanges, and government agencies. Common techniques include typosquatting (registering misspellings of legitimate domains), use of legitimate-sounding subdomains on throwaway base domains, and exploitation of free hosting and URL shortening services.

How We Use This Data

We integrate the Phishing Database into our domain reputation checks. When you look up a domain on robtex.com or rbls.org, we check it against this database and flag any matches. A domain listed here has been identified as hosting phishing content, which is a direct indicator of malicious intent.

This is particularly valuable for email security analysis. When investigating a suspicious link from an email, checking the domain against the Phishing Database can quickly confirm whether it is part of a known phishing campaign. The database's focus on verification helps ensure that flagged domains represent genuine threats rather than false positives.
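The link check described above, as an added example; it is not code from robtex or from the Phishing Database project. It assumes the domain-only lists are plain text with one domain per line, uses constructed `.example` entries in place of real data, and its function names are hypothetical. A hostname is matched against the list together with each of its parent domains, so a legitimate-sounding subdomain on a listed base domain is still flagged.

```python
import re
from urllib.parse import urlsplit

# Constructed sample entries (not real data). Assumed format: one domain
# per line, one list per status category (active / inactive).
SAMPLE_LISTS = {
    "active": "# constructed sample\nlogin-verify.example\nsecure-bank.example\n",
    "inactive": "old-campaign.example\n",
}

def load_domains(text):
    """Parse a domain-only list: skip blanks and comments, normalise case and trailing dot."""
    out = set()
    for line in text.splitlines():
        line = line.strip().lower().rstrip(".")
        if line and not line.startswith("#"):
            out.add(line)
    return out

def candidates(host):
    """Yield the host and each parent domain, stopping before the bare TLD."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])

def check_url(url, lists):
    """Return (status, matched_domain); active is checked before inactive."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    try:
        host = host.encode("idna").decode("ascii")  # compare IDNs in punycode form
    except UnicodeError:
        pass  # keep the raw host if it cannot be encoded
    for status, domains in lists.items():
        for cand in candidates(host):
            if cand in domains:
                return status, cand
    return "not listed", None

def triage_email(body, lists):
    """Extract http(s) links from an email body and check each one."""
    urls = re.findall(r"https?://[^\s\"'<>)]+", body)
    return {u: check_url(u, lists) for u in urls}

LISTS = {status: load_domains(text) for status, text in SAMPLE_LISTS.items()}
```

An `inactive` result still matters during an investigation: it means the domain was listed at some point, even though the phishing content was no longer live when last verified.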

FAQ

What does it mean if a domain appears in the Phishing Database?

It means the domain was reported by one or more phishing intelligence feeds and verified by the project's automated pipeline as hosting phishing content. This is a strong indicator that the domain was created to impersonate a legitimate service and steal user credentials or personal information. Even if the phishing content has since been taken down, the domain's history marks it as part of malicious infrastructure.

How quickly are new phishing domains added to the database?

The project runs automated collection and verification on a regular cycle. New phishing domains are typically added within hours of being reported to upstream feeds. However, given that many phishing campaigns last only hours before the attacker moves on, some entries may represent domains where the phishing content is already offline. The database maintains status categories to distinguish active from inactive entries.

How is this different from Google Safe Browsing?

Google Safe Browsing is a proprietary service integrated into Chrome, Firefox, and Safari that warns users before visiting dangerous sites. It uses hash-prefix matching and is not fully transparent about its data. The Phishing Database is an open-source project with publicly visible domain lists, making it suitable for integration into custom security tools, DNS filters, and threat intelligence platforms where you need direct access to the underlying data rather than a browser-level API.