Investigator Use
PhishTank is a community-powered database of verified phishing URLs, maintained by OpenDNS and operated as a public resource for the security community. It allows anyone to submit suspicious phishing URLs, which are then verified by community members and added to a searchable database accessible via web interface and API.
What investigators use PhishTank for: checking whether a URL is a known phishing site before clicking, researching phishing infrastructure associated with a target domain or IP, identifying phishing campaigns targeting specific brands or organizations, and integrating phishing URL data into automated threat analysis workflows.
What PhishTank exposes: verified phishing URLs with submission dates, the target brand being impersonated, current online status of the phishing site, submission and verification history, and community voting records. The complete database is downloadable for offline analysis and integration into security tools.
PhishTank is particularly useful for brand impersonation investigations. If a financial institution or e-commerce brand is being targeted by phishing campaigns, searching PhishTank by brand name surfaces all known phishing URLs mimicking that organization. These URLs often share hosting infrastructure, domain registration patterns, and redirect chains that link multiple campaigns together.
For domain attribution: when investigating a suspicious domain, submitting it to PhishTank and searching for similar domains can reveal whether a domain operator has a history of phishing activity. Many phishing actors reuse the same hosting providers, registrars, and URL patterns across multiple campaigns.
API access: PhishTank provides a free API for programmatic access to the database. The API accepts URLs for lookup and returns verified phishing status, making it easy to integrate into automated analysis pipelines.
In a workflow: check PhishTank early in any URL-focused investigation, alongside URL Void and VirusTotal. If a domain appears in PhishTank, pivot to its hosting infrastructure using SecurityTrails and Shodan to identify related phishing infrastructure. Use certificate transparency logs to find other domains that were issued certificates by the same provider at the same time, a common pattern in phishing kit deployment.
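The brand search and shared-hosting pivot described above, run against an offline copy of the database. This is an added example, not PhishTank's own code: the record field names are assumed to follow the layout of the downloadable JSON dump, and the brand, hostnames, IDs, and IP addresses are constructed placeholders.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample records. Field names are assumed to follow the layout of
# PhishTank's downloadable JSON dump; brands, hosts and IPs are placeholders.
SAMPLE_DUMP = json.loads("""[
 {"phish_id": 9000001, "url": "http://login.examplebank-secure.example/verify", "target": "ExampleBank", "verified": "yes", "online": "yes", "details": [{"ip_address": "192.0.2.10"}]},
 {"phish_id": 9000002, "url": "https://EXAMPLEBANK-update.example/account?id=1", "target": "ExampleBank", "verified": "yes", "online": "no", "details": [{"ip_address": "192.0.2.10"}]},
 {"phish_id": 9000003, "url": "http://examplebank.billing.example/", "target": "ExampleBank", "verified": "yes", "online": "yes", "details": [{"ip_address": "198.51.100.7"}]},
 {"phish_id": 9000004, "url": "http://shop-refund.example/", "target": "ExampleShop", "verified": "yes", "online": "yes", "details": [{"ip_address": "192.0.2.10"}]},
 {"phish_id": 9000005, "url": "http://examplebank-alert.example/", "target": "ExampleBank", "verified": "no", "online": "yes", "details": [{"ip_address": "192.0.2.10"}]}
]""")


def brand_clusters(records, brand, verified_only=True):
    """Group one brand's entries by hosting IP to surface shared infrastructure."""
    clusters = defaultdict(lambda: {"hosts": set(), "phish_ids": [], "online": 0})
    for rec in records:
        if rec.get("target", "").lower() != brand.lower():
            continue
        if verified_only and rec.get("verified") != "yes":
            continue  # unverified submissions are leads, not findings
        host = urlsplit(rec["url"]).hostname or ""  # hostname is lower-cased
        ips = {d["ip_address"] for d in rec.get("details", []) if d.get("ip_address")}
        for ip in ips or {"unknown"}:
            cluster = clusters[ip]
            cluster["hosts"].add(host)
            cluster["phish_ids"].append(rec["phish_id"])
            cluster["online"] += int(rec.get("online") == "yes")
    return dict(clusters)


def shared_infrastructure(clusters, min_hosts=2):
    """Return IPs that serve at least min_hosts distinct phishing hostnames."""
    return {
        ip: sorted(c["hosts"])
        for ip, c in clusters.items()
        if ip != "unknown" and len(c["hosts"]) >= min_hosts
    }


if __name__ == "__main__":
    found = brand_clusters(SAMPLE_DUMP, "ExampleBank")
    for ip, hosts in shared_infrastructure(found).items():
        print(ip, hosts, "online:", found[ip]["online"])
```

Each IP returned by `shared_infrastructure` is a lead to corroborate with passive DNS and certificate transparency data before treating the hostnames as one campaign.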
Before You Pivot
Record Context
Capture the target, search terms, and why this source is relevant before you leave the page.
Preserve Evidence
Archive volatile pages, save screenshots, and keep timestamps for anything that may change.
Corroborate
Treat one tool as a lead source. Confirm important findings with independent sources.
Related Tools
CVE
Cyber Threat OSINT
CVE provides standardized vulnerability identifiers and references used in security research, triage, and threat intelligence workflows.
CVE Details
Cyber Threat OSINT
CVE Details aggregates vulnerability records, CVSS scores, and affected software lists for security analysis and patch prioritization.
Default Passwords
Cyber Threat OSINT
Find default passwords and credentials for routers, printers, servers, and network devices for authorized security auditing.
Exploit DB
Cyber Threat OSINT
The Exploit Database archives public exploits and proof-of-concept code for known vulnerabilities, used in penetration testing and research.
HoneyDB
Cyber Threat OSINT
HoneyDB aggregates honeypot sensor data to identify malicious IP addresses, attacker tactics, and emerging threat patterns.
Hybrid Analysis
Cyber Threat OSINT
Hybrid Analysis provides free malware sandboxing with Falcon Sandbox technology to analyze suspicious files and URLs for threat intelligence.