Phishing.club

Phishing.club is an advanced phishing platform with built-in credential capture, OAuth flow support, and campaign management. InfraGuard integrates via webhook to receive real-time campaign events.

Config

domains:
  phish.example.com:
    upstream: "${PHISHINGCLUB_UPSTREAM}"    # e.g. http://127.0.0.1:8000
    profile_type: "phishing_club"

    campaign_token:
      enabled: true
      token_param: "t"
      tokens:
        - "${CAMPAIGN_TOKEN_Q1}"
      score_on_missing: 0.8

    drop_action:
      type: "redirect"
      target: "https://example.com"

# Webhook receiver
phishingclub:
  enabled: true
  webhook_path: "/wb/pc"                       # randomize in production
  webhook_secret: "${PHISHINGCLUB_WEBHOOK_SECRET}"
  whitelist_on_click: false                    # promote clicking IP to C2 whitelist
  event_result_label: "allow"

See config/examples/phishing-club.yaml.

Webhook Integration

Phishing.club fires HMAC-SHA256 signed POST events to the configured webhook URL when campaign actions occur. InfraGuard:

  1. Validates the X-Signature: sha256=<hex> header against webhook_secret
  2. Parses the event payload
  3. Records the event to the tracking DB
  4. Dispatches a real-time alert to configured plugins (Discord/Slack)

Configure Phishing.club

In the Phishing.club admin UI, set the webhook URL to:

https://phish.example.com/wb/pc

Set the webhook secret to match ${PHISHINGCLUB_WEBHOOK_SECRET}.

Event Types

Event                    Score   Alert type
data_submitted           1.0     High-value
credentials_submitted    1.0     High-value
oauth_token_captured     1.0     High-value
device_code_captured     1.0     High-value
mfa_submitted            1.0     High-value
link_clicked             0.5     Standard
email_opened             0.5     Standard
browser_metadata         0.5     Standard

High-value events trigger immediate Discord/Slack alerts.
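
The signature check and payload parsing from the webhook flow, combined with the score table above, as an added example (not InfraGuard's or Phishing.club's own code). It assumes the HMAC covers the raw request body and that the event name sits in a top-level "event" key; neither detail is stated on this page, and the function names are hypothetical.

```python
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Scores copied from the Event Types table on this page.
EVENT_SCORES = {
    "data_submitted": 1.0, "credentials_submitted": 1.0,
    "oauth_token_captured": 1.0, "device_code_captured": 1.0,
    "mfa_submitted": 1.0, "link_clicked": 0.5,
    "email_opened": 0.5, "browser_metadata": 0.5,
}

def sign(secret: bytes, raw_body: bytes) -> str:
    """Build the header value a sender would attach (used here for sample data)."""
    return "sha256=" + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()

def verify_signature(secret: bytes, raw_body: bytes, header: Optional[str]) -> bool:
    """Validate 'sha256=<hex>' against the exact bytes received, not re-serialized JSON."""
    if not header:
        return False
    scheme, sep, sent_hex = header.strip().partition("=")
    if not sep or scheme.lower() != "sha256":
        return False
    try:
        sent = bytes.fromhex(sent_hex)
    except ValueError:          # non-hex or odd-length digest
        return False
    expected = hmac.new(secret, raw_body, hashlib.sha256).digest()
    return hmac.compare_digest(sent, expected)   # constant-time comparison

def handle_webhook(secret: bytes, raw_body: bytes,
                   header: Optional[str]) -> Tuple[str, Optional[float]]:
    """Return (status, score); the body is parsed only after the signature checks out."""
    if not verify_signature(secret, raw_body, header):
        return ("rejected", None)
    try:
        payload = json.loads(raw_body)
    except ValueError:
        return ("malformed", None)
    # Assumption: the event name is in a top-level "event" key.
    event = payload.get("event") if isinstance(payload, dict) else None
    if not isinstance(event, str) or event not in EVENT_SCORES:
        return ("unknown_event", None)
    return ("accepted", EVENT_SCORES[event])

# Constructed sample input, not a captured Phishing.club message.
SECRET = b"constructed-test-secret"
BODY = b'{"event": "credentials_submitted"}'
print(handle_webhook(SECRET, BODY, sign(SECRET, BODY)))
```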

whitelist_on_click

When whitelist_on_click: true, the IP of a target who clicks an email link is automatically promoted to InfraGuard’s dynamic C2 whitelist. This is useful when pairing a phishing redirector with a C2 redirector on the same host — once a target is phished, their beacon is automatically trusted.

Discord Plugin for Campaign Monitoring

plugins:
  - infraguard.plugins.builtin.discord

plugin_settings:
  discord:
    enabled: true
    event_filter:
      only_blocked: false
      min_score: 0.5          # alert on all phishing.club events
    options:
      webhook_url: "${DISCORD_WEBHOOK_URL}"
      username: "PhishGuard"

Webhook Path Security

Randomize the webhook path in production — it’s an unauthenticated POST endpoint (signature-validated, but still enumerable):

phishingclub:
  webhook_path: "/wb/xk9m3p"   # random path