The APWG eCrime Exchange (eCX)

The APWG eCrime Exchange (eCX) is the security world’s oldest and most trusted threat data repository and data sharing platform.  It was developed specifically to exchange threat data about common cybercrime events such as phishing. The APWG’s member organizations contribute new data, and pull data out to use every day in their products and services – as well as for security applications and forensic routines.  The eCX offers a RESTful API for fast and easy use.

Providing data into the eCX helps protect both your organization’s users and the wider public. Simply submit new data, and it will be available to other eCX users, including browser developers and antivirus vendors, who use the data to block phishing, and responder organizations, which work to prevent attacks and to take down current attacks. Pull data out, and use it in your own security products and research. All entries are timestamped and tagged, and fresh data flows in continuously. The eCX and its progenitors have served the communities of interest since 2004.

Currently, total flow inbound to the /phish endpoint on the eCX from all member sources captures between 50,000 and 100,000 records per month from a few dozen institutions (many reporting on behalf of any number of enterprises). Just as importantly, Arizona State University researchers found in recent research that eCX was alone in its class in one keystone metric: reports lodged at /phish on the eCX generated the highest level of crawler traffic of any entity.[1]

The APWG eCrime Exchange is available to APWG members

The eCX offers five types of data:

Phishing:  The eCX receives hundreds to thousands of new, unique phishing URLs every day.  The listings include confidence scores and brand (target) tags, so you know the data’s reliable.  Learn about new attacks against hundreds of companies across the Internet, including the ones you need to protect.

Report Phishing: a repository of reported phishing emails.

Malicious IPs:  This feed contains IP addresses that have been recently observed as sources of malicious activity, such as fraudulent transactions and large-scale scanning attacks.  Use the data to manage your reputation systems, firewalls, and more.

Malicious Domains: A feed of suspected and known malicious domain names, including fake stores and fraud/identity theft sites.  Supporting data can be added and forwarded to registrar and registry operators, or other APWG members, to aid in takedowns.

Cryptocurrency:  This repository of problematic virtual currency addresses can help you identify suspicious transactions and enrich your analytic tools.  It’s high-value data for cryptocurrency exchanges, wallet providers, trading platforms, and investment funds who want to protect themselves and their customers against phishing and cybercrime.

eCX Phish Module

[1] PhishFarm: A Scalable Framework for Measuring the Effectiveness of Evasion Techniques Against Browser Phishing Blacklists, in the Proceedings of the 40th IEEE Symposium on Security & Privacy, May 2019, San Francisco, CA. Adam Oest, Yeganeh Safaei, Adam Doupé, Gail-Joon Ahn, Brad Wardman, and Kevin Tyers.