eCrime eXchange (eCX) Code and Documentation Repository

Overview

This is a repository of documenation, code, and command line examples to interact with the APWG's eCrime eXchange API (eCX API). Each script requires an eCX API token key to allow access to the eCX API

If you have code that you'd like to contribute, please contact us at support@ecrimex.net

Getting Started

You can find documentation about the eCX API here or in the document titled "eCx API Guide.

We also suggest you take a look the eCX API client written in PHP by the developers of eCX.

Testing

We have a sandbox for the eCX API located at https://api.sandbox.ecrimex.net for you to test your code on. It is updated nightly at midnight GMT with new data from production.

Repositories

Available

GET

• Example of how to GET data from the eCX /phish endpoint using cURL on the command line
• Example of how to GET data from the eCX /phish endpoint using wget on the command line
• GET data from eCX, using pagination (Python)
• GET CSV data from eCX using a date range

POST

• Example of how to POST data to eCX /phish endpoint using cURL on the command line
• Example of how to POST data to eCX /phish endpoint using wget on the command line
• Bulk upload CSV data into the Virtual Currency Workgroup

PATCH

Awaiting Development

We've split this up by eCX API REST verbs, GET to grab data, POST to send new data into eCX, and PATCH to update existing data, and some extended examples

• GET all data from eCX that is newer (date modified) than the last GET
• GET all data from eCX that is newer (ID) than the last GET
• GET a single phish entity by ID
• GET a single phish entity by exact URL
• GET a single phish entity by wildcard URL
• GET a list of phish by TLD
• GET a list of phish by Domain
• GET a list of phish by wilcard Domain
• GET a list of phish by ASN
• GET a list of phish by Brand
• GET a list of phish by wildcard Brand
• GET a list of phish by ASN
• GET a list of phish by IP
• GET a list of phish by CIDR
• GET data from eCX, and export into Splunk
• GET data from eCX, and export into Syslog
• Maltego Xforms/scripts to pull data elements from eCX and visualize in Maltego

• POST a phishing URL to eCX
• POST data to eCX via a bulk CSV uploader

• PATCH existing phish as active
• PATCH existing phish as inactive
• PATCH existing phish with new confidence level

• Find an IP pulled out of /phish in the /mal_ip endpoint (* must have access into both modules)

eCX API Documentation

The eCX API documentation is built in OpenAPI/Swagger format

Questions or Concerns?

Please contact us.