import gradio as gr
import torch
import re
import plotly.graph_objects as go
from transformers import AutoTokenizer, AutoModelForSequenceClassification
from langchain_community.embeddings import HuggingFaceEmbeddings
from langchain_community.vectorstores import FAISS
from langchain.chains import RetrievalQA
from langchain_community.llms import HuggingFacePipeline
from langchain.prompts import PromptTemplate
import warnings
# Silences every warning category for the whole process, which also hides
# deprecation and security-related notices raised by the imported libraries.
# NOTE(review): consider narrowing this to the specific categories/modules
# that are known to be noisy.
warnings.filterwarnings("ignore")
# ==========================================
# 1. Classification Model (Phishing/Scam)
# ==========================================
# Identifier handed to from_pretrained() below (presumably a Hugging Face Hub
# repo id - confirm). Tokenizer and model are loaded at import time.
classifier_name = "Auguzcht/securisense-phishing-detection"
# Both calls resolve the artifact by name only; no `revision` is passed, so
# whatever the source currently serves under that name is what gets loaded.
# NOTE(review): pin `revision="<COMMIT_SHA_PLACEHOLDER>"` on both calls so the
# weights and tokenizer files in use are a reviewed, reproducible snapshot.
tokenizer = AutoTokenizer.from_pretrained(classifier_name)
model = AutoModelForSequenceClassification.from_pretrained(classifier_name)
def classify_text(text):
    """Score *text* with the module-level classifier.

    Returns a ``(label, phishing_prob)`` tuple: ``phishing_prob`` is the
    softmax probability read from the first row of the logits, and ``label``
    is the phishing string only when that probability is strictly above 0.5.

    Limitations visible in this function:
      * Input is truncated to 512 tokens, so anything past that point in a
        long message is never scored.
      * Index 1 is treated as the phishing class whenever the model emits
        more than one logit. NOTE(review): confirm this against the model's
        ``config.id2label`` mapping.
    """
    encoded = tokenizer(text, return_tensors="pt", truncation=True, max_length=512)

    # Inference only: no autograd graph is needed for the forward pass.
    with torch.no_grad():
        outputs = model(**encoded)

    class_probs = torch.nn.functional.softmax(outputs.logits, dim=-1)[0]

    # Single-logit heads fall back to the only probability available.
    if len(class_probs) > 1:
        phishing_prob = float(class_probs[1])
    else:
        phishing_prob = float(class_probs[0])

    if phishing_prob > 0.5:
        label = "🚨 PHISHING / SCAM"
    else:
        label = "✅ LEGITIMATE"
    return label, phishing_prob
# ==========================================
# 2. Advanced Risk Visualization (Plotly)
# ==========================================
def create_gauge(prob):
    """Return a Plotly gauge figure that shows *prob* as a percentage.

    ``prob`` is multiplied by 100 for both the displayed number and the white
    threshold marker. The gauge's own bar is fully transparent, so the marker
    is the only pointer drawn over the three coloured bands (0-30, 30-70,
    70-100). The value is not clamped or validated here.

    NOTE(review): the bands are independent of the 0.5 cut-off that
    ``classify_text`` uses for its label, so a score between 50 % and 70 % is
    labelled as phishing while the marker sits in the middle band.
    """
    percent = prob * 100

    # Colour bands drawn behind the marker, low to high.
    risk_bands = [
        {"range": [0, 30], "color": "#00cc96"},
        {"range": [30, 70], "color": "#ffa15a"},
        {"range": [70, 100], "color": "#ff4b4b"},
    ]

    # The marker line stands in for the (transparent) gauge bar.
    marker = {
        "line": {"color": "white", "width": 4},
        "thickness": 0.75,
        "value": percent,
    }

    gauge_spec = {
        "axis": {"range": [None, 100], "tickwidth": 1, "tickcolor": "white"},
        "bar": {"color": "rgba(0,0,0,0)"},
        "bgcolor": "white",
        "borderwidth": 2,
        "bordercolor": "gray",
        "steps": risk_bands,
        "threshold": marker,
    }

    indicator = go.Indicator(
        mode="gauge+number",
        value=percent,
        domain={"x": [0, 1], "y": [0, 1]},
        title={
            "text": "Threat Probability (%)",
            "font": {"size": 20, "color": "#ffffff"},
        },
        gauge=gauge_spec,
    )

    fig = go.Figure(indicator)
    fig.update_layout(
        paper_bgcolor="rgba(0,0,0,0)",
        font={"color": "white"},
        margin={"l": 20, "r": 20, "t": 50, "b": 20},
        height=250,
    )
    return fig
# ==========================================
# 3. Threat Intelligence: IoC Extractor
# ==========================================
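def extract_iocs(text):
    """Extract URLs, e-mail addresses and phone-like numbers from *text*.

    Returns a Markdown string: a heading followed by one bullet list per
    indicator type that was found, or a single "nothing detected" line.

    This is pattern extraction only. Nothing is checked against reputation
    or threat-intelligence data, so every URL found is listed under the
    "Suspicious URLs" heading regardless of where it points. The phone
    pattern is loose (any grouping of eight or more digits can match), so
    expect false positives such as order numbers.

    Changes relative to the earlier implementation:
      * Duplicates are removed in first-seen order instead of via ``set``,
        whose iteration order for strings varies between processes.
      * Trailing sentence punctuation, quotes, ``>`` and backticks are
        stripped from URLs so the listed value matches the actual link.
        Closing brackets are kept because they can be part of a URL.
      * Values are wrapped in a code span whose fence is longer than any
        backtick run inside the value, so text taken from the analysed
        message cannot close the span early and be interpreted as Markdown
        (assumes the caller renders this string as Markdown - confirm).
      * Phone numbers are collected in a single regex pass.
    """
    phone_pattern = r'(\+?\d{1,4}?[\s-]?)?\(?\d{2,3}?\)?[\s-]?\d{3,4}[\s-]?\d{3,4}'
    url_trailing_junk = '.,;:!?>"\'`'

    def _unique(values):
        # dict keys keep insertion order, giving a stable, de-duplicated list.
        return list(dict.fromkeys(values))

    def _code_span(value):
        # Fence with one more backtick than the longest run in the value; the
        # padding spaces keep a leading/trailing backtick from merging with it.
        longest_run = max((len(run) for run in re.findall(r'`+', value)), default=0)
        if longest_run == 0:
            return f"`{value}`"
        fence = '`' * (longest_run + 1)
        return f"{fence} {value} {fence}"

    def _bullets(values):
        return "\n".join(f"- {_code_span(v)}" for v in values)

    urls = _unique(
        u.rstrip(url_trailing_junk) for u in re.findall(r'https?://[^\s]+', text)
    )
    emails = _unique(re.findall(r'[\w\.-]+@[\w\.-]+\.\w+', text))
    # group(0) is the whole match; findall() would return only the optional
    # country-code group because the pattern contains a capture group.
    phones = _unique(m.group(0) for m in re.finditer(phone_pattern, text))

    ioc_markdown = "### 🕵️ Indicators of Compromise (IoC)\n"
    if not urls and not emails and not phones:
        return ioc_markdown + "*No specific links, emails, or phone numbers detected.*"

    if urls:
        ioc_markdown += "**🔗 Suspicious URLs:**\n" + _bullets(urls) + "\n\n"
    if emails:
        ioc_markdown += "**📧 Senders/Contacts:**\n" + _bullets(emails) + "\n\n"
    if phones:
        ioc_markdown += "**📱 Phone Numbers:**\n" + _bullets(phones) + "\n\n"
    return ioc_markdown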
# ==========================================
# 4. Advanced Knowledge Base (RAG)
# ==========================================
knowledge_base = [
# ---------------- CREDENTIAL HARVESTING ----------------
"[CREDENTIAL HARVESTING - ACCOUNT FREEZE]: Threat actors send urgent warnings of 'Suspended Accounts' or 'Illegal Activity Detected'. The goal is to induce panic, forcing the victim to click a rogue link and surrender their authentication credentials.",
"[CREDENTIAL HARVESTING - FAKE OAUTH]: Prompts asking the victim to 'Log in with Microsoft' or 'Log in with Google' to view a secure document. The pop-up is a cloned iframe designed to steal session tokens and passwords.",
"[CREDENTIAL HARVESTING - PASSWORD EXPIRATION]: Disguised as an IT Helpdesk alert stating the victim's domain password will expire in 2 hours. Contains a hyperlink to a spoofed Active Directory portal.",
"[CREDENTIAL HARVESTING - BROWSER UPDATE]: Fake alerts indicating the victim's Chrome or Edge browser is out of date and vulnerable. The download link executes a credential-stealing dropper (e.g., RedLine Stealer).",
"[CREDENTIAL HARVESTING - MFA FATIGUE]: Attackers constantly spam the victim's phone with login approval requests in the middle of the night, hoping the victim will accidentally press 'Approve' just to make the notifications stop.",
"[CREDENTIAL HARVESTING - SESSION HIJACKING (AiTM)]: Adversary-in-the-Middle attacks where a reverse proxy sits between the user and the real website. It captures not just the password, but the live session cookie, bypassing 2FA completely.",
# ---------------- FINANCIAL FRAUD ----------------
"[FINANCIAL VECTOR - ANOMALOUS PAYMENT FORMAT]: Any demand for payment utilizing non-refundable, anonymized pipelines including Apple/Amazon Gift Cards, prepaid Visa cards, or direct crypto transfers (BTC, USDT).",
"[FINANCIAL VECTOR - RECOVERY FRAUD (SECONDARY ATTACK)]: Scammers target victims of past fraud, posing as cybersecurity agencies, lawyers, or white-hat hackers. They promise to recover stolen funds, contingent on an upfront 'processing fee' or 'taxes'.",
"[FINANCIAL VECTOR - OVERPAYMENT SCAM]: A fraudster sends a fake cashier's check or fraudulent transfer exceeding the agreed purchase price, then urgently requests the victim to wire the 'difference' back before the original check bounces.",
"[FINANCIAL VECTOR - CHARITY EXPLOITATION]: Fraudulent campaigns launched immediately after natural disasters or global crises, soliciting donations to untraceable crypto wallets or unofficial P2P cash applications.",
"[FINANCIAL VECTOR - LOAN FEE SCAM]: Scammers guarantee a massive personal or business loan regardless of poor credit, but require the victim to pay processing fees or 'collateral insurance' upfront via wire transfer.",
"[FINANCIAL VECTOR - FAKE DEBT COLLECTION]: Impersonators call demanding immediate settlement of a fabricated 'zombie debt', threatening wage garnishment or immediate arrest if a credit card payment isn't made on the spot.",
# ---------------- CRYPTOCURRENCY AND WEB3 ----------------
"[CRYPTO FRAUD - SEED PHRASE EXTRACTION]: Malicious support agents on platforms like Discord/Twitter asking victims to 'validate their wallet' or 'sync their node' on a third-party site, requiring the victim's 12-to-24 word master recovery phrase.",
"[CRYPTO FRAUD - RUG PULL / HONEYPOT]: Promotions for newly launched coins guaranteeing massive APY. In a Honeypot, a smart contract is manipulated so victims can buy the coin but technically cannot sell it.",
"[CRYPTO FRAUD - ROMANCE PIG BUTCHERING]: A multi-month social engineering campaign where scammers build romantic trust, then convince victims to inject capital into a spoofed high-yield crypto trading dashboard under the guise of insider trading.",
"[CRYPTO FRAUD - FLASH LOAN ARBITRAGE BOTS]: Scammers sell 'guaranteed profit' trading bots. The provided Python or Solidity script contains a backdoor that actually routes the victim's funds to the scammer's wallet.",
"[CRYPTO FRAUD - ADDRESS POISONING]: Attackers aggressively spam a victim's wallet with zero-value transactions from an address that looks visually identical to an address the victim frequently uses, hoping the victim will accidentally copy-paste the scammer's address for their next real transfer.",
"[CRYPTO FRAUD - ICE PHISHING]: Tricking a Web3 user into signing a malicious transaction parameter that grants the attacker 'approval' to infinitely deduct a specific token from the victim's Metamask wallet.",
# ---------------- BUSINESS EMAIL COMPROMISE (BEC) ----------------
"[BEC - VENDOR INVOICE FRAUD]: Threat actors compromise a legitimate supplier's email, intercept a legitimate invoice, and alter the attached PDF to display the scammer's routing and bank account numbers.",
"[BEC - EXECUTIVE IMPERSONATION]: An attacker spoofs the CEO or CFO's email, directing subordinate finance staff to execute a 'highly confidential' wire transfer for an unannounced corporate acquisition.",
"[BEC - PAYROLL DIVERSION]: An email to the HR or Payroll department, appearing to be from an employee, requesting that their direct deposit routing information be changed to a new, fraudulent bank account.",
"[BEC - GIFT CARD SOLICITATION]: The boss allegedly emails lower-level staff claiming to be trapped in a meeting, ordering them to urgently buy physical gift cards for 'client rewards' and send photos of the scratched PIN numbers.",
"[BEC - SUPPLY CHAIN ATTACK]: Hackers compromise a third-party IT vendor or software supplier and leverage that trusted access to push a malicious update or send phishing emails internally to top-tier enterprise clients.",
# ---------------- MALWARE AND RANSOMWARE ----------------
"[MALWARE DELIVERY - MACRO ENABLED DOCUMENTS]: Invoices or shipping receipts sent as .docm or .xlsm files. The document prompts the user to 'Enable Content', executing VBA macros that download a Ransomware encryptor.",
"[MALWARE DELIVERY - HTM/HTML SMUGGLING]: Attachments ending in .html. When opened locally in an offline browser, embedded obfuscated JavaScript dynamically generates a ZIP or EXE payload, bypassing server-side security gateways.",
"[MALWARE DELIVERY - FAKE SOFTWARE CRACKS]: Links offering free versions of licensed software (Photoshop, Windows OS). They are bundled with InfoStealers that harvest saved Chrome passwords, cookies, and crypto wallet extensions.",
"[MALWARE DELIVERY - DRIVE-BY COMPROMISE]: A link leading to a compromised website loaded with an Exploit Kit. No clicking is required; merely visiting the page exploits browser vulnerabilities to silently drop malware.",
"[MALWARE DELIVERY - USB DROP ATTACK]: Physical social engineering where customized USB rubber duckies are dropped in corporate parking lots labeled 'Q4 Employee Bonuses'. Plugging it in instantly executes keystroke injection attacks.",
"[MALWARE DELIVERY - BROWSER EXTENSION POISONING]: Malicious plugins disguised as harmless PDF converters or AdBlockers that secretly log all web requests and alter copied crypto wallet addresses in the clipboard.",
# ---------------- SOCIAL ENGINEERING & ADVANCE-FEE ----------------
"[SOCIAL ENGINEERING - GRANDPARENT VISHING]: Voice Phishing utilizing AI-synthesized voice cloning. Scammers impersonate a distressed family member claiming they are in jail or the hospital, demanding emergency bail or medical funds.",
"[SOCIAL ENGINEERING - LOTTERY/INHERITANCE (419)]: An advance-fee scheme where the victim receives notification of winning a massive international lottery or inheriting untouched estate funds, requiring upfront fees to 'release the funds'.",
"[SOCIAL ENGINEERING - JOB/EMPLOYMENT SCAM]: Offers for 'Easy Remote Work'. Victims are 'hired' without interviews and told to purchase a 'home office kit' from a specific vendor with a bogus check. The vendor is the scammer.",
"[SOCIAL ENGINEERING - SEXTORTION]: Mass-blast emails claiming the sender has hacked the victim's webcam and recorded compromised footage. The email demands a Bitcoin ransom to prevent the footage from being emailed to all contacts.",
"[SOCIAL ENGINEERING - THE 'WRONG NUMBER' HOOK]: A text message starting with 'Hey, are we still meeting for golf today?'. When the victim replies 'wrong number', the scammer strikes up a friendly conversation aiming to execute a Pig Butchering crypto scam months later.",
"[SOCIAL ENGINEERING - CANCELLED SUBSCRIPTION ALERT]: Fake emails from Norton, GeekSquad, or McAfee claiming the victim’s credit card was charged $499 for renewal. The email relies on the victim calling the provided 1-800 number to dispute it, initiating a remote-desktop scam.",
# ---------------- TELECOM & RETAIL FRAUD ----------------
"[TELECOM FRAUD - SIM SWAPPING]: Attackers bribe or socially engineer telecom employees to port the victim's phone number to a new SIM card controlled by the attacker, instantly granting them all 2FA SMS intercepts.",
"[RETAIL FRAUD - BRUSHING SCAM]: Victims receive random, un-ordered packages from Amazon or AliExpress. The seller uses the victim’s leaked address to create fake verified positive reviews, inflating the seller's storefront rating artificially.",
"[RETAIL FRAUD - FAKE TICKET VENDORS]: Cloned websites utilizing severe SEO poisoning to appear first on Google, offering sold-out concert or airline tickets at massive discounts. Victims pay via Zelle but receive nothing.",
"[HOSPITALITY FRAUD - AIRBNB BAIT & SWITCH]: Scammers list luxury properties at cheap rates. Before check-in, they cancel the booking on the official app and urge the victim to pay directly via wire transfer for a 'discounted alternate property'.",
# ---------------- ELECTION & GOVT FRAUD ----------------
"[GOV FRAUD - TAX REFUND STEALING]: Fraudulent SMS declaring an unexpected federal tax refund or stimulus check is waiting. Requires the victim to click a URL and enter their SSN / National ID for identity theft.",
"[GOV FRAUD - JURY DUTY EXTORTION]: A phone call from a supposed local sheriff or judge claiming the victim missed jury duty and an arrest warrant has been issued. Payment of the 'fine' is demanded via prepaid gift cards to cancel the warrant.",
# ---------------- PLATFORM & OBFUSCATION EXPLOITS ----------------
"[TECHNICAL INDICATOR - SENDER OBFUSCATION (SPOOFING)]: The 'From' name perfectly matches a known entity, but the underlying <reply-to> SMTP headers expose a generic, disposable, or randomized alphanumeric email address.",
"[TECHNICAL INDICATOR - URL TYPOSQUATTING]: The deliberate malicious registration of domains that are visually identical to legitimate ones, exploiting user misreading (e.g., netfiix.com, waimart.com, support-microsoft.com).",
"[TECHNICAL INDICATOR - QUISHING (QR CODE PHISHING)]: The usage of scannable QR codes embedded in emails to bypass corporate URL filters. The QR code redirects mobile devices to credential harvesting portals.",
"[TECHNICAL INDICATOR - SMISHING (SMS PHISHING)]: Fraudulent text messages carrying an extraordinary sense of urgency (e.g., Bank Fraud Alerts, Postal Customs). SMS bypasses traditional enterprise email firewalls.",
"[TECHNICAL INDICATOR - ZERO-FONT OBSTRUCTION]: Scammers embed invisible white-text or zero-width characters inside an email to confuse AI spam algorithms without altering the visual presentation to the human user.",
"[TECHNICAL INDICATOR - OPEN REDIRECT ABUSE]: Appending malicious payloads to the end of a highly trusted domain (e.g., trustedbank.com/redirect?url=malicious-site.com). The victim only sees the trusted first half of the link.",
"[TECHNICAL INDICATOR - GOOGLE ADS SEO POISONING]: Buying sponsored ads on Google for keywords like 'Download VLC' or 'Bank Login'. The top-ranking ad looks identical to the real company but funnels users directly into a payload server.",
# ---------------- MEDICAL & HEALTHCARE SCAMS ----------------
"[HEALTHCARE FRAUD - MEDICAL BILLING SCAM]: Urgent spoofed invoices from local hospitals or clinics demanding immediate payment for a recent surgery or test, threatening to send the debt to collections within 24 hours.",
"[HEALTHCARE FRAUD - MEDICARE COMPROMISE]: Callers posing as government healthcare reps claiming the victim must confirm their Medicare number and bank account to receive a 'free' back brace or medical device.",
"[HEALTHCARE FRAUD - PRESCRIPTION EXTORTION]: Fake online pharmacies offering heavily discounted prescription drugs (e.g., Ozempic, Adderall). They steal the credit card data and repeatedly extort the buyer by threatening to report them to authorities.",
# ---------------- GENERATIVE AI & DEEPFAKE THREATS ----------------
"[AI THREAT - DEEPFAKE EXECUTIVE VIDEO]: A highly orchestrated attack where a scammer uses Deepfake video technology to impersonate a company CFO during a live Zoom call, directing an employee to execute a multi-million dollar transfer.",
"[AI THREAT - AUTOMATED SPEAR-PHISHING (LLM)]: The usage of scraped LinkedIn data fed into an LLM to generate highly personalized, grammatically perfect phishing emails tailored specifically to a victim's recent job promotion or life event.",
"[AI THREAT - SYNTHETIC IDENTITY FRAUD]: The creation of a completely fabricated persona utilizing AI-generated faces and stolen SSNs to apply for massive credit lines, open bank accounts, and establish fraudulent business entities.",
# ---------------- HARDWARE & IOT SCAMS ----------------
"[IOT COMPROMISE - FAKE FIRMWARE UPDATE]: Urgent emails warning the user that their home security camera or smart router requires a critical security patch. The provided firmware is actually a botnet enroller (e.g., Mirai).",
"[HARDWARE FRAUD - JUICE JACKING]: Public USB charging stations at airports deliberately modified to stealthily export data from or install malware onto a victim's phone while it charges.",
"[HARDWARE FRAUD - BOGUS HARDWARE WALLETS]: Scammers selling 'discounted' Ledger or Trezor crypto hardware wallets on eBay. The devices are physically tampered with, containing pre-configured secure elements to instantly drain funds.",
# ---------------- TRAVEL & HOSPITALITY FRAUD ----------------
"[TRAVEL SCAM - SPOOFED AIRLINE CANCELLATIONS]: SMS texts claiming the victim's upcoming flight was cancelled. The provided link demands a 're-booking fee' to secure the same seat, stealing credit card info.",
"[TRAVEL SCAM - BOGUS VISA ASSISTANCE]: Websites impersonating official government portals (e.g., ESTA, Schengen) that charge victims $100+ for a standard $15 tourist visa application, or simply steal the passport details for identity theft.",
"[TRAVEL SCAM - FREE VACATION HOOK]: Automated robocalls congratulating the victim on winning a fully paid cruise or resort stay. The victim is then asked to pay 'just the port taxes' via credit card to claim the prize.",
# ---------------- REAL ESTATE & MORTGAGE FRAUD ----------------
"[REAL ESTATE FRAUD - ESCROW INTERCEPTION]: Hackers monitor email chains between home buyers and real estate agents. Right before closing, they step in using a spoofed email and provide fraudulent wire instructions for the down payment.",
"[REAL ESTATE FRAUD - PHANTOM RENTALS]: Scammers copy pictures of a legitimate house for sale and post it on Craigslist as a rental with unrealistically low rent. They demand a 'security deposit' via Zelle before allowing a tour.",
"[REAL ESTATE FRAUD - TITLE THEFT]: Fraudsters forge a deed to a property they do not own, file it with the county, and then rapidly take out huge mortgage loans against the property, leaving the actual owner with the debt.",
# ---------------- GAMING & ESPORTS FRAUD ----------------
"[GAMING SCAM - IN-GAME CURRENCY PHISHING]: High-urgency messages targeting minors on platforms like Roblox or Fortnite, promising 'Free V-Bucks or Robux' if the user logs into a spoofed landing page.",
"[GAMING SCAM - ACCOUNT TAKEOVER (ATO)]: Scammers offering high-ranking, pre-leveled accounts for sale. Once the victim pays, the scammer uses the original recovery email to steal the account back.",
"[GAMING SCAM - FAKE TOURNAMENT REGISTRATION]: Phishing links sent on Discord advertising massive prize-pool tournaments. The victim must 'register' by linking their Steam or Riot account, which is immediately stolen.",
# ---------------- LEGAL & EXTORTION SCAMS ----------------
"[LEGAL EXTORTION - COPYRIGHT INFRINGEMENT]: Businesses receive an aggressive email from a supposed 'law firm' claiming images on their website violate copyright. A link provides 'photographic proof', which drops a trojan.",
"[LEGAL EXTORTION - HITMAN SCAM]: A highly threatening email where the sender claims they are an assassin hired to kill the victim, but offers to spare their life and reveal the contractor's name if paid a large sum in Bitcoin.",
"[LEGAL EXTORTION - CARTEL DEATH THREATS]: Victims receive graphic texts with violent imagery from someone claiming to be a cartel boss, demanding 'compensation' because the victim allegedly wasted their escort or operative's time.",
# ---------------- FRAUD-AS-A-SERVICE (FaaS) ----------------
"[FaaS - PHISHING KITS (PhaaS)]: The email originates from a mass-deployed Phishing-as-a-Service kit, where novice scammers rent fully functional spoofed banking portals and automated OTP interception bots for a monthly subscription.",
"[FaaS - BULK SMS GATEWAY ABUSE]: The utilization of compromised corporate Twilio or SendGrid accounts to blast millions of Smishing texts globally, bypassing carrier blocklists due to the high reputation of the compromised gateway.",
# ---------------- CLOUD & SaaS EXPLOITS ----------------
"[CLOUD COMPROMISE - FAKE SHAREPOINT/ONEDRIVE]: Phishing emails containing links to 'securely shared documents' hosted on fake Microsoft 365 or Google Workspace portals, designed to steal enterprise SSO credentials.",
"[CLOUD COMPROMISE - TOXIC OAUTH APPS]: Malicious third-party apps requesting 'Read/Write' access to the victim's Google Drive or Outlook inbox. Once authorized, the attacker maintains persistent access without needing a password.",
"[CLOUD COMPROMISE - AWS/AZURE BILLING EXTORTION]: Attackers breach an unsecured cloud environment, rapidly spin up hundreds of high-compute GPU instances for cryptomining, and leave the victim company with a $100,000+ monthly server bill.",
# ---------------- DARK WEB & IAB (INITIAL ACCESS BROKERS) ----------------
"[DARK WEB - CREDENTIAL STUFFING]: Botnets automatically testing millions of username/password combinations leaked from older data breaches against banking portals, exploiting victims who re-use passwords across multiple sites.",
"[DARK WEB - COOKIE THEFT (PASS-THE-COOKIE)]: Access brokers steal the victim's browser session cookies via InfoStealers, allowing buyers on dark web forums to bypass MFA and log directly into the victim's active banking session.",
# ---------------- ACADEMIC & STUDENT EXPLOITATION ----------------
"[ACADEMIC FRAUD - FAKE SCHOLARSHIP FEES]: Organizations guarantee a massive university scholarship or grant for the student, provided they pay an upfront 'application processing fee' or 'federal tax disbursement fee'.",
"[ACADEMIC FRAUD - STUDENT LOAN FORGIVENESS]: Scammers posing as federal education departments offering to immediately wipe out student debt for a onetime payment, often requesting the student's FSA ID (Federal Student Aid).",
"[ACADEMIC FRAUD - TUITION REDIRECTION]: Hackers compromise a university's billing email system, sending forged tuition invoices to international students, directing them to wire their semester fees to an offshore bank account.",
# ---------------- AUTOMOTIVE & LOGISTICS SCAMS ----------------
"[VEHICLE FRAUD - FAKE VIN REPORTS]: A victim selling a car online is contacted by an 'interested buyer' who demands they pull a vehicle history report from a specific, obscure website. The site is a front to steal the seller's credit card.",
"[VEHICLE FRAUD - THIRD-PARTY ESCROW SCAM]: Scammers selling non-existent classic cars or RVs online below market value. They insist on using a 'trusted third-party shipping and escrow company' which they actually own and control.",
"[VEHICLE FRAUD - VIRTUAL VEHICLE CLONING]: Fraudsters steal a legitimate Vehicle Identification Number (VIN) from a parked car, put it on a stolen car of the exact same make and model, and sell the stolen car to an unsuspecting buyer.",
# ---------------- RELIGIOUS & AFFINITY FRAUD ----------------
"[AFFINITY FRAUD - PASTOR/CLERGY IMPERSONATION]: A scammer creates a fake email or WhatsApp account mimicking a local priest, rabbi, or imam, urgently asking congregation members to buy gift cards for 'sick community members'.",
"[AFFINITY FRAUD - PONZI TARGETING COMMUNITIES]: Fraudsters infiltrate tight-knit religious, ethnic, or immigrant communities, using shared faith or cultural background to build extreme trust before recruiting them into a massive Ponzi scheme.",
# ---------------- SOCIAL MEDIA & INFLUENCER SCAMS ----------------
"[SOCIAL MEDIA - ACCOUNT VERIFICATION SCAM]: Phishers DM a victim claiming they are eligible for the 'Blue Checkmark' or a verified badge if they click a link and log in within 24 hours. The link captures their Instagram/Twitter credentials.",
"[SOCIAL MEDIA - INFLUENCER SPONSORSHIP THEFT]: Fake brands email content creators offering lucrative sponsorship deals. The attached 'brand guidelines' or 'contract PDF' runs a silent executable that steals the creator's YouTube channel.",
"[SOCIAL MEDIA - ACCOUNT CLONING]: Scammers duplicate a victim's public profile pictures and name, create a new account, friend all of the victim's contacts, and then beg the contacts for emergency cash.",
# ---------------- MILITARY & VETERAN TARGETING ----------------
"[MILITARY FRAUD - VA BENEFIT BUYOUTS]: Scarcity-driven scams offering veterans a 'lump sum cash advance' on their future pension or disability payments, locking them into predatory contracts with hidden 100%+ interest rates.",
"[MILITARY FRAUD - DEPLOYED SOLDIER CATFISH]: Romance scammers stealing photos of real military personnel, claiming to be deployed in a war zone overseas, and begging the victim for wire transfers to 'buy a flight home' or 'pay for communication gear'.",
# ---------------- ADVANCED MALWARE & CRYPTOJACKING ----------------
"[MALWARE DELIVERY - STEGANOGRAPHY]: Threat actors conceal malicious payload code inside the pixels of an otherwise perfectly normal-looking image file (.jpg or .png) sent via email or hosted on a compromised site.",
"[MALWARE DELIVERY - FILELESS MALWARE]: Advanced attacks that do not install software on the hard drive. Instead, they exploit trusted, built-in system tools like PowerShell or WMI to execute malicious code directly in the computer's RAM.",
"[CRYPTOJACKING - SILENT MINING]: Malicious scripts injected into legitimate streaming or torrenting websites. The script hijacks the visitor's CPU power to mine Monero (XMR) for the attacker in the background, causing system overheating.",
# ---------------- DEFI & SMART CONTRACT EXPLOITS ----------------
"[DEFI EXPLOIT - ORACLE MANIPULATION]: Attackers exploit vulnerable Web3 price oracles to artificially inflate the price of an obscure token, then borrow massive amounts of stablecoins against that inflated collateral, draining the lending protocol.",
"[DEFI EXPLOIT - FAKE AIRDROPS]: Scammers mint zero-value tokens and send them to the victim's wallet. When the victim attempts to swap or sell the mystery tokens on a decentralized exchange, the smart contract drains the victim's entire wallet.",
# ---------------- MOBILE & APP STORE VULNERABILITIES ----------------
"[MOBILE THREAT - FAKE AUTHENTICATOR APPS]: Malicious applications submitted targeting '2FA' keywords in the App Store. Once installed, they intercept TOTP codes and silently transmit them to an adversary's C2 server.",
"[MOBILE THREAT - FLEECEWARE]: Apps (like simple flashlights or calculators) that offer a 3-day free trial, then automatically bill exorbitant weekly subscription fees ($50/week) via the App Store, hoping the user deletes the app without cancelling the sub.",
"[MOBILE THREAT - KEYBOARD REPLACEMENT]: Scammers trick victims into installing a custom virtual keyboard (e.g., 'Cool Fonts App') which effectively functions as a systemic mobile keylogger, capturing passwords and crypto phrases.",
# ---------------- FREELANCE & GIG ECONOMY EXPLOITATION ----------------
"[GIG ECONOMY - UPWORK/FIVERR OVERPAYMENT]: The client hires a freelancer, 'accidentally' pays $5,000 instead of $500 via a stolen credit card, and demands a $4,500 refund via Zelle before the stolen card chargeback hits the freelancer.",
"[GIG ECONOMY - FREE WORK HARVESTING]: 'Companies' posting massive coding or design tests as part of the 'interview process'. They never hire anyone; they simply use desperate applicants to build their product for free.",
"[GIG ECONOMY - TASK-SCAM PYRAMID]: Victims are forced to use their own funds to 'buy product reviews' to boost SEO rankings, under the guise of an affiliate marketing gig, with promises of 300% returns that never materialize.",
# ---------------- SUPPLY CHAIN & DISTRIBUTION FRAUD ----------------
"[SUPPLY CHAIN - BILL OF LADING FORGERY]: Attackers intercept shipping documents between global manufacturers and distributors, forging the 'Bill of Lading' to redirect containers of high-value electronics to black-market warehouses.",
"[SUPPLY CHAIN - DOUBLE BROKERING]: Fraudulent freight companies bid on legitimate shipping contracts, outsource the job to an actual trucker, get paid by the client, and then disappear without ever paying the actual trucker.",
"[SUPPLY CHAIN - DIGITAL VENDOR SPOOFING]: Attackers register a domain one letter off from a multi-national vendor (e.g., ibmsystems.com instead of ibm.com), issuing massive bulk purchase orders to distributors on Net-30 credit terms.",
# ---------------- ADVANCED PERSISTENT THREAT (APT) TECHNIQUES ----------------
"[APT TACTICS - WATERING HOLE ATTACK]: Adversaries compromise a highly specific, niche website frequented only by their target demographic (e.g., a regional aviation regulation blog) to serve zero-day exploit payloads directly to high-value targets.",
"[APT TACTICS - LIVING OFF THE LAND (LotL)]: Nation-state actors bypassing Endpoint Detection (EDR) by executing operations using only pre-installed native administrative tools like WMI, PowerShell, and PsExec, making anomalous activity incredibly hard to detect.",
"[APT TACTICS - DLL HIJACKING]: Attackers drop a malicious Dynamic Link Library (DLL) file in the same directory as a legitimate, signed application. When the legitimate app runs, it mistakenly loads the malicious code with elevated privileges.",
# ---------------- SMART HOME & DOMESTIC IOT SCAMS ----------------
"[DOMESTIC IOT - BABY MONITOR EXTORTION]: Hackers utilize credential stuffing to log into unsecured IoT baby monitors or living room cameras, shouting threats via the speaker or recording private footage to extort the parents.",
"[DOMESTIC IOT - HVAC CRYPTOMINING]: Threat actors scan for vulnerable Internet-exposed Smart Thermostats, hacking them to form massive botnets intended entirely to mine low-hashing cryptocurrencies like Monero.",
# ---------------- TAX & ACCOUNTING MANIPULATION ----------------
"[TAX FRAUD - FORM W-2 SPEAR PHISHING]: Spoofed emails originating from 'The CEO' sent to HR in late January, demanding the W-2 forms (containing SSNs and salaries) of all employees for 'urgent federal review'.",
"[TAX FRAUD - GHOST PREPARERS]: Unlicensed accountants promising maximum tax returns. They artificially inflate expenses on the victim's return, route the massive IRS refund to their own account, and disappear, leaving the victim to face a federal audit.",
# ---------------- IP PINGING & DOXXING THREATS ----------------
"[DOXXING - HONEYTRAP URLS]: An attacker sends a seemingly harmless personalized link (e.g., Grabify) to a target in a forum or game chat. Clicking it reveals the victim's raw IP address, ISP, and geographic coordinates, leading to SWATing or DoS attacks.",
"[DOXXING - ANONYMOUS EXTORTION]: Attackers correlate a pseudo-anonymous Reddit or 4chan account with a real-life LinkedIn profile, demanding crypto ransom to prevent exposing embarrassing niche internet activity to the victim’s employer.",
# ---------------- NFT & DIGITAL ASSET HEISTS ----------------
"[NFT EXPLOIT - SLEEPINTMINTING]: Scammers mint a fake NFT directly to a famous person's wallet, then 'buy' it back from the wallet. On the blockchain, it looks like a celebrity endorsed the project, artificially inflating its dark-market value.",
"[NFT EXPLOIT - DISCORD WEBHOOK COMPROMISE]: Attackers compromise a popular NFT project's Discord Server using a hijacked Admin token, posting a 'Surprise Stealth Mint' link that is actually a drainer script targeting eager community members.",
"[NFT EXPLOIT - METADATA POISONING]: A user buys a seemingly valuable piece of NFT art. Post-sale, the scammer alters the external IPFS metadata link, swapping the beautiful artwork file out for an image of garbage or nothing at all.",
# ---------------- AI & LLM SPECIFIC ATTACKS ----------------
"[AI HACKING - PROMPT INJECTION]: Malicious text hidden within a webpage or document designed to manipulate an AI assistant (like Copilot or an enterprise LLM) into exfiltrating the user's private data or circumventing safety guardrails.",
"[AI HACKING - DATA POISONING]: Attackers subtly alter datasets used to train a corporate machine learning model over time, intentionally teaching the AI to classify malicious network traffic as benign, creating a permanent blind spot.",
"[AI HACKING - LLM HALLUCINATION EXPLOITATION]: Attackers publish malicious software packages to PyPI or npm with names that popular AI coding assistants frequently hallucinate. When developers blindly copy the AI's code, they install the malware.",
# ---------------- BIOMETRIC & DEEP IDENTITY THEFT ----------------
"[BIOMETRIC FRAUD - SYNTHETIC FINGERPRINTING]: Using high-res photos from social media, attackers utilize 3D printing to create synthetic silicone fingertips capable of bypassing physical biometric scanners in high-security facilities.",
"[BIOMETRIC FRAUD - LIVENESS SPOOFING]: Utilizing deepfake video overlays on a mobile device camera to bypass cryptocurrency exchange KYC (Know Your Customer) systems that require the user to blink or turn their head.",
# ---------------- AUTOMOTIVE & EV EXPLOITATION ----------------
"[EV EXPLOITATION - CHARGING STATION MITM]: Compromising public Electric Vehicle charging stations to launch Man-In-The-Middle attacks on the vehicle's telemetry network, spoofing billing data or deploying ransomware to the infotainment system.",
"[AUTOMOTIVE EXPLOIT - CAN BUS INJECTION]: Attackers physically access the wiring (often through a headlight casing) to inject messages directly into the Controller Area Network (CAN) bus, unlocking doors and starting the engine without a key FOB.",
"[AUTOMOTIVE EXPLOIT - RELAY ATTACK]: Two thieves work together using radio extenders. One stands near the victim's house to capture the signal of their smart key, relaying it to the second thief next to the car in the driveway, driving away silently.",
# ---------------- CRITICAL INFRASTRUCTURE / ICS / SCADA ----------------
"[ICS COMPROMISE - PLOGIC BOMB]: Disgruntled engineers embedded logic bombs within the Programmable Logic Controllers (PLCs) of a water treatment facility or oil refinery, designed to halt operations or alter chemical mixes months after they resign.",
"[SCADA COMPROMISE - HMI SPOOFING]: Attackers breach an energy grid's Human-Machine Interface (HMI) and alter the telemetry display. Operators see a stable temperature gauge while the actual physical turbine is covertly driven to the point of catastrophic meltdown.",
# ---------------- PHYSICAL PERIMETER & RED TEAMING ----------------
"[PHYSICAL BREACH - PIGGYBACKING/TAILGATING]: Social engineering where an attacker disguised as a delivery driver or carrying heavy boxes closely follows an authorized employee through a badge-access door before it closes.",
"[PHYSICAL BREACH - ROGUE FEMTO CELL]: Attackers park a van near an enterprise office and deploy a rogue LTE cellular base station (IMSI Catcher). Employee phones automatically connect, allowing interception of all SMS, including 2FA tokens.",
"[PHYSICAL BREACH - DROPBOX PLANTING]: Covertly hiding a small Raspberry Pi with a 4G modem behind a printer or desk in a corporate lobby, wired into the internal ethernet jack to provide permanent remote network access.",
# ---------------- FREIGHT, MARITIME & AVIATION ----------------
"[MARITIME HACKING - AIS SPOOFING]: Altering a vessel's Automatic Identification System (AIS) broadcast. Drug cartels or smugglers make their ship appear to be sailing near Africa on radar, while they are physically docking in a European port.",
"[AVIATION HACKING - GHOST FLIGHT INJECTION]: Intentionally injecting fake ADS-B telemetry data to make air traffic controllers see phantom aircraft on a collision course, forcing them to re-route real flights and cause logistical chaos.",
# ---------------- CORPORATE ESPIONAGE & INSIDER THREATS ----------------
"[ESPIONAGE -HONEY POT RECRUITING]: Foreign intelligence agents pose as highly attractive recruiters on LinkedIn. They court engineers with 'exclusive job offers' simply to gain access to proprietary source code wrapped as an interview assignment.",
"[INSIDER THREAT - THE DEPARTING DOWNLOAD]: An employee, knowing they are about to be fired or leave for a competitor, bulk-downloads the entire corporate CRM database, client list, and trade secrets to a personal cloud drive in the middle of the night.",
# ---------------- QUANTUM COMPUTING & CRYPTOGRAPHIC THREATS ----------------
"[QUANTUM THREAT - HARVEST NOW, DECRYPT LATER (HNDL)]: Nation-state actors intercepting and storing massive tranches of currently uncrackable highly encrypted enterprise traffic, waiting for quantum computers to mature enough to break the RSA/ECC encryption retrospectively.",
"[CRYPTOGRAPHIC COMPROMISE - BGP HIJACKING]: Attackers maliciously manipulate the Border Gateway Protocol (BGP) routing tables to physically re-route a country's entire internet traffic through a rogue ISP in a hostile nation for mass surveillance before forwarding it to the real destination.",
"[CRYPTOGRAPHIC COMPROMISE - ROGUE CERTIFICATE AUTHORITY]: State-sponsored hackers compromise a trusted Root Certificate Authority (CA), allowing them to mint perfectly valid SSL/TLS certificates for any website (e.g., Google or a major bank), enabling flawless, undetectable HTTPS wiretapping.",
# ---------------- SPACE, SATELLITE & AEROSPACE EXPLOITATION ----------------
"[SATELLITE EXPLOIT - CUBE-SAT HIJACKING]: Threat actors compromise the ground-station uplinks for Low Earth Orbit (LEO) microsatellites, taking over propulsion thrusters to either de-orbit the satellite or weaponize it to crash into a military communications satellite.",
"[AEROSPACE COMPROMISE - GPS SPOOFING (MEACONING)]: Attackers broadcast high-power, forged GPS signals near military bases or maritime shipping lanes. This forces drones, ships, and missile guidance systems to miscalculate their location and blindly steer into hostile territory or crash.",
"[SPACE COMM INFRASTRUCTURE - VSAT RANSOMWARE]: Deploying ransomware specifically into the Very Small Aperture Terminal (VSAT) modems used on offshore oil rigs and commercial vessels, completely blacking out their ability to communicate with the mainland until a crypto ransom is paid.",
# ---------------- NEURAL INTERFACES (BCI) & TRANS-HUMAN EXPLOITATION ----------------
"[BCI THREAT - NEURAL SPYING (BRAIN-JACKING)]: As Brain-Computer Interfaces (e.g., Neuralink) mature, attackers intercept the Bluetooth LE or proprietary RF signals between the implant and the compute module to read raw motor-cortex intention data or induce seizure-like states.",
"[BIO-MEDICAL THREAT - PACEMAKER OVERRIDE]: Targeted assassination attempts via exploiting hardcoded, unpatchable credentials in IoT-connected medical implants. The attacker sends a remote command via a compromised bedside monitor to dump the defibrillator's battery instantly.",
# ---------------- TELECOMMUNICATIONS & SUBSEA INFRASTRUCTURE ----------------
"[SUBSEA CABLE TAPPING - OPTICAL SPLITTING]: Highly advanced submarines deploying underwater drones to attach physical beam-splitters to trans-oceanic fiber optic cables, extracting terabytes of raw data via light-refraction without causing an outage.",
"[TELECOM COMPROMISE - SS7 PROTOCOL ABUSE]: Exploiting the ancient Signaling System No. 7 (SS7) telephony protocol. An attacker in another continent can track a victim's exact GPS location, intercept their calls, and read SMS 2FA codes just by knowing their phone number.",
# ---------------- DEEPFAKES, DISINFORMATION & MARKET MANIPULATION ----------------
"[MARKET MANIPULATION - SYNTHETIC MEDIA SHORTING]: A hedge fund secretly generates a hyper-realistic deepfake video of a Fortune 500 CEO being 'arrested' by the FBI. They short the company's stock, release the video on Twitter, and make billions in the 15 minutes before the truth is verified.",
"[DISINFORMATION - BOT-FARM ASTROTURFING]: Utilizing massive arrays of AI-powered bots to artificially create a 'grassroots' political or financial movement online. The bots talk to each other to manipulate Twitter trending algorithms, swaying national elections or tanking a competitor's brand."
]
# Retrieval index: every knowledge_base entry is embedded once at import time
# and held in an in-memory FAISS index.
# NOTE(review): the embedding model is resolved by name with no pinned
# revision, so each cold start loads whatever that repository currently
# serves; pin a reviewed commit if the deployment needs reproducible artefacts.
embeddings = HuggingFaceEmbeddings(
    model_name="sentence-transformers/all-MiniLM-L6-v2",
)
vectorstore = FAISS.from_texts(texts=knowledge_base, embedding=embeddings)
# ==========================================
# 5. LLM Explainer Generation (Zephyr 7B)
# ==========================================
# Local text-generation pipeline that writes the explanation shown in the UI.
# max_new_tokens caps the length of each generated answer.
# NOTE(review): transformers applies `temperature` only when sampling is
# enabled, and `do_sample` is not set here; confirm that 0.3 takes effect.
# NOTE(review): the model id is resolved without a pinned revision; pin a
# reviewed commit if the weights must not change between deployments.
llm = HuggingFacePipeline.from_model_id(
    model_id="HuggingFaceH4/zephyr-7b-beta",
    task="text-generation",
    pipeline_kwargs={
        "max_new_tokens": 400,
        "temperature": 0.3,
    },
)
# Prompt for the explainer. {context} receives the retrieved knowledge-base
# entries and {question} receives the message under analysis.
# NOTE(review): {question} is attacker-authored text placed in the prompt with
# no delimiter around it, so the guardrail lines below are requests to the
# model, not an enforcement boundary. A crafted message can steer the
# generated assessment, including towards "NO THREAT DETECTED". Treat the
# explanation as advisory next to the classifier score.
prompt = PromptTemplate.from_template(
"""You are an elite cybersecurity and incident response analyst. Analyze the following message to determine if it is a scam.
Context (Known Red Flags):
{context}
Message to Analyze:
{question}
STRICT GUARDRAILS & ANTI-HALLUCINATION RULES:
- DO NOT invent or hallucinate information. Base your analysis completely on the provided Message and Context.
- If the message appears entirely safe and lacks any known red flags, explicitly state "NO THREAT DETECTED".
- Do not output random code or extra conversational filler.
Provide a structured, professional response in English with exactly the following three sections:
1. **Security Assessment**: Is it safe or a scam?
2. **Behavioral Red Flags**: Specific psychological tactics or anomalous logic used in the message.
3. **Incident Response Action Plan**: Immediate steps the user must take."""
)
# Retrieval-augmented chain: the four knowledge-base entries nearest to the
# query fill the prompt's {context}, and the query itself fills {question}.
# The same raw message therefore drives both the retrieval and the prompt.
qa_chain = RetrievalQA.from_chain_type(
    llm=llm,
    retriever=vectorstore.as_retriever(search_kwargs={"k": 4}),
    chain_type_kwargs={"prompt": prompt},
)
# ==========================================
# 6. Main Analyzer Function
# ==========================================
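def analyze(message):
    """Run the full scan on one pasted message and return the four UI outputs.

    Args:
        message: Raw text from the input box. By design this is
            attacker-authored content (a suspicious email or SMS), so every
            value derived from it is untrusted.

    Returns:
        A 4-tuple ``(label, gauge_fig, explanation, iocs)``: the classifier
        label, the Plotly gauge for the classifier probability, the text
        returned by the retrieval/LLM chain, and the result of
        ``extract_iocs``. For empty input, fixed placeholder values are
        returned and no model is run.
    """
    # A missing value (None) is handled like an empty box instead of raising
    # AttributeError on .strip().
    if not message or not message.strip():
        return "⚠️ EMPTY MESSAGE", create_gauge(0), "No content provided.", "No IoCs extracted."

    # classify_text truncates its input to 512 tokens, so for long messages the
    # label and score reflect only the beginning of the text.
    label, risk = classify_text(message)
    gauge_fig = create_gauge(risk)

    # NOTE(review): extract_iocs is defined elsewhere in this file; its output
    # is rendered by a Markdown component, so confirm it defangs URLs and
    # addresses rather than returning them as live links.
    iocs = extract_iocs(message)

    # The message reaches the LLM verbatim and at full length. The explanation
    # can be steered by instructions embedded in the message, so it must not
    # override the independently computed classifier label.
    explanation = qa_chain.run(message)
    return label, gauge_fig, explanation, iocs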
# ==========================================
# 7. Professional Gradio UI
# ==========================================
# Page-level CSS handed to gr.Blocks(css=...) below.
custom_css = """
#header {text-align: center; margin-bottom: 20px;}
#header h1 {font-size: 2.5em; color: #ff4b4b; font-family: 'Inter', sans-serif;}
.attribution {font-size: 0.85em; color: #888; text-align: center; margin-top: 40px;}
"""
# NOTE(review): the nesting below is reconstructed from a listing whose
# indentation was lost; confirm where `gauge` and `expl` sit in the layout.
with gr.Blocks(title="PhishGuard Pro", theme=gr.themes.Soft(primary_hue="red"), css=custom_css) as demo:
    with gr.Column(elem_id="header"):
        gr.Markdown("# 🛡️ PhishGuard Pro")
        gr.Markdown("### Advanced Enterprise Threat Intelligence & Fraud Detector")
        gr.Markdown("*Powered by BERT Classification, IoC Extraction, and LLM Generative AI.*")
    with gr.Row():
        # Left column: input box, scan button and canned examples.
        with gr.Column(scale=5):
            msg = gr.Textbox(lines=6, placeholder="Paste the suspicious email, SMS, or message here...", label="Input Threat Content")
            analyze_btn = gr.Button("🔍 Execute Deep Intelligence Scan", variant="primary", size="lg")
            gr.Markdown("### 💡 Interactive Demo Data")
            # Selecting an example copies its text into the input box (inputs=msg).
            gr.Examples(
                examples=[
                    ["URGENT: Your PayPal account has been limited due to suspicious activity. Click here to verify your identity: http://paypa1-secure-update.com/login"],
                    ["FINAL NOTICE: IRS arrest warrant issued under your name. Pay $500 via Target Giftcards immediately to cancel the warrant. Call us at 1-800-555-0199."],
                    ["Hi, I'm a recruiter from Amazon. We have a remote job paying $500/day for liking YouTube videos. Contact scammer@fakepayment.com and send a $50 registration fee to start."]
                ],
                inputs=msg
            )
        # Right column: classifier status, gauge, extracted indicators, LLM text.
        with gr.Column(scale=5):
            with gr.Row():
                result = gr.Markdown(label="Classification Status", value="**Status:** Awaiting Input...")
                gauge = gr.Plot(label="Threat Matrix Score")
            with gr.Accordion("🛠️ Threat Indicators of Compromise (IoCs)", open=True):
                # Markdown component: it renders analyze()'s fourth return value,
                # which is derived from the analysed message. Confirm that the
                # extractor defangs URLs so indicators are not clickable.
                ioc_box = gr.Markdown(value="*System ready for regex extraction...*")
            # Plain Textbox: the LLM output is displayed as text, not rendered markup.
            expl = gr.Textbox(lines=10, label="⚡ AI Incident Response Plan", interactive=False)
    # The output order must match analyze()'s return tuple:
    # label, gauge figure, explanation, IoCs.
    analyze_btn.click(analyze, inputs=msg, outputs=[result, gauge, expl, ioc_box])
    # Attributions Section
    gr.Markdown(
        """
---
<div class="attribution">
<b>Powered by Open Source AI:</b><br/>
Classification: <a href="https://huggingface.co/Auguzcht/securisense-phishing-detection" target="_blank">Auguzcht/securisense-phishing-detection</a> |
Embeddings: <a href="https://huggingface.co/sentence-transformers/all-MiniLM-L6-v2" target="_blank">Sentence-Transformers</a> |
LLM Explainer: <a href="https://huggingface.co/HuggingFaceH4/zephyr-7b-beta" target="_blank">Zephyr-7B-beta</a><br/>
<i>Developed as a demonstration of a Hybrid AI Security Architecture.</i>
</div>
""",
        elem_classes=["attribution"]
    )
# Start the Gradio server only when this file is run as a script.
# NOTE(review): launch() is called with its defaults, so no authentication or
# explicit concurrency limit is configured here, and every scan triggers a
# 7B-model generation on unbounded input; confirm the hosting layer limits use.
if __name__ == "__main__":
    demo.launch()