🔍 Victim Monitoring System

⚠️ CRITICAL DISTINCTION ⚠️
Customers = Your paying clients who use the framework
Victims = End users targeted by your customers (potential law enforcement)

🎯 System Overview

The Victim Monitoring System detects when potential law enforcement agents or security researchers are interacting with your phishing infrastructure. This system provides real-time threat detection and automatic defensive responses.

🔍 VICTIM MONITORING ARCHITECTURE

┌─────────────────┐    ┌─────────────────┐    ┌─────────────────┐
│   MITM PROXY    │────│ VICTIM MONITOR  │────│  RISK ANALYSIS  │
│                 │    │                 │    │                 │
│ • Entry Point   │    │ • Email Track   │    │ • Gov Email     │
│ • IP Capture    │    │ • IP Mapping    │    │ • LE IP Range   │
│ • User Agent    │    │ • Activity Log  │    │ • Tool Detect   │
└─────────────────┘    └─────────────────┘    └─────────────────┘
         │                      │                      │
         └──────────────────────┼──────────────────────┘
                                │
                       ┌─────────────────┐
                       │  AUTO RESPONSE  │
                       │                 │
                       │ • Block LE      │
                       │ • Alert Admin   │
                       │ • Rate Limit    │
                       │ • Decoy Traffic │
                       └─────────────────┘

🚨 Risk Classification

SAFE (0)

Normal victim behavior

  • Standard email domains
  • Regular browsing patterns
  • No automation signatures
  • Consumer IP ranges

SUSPICIOUS (1)

Some concerning indicators

  • Unusual browsing patterns
  • Technical email domains
  • Rapid form interactions
  • VPN/proxy usage

DANGEROUS (2)

Multiple red flags detected

  • Security company domains
  • Investigation-style browsing
  • Automation tool signatures
  • Systematic URL testing

LAW ENFORCEMENT (3)

High confidence LE detection

  • .gov/.mil email domains
  • Known LE IP ranges
  • Law enforcement agencies
  • Government network signatures

🔧 API Endpoints

Security Alerts - High-Risk Victims

GET /admin/security-alerts

Purpose: Get real-time security alerts for law enforcement detection

curl -H "Authorization: Bearer [FIRESTORE_AUTH]" \
  https://your-domain.com/admin/security-alerts

Response Example:

{
  "timestamp": "2025-08-17T10:30:00Z",
  "alert_count": 3,
  "alerts": [
    {
      "slug": "victim@fbi.gov",
      "risk_level": "LAW_ENFORCEMENT",
      "risk_score": 85,
      "flags": ["gov_email", "law_enforcement"],
      "last_active": "2025-08-17T10:25:00Z",
      "threat_type": "GOVERNMENT_EMAIL",
      "action_taken": "IMMEDIATE_BLOCK"
    }
  ]
}

Customer Performance Metrics

GET /admin/customer-metrics

Purpose: Get customer performance data (simplified since we focus on victim monitoring)

curl -H "Authorization: Bearer [FIRESTORE_AUTH]" \
  "https://your-domain.com/admin/customer-metrics?slug=CUSTOMER_SLUG"

Response Example:

{
  "slug": "customer-abc",
  "performance": "ACTIVE",
  "risk_level": "UNKNOWN",
  "total_visits": 150,
  "security_alerts": 2
}

Link Performance Analytics

GET /admin/link-performance

Purpose: Get aggregate performance metrics with victim security data

curl -H "Authorization: Bearer [FIRESTORE_AUTH]" \
  https://your-domain.com/admin/link-performance

🛡️ Detection Methods

Multi-Layer Detection System

Layer 1: Email Domain Analysis
Government Patterns: .gov, .mil, .police, .fbi, .dhs, .doj
Layer 2: IP Geolocation
LE IP Ranges: 192.52.178.0/24 (FBI), 149.101.0.0/16 (DHS)
Layer 3: User Agent Analysis
Tool Signatures: selenium, phantomjs, headless, bot, crawler
Layer 4: Behavioral Patterns
Investigation Behavior: Rapid testing, systematic probing

⚡ Automatic Response System

| Threat Type         | Detection Method     | Auto Response     | Risk Score |
|---------------------|----------------------|-------------------|------------|
| Government Email    | Email domain pattern | IMMEDIATE_BLOCK   | +60        |
| Law Enforcement IP  | CIDR range match     | IMMEDIATE_BLOCK   | +70        |
| Security Research   | Tool signatures      | BLOCK_RECOMMENDED | +40        |
| Automated Scan      | Behavior analysis    | RATE_LIMIT        | +25        |

🔒 System Architecture

Global Monitor Instance

monitoring/monitor.go

  • Single global VictimMonitor
  • Shared across all packages
  • Automatic initialization
  • Thread-safe operations

Victim Detection Engine

monitoring/victim_monitor.go

  • Email/IP correlation
  • Risk scoring algorithms
  • Pattern recognition
  • Real-time analysis

MITM Integration

proxy/mitm.go

  • Entry point monitoring
  • Anonymous victim tracking
  • IP address capture
  • User agent analysis

Credential Handler

capture/handler.go

  • Email correlation
  • Detailed victim analysis
  • Blocking decisions
  • Alert generation

📊 Dashboard Integration

Real-time Monitoring:

🚨 Alert Categories

🏛️ Government Email

Threat: GOVERNMENT_EMAIL

Action: IMMEDIATE_BLOCK

Detects .gov/.mil domains and law enforcement agencies

🚔 Law Enforcement IP

Threat: LAW_ENFORCEMENT

Action: IMMEDIATE_BLOCK

Known FBI, DHS, DOJ IP ranges and networks

🔬 Security Research

Threat: SECURITY_RESEARCH

Action: BLOCK_RECOMMENDED

Security companies and research institutions

🤖 Automated Tools

Threat: AUTOMATED_SCAN

Action: RATE_LIMIT

Bot frameworks and security scanners

⚙️ Configuration Options

// Add custom government domains
govPatterns := []string{
    `\.gov$`,
    `\.mil$`,
    `\.police\.`,
    `\.gov\.uk$`, `\.gov\.au$`, // International
    `YOUR_CUSTOM_PATTERN`,      // Add your intel
}

// Update law enforcement IP ranges
leRanges := []string{
    "192.52.178.0/24",  // FBI
    "149.101.0.0/16",   // DHS
    "204.248.25.0/24",  // DOJ
    "YOUR_INTEL_RANGE", // Add your intelligence
}

// Enhance tool detection
toolSignatures := []string{
    "selenium", "phantomjs", "headless",
    "burpsuite", "owasp-zap", "nmap",
    "YOUR_SIGNATURE", // Custom signatures
}

💡 Operational Best Practices

Daily Operations:
  1. Morning Review: Check overnight security alerts
  2. Pattern Analysis: Look for systematic investigation signs
  3. Intelligence Updates: Add new LE IP ranges and domains
  4. Customer Notifications: Alert customers of high-risk detections
Investigation Indicators:

🔒 OPSEC Guidelines

SECURITY REMINDERS:
• Monitor admin endpoints for access attempts
• Use VPN when accessing victim monitoring data
• Rotate admin tokens regularly
• Keep law enforcement intelligence updated
• Document all high-risk victim interactions

🔗 Integration Points

| System Component   | Integration Function | Monitoring Level    | Response Action       |
|--------------------|----------------------|---------------------|-----------------------|
| MITM Proxy         | Anonymous tracking   | IP/User-Agent       | Initial assessment    |
| Credential Capture | Email correlation    | Full victim profile | Blocking decisions    |
| Admin Dashboard    | Real-time alerts     | Security monitoring | Manual intervention   |
| Customer Metrics   | Performance data     | Aggregate statistics| Business intelligence |

📋 Quick Reference

Key Endpoints:
GET /admin/security-alerts - Real-time LE detection alerts
GET /admin/customer-metrics - Customer performance data
GET /admin/link-performance - Aggregate analytics

Global Access:
monitoring.GlobalVictimMonitor - Use from any package

Core Functions:
TrackVictimActivity() - Log victim interaction
ShouldBlockVictim() - Check blocking decision
GetHighRiskVictims() - Get security alerts
⚠️ OPERATIONAL SECURITY REMINDER:
This system is designed to protect against law enforcement investigation. Always ensure your usage complies with applicable laws and maintains proper operational security practices.

🔗 Related Documentation