diff --git a/http/phishing/amazon-web-services-phish.yaml b/http/phishing/amazon-web-services-phish.yaml
new file mode 100644
index 0000000000..75f8da8f95
--- /dev/null
+++ b/http/phishing/amazon-web-services-phish.yaml
@@ -0,0 +1,33 @@
+id: amazon-web-services-phish
+
+info:
+ name: amazon web services phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A amazon-web-services phishing website was detected
+ reference:
+ - https://signin.aws.amazon.com
+ tags: phishing,amazon-web-services
+
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Amazon Web Services Sign-In'
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"amazon.com")'
\ No newline at end of file
diff --git a/http/phishing/booking-phish.yaml b/http/phishing/booking-phish.yaml
new file mode 100644
index 0000000000..863b71bb2c
--- /dev/null
+++ b/http/phishing/booking-phish.yaml
@@ -0,0 +1,33 @@
+id: booking-phish
+
+info:
+ name: booking phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A booking phishing website was detected
+ reference:
+ - https://booking.com
+ tags: phishing,booking
+
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Booking.com | Official site | The best hotels, flights, car rentals & accommodations'
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"booking.com")'
\ No newline at end of file
diff --git a/http/phishing/brave-phish.yaml b/http/phishing/brave-phish.yaml
new file mode 100644
index 0000000000..a62e5f2344
--- /dev/null
+++ b/http/phishing/brave-phish.yaml
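Review bot: The exclusion `!contains(host,"amazon.com")` in amazon-web-services-phish.yaml is a substring test, so a host that merely embeds the brand domain (constructed example: `amazon.com.login.example`) is treated as legitimate and never reported, which is a false negative for a very common lookalike pattern. Anchoring the check on the registered domain avoids that: `- 'host != "amazon.com" && !ends_with(host, ".amazon.com")'`. The same substring test is used in the other nine templates of this diff, and it is most lossy for short names such as `trip.com` and `brave.com`, where unrelated hosts that happen to contain those letters are excluded as well. Whether `host` can carry a port should be confirmed before relying on a suffix match.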
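Review bot: The word in booking-phish.yaml contains a literal `&` (`car rentals & accommodations`), but word matchers run against the raw response and HTML sources usually write an ampersand in a title as `&amp;`, so the template may never match even a faithful copy of the page. Entries under `words` are OR-ed by default, so adding the encoded form as a second entry covers both spellings: `- 'Booking.com | Official site | The best hotels, flights, car rentals &amp; accommodations'`. The titles in kayak-phish.yaml and skyscanner-phish.yaml contain `&` too and need the same treatment. This is worth confirming against the live page source before merging.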
@@ -0,0 +1,33 @@
+id: brave-phish
+
+info:
+ name: brave phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A brave phishing website was detected
+ reference:
+ - https://brave.com
+ tags: phishing,brave
+
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Brave Browser Download | Brave'
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"brave.com")'
\ No newline at end of file
diff --git a/http/phishing/chrome-phish.yaml b/http/phishing/chrome-phish.yaml
new file mode 100644
index 0000000000..a67d7b9e3f
--- /dev/null
+++ b/http/phishing/chrome-phish.yaml
@@ -0,0 +1,33 @@
+id: chrome-phish
+
+info:
+ name: chrome phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A chrome phishing website was detected
+ reference:
+ - https://www.google.com/intl/en_uk/chrome/
+ tags: phishing,chrome
+
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Google Chrome – Download the fast, secure browser from Google'
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"google.com")'
\ No newline at end of file
diff --git a/http/phishing/digital-ocean-phish.yaml b/http/phishing/digital-ocean-phish.yaml
new file mode 100644
index 0000000000..8c635a8286
--- /dev/null
+++ b/http/phishing/digital-ocean-phish.yaml
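Review bot: The `description` in brave-phish.yaml says a phishing website "was detected", which claims more than the three matchers establish: they show only a 200 response whose body contains the brave.com page title, served from a host that does not contain `brave.com`. Mirrors, web archives and pages that quote the title satisfy that as well, so whoever triages the finding needs the description to say what was actually observed. Suggested wording: `A page reproducing the Brave download page title was served from a host outside brave.com; verify manually before treating it as phishing.` The `name` would also read better capitalised as `Brave Phishing Detection`; both remarks apply to every template in this diff.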
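Review bot: The title matched in chrome-phish.yaml comes from the `en_uk` page listed under `reference`, so the word matcher is locale-specific and copies of other locale variants of the Chrome page would go unreported. The `–` in the string is an en dash, which a page source may carry instead as `&ndash;` or a plain hyphen; that should be checked against the raw response. At minimum the limitation should be recorded next to the matcher, for example `# title of the en_uk Chrome landing page; other locales are not covered`.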
@@ -0,0 +1,37 @@
+id: digital-ocean-phish
+
+info:
+ name: digital ocean phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A digital-ocean phishing website was detected
+ reference:
+ - https://digitalocean.com
+ tags: phishing,digital-ocean
+
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'DigitalOcean | Cloud Infrastructure for Developers'
+
+ - type: word
+ words:
+ - 'DigitalOcean'
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"digitalocean.com")'
\ No newline at end of file
diff --git a/http/phishing/edge-phish.yaml b/http/phishing/edge-phish.yaml
new file mode 100644
index 0000000000..1ecfcf54d8
--- /dev/null
+++ b/http/phishing/edge-phish.yaml
@@ -0,0 +1,33 @@
+id: edge-phish
+
+info:
+ name: edge phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A edge phishing website was detected
+ reference:
+ - https://www.microsoft.com/en-us/edge/download?form=MA13FJ&ch=1
+ tags: phishing,edge
+
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Sign in - edge Accounts'
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"microsoft.com")'
\ No newline at end of file
diff --git a/http/phishing/kayak-phish.yaml b/http/phishing/kayak-phish.yaml
new file mode 100644
index 0000000000..8716a05d27
--- /dev/null
+++ b/http/phishing/kayak-phish.yaml
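Review bot: The second word matcher in digital-ocean-phish.yaml (`- 'DigitalOcean'`) can never change the result. Under `matchers-condition: and` the first matcher already requires 'DigitalOcean | Cloud Infrastructure for Developers', which contains that string. Dropping the second matcher (the blank line, `- type: word`, `words:` and `- 'DigitalOcean'`) leaves the behaviour unchanged and brings the template in line with the other nine.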
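Review bot: The word `'Sign in - edge Accounts'` in edge-phish.yaml does not look like a title of the page given under `reference`, which is the Microsoft Edge download page; it reads like a sign-in page title with the brand name substituted in. If that is the case, the template cannot match a copy of the referenced page and will silently report nothing. The string should be replaced with the title actually served by the reference page, copied from its source: `- '<title text copied from the reference page>'` (placeholder, I have not confirmed the live title).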
@@ -0,0 +1,33 @@
+id: kayak-phish
+
+info:
+ name: kayak phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A kayak phishing website was detected
+ reference:
+ - https://kayak.co.uk
+ tags: phishing,kayak
+
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Search Flights, Hotels & Car Hire | KAYAK'
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"kayak.co.uk")'
\ No newline at end of file
diff --git a/http/phishing/skyscanner-phish.yaml b/http/phishing/skyscanner-phish.yaml
new file mode 100644
index 0000000000..e4c1e635a5
--- /dev/null
+++ b/http/phishing/skyscanner-phish.yaml
@@ -0,0 +1,33 @@
+id: skyscanner-phish
+
+info:
+ name: skyscanner phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A skyscanner phishing website was detected
+ reference:
+ - https://skyscanner.net
+ tags: phishing,skyscanner
+
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Compare Cheap Flights & Book Airline Tickets to Everywhere | Skyscanner'
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"skyscanner.net")'
\ No newline at end of file
diff --git a/http/phishing/trip-phish.yaml b/http/phishing/trip-phish.yaml
new file mode 100644
index 0000000000..d0a13ec1d4
--- /dev/null
+++ b/http/phishing/trip-phish.yaml
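Review bot: Only `kayak.co.uk` is excluded in kayak-phish.yaml, so if KAYAK serves the same "Car Hire" title from other domains it owns, those legitimate sites would be reported as phishing. The dsl matcher can list every brand-owned domain that serves this title, for example `- '!contains(host,"kayak.co.uk") && !contains(host,"<other brand-owned domain>")'` (placeholder, to be filled from the brand's own domain list). skyscanner-phish.yaml excludes only `skyscanner.net` and likely needs the same review.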
@@ -0,0 +1,33 @@
+id: trip-phish
+
+info:
+ name: trip phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A trip phishing website was detected
+ reference:
+ - https://trip.com
+ tags: phishing,trip
+
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Trip.com: Book cheap flights, hotels, car rentals, trains and more'
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"trip.com")'
\ No newline at end of file
diff --git a/http/phishing/vultr-phish.yaml b/http/phishing/vultr-phish.yaml
new file mode 100644
index 0000000000..4b9ab3f09e
--- /dev/null
+++ b/http/phishing/vultr-phish.yaml
@@ -0,0 +1,33 @@
+id: vultr-phish
+
+info:
+ name: vultr phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A vultr phishing website was detected
+ reference:
+ - https://my.vultr.com/
+ tags: phishing,vultr
+
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Log In to your Vultr Account - Vultr.com'
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"vultr.com")'
\ No newline at end of file