id: amazon-phish

info:
  name: Amazon phishing Detection
  author: rxerium
  severity: info
  description: |
    An amazon phishing website was detected
  reference:
    - https://amazon.com
  metadata:
    max-request: 1
  tags: phishing,amazon,osint
http:
  - method: GET
    path:
      - "{{BaseURL}}"

    host-redirects: true
    max-redirects: 2

    matchers-condition: and
    matchers:
      - type: word
        words:
          - 'Amazon Sign In'
          - 'Amazon Sign-In'
        condition: or

      - type: status
        status:
          - 200

      - type: dsl
        dsl:
          - '!contains(host,"amazon.com")'
          - '!contains(host,"amazon.co.uk")'
          - '!contains(host,"amazon.co.es")'
          - '!contains(host,"amazon.sg")'
          - '!contains(host,"amazon.sa")'
          - '!contains(host,"amazon.ca")'
          - '!contains(host,"amazon.cn")'
          - '!contains(host,"amazon.eg")'
          - '!contains(host,"amazon.fr")'
          - '!contains(host,"amazon.de")'
          - '!contains(host,"amazon.in")'
          - '!contains(host,"amazon.it")'
          - '!contains(host,"amazon.co.jp")'
          - '!contains(host,"amazon.pl")'
          - '!contains(host,"amazon.se")'
          - '!contains(host,"amazon.ae")'
          - '!contains(host,"amazon.com.tr")'
        condition: and
# digest: 4b0a00483046022100af248a3821b085237dfbc6686e32f92c08958b25af6d5684615e3a75c5e260c7022100d2f4ab6ca4b82e48706462c2d7059e27e418a531e819c13e2f853e9e9f1a97eb:922c64590222798bb761d5b6d8e72950