id: amazon-phish

info:
  name: Amazon phishing Detection
  author: rxerium
  severity: info
  description: |
    An amazon phishing website was detected
  reference:
    - https://amazon.com
  metadata:
    max-request: 1
  tags: phishing,amazon,osint
http:
  - method: GET
    path:
      - "{{BaseURL}}"

    host-redirects: true
    max-redirects: 2

    matchers-condition: and
    matchers:
      - type: word
        words:
          - 'Amazon Sign In'
          - 'Amazon Sign-In'
        condition: or

      - type: status
        status:
          - 200

      - type: dsl
        dsl:
          - '!contains(host,"amazon.com")'
          - '!contains(host,"amazon.co.uk")'
          - '!contains(host,"amazon.co.es")'
          - '!contains(host,"amazon.sg")'
          - '!contains(host,"amazon.sa")'
          - '!contains(host,"amazon.ca")'
          - '!contains(host,"amazon.cn")'
          - '!contains(host,"amazon.eg")'
          - '!contains(host,"amazon.fr")'
          - '!contains(host,"amazon.de")'
          - '!contains(host,"amazon.in")'
          - '!contains(host,"amazon.it")'
          - '!contains(host,"amazon.co.jp")'
          - '!contains(host,"amazon.pl")'
          - '!contains(host,"amazon.se")'
          - '!contains(host,"amazon.ae")'
          - '!contains(host,"amazon.com.tr")'
        condition: and
# digest: 4b0a00483046022100c3e194ed121567175fdfbd27960e399dba17bd787b62ca4293050c19ff83850f0221008f2b6721bb5c77acd67b30c3b637259efae80eb654f82a8dbe68322dd54b4d91:922c64590222798bb761d5b6d8e72950