From dba979427b71851133e6a03f748d505d09f2e41b Mon Sep 17 00:00:00 2001 
From: rxerium Date: Mon, 5 Jan 2026 12:01:55 +0000 Subject: [PATCH 01/16] Add phishing templates from 1a-auto-phish to discover-phish --- http/osint/phishing/1a-auto-phish.yaml | 34 +++++++++++++++++ http/osint/phishing/ace-hardware-phish.yaml | 36 ++++++++++++++++++ http/osint/phishing/advance-auto-phish.yaml | 36 ++++++++++++++++++ http/osint/phishing/airbnb-phish.yaml | 36 ++++++++++++++++++ http/osint/phishing/ally-bank-phish.yaml | 36 ++++++++++++++++++ http/osint/phishing/amc-plus-phish.yaml | 36 ++++++++++++++++++ http/osint/phishing/americanmuscle-phish.yaml | 34 +++++++++++++++++ http/osint/phishing/anz-phish.yaml | 34 +++++++++++++++++ http/osint/phishing/asana-phish.yaml | 36 ++++++++++++++++++ http/osint/phishing/atlassian-phish.yaml | 34 +++++++++++++++++ http/osint/phishing/audible-phish.yaml | 37 ++++++++++++++++++ http/osint/phishing/auth0-phish.yaml | 35 +++++++++++++++++ http/osint/phishing/autozone-phish.yaml | 36 ++++++++++++++++++ http/osint/phishing/azure-phish.yaml | 35 +++++++++++++++++ http/osint/phishing/bandcamp-phish.yaml | 36 ++++++++++++++++++ http/osint/phishing/barclays-phish.yaml | 38 +++++++++++++++++++ http/osint/phishing/bethesda-phish.yaml | 36 ++++++++++++++++++ http/osint/phishing/binance-phish.yaml | 36 ++++++++++++++++++ http/osint/phishing/bitbucket-phish.yaml | 37 ++++++++++++++++++ http/osint/phishing/bitfinex-phish.yaml | 36 ++++++++++++++++++ http/osint/phishing/bjs-phish.yaml | 36 ++++++++++++++++++ http/osint/phishing/blizzard-phish.yaml | 36 ++++++++++++++++++ http/osint/phishing/bmo-phish.yaml | 36 ++++++++++++++++++ http/osint/phishing/bnp-paribas-phish.yaml | 38 +++++++++++++++++++ http/osint/phishing/booking-com-phish.yaml | 36 ++++++++++++++++++ http/osint/phishing/buymeacoffee-phish.yaml | 36 ++++++++++++++++++ http/osint/phishing/cafepress-phish.yaml | 36 ++++++++++++++++++ http/osint/phishing/canva-phish.yaml | 34 +++++++++++++++++ http/osint/phishing/capital-one-phish.yaml | 36 ++++++++++++++++++ 
http/osint/phishing/caviar-phish.yaml | 36 ++++++++++++++++++ http/osint/phishing/chatgpt-phish.yaml | 37 ++++++++++++++++++ http/osint/phishing/chime-phish.yaml | 36 ++++++++++++++++++ http/osint/phishing/cibc-phish.yaml | 36 ++++++++++++++++++ http/osint/phishing/citibank-phish.yaml | 37 ++++++++++++++++++ http/osint/phishing/cj-pony-parts-phish.yaml | 34 +++++++++++++++++ http/osint/phishing/cloudflare-phish.yaml | 36 ++++++++++++++++++ http/osint/phishing/coinbase-phish.yaml | 36 ++++++++++++++++++ http/osint/phishing/comerica-phish.yaml | 36 ++++++++++++++++++ .../phishing/commonwealth-bank-phish.yaml | 36 ++++++++++++++++++ http/osint/phishing/costco-phish.yaml | 36 ++++++++++++++++++ .../osint/phishing/credit-agricole-phish.yaml | 36 ++++++++++++++++++ http/osint/phishing/crunchyroll-phish.yaml | 36 ++++++++++++++++++ http/osint/phishing/csgo-phish.yaml | 37 ++++++++++++++++++ http/osint/phishing/current-phish.yaml | 36 ++++++++++++++++++ http/osint/phishing/customink-phish.yaml | 36 ++++++++++++++++++ http/osint/phishing/cvs-phish.yaml | 36 ++++++++++++++++++ http/osint/phishing/dbs-phish.yaml | 36 ++++++++++++++++++ http/osint/phishing/depop-phish.yaml | 36 ++++++++++++++++++ http/osint/phishing/deutsche-bank-phish.yaml | 36 ++++++++++++++++++ http/osint/phishing/dhl-phish.yaml | 36 ++++++++++++++++++ http/osint/phishing/discover-phish.yaml | 36 ++++++++++++++++++ 51 files changed, 1831 insertions(+) create mode 100644 http/osint/phishing/1a-auto-phish.yaml create mode 100644 http/osint/phishing/ace-hardware-phish.yaml create mode 100644 http/osint/phishing/advance-auto-phish.yaml create mode 100644 http/osint/phishing/airbnb-phish.yaml create mode 100644 http/osint/phishing/ally-bank-phish.yaml create mode 100644 http/osint/phishing/amc-plus-phish.yaml create mode 100644 http/osint/phishing/americanmuscle-phish.yaml create mode 100644 http/osint/phishing/anz-phish.yaml create mode 100644 http/osint/phishing/asana-phish.yaml create mode 100644 
http/osint/phishing/atlassian-phish.yaml create mode 100644 http/osint/phishing/audible-phish.yaml create mode 100644 http/osint/phishing/auth0-phish.yaml create mode 100644 http/osint/phishing/autozone-phish.yaml create mode 100644 http/osint/phishing/azure-phish.yaml create mode 100644 http/osint/phishing/bandcamp-phish.yaml create mode 100644 http/osint/phishing/barclays-phish.yaml create mode 100644 http/osint/phishing/bethesda-phish.yaml create mode 100644 http/osint/phishing/binance-phish.yaml create mode 100644 http/osint/phishing/bitbucket-phish.yaml create mode 100644 http/osint/phishing/bitfinex-phish.yaml create mode 100644 http/osint/phishing/bjs-phish.yaml create mode 100644 http/osint/phishing/blizzard-phish.yaml create mode 100644 http/osint/phishing/bmo-phish.yaml create mode 100644 http/osint/phishing/bnp-paribas-phish.yaml create mode 100644 http/osint/phishing/booking-com-phish.yaml create mode 100644 http/osint/phishing/buymeacoffee-phish.yaml create mode 100644 http/osint/phishing/cafepress-phish.yaml create mode 100644 http/osint/phishing/canva-phish.yaml create mode 100644 http/osint/phishing/capital-one-phish.yaml create mode 100644 http/osint/phishing/caviar-phish.yaml create mode 100644 http/osint/phishing/chatgpt-phish.yaml create mode 100644 http/osint/phishing/chime-phish.yaml create mode 100644 http/osint/phishing/cibc-phish.yaml create mode 100644 http/osint/phishing/citibank-phish.yaml create mode 100644 http/osint/phishing/cj-pony-parts-phish.yaml create mode 100644 http/osint/phishing/cloudflare-phish.yaml create mode 100644 http/osint/phishing/coinbase-phish.yaml create mode 100644 http/osint/phishing/comerica-phish.yaml create mode 100644 http/osint/phishing/commonwealth-bank-phish.yaml create mode 100644 http/osint/phishing/costco-phish.yaml create mode 100644 http/osint/phishing/credit-agricole-phish.yaml create mode 100644 http/osint/phishing/crunchyroll-phish.yaml create mode 100644 http/osint/phishing/csgo-phish.yaml create 
mode 100644 http/osint/phishing/current-phish.yaml create mode 100644 http/osint/phishing/customink-phish.yaml create mode 100644 http/osint/phishing/cvs-phish.yaml create mode 100644 http/osint/phishing/dbs-phish.yaml create mode 100644 http/osint/phishing/depop-phish.yaml create mode 100644 http/osint/phishing/deutsche-bank-phish.yaml create mode 100644 http/osint/phishing/dhl-phish.yaml create mode 100644 http/osint/phishing/discover-phish.yaml
diff --git a/http/osint/phishing/1a-auto-phish.yaml b/http/osint/phishing/1a-auto-phish.yaml
new file mode 100644
index 00000000000..111193b8bf3
--- /dev/null
+++ b/http/osint/phishing/1a-auto-phish.yaml
@@ -0,0 +1,34 @@
+id: 1a-auto-phish
+
+info:
+ name: 1A Auto phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A 1A Auto phishing website was detected
+ reference:
+ - https://1aauto.com
+ metadata:
+ max-request: 1
+ tags: phishing,1a-auto,ecommerce,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - '1A Auto | Aftermarket Car Parts - Buy Quality Auto Parts Online'
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"1aauto.com")'
\ No newline at end of file
diff --git a/http/osint/phishing/ace-hardware-phish.yaml b/http/osint/phishing/ace-hardware-phish.yaml
new file mode 100644
index 00000000000..8943d3d66a5
--- /dev/null
+++ b/http/osint/phishing/ace-hardware-phish.yaml
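Review bot: The host exclusion `- '!contains(host,"1aauto.com")'` in 1a-auto-phish.yaml is a substring test, so any host name that merely embeds the brand domain is treated as the genuine site and the template stays silent on it. An anchored comparison closes that detection gap, for example `- 'host != "1aauto.com" && !ends_with(host, ".1aauto.com")'` (assuming `host` carries no port here; confirm against the engine). Every other template added in this patch uses the same `!contains(host, …)` pattern, so the change applies to all of them.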
@@ -0,0 +1,36 @@
+id: ace-hardware-phish
+
+info:
+ name: Ace Hardware phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ An Ace Hardware phishing website was detected
+ reference:
+ - https://acehardware.com
+ metadata:
+ max-request: 1
+ tags: phishing,ace-hardware,ecommerce,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Ace Hardware'
+ - 'Shop Ace Hardware for grills, hardware, home improvement, lawn and garden, and tools. Buy online & pickup today!'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"acehardware.com")'
diff --git a/http/osint/phishing/advance-auto-phish.yaml b/http/osint/phishing/advance-auto-phish.yaml
new file mode 100644
index 00000000000..f081df7cee2
--- /dev/null
+++ b/http/osint/phishing/advance-auto-phish.yaml
@@ -0,0 +1,36 @@
+id: advance-auto-phish
+
+info:
+ name: Advance Auto Parts phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ An Advance Auto Parts phishing website was detected
+ reference:
+ - https://advanceautoparts.com
+ metadata:
+ max-request: 1
+ tags: phishing,advance-auto,ecommerce,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Advance Auto Parts: Car, Engine, Batteries, Brakes, Replacement, Performance & Accessories'
+ - 'Advance Auto '
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"advanceautoparts.com")'
diff --git a/http/osint/phishing/airbnb-phish.yaml b/http/osint/phishing/airbnb-phish.yaml
new file mode 100644
index 00000000000..afc064207be
--- /dev/null
+++ b/http/osint/phishing/airbnb-phish.yaml
@@ -0,0 +1,36 @@
+id: airbnb-phish
+
+info:
+ name: Airbnb phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ An Airbnb phishing website was detected
+ reference:
+ - https://airbnb.com
+ metadata:
+ max-request: 1
+ tags: phishing,airbnb,travel,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'https://a0.muscache.com/airbnb/static/'
+ - 'Airbnb'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"airbnb.com")'
diff --git a/http/osint/phishing/ally-bank-phish.yaml b/http/osint/phishing/ally-bank-phish.yaml
new file mode 100644
index 00000000000..d04ca7e3b11
--- /dev/null
+++ b/http/osint/phishing/ally-bank-phish.yaml
@@ -0,0 +1,36 @@
+id: ally-bank-phish
+
+info:
+ name: Ally Bank phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ An Ally Bank phishing website was detected
+ reference:
+ - https://ally.com
+ metadata:
+ max-request: 1
+ tags: phishing,ally-bank,bank,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Ally'
+ - 'anage your money with Ally: online banking, auto financing, and investments. Financial products designed to help you pursue your goals.'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"ally.com")'
diff --git a/http/osint/phishing/amc-plus-phish.yaml b/http/osint/phishing/amc-plus-phish.yaml
new file mode 100644
index 00000000000..290d6fe5c7f
--- /dev/null
+++ b/http/osint/phishing/amc-plus-phish.yaml
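Review bot: The only excluded name in airbnb-phish.yaml is `"airbnb.com"`, so any other brand-owned host that serves the same page body, or redirects to it under `host-redirects: true`, would be reported as a phishing site; this assumes `host` keeps the scanned name after a redirect, which the hunk does not show. Consider listing the brand's other official domains as further `!contains`/anchored entries under `dsl` together with `condition: and`. It would also help triage to say in `description` that a hit means brand content was served from a non-brand host and needs manual confirmation.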
@@ -0,0 +1,36 @@
+id: amc-plus-phish
+
+info:
+ name: AMC+ phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ An AMC+ phishing website was detected
+ reference:
+ - https://amcplus.com
+ metadata:
+ max-request: 1
+ tags: phishing,amc-plus,streaming,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'AMC+ features world-class originals, award-winning series, and exclusive movies. Includes Shudder & Sundance Now. AMC+ is entertainment uncompromised. Start your free trial!'
+ - '<title>AMC+ | Premium Streaming Bundle | Watch TV Shows & Movies'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"amcplus.com")'
diff --git a/http/osint/phishing/americanmuscle-phish.yaml b/http/osint/phishing/americanmuscle-phish.yaml
new file mode 100644
index 00000000000..4e05778485f
--- /dev/null
+++ b/http/osint/phishing/americanmuscle-phish.yaml
@@ -0,0 +1,34 @@
+id: americanmuscle-phish
+
+info:
+ name: AmericanMuscle phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ An AmericanMuscle phishing website was detected
+ reference:
+ - https://americanmuscle.com
+ metadata:
+ max-request: 1
+ tags: phishing,americanmuscle,ecommerce,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - '<title>Performance Muscle Car Parts & Accessories | AmericanMuscle'
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"americanmuscle.com")'
diff --git a/http/osint/phishing/anz-phish.yaml b/http/osint/phishing/anz-phish.yaml
new file mode 100644
index 00000000000..6c933dc0bed
--- /dev/null
+++ b/http/osint/phishing/anz-phish.yaml
@@ -0,0 +1,34 @@
+id: anz-phish
+
+info:
+ name: ANZ phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ An ANZ phishing website was detected
+ reference:
+ - https://anz.com
+ metadata:
+ max-request: 1
+ tags: phishing,anz,bank,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - '<title>ANZ Personal – Bank accounts, home loans, credit cards & more | ANZ'
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"anz.com")'
diff --git a/http/osint/phishing/asana-phish.yaml b/http/osint/phishing/asana-phish.yaml
new file mode 100644
index 00000000000..45319ed42df
--- /dev/null
+++ b/http/osint/phishing/asana-phish.yaml
@@ -0,0 +1,36 @@
+id: asana-phish
+
+info:
+ name: Asana phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ An Asana phishing website was detected
+ reference:
+ - https://asana.com
+ metadata:
+ max-request: 1
+ tags: phishing,asana,productivity,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'window.AsanaStorage.optanonWrapperInitialized'
+ - 'Asana'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"asana.com")'
diff --git a/http/osint/phishing/atlassian-phish.yaml b/http/osint/phishing/atlassian-phish.yaml
new file mode 100644
index 00000000000..cbbf34fe027
--- /dev/null
+++ b/http/osint/phishing/atlassian-phish.yaml
@@ -0,0 +1,34 @@
+id: atlassian-phish
+
+info:
+ name: Atlassian phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ An Atlassian phishing website was detected
+ reference:
+ - https://atlassian.com
+ metadata:
+ max-request: 1
+ tags: phishing,atlassian,productivity,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'team collaboration software like Jira, Confluence and Trello help teams organize, discuss, and complete shared work.'
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"atlassian.com")'
diff --git a/http/osint/phishing/audible-phish.yaml b/http/osint/phishing/audible-phish.yaml
new file mode 100644
index 00000000000..ab3c9e16dec
--- /dev/null
+++ b/http/osint/phishing/audible-phish.yaml
@@ -0,0 +1,37 @@
+id: audible-phish
+
+info:
+ name: Audible phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ An Audible phishing website was detected
+ reference:
+ - https://audible.com
+ metadata:
+ max-request: 1
+ tags: phishing,audible,amazon,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Audible'
+ - 'Try Audible free for 30 days! Start listening to best-selling audiobooks, exclusive Originals, and free podcasts with the Audible app.'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"audible.com")'
+ - '!contains(host,"amazon.com")'
diff --git a/http/osint/phishing/auth0-phish.yaml b/http/osint/phishing/auth0-phish.yaml
new file mode 100644
index 00000000000..41fb3ee0e43
--- /dev/null
+++ b/http/osint/phishing/auth0-phish.yaml
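Review bot: The dsl matcher in audible-phish.yaml lists two expressions without `condition: and`, and Nuclei combines multiple entries of one matcher with `or` by default, so `'!contains(host,"amazon.com")'` alone is true on audible.com and the genuine site would be reported as phishing. Add `condition: and` under the `dsl` list, as barclays-phish.yaml and bnp-paribas-phish.yaml in this patch already do. azure-phish.yaml, bitbucket-phish.yaml and chatgpt-phish.yaml have the same two-entry dsl matcher without the condition and need the same line.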
@@ -0,0 +1,35 @@
+id: auth0-phish
+
+info:
+ name: Auth0 phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ An Auth0 phishing website was detected
+ reference:
+ - https://auth0.com
+ metadata:
+ max-request: 1
+ tags: phishing,auth0,authentication,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'ecure users, AI agents, and more with Auth0, an easy-to-implement, scalable, and adaptable authentication and authorization platform.'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"auth0.com")'
diff --git a/http/osint/phishing/autozone-phish.yaml b/http/osint/phishing/autozone-phish.yaml
new file mode 100644
index 00000000000..e93afe074af
--- /dev/null
+++ b/http/osint/phishing/autozone-phish.yaml
@@ -0,0 +1,36 @@
+id: autozone-phish
+
+info:
+ name: AutoZone phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ An AutoZone phishing website was detected
+ reference:
+ - https://autozone.com
+ metadata:
+ max-request: 1
+ tags: phishing,autozone,ecommerce,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'AutoZone'
+ - 'Shop top-quality auto parts at AutoZone. Your go-to source for car and truck parts, DIY repair advice, and Free Next Day Delivery. Shop at over 6300 locations nationwide'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"autozone.com")'
diff --git a/http/osint/phishing/azure-phish.yaml b/http/osint/phishing/azure-phish.yaml
new file mode 100644
index 00000000000..39ffbf731ac
--- /dev/null
+++ b/http/osint/phishing/azure-phish.yaml
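Review bot: The word matcher in auth0-phish.yaml sets `condition: and` over a single entry, which has no effect and reads as if a second word was dropped. Either remove the `condition: and` line or add a second string, the way the sibling templates pair a brand or title string with the description text, so the matcher is as specific as theirs.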
@@ -0,0 +1,35 @@
+id: azure-phish
+
+info:
+ name: Microsoft Azure phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Microsoft Azure phishing website was detected
+ reference:
+ - https://azure.microsoft.com
+ metadata:
+ max-request: 1
+ tags: phishing,azure,microsoft,cloud,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Invent with purpose, realize cost savings, and make your organization more efficient with Microsoft Azure’s open and flexible cloud computing platform.'
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"azure.com")'
+ - '!contains(host,"microsoft.com")'
diff --git a/http/osint/phishing/bandcamp-phish.yaml b/http/osint/phishing/bandcamp-phish.yaml
new file mode 100644
index 00000000000..2a050af281a
--- /dev/null
+++ b/http/osint/phishing/bandcamp-phish.yaml
@@ -0,0 +1,36 @@
+id: bandcamp-phish
+
+info:
+ name: Bandcamp phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Bandcamp phishing website was detected
+ reference:
+ - https://bandcamp.com
+ metadata:
+ max-request: 1
+ tags: phishing,bandcamp,streaming,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Bandcamp'
+ - 'Discover amazing music and directly support the artists who make it.'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"bandcamp.com")'
diff --git a/http/osint/phishing/barclays-phish.yaml b/http/osint/phishing/barclays-phish.yaml
new file mode 100644
index 00000000000..ec58ddf7e76
--- /dev/null
+++ b/http/osint/phishing/barclays-phish.yaml
@@ -0,0 +1,38 @@
+id: barclays-phish
+
+info:
+ name: Barclays phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Barclays phishing website was detected
+ reference:
+ - https://barclays.com
+ metadata:
+ max-request: 1
+ tags: phishing,barclays,bank,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Barclays'
+ - '<title>Barclays Group corporate website | Barclays'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"barclays.com")'
+ - '!contains(host,"home.barclays")'
+ condition: and
diff --git a/http/osint/phishing/bethesda-phish.yaml b/http/osint/phishing/bethesda-phish.yaml
new file mode 100644
index 00000000000..aa7daf4cac6
--- /dev/null
+++ b/http/osint/phishing/bethesda-phish.yaml
@@ -0,0 +1,36 @@
+id: bethesda-phish
+
+info:
+ name: Bethesda phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Bethesda phishing website was detected
+ reference:
+ - https://bethesda.net
+ metadata:
+ max-request: 1
+ tags: phishing,bethesda,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'The official site for Bethesda, publisher of Fallout, DOOM, Dishonored, Skyrim, Wolfenstein, The Elder Scrolls, more. Your source for news, features & community'
+ - 'Bethesda'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"bethesda.net")'
diff --git a/http/osint/phishing/binance-phish.yaml b/http/osint/phishing/binance-phish.yaml
new file mode 100644
index 00000000000..1a6b149bf3b
--- /dev/null
+++ b/http/osint/phishing/binance-phish.yaml
@@ -0,0 +1,36 @@
+id: binance-phish
+
+info:
+ name: Binance phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Binance phishing website was detected
+ reference:
+ - https://binance.com
+ metadata:
+ max-request: 1
+ tags: phishing,binance,crypto,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Binance'
+ - 'Binance: The World’s Most Trusted Cryptocurrency Exchange to Buy, Trade & Invest in Crypto'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"binance.com")'
diff --git a/http/osint/phishing/bitbucket-phish.yaml b/http/osint/phishing/bitbucket-phish.yaml
new file mode 100644
index 00000000000..a39a4f10034
--- /dev/null
+++ b/http/osint/phishing/bitbucket-phish.yaml
@@ -0,0 +1,37 @@
+id: bitbucket-phish
+
+info:
+ name: Bitbucket phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Bitbucket phishing website was detected
+ reference:
+ - https://bitbucket.org
+ metadata:
+ max-request: 1
+ tags: phishing,bitbucket,atlassian,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Bitbucket'
+ - '<title> Bitbucket | Git solution for teams using Jira'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"bitbucket.org")'
+ - '!contains(host,"atlassian.com")'
diff --git a/http/osint/phishing/bitfinex-phish.yaml b/http/osint/phishing/bitfinex-phish.yaml
new file mode 100644
index 00000000000..9bcb8a97ec8
--- /dev/null
+++ b/http/osint/phishing/bitfinex-phish.yaml
@@ -0,0 +1,36 @@
+id: bitfinex-phish
+
+info:
+ name: Bitfinex phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Bitfinex phishing website was detected
+ reference:
+ - https://bitfinex.com
+ metadata:
+ max-request: 1
+ tags: phishing,bitfinex,crypto,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Bitfinex'
+ - 'Bitfinex is the longest-running and most liquid major cryptocurrency exchange. Founded in 2012, it has become the go-to platform for traders & institutional investors.'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"bitfinex.com")'
diff --git a/http/osint/phishing/bjs-phish.yaml b/http/osint/phishing/bjs-phish.yaml
new file mode 100644
index 00000000000..29719da0c1f
--- /dev/null
+++ b/http/osint/phishing/bjs-phish.yaml
@@ -0,0 +1,36 @@
+id: bjs-phish
+
+info:
+ name: BJ's Wholesale Club phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A BJ's Wholesale Club phishing website was detected
+ reference:
+ - https://bjs.com
+ metadata:
+ max-request: 1
+ tags: phishing,bjs,ecommerce,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "BJ's Wholesale Club"
+ - "BJ's Wholesale Club is a leading operator of membership warehouse clubs."
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"bjs.com")'
diff --git a/http/osint/phishing/blizzard-phish.yaml b/http/osint/phishing/blizzard-phish.yaml
new file mode 100644
index 00000000000..b283a5d2a08
--- /dev/null
+++ b/http/osint/phishing/blizzard-phish.yaml
@@ -0,0 +1,36 @@
+id: blizzard-phish
+
+info:
+ name: Blizzard phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Blizzard phishing website was detected
+ reference:
+ - https://blizzard.com
+ metadata:
+ max-request: 1
+ tags: phishing,blizzard,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Creators of the Warcraft, Diablo, StarCraft, and Overwatch series, Blizzard Entertainment is an industry-leading developer responsible for the most epic entertainment experiences, ever.'
+ - 'Blizzard'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"blizzard.com")'
diff --git a/http/osint/phishing/bmo-phish.yaml b/http/osint/phishing/bmo-phish.yaml
new file mode 100644
index 00000000000..9479fc94f1d
--- /dev/null
+++ b/http/osint/phishing/bmo-phish.yaml
@@ -0,0 +1,36 @@
+id: bmo-phish
+
+info:
+ name: BMO phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A BMO phishing website was detected
+ reference:
+ - https://bmo.com
+ metadata:
+ max-request: 1
+ tags: phishing,bmo,bank,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'BMO'
+ - "We're here to help! BMO offers a wide range of personal and business banking services, including bank accounts, mortgages, credit cards, loans and more."
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"bmo.com")'
diff --git a/http/osint/phishing/bnp-paribas-phish.yaml b/http/osint/phishing/bnp-paribas-phish.yaml
new file mode 100644
index 00000000000..9901a39fa8a
--- /dev/null
+++ b/http/osint/phishing/bnp-paribas-phish.yaml
@@ -0,0 +1,38 @@
+id: bnp-paribas-phish
+
+info:
+ name: BNP Paribas phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A BNP Paribas phishing website was detected
+ reference:
+ - https://bnpparibas.com
+ metadata:
+ max-request: 1
+ tags: phishing,bnp-paribas,bank,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'BNP Paribas'
+ - '<title>Banque BNP Paribas | La banque d'un monde qui change'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"bnpparibas.com")'
+ - '!contains(host,"group.bnpparibas")'
+ condition: and
diff --git a/http/osint/phishing/booking-com-phish.yaml b/http/osint/phishing/booking-com-phish.yaml
new file mode 100644
index 00000000000..ea6662e1f8a
--- /dev/null
+++ b/http/osint/phishing/booking-com-phish.yaml
@@ -0,0 +1,36 @@
+id: booking-com-phish
+
+info:
+ name: Booking.com phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Booking.com phishing website was detected
+ reference:
+ - https://booking.com
+ metadata:
+ max-request: 1
+ tags: phishing,booking,travel,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Booking.com'
+ - 'Booking.com | Official site | The best hotels, flights, car rentals & accommodations'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"booking.com")'
diff --git a/http/osint/phishing/buymeacoffee-phish.yaml b/http/osint/phishing/buymeacoffee-phish.yaml
new file mode 100644
index 00000000000..2300ed92a48
--- /dev/null
+++ b/http/osint/phishing/buymeacoffee-phish.yaml
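Review bot: The second word in bnp-paribas-phish.yaml, `'<title>Banque BNP Paribas | La banque d'un monde qui change'`, has an unescaped apostrophe inside a single-quoted scalar, so as shown the string ends at `d'` and the rest of the line is not valid YAML; the template would fail to load rather than detect anything. Double the apostrophe (`d''un`) or switch the line to double quotes, as bjs-phish.yaml does for `"BJ's Wholesale Club"`. If the page rendering decoded an entity here the file itself may differ, so a `nuclei -validate` run over the new directory is worth adding to the PR checks.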
@@ -0,0 +1,36 @@
+id: buymeacoffee-phish
+
+info:
+ name: Buy Me a Coffee phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Buy Me a Coffee phishing website was detected
+ reference:
+ - https://buymeacoffee.com
+ metadata:
+ max-request: 1
+ tags: phishing,buymeacoffee,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Buy Me a Coffee is the best way for creators and artists to accept support and membership from their fans.'
+ - '<title>Buy Me a Coffee'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"buymeacoffee.com")'
diff --git a/http/osint/phishing/cafepress-phish.yaml b/http/osint/phishing/cafepress-phish.yaml
new file mode 100644
index 00000000000..f69be386771
--- /dev/null
+++ b/http/osint/phishing/cafepress-phish.yaml
@@ -0,0 +1,36 @@
+id: cafepress-phish
+
+info:
+ name: CafePress phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A CafePress phishing website was detected
+ reference:
+ - https://cafepress.com
+ metadata:
+ max-request: 1
+ tags: phishing,cafepress,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'CafePress'
+ - '<title> CafePress | Best merchandise to express yourself'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"cafepress.com")'
diff --git a/http/osint/phishing/canva-phish.yaml b/http/osint/phishing/canva-phish.yaml
new file mode 100644
index 00000000000..10e842f207c
--- /dev/null
+++ b/http/osint/phishing/canva-phish.yaml
@@ -0,0 +1,34 @@
+id: canva-phish
+
+info:
+ name: Canva phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Canva phishing website was detected
+ reference:
+ - https://canva.com
+ metadata:
+ max-request: 1
+ tags: phishing,canva,design,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - '<title>Canva: Visual Suite for Everyone'
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"canva.com")'
diff --git a/http/osint/phishing/capital-one-phish.yaml b/http/osint/phishing/capital-one-phish.yaml
new file mode 100644
index 00000000000..444346b649d
--- /dev/null
+++ b/http/osint/phishing/capital-one-phish.yaml
@@ -0,0 +1,36 @@
+id: capital-one-phish
+
+info:
+ name: Capital One phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Capital One phishing website was detected
+ reference:
+ - https://capitalone.com
+ metadata:
+ max-request: 1
+ tags: phishing,capital-one,bank,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Capital One'
+ - '<title>Capital One | Credit Cards, Checking, Savings & Auto Loans'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"capitalone.com")'
diff --git a/http/osint/phishing/caviar-phish.yaml b/http/osint/phishing/caviar-phish.yaml
new file mode 100644
index 00000000000..795fd7854da
--- /dev/null
+++ b/http/osint/phishing/caviar-phish.yaml
@@ -0,0 +1,36 @@
+id: caviar-phish
+
+info:
+ name: Caviar phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Caviar phishing website was detected
+ reference:
+ - https://trycaviar.com
+ metadata:
+ max-request: 1
+ tags: phishing,caviar,food-delivery,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Caviar'
+ - 'et food, grocery, and retail essentials delivered fast. Shop same-day delivery from local stores and restaurants near you.'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"trycaviar.com")'
diff --git a/http/osint/phishing/chatgpt-phish.yaml b/http/osint/phishing/chatgpt-phish.yaml
new file mode 100644
index 00000000000..fcbafef7863
--- /dev/null
+++ b/http/osint/phishing/chatgpt-phish.yaml
@@ -0,0 +1,37 @@
+id: chatgpt-phish
+
+info:
+ name: ChatGPT phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A ChatGPT phishing website was detected
+ reference:
+ - https://chatgpt.com
+ metadata:
+ max-request: 1
+ tags: phishing,chatgpt,openai,ai,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - '<title>ChatGPT'
+ - 'ChatGPT helps you get answers, find inspiration, and be more productive.'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"chatgpt.com")'
+ - '!contains(host,"openai.com")'
diff --git a/http/osint/phishing/chime-phish.yaml b/http/osint/phishing/chime-phish.yaml
new file mode 100644
index 00000000000..bbecba2431a
--- /dev/null
+++ b/http/osint/phishing/chime-phish.yaml
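Review bot: The second `words` entry in caviar-phish.yaml starts with `'et food, grocery, ...`, which looks like a truncated copy of the sentence used in doordash-phish.yaml (`'Get food, grocery, ...`). It still matches as a substring, but the sentence is DoorDash's and only `trycaviar.com` is excluded, so a genuine doordash.com page that mentions Caviar would presumably be reported. Restore the leading `G` and add `- '!contains(host,"doordash.com")'` with `condition: and` on the `dsl` matcher, or replace the sentence with a string that only the Caviar site serves.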
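Review bot: The `dsl` matcher in chatgpt-phish.yaml lists two expressions but sets no `condition`, and nuclei combines the entries of a single matcher with OR by default. On chatgpt.com the second expression, `!contains(host,"openai.com")`, is true, so the matcher passes and the genuine site is reported as phishing. Add `condition: and` below the `dsl` list so a host has to fall outside both domains. The same omission is in citibank-phish.yaml, csgo-phish.yaml, dota2-phish.yaml and fortnite-phish.yaml.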
@@ -0,0 +1,36 @@
+id: chime-phish
+
+info:
+ name: Chime phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Chime phishing website was detected
+ reference:
+ - https://chime.com
+ metadata:
+ max-request: 1
+ tags: phishing,chime,fintech,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Chime'
+ - 'No monthly fees. 60k+ ATMs. Build credit. Get fee-free overdraft up to $200.'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"chime.com")'
diff --git a/http/osint/phishing/cibc-phish.yaml b/http/osint/phishing/cibc-phish.yaml
new file mode 100644
index 00000000000..9955ad1f973
--- /dev/null
+++ b/http/osint/phishing/cibc-phish.yaml
@@ -0,0 +1,36 @@
+id: cibc-phish
+
+info:
+ name: CIBC phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A CIBC phishing website was detected
+ reference:
+ - https://cibc.com
+ metadata:
+ max-request: 1
+ tags: phishing,cibc,bank,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'CIBC'
+ - 'CIBC U.S. provides tailored commercial and personal banking services, private wealth management and small business financial solutions from coast to coast. We invest in businesses, people and communities, striving to build trusting and enduring relationships by putting our clients at the center of all we do.'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"cibc.com")'
diff --git a/http/osint/phishing/citibank-phish.yaml b/http/osint/phishing/citibank-phish.yaml
new file mode 100644
index 00000000000..2be03d391c8
--- /dev/null
+++ b/http/osint/phishing/citibank-phish.yaml
@@ -0,0 +1,37 @@
+id: citibank-phish
+
+info:
+ name: Citibank phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Citibank phishing website was detected
+ reference:
+ - https://citi.com
+ metadata:
+ max-request: 1
+ tags: phishing,citibank,citi,bank,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Citi'
+ - 'Citibank is the consumer division of financial services multinational Citigroup. Citibank was founded in 1812 as the City Bank of New York, and later became First National City Bank of New York. Citibank provides credit cards, mortgages, personal loans, commercial loans, and lines of credit.'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"citi.com")'
+ - '!contains(host,"citibank.com")'
diff --git a/http/osint/phishing/cj-pony-parts-phish.yaml b/http/osint/phishing/cj-pony-parts-phish.yaml
new file mode 100644
index 00000000000..a5f437d7645
--- /dev/null
+++ b/http/osint/phishing/cj-pony-parts-phish.yaml
@@ -0,0 +1,34 @@
+id: cj-pony-parts-phish
+
+info:
+ name: CJ Pony Parts phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A CJ Pony Parts phishing website was detected
+ reference:
+ - https://cjponyparts.com
+ metadata:
+ max-request: 1
+ tags: phishing,cj-pony-parts,ecommerce,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Empowering enthusiasts to build their dream vehicles with top aftermarket parts for Ford Mustangs, Broncos, Focus STs, F-100s, and Chevy C10s. Shop now!'
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"cjponyparts.com")'
diff --git a/http/osint/phishing/cloudflare-phish.yaml b/http/osint/phishing/cloudflare-phish.yaml
new file mode 100644
index 00000000000..16fea638b21
--- /dev/null
+++ b/http/osint/phishing/cloudflare-phish.yaml
@@ -0,0 +1,36 @@
+id: cloudflare-phish
+
+info:
+ name: Cloudflare phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Cloudflare phishing website was detected
+ reference:
+ - https://cloudflare.com
+ metadata:
+ max-request: 1
+ tags: phishing,cloudflare,cdn,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Cloudflare'
+ - 'Make employees, applications and networks faster and more secure everywhere, while reducing complexity and cost.'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"cloudflare.com")'
diff --git a/http/osint/phishing/coinbase-phish.yaml b/http/osint/phishing/coinbase-phish.yaml
new file mode 100644
index 00000000000..9cbc85b7149
--- /dev/null
+++ b/http/osint/phishing/coinbase-phish.yaml
@@ -0,0 +1,36 @@
+id: coinbase-phish
+
+info:
+ name: Coinbase phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Coinbase phishing website was detected
+ reference:
+ - https://coinbase.com
+ metadata:
+ max-request: 1
+ tags: phishing,coinbase,crypto,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Coinbase'
+ - 'Coinbase - Buy and Sell Bitcoin, Ethereum, and more with trust'
+ condition: or
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"coinbase.com")'
diff --git a/http/osint/phishing/comerica-phish.yaml b/http/osint/phishing/comerica-phish.yaml
new file mode 100644
index 00000000000..b906f782d61
--- /dev/null
+++ b/http/osint/phishing/comerica-phish.yaml
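Review bot: The `word` matcher in coinbase-phish.yaml uses `condition: or`, unlike the other templates in this patch, so the bare word `'Coinbase'` is enough to satisfy it. Any page outside coinbase.com that returns 200 and mentions the brand, such as a news article or a price tracker, would then be reported as a phishing site. Change it to `condition: and`, or drop the bare `'Coinbase'` entry and keep only the longer title string.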
@@ -0,0 +1,36 @@
+id: comerica-phish
+
+info:
+ name: Comerica Bank phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Comerica Bank phishing website was detected
+ reference:
+ - https://comerica.com
+ metadata:
+ max-request: 1
+ tags: phishing,comerica,bank,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Comerica'
+ - 'Your partner for personal finance, business banking, and wealth management with a legacy of excellence and industry recognition.'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"comerica.com")'
diff --git a/http/osint/phishing/commonwealth-bank-phish.yaml b/http/osint/phishing/commonwealth-bank-phish.yaml
new file mode 100644
index 00000000000..3aff833455d
--- /dev/null
+++ b/http/osint/phishing/commonwealth-bank-phish.yaml
@@ -0,0 +1,36 @@
+id: commonwealth-bank-phish
+
+info:
+ name: Commonwealth Bank phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Commonwealth Bank phishing website was detected
+ reference:
+ - https://commbank.com.au
+ metadata:
+ max-request: 1
+ tags: phishing,commonwealth-bank,bank,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Commonwealth Bank'
+ - 'CommBank offers personal banking, business solutions, institutional banking, company information, and more'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"commbank.com.au")'
diff --git a/http/osint/phishing/costco-phish.yaml b/http/osint/phishing/costco-phish.yaml
new file mode 100644
index 00000000000..4b95fb0440f
--- /dev/null
+++ b/http/osint/phishing/costco-phish.yaml
@@ -0,0 +1,36 @@
+id: costco-phish
+
+info:
+ name: Costco phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Costco phishing website was detected
+ reference:
+ - https://costco.com
+ metadata:
+ max-request: 1
+ tags: phishing,costco,ecommerce,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Costco'
+ - 'Shop Costco.com for electronics, computers, furniture, outdoor living, appliances, jewelry and more. Enjoy low warehouse prices on name-brands products delivered to your door'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"costco.com")'
diff --git a/http/osint/phishing/credit-agricole-phish.yaml b/http/osint/phishing/credit-agricole-phish.yaml
new file mode 100644
index 00000000000..0f801c1f7b2
--- /dev/null
+++ b/http/osint/phishing/credit-agricole-phish.yaml
@@ -0,0 +1,36 @@
+id: credit-agricole-phish
+
+info:
+ name: Crédit Agricole phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Crédit Agricole phishing website was detected
+ reference:
+ - https://credit-agricole.com
+ metadata:
+ max-request: 1
+ tags: phishing,credit-agricole,bank,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Crédit Agricole'
+ - 'Crédit Agricole 1re banque de l'habitat, de l'agriculture, des entreprises, des pros, des collectivites territoriales'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"credit-agricole.com")'
diff --git a/http/osint/phishing/crunchyroll-phish.yaml b/http/osint/phishing/crunchyroll-phish.yaml
new file mode 100644
index 00000000000..b85c0c99f5f
--- /dev/null
+++ b/http/osint/phishing/crunchyroll-phish.yaml
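Review bot: The second `words` entry in credit-agricole-phish.yaml is a single-quoted scalar that contains unescaped apostrophes (`l'habitat`, `l'agriculture`), so the scalar ends at `de l` and the file will not parse as YAML. Double the apostrophes (`l''habitat`, `l''agriculture`) or wrap that entry in double quotes instead. It is also worth confirming that the live page uses a straight `'` rather than `’`, because the word matcher compares the text exactly.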
@@ -0,0 +1,36 @@
+id: crunchyroll-phish
+
+info:
+ name: Crunchyroll phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Crunchyroll phishing website was detected
+ reference:
+ - https://crunchyroll.com
+ metadata:
+ max-request: 1
+ tags: phishing,crunchyroll,streaming,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'crunchyroll.com'
+ - 'Crunchyroll'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"crunchyroll.com")'
diff --git a/http/osint/phishing/csgo-phish.yaml b/http/osint/phishing/csgo-phish.yaml
new file mode 100644
index 00000000000..a99505b7fba
--- /dev/null
+++ b/http/osint/phishing/csgo-phish.yaml
@@ -0,0 +1,37 @@
+id: csgo-phish
+
+info:
+ name: CS:GO phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A CS:GO phishing website was detected
+ reference:
+ - https://counter-strike.net
+ metadata:
+ max-request: 1
+ tags: phishing,csgo,steam,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'VALVE_PUBLIC_PATH = "https:\/\/www.counter-strike.net\/\/public\/"'
+ - 'https://www.counter-strike.net/public/'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"counter-strike.net")'
+ - '!contains(host,"steampowered.com")'
diff --git a/http/osint/phishing/current-phish.yaml b/http/osint/phishing/current-phish.yaml
new file mode 100644
index 00000000000..25698b7be43
--- /dev/null
+++ b/http/osint/phishing/current-phish.yaml
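Review bot: The `word` matcher in crunchyroll-phish.yaml requires only `'crunchyroll.com'` and `'Crunchyroll'`, and both strings appear on any page that links to or writes about the service. A forum thread, review or news article returning 200 would therefore be reported as a phishing site. Add a string that only the real landing page serves, for example its `<title>` text as fedex-phish.yaml does, so that the match points to a copied page rather than a mention. etsy-phish.yaml has a similar bare-domain entry (`"etsy.com"`), although its second string is more specific.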
@@ -0,0 +1,36 @@
+id: current-phish
+
+info:
+ name: Current phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Current phishing website was detected
+ reference:
+ - https://current.com
+ metadata:
+ max-request: 1
+ tags: phishing,current,fintech,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Current'
+ - 'Mobile banking done better. Build credit while you bank. No overdraft fees/hidden fees. Current is a fintech not a bank. Banking services provided by Choice Financial Group, Member FDIC, and Cross River Bank, Member FDIC.'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"current.com")'
diff --git a/http/osint/phishing/customink-phish.yaml b/http/osint/phishing/customink-phish.yaml
new file mode 100644
index 00000000000..3832ae67f2a
--- /dev/null
+++ b/http/osint/phishing/customink-phish.yaml
@@ -0,0 +1,36 @@
+id: customink-phish
+
+info:
+ name: CustomInk phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A CustomInk phishing website was detected
+ reference:
+ - https://customink.com
+ metadata:
+ max-request: 1
+ tags: phishing,customink,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'CustomInk'
+ - '<title>Custom T-shirts - Design T-shirts, Apparel & Promo Products Online'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"customink.com")'
diff --git a/http/osint/phishing/cvs-phish.yaml b/http/osint/phishing/cvs-phish.yaml
new file mode 100644
index 00000000000..3f6cf95764b
--- /dev/null
+++ b/http/osint/phishing/cvs-phish.yaml
@@ -0,0 +1,36 @@
+id: cvs-phish
+
+info:
+ name: CVS phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A CVS phishing website was detected
+ reference:
+ - https://cvs.com
+ metadata:
+ max-request: 1
+ tags: phishing,cvs,ecommerce,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'CVS'
+ - 'Refill and transfer prescriptions online or find a CVS Pharmacy near you. Shop online, see ExtraCare deals, find MinuteClinic locations and more.'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"cvs.com")'
diff --git a/http/osint/phishing/dbs-phish.yaml b/http/osint/phishing/dbs-phish.yaml
new file mode 100644
index 00000000000..c8e2cf745a7
--- /dev/null
+++ b/http/osint/phishing/dbs-phish.yaml
@@ -0,0 +1,36 @@
+id: dbs-phish
+
+info:
+ name: DBS Bank phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A DBS Bank phishing website was detected
+ reference:
+ - https://dbs.com
+ metadata:
+ max-request: 1
+ tags: phishing,dbs,bank,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'DBS Bank'
+ - "<title>DBS: Trusted as the World’s Best Bank | DBS Bank"
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"dbs.com")'
diff --git a/http/osint/phishing/depop-phish.yaml b/http/osint/phishing/depop-phish.yaml
new file mode 100644
index 00000000000..b7ab9a43f87
--- /dev/null
+++ b/http/osint/phishing/depop-phish.yaml
@@ -0,0 +1,36 @@
+id: depop-phish
+
+info:
+ name: Depop phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Depop phishing website was detected
+ reference:
+ - https://depop.com
+ metadata:
+ max-request: 1
+ tags: phishing,depop,ecommerce,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Depop'
+ - 'Designer. Preloved. Vintage. Streetwear. Sneakers. Whatever your style. Find it on Depop.'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"depop.com")'
diff --git a/http/osint/phishing/deutsche-bank-phish.yaml b/http/osint/phishing/deutsche-bank-phish.yaml
new file mode 100644
index 00000000000..c97a24ba656
--- /dev/null
+++ b/http/osint/phishing/deutsche-bank-phish.yaml
@@ -0,0 +1,36 @@
+id: deutsche-bank-phish
+
+info:
+ name: Deutsche Bank phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Deutsche Bank phishing website was detected
+ reference:
+ - https://db.com
+ metadata:
+ max-request: 1
+ tags: phishing,deutsche-bank,bank,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Deutsche Bank'
+ - "Discover Deutsche Bank, one of the world’s leading financial services providers. News and Information about the bank and its products"
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"db.com")'
diff --git a/http/osint/phishing/dhl-phish.yaml b/http/osint/phishing/dhl-phish.yaml
new file mode 100644
index 00000000000..a5d2b9a503c
--- /dev/null
+++ b/http/osint/phishing/dhl-phish.yaml
@@ -0,0 +1,36 @@
+id: dhl-phish
+
+info:
+ name: DHL phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A DHL phishing website was detected
+ reference:
+ - https://dhl.com
+ metadata:
+ max-request: 1
+ tags: phishing,dhl,shipping,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'DHL'
+ - 'DHL is the global leader in the logistics industry. Specializing in international shipping, courier services and transportation.'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"dhl.com")'
diff --git a/http/osint/phishing/discover-phish.yaml b/http/osint/phishing/discover-phish.yaml
new file mode 100644
index 00000000000..241fe9c6dde
--- /dev/null
+++ b/http/osint/phishing/discover-phish.yaml
@@ -0,0 +1,36 @@
+id: discover-phish
+
+info:
+ name: Discover phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Discover phishing website was detected
+ reference:
+ - https://discover.com
+ metadata:
+ max-request: 1
+ tags: phishing,discover,credit-card,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Discover'
+ - '<title>Discover - Personal Banking, Credit Cards & Loans'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"discover.com")'
From 421066d1f7542579fbd0d9b77a755de30ae98841 Mon Sep 17 00:00:00 2001
From: rxerium <rishi@rxerium.com> Date: Mon, 5 Jan 2026 12:43:51 +0000 Subject: [PATCH 02/16] Add phishing templates from doordash-phish to grailed-phish --- http/osint/phishing/doordash-phish.yaml | 36 ++++++++++++++++++ http/osint/phishing/dota2-phish.yaml | 35 ++++++++++++++++++ http/osint/phishing/ea-phish.yaml | 34 +++++++++++++++++ http/osint/phishing/edelbrock-phish.yaml | 36 ++++++++++++++++++ http/osint/phishing/epic-games-phish.yaml | 36 ++++++++++++++++++ http/osint/phishing/etsy-phish.yaml | 36 ++++++++++++++++++ http/osint/phishing/expedia-phish.yaml | 36 ++++++++++++++++++ http/osint/phishing/fanatical-phish.yaml | 36 ++++++++++++++++++ http/osint/phishing/fedex-phish.yaml | 36 ++++++++++++++++++ .../phishing/fifth-third-bank-phish.yaml | 34 +++++++++++++++++ http/osint/phishing/footlocker-phish.yaml | 36 ++++++++++++++++++ http/osint/phishing/fortnite-phish.yaml | 37 +++++++++++++++++++ http/osint/phishing/fubo-phish.yaml | 34 +++++++++++++++++ http/osint/phishing/g2a-phish.yaml | 36 ++++++++++++++++++ http/osint/phishing/gamestop-phish.yaml | 36 ++++++++++++++++++ http/osint/phishing/gcp-phish.yaml | 35 ++++++++++++++++++ http/osint/phishing/gemini-phish.yaml | 36 ++++++++++++++++++ http/osint/phishing/goat-phish.yaml | 36 ++++++++++++++++++ http/osint/phishing/gog-phish.yaml | 36 ++++++++++++++++++ http/osint/phishing/google-phish.yaml | 2 +- http/osint/phishing/grailed-phish.yaml | 36 ++++++++++++++++++ 21 files changed, 714 insertions(+), 1 deletion(-) create mode 100644 http/osint/phishing/doordash-phish.yaml create mode 100644 http/osint/phishing/dota2-phish.yaml create mode 100644 http/osint/phishing/ea-phish.yaml create mode 100644 http/osint/phishing/edelbrock-phish.yaml create mode 100644 http/osint/phishing/epic-games-phish.yaml create mode 100644 http/osint/phishing/etsy-phish.yaml create mode 100644 http/osint/phishing/expedia-phish.yaml create mode 100644 http/osint/phishing/fanatical-phish.yaml create mode 100644 
http/osint/phishing/fedex-phish.yaml create mode 100644 http/osint/phishing/fifth-third-bank-phish.yaml create mode 100644 http/osint/phishing/footlocker-phish.yaml create mode 100644 http/osint/phishing/fortnite-phish.yaml create mode 100644 http/osint/phishing/fubo-phish.yaml create mode 100644 http/osint/phishing/g2a-phish.yaml create mode 100644 http/osint/phishing/gamestop-phish.yaml create mode 100644 http/osint/phishing/gcp-phish.yaml create mode 100644 http/osint/phishing/gemini-phish.yaml create mode 100644 http/osint/phishing/goat-phish.yaml create mode 100644 http/osint/phishing/gog-phish.yaml create mode 100644 http/osint/phishing/grailed-phish.yaml
diff --git a/http/osint/phishing/doordash-phish.yaml b/http/osint/phishing/doordash-phish.yaml
new file mode 100644
index 00000000000..bed5578daa3
--- /dev/null
+++ b/http/osint/phishing/doordash-phish.yaml
@@ -0,0 +1,36 @@
+id: doordash-phish
+
+info:
+ name: DoorDash phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A DoorDash phishing website was detected
+ reference:
+ - https://doordash.com
+ metadata:
+ max-request: 1
+ tags: phishing,doordash,food-delivery,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'DoorDash'
+ - 'Get food, grocery, and retail essentials delivered fast. Shop same-day delivery from local stores and restaurants near you.'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"doordash.com")'
diff --git a/http/osint/phishing/dota2-phish.yaml b/http/osint/phishing/dota2-phish.yaml
new file mode 100644
index 00000000000..4f4ee77b957
--- /dev/null
+++ b/http/osint/phishing/dota2-phish.yaml
@@ -0,0 +1,35 @@
+id: dota2-phish
+
+info:
+ name: Dota 2 phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Dota 2 phishing website was detected
+ reference:
+ - https://dota2.com
+ metadata:
+ max-request: 1
+ tags: phishing,dota2,steam,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "Every day, millions of players worldwide enter battle as one of over a hundred Dota heroes. And no matter if it's their 10th hour of play or 1,000th, there's always something new to discover. With regular updates that ensure a constant evolution of gameplay, features, and heroes, Dota 2 has taken on a life of its own."
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"dota2.com")'
+ - '!contains(host,"steampowered.com")'
diff --git a/http/osint/phishing/ea-phish.yaml b/http/osint/phishing/ea-phish.yaml
new file mode 100644
index 00000000000..1be09c12689
--- /dev/null
+++ b/http/osint/phishing/ea-phish.yaml
@@ -0,0 +1,34 @@
+id: ea-phish
+
+info:
+ name: EA phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ An EA phishing website was detected
+ reference:
+ - https://ea.com
+ metadata:
+ max-request: 1
+ tags: phishing,ea,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "We exist to inspire the world through Play. Electronic Arts is a leading publisher of games on Console, PC and Mobile."
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"ea.com")'
diff --git a/http/osint/phishing/edelbrock-phish.yaml b/http/osint/phishing/edelbrock-phish.yaml
new file mode 100644
index 00000000000..522acc1c4ee
--- /dev/null
+++ b/http/osint/phishing/edelbrock-phish.yaml
@@ -0,0 +1,36 @@
+id: edelbrock-phish
+
+info:
+ name: Edelbrock phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ An Edelbrock phishing website was detected
+ reference:
+ - https://edelbrock.com
+ metadata:
+ max-request: 1
+ tags: phishing,edelbrock,ecommerce,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Edelbrock'
+ - 'Edelbrock is the most respected name in performance! Since 1938, Edelbrock has manufactured its core products in the USA for quality and performance.'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"edelbrock.com")'
diff --git a/http/osint/phishing/epic-games-phish.yaml b/http/osint/phishing/epic-games-phish.yaml
new file mode 100644
index 00000000000..e5b6f46659c
--- /dev/null
+++ b/http/osint/phishing/epic-games-phish.yaml
@@ -0,0 +1,36 @@
+id: epic-games-phish
+
+info:
+ name: Epic Games phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ An Epic Games phishing website was detected
+ reference:
+ - https://epicgames.com
+ metadata:
+ max-request: 1
+ tags: phishing,epic-games,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'The Epic Games Store is now open.'
+ - 'Epic Games'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"epicgames.com")'
diff --git a/http/osint/phishing/etsy-phish.yaml b/http/osint/phishing/etsy-phish.yaml
new file mode 100644
index 00000000000..4e1229b8f70
--- /dev/null
+++ b/http/osint/phishing/etsy-phish.yaml
@@ -0,0 +1,36 @@
+id: etsy-phish
+
+info:
+ name: Etsy phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ An Etsy phishing website was detected
+ reference:
+ - https://etsy.com
+ metadata:
+ max-request: 1
+ tags: phishing,etsy,ecommerce,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "etsy.com"
+ - 'Shop for handmade, vintage, custom, and unique gifts'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"etsy.com")'
diff --git a/http/osint/phishing/expedia-phish.yaml b/http/osint/phishing/expedia-phish.yaml
new file mode 100644
index 00000000000..15c061bceb7
--- /dev/null
+++ b/http/osint/phishing/expedia-phish.yaml
@@ -0,0 +1,36 @@
+id: expedia-phish
+
+info:
+ name: Expedia phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ An Expedia phishing website was detected
+ reference:
+ - https://expedia.com
+ metadata:
+ max-request: 1
+ tags: phishing,expedia,travel,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Expedia'
+ - '<title>Expedia Travel: Vacation Homes, Hotels, Car Rentals, Flights & More'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"expedia.com")'
diff --git a/http/osint/phishing/fanatical-phish.yaml b/http/osint/phishing/fanatical-phish.yaml
new file mode 100644
index 00000000000..e45656a5581
--- /dev/null
+++ b/http/osint/phishing/fanatical-phish.yaml
@@ -0,0 +1,36 @@
+id: fanatical-phish
+
+info:
+ name: Fanatical phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Fanatical phishing website was detected
+ reference:
+ - https://fanatical.com
+ metadata:
+ max-request: 1
+ tags: phishing,fanatical,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Fanatical'
+ - '<title>Fanatical'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"fanatical.com")'
diff --git a/http/osint/phishing/fedex-phish.yaml b/http/osint/phishing/fedex-phish.yaml
new file mode 100644
index 00000000000..4cab2177c22
--- /dev/null
+++ b/http/osint/phishing/fedex-phish.yaml
@@ -0,0 +1,36 @@
+id: fedex-phish
+
+info:
+ name: FedEx phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A FedEx phishing website was detected
+ reference:
+ - https://fedex.com
+ metadata:
+ max-request: 1
+ tags: phishing,fedex,shipping,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'FedEx'
+ - '<title>Track & Ship Online or Find Nearby Locations | FedEx'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"fedex.com")'
diff --git a/http/osint/phishing/fifth-third-bank-phish.yaml b/http/osint/phishing/fifth-third-bank-phish.yaml
new file mode 100644
index 00000000000..8ee441ea0aa
--- /dev/null
+++ b/http/osint/phishing/fifth-third-bank-phish.yaml
@@ -0,0 +1,34 @@
+id: fifth-third-bank-phish
+
+info:
+ name: Fifth Third Bank phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Fifth Third Bank phishing website was detected
+ reference:
+ - https://53.com
+ metadata:
+ max-request: 1
+ tags: phishing,fifth-third-bank,bank,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - '<title>Personal Banking | Fifth Third Bank'
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"53.com")'
diff --git a/http/osint/phishing/footlocker-phish.yaml b/http/osint/phishing/footlocker-phish.yaml
new file mode 100644
index 00000000000..711fd0070a1
--- /dev/null
+++ b/http/osint/phishing/footlocker-phish.yaml
@@ -0,0 +1,36 @@
+id: footlocker-phish
+
+info:
+ name: Foot Locker phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Foot Locker phishing website was detected
+ reference:
+ - https://footlocker.com
+ metadata:
+ max-request: 1
+ tags: phishing,footlocker,ecommerce,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Foot Locker'
+ - 'Sneakers, Apparel & More | Foot Locker'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"footlocker.com")'
diff --git a/http/osint/phishing/fortnite-phish.yaml b/http/osint/phishing/fortnite-phish.yaml
new file mode 100644
index 00000000000..f493c89566d
--- /dev/null
+++ b/http/osint/phishing/fortnite-phish.yaml
@@ -0,0 +1,37 @@
+id: fortnite-phish
+
+info:
+ name: Fortnite phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Fortnite phishing website was detected
+ reference:
+ - https://fortnite.com
+ metadata:
+ max-request: 1
+ tags: phishing,fortnite,epic-games,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Fortnite'
+ - '<title>Fortnite | Free-to-Play Cross-Platform Game - Fortnite'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"fortnite.com")'
+ - '!contains(host,"epicgames.com")'
diff --git a/http/osint/phishing/fubo-phish.yaml b/http/osint/phishing/fubo-phish.yaml
new file mode 100644
index 00000000000..b0281df94bd
--- /dev/null
+++ b/http/osint/phishing/fubo-phish.yaml
@@ -0,0 +1,34 @@
+id: fubo-phish
+
+info:
+ name: FuboTV phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A FuboTV phishing website was detected
+ reference:
+ - https://fubo.tv
+ metadata:
+ max-request: 1
+ tags: phishing,fubo,streaming,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "Watch ABC, CBS, FOX, ESPN and other top channels live - without cable TV. On your phone, TV and more. No contract. DVR included."
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"fubo.tv")'
diff --git a/http/osint/phishing/g2a-phish.yaml b/http/osint/phishing/g2a-phish.yaml
new file mode 100644
index 00000000000..04db1d9a39e
--- /dev/null
+++ b/http/osint/phishing/g2a-phish.yaml
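Review bot: The dsl matcher lists two expressions without `condition: and`, and a matcher's condition defaults to `or`, so the exclusion passes as soon as either expression is true. A request to fortnite.com satisfies `!contains(host,"epicgames.com")`, so the legitimate site is reported whenever the word and status matchers hit. Add `condition: and` under the `dsl:` list. The gcp, league-of-legends and loaded hunks carry the same two-expression list, and in gcp the `cloud.google.com` line is already implied by the `google.com` line.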
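Review bot: The only content signal in fubo-phish is one long marketing sentence matched verbatim, and it does not contain the brand name. It stops matching silently when the site changes its copy, and a page that imitates only the sign-in form would not carry it; the gcp hunk and the description-based templates in patch 03/16 share this shape. Record where the string came from so it can be refreshed, e.g. `# meta description of https://fubo.tv, captured <date>`, and consider pairing it with a short brand-bearing title fragment.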
@@ -0,0 +1,36 @@
+id: g2a-phish
+
+info:
+ name: G2A phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A G2A phishing website was detected
+ reference:
+ - https://g2a.com
+ metadata:
+ max-request: 1
+ tags: phishing,g2a,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'G2A'
+ - 'G2A.COM - Open the Gate 2 Adventure in the Digital World'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"g2a.com")'
diff --git a/http/osint/phishing/gamestop-phish.yaml b/http/osint/phishing/gamestop-phish.yaml
new file mode 100644
index 00000000000..527ea70255a
--- /dev/null
+++ b/http/osint/phishing/gamestop-phish.yaml
@@ -0,0 +1,36 @@
+id: gamestop-phish
+
+info:
+ name: GameStop phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A GameStop phishing website was detected
+ reference:
+ - https://gamestop.com
+ metadata:
+ max-request: 1
+ tags: phishing,gamestop,ecommerce,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'GameStop'
+ - 'Consoles, Collectibles, Video Games, and More – Buy, Sell or Trade | GameStop'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"gamestop.com")'
diff --git a/http/osint/phishing/gcp-phish.yaml b/http/osint/phishing/gcp-phish.yaml
new file mode 100644
index 00000000000..720beecff54
--- /dev/null
+++ b/http/osint/phishing/gcp-phish.yaml
@@ -0,0 +1,35 @@
+id: gcp-phish
+
+info:
+ name: Google Cloud Platform phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Google Cloud Platform phishing website was detected
+ reference:
+ - https://cloud.google.com
+ metadata:
+ max-request: 1
+ tags: phishing,gcp,google-cloud,cloud,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "Meet your business challenges head on with cloud computing services from Google, including data management, hybrid & multi-cloud, and AI & ML."
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"cloud.google.com")'
+ - '!contains(host,"google.com")'
diff --git a/http/osint/phishing/gemini-phish.yaml b/http/osint/phishing/gemini-phish.yaml
new file mode 100644
index 00000000000..c12d2faadba
--- /dev/null
+++ b/http/osint/phishing/gemini-phish.yaml
@@ -0,0 +1,36 @@
+id: gemini-phish
+
+info:
+ name: Gemini phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Gemini phishing website was detected
+ reference:
+ - https://gemini.com
+ metadata:
+ max-request: 1
+ tags: phishing,gemini,crypto,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Gemini'
+ - '<title>Buy, Sell & Trade Bitcoin, Solana, & Other Cryptos with Gemini's Best-in-class Platform | Gemini'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"gemini.com")'
diff --git a/http/osint/phishing/goat-phish.yaml b/http/osint/phishing/goat-phish.yaml
new file mode 100644
index 00000000000..e960c2a5f40
--- /dev/null
+++ b/http/osint/phishing/goat-phish.yaml
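Review bot: The second word in gemini-phish, as shown here, is a single-quoted scalar that contains an apostrophe (`Gemini's`), which ends the scalar early and leaves the rest of the line as a YAML syntax error. If the apostrophe is literal in the file, double it (`Gemini''s`) or switch that entry to double quotes; if the file actually holds an HTML entity that this view decoded, the YAML is fine but the note still applies to whichever form is committed. Running `nuclei -validate` on the template before merge would settle it.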
@@ -0,0 +1,36 @@ +id: goat-phish + +info: + name: GOAT phishing Detection + author: rxerium + severity: info + description: | + A GOAT phishing website was detected + reference: + - https://goat.com + metadata: + max-request: 1 + tags: phishing,goat,ecommerce,osint,discovery +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + words: + - 'GOAT' + - '<title>GOAT: Sneakers, Apparel, Accessories' + condition: and + + - type: status + status: + - 200 + + - type: dsl + dsl: + - '!contains(host,"goat.com")' diff --git a/http/osint/phishing/gog-phish.yaml b/http/osint/phishing/gog-phish.yaml new file mode 100644 index 00000000000..e151b8a89ec --- /dev/null +++ b/http/osint/phishing/gog-phish.yaml @@ -0,0 +1,36 @@ +id: gog-phish + +info: + name: GOG phishing Detection + author: rxerium + severity: info + description: | + A GOG phishing website was detected + reference: + - https://gog.com + metadata: + max-request: 1 + tags: phishing,gog,osint,discovery +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + words: + - '<title>Welcome to GOG.com | best PC games DRM-free' + - 'GOG' + condition: and + + - type: status + status: + - 200 + + - type: dsl + dsl: + - '!contains(host,"gog.com")' diff --git a/http/osint/phishing/google-phish.yaml b/http/osint/phishing/google-phish.yaml index d967caeb5bf..59034ddbfb0 100644 --- a/http/osint/phishing/google-phish.yaml +++ b/http/osint/phishing/google-phish.yaml @@ -23,7 +23,7 @@ http: matchers: - type: word words: - - 'Sign in - Google Accounts' + - "Google" - type: status status: diff --git a/http/osint/phishing/grailed-phish.yaml b/http/osint/phishing/grailed-phish.yaml new file mode 100644 index 00000000000..7b0c041b938 --- /dev/null +++ b/http/osint/phishing/grailed-phish.yaml 
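Review bot: Replacing `'Sign in - Google Accounts'` with the bare word `"Google"` in google-phish makes the word matcher fire on almost any page, since that string appears in embedded analytics, fonts and sign-in buttons on unrelated sites. Unless matchers outside this hunk narrow it further, every 200 response from a non-Google host that mentions Google would be reported as phishing. Keep a sign-in specific string such as `- 'Sign in - Google Accounts'`, and add any new title variant beside it under `condition: or`. The matchers list starts before and continues after the hunk, so the host exclusion is not visible here.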
@@ -0,0 +1,36 @@
+id: grailed-phish
+
+info:
+ name: Grailed phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Grailed phishing website was detected
+ reference:
+ - https://grailed.com
+ metadata:
+ max-request: 1
+ tags: phishing,grailed,ecommerce,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Grailed'
+ - '<title>Grailed: Online Marketplace to Buy Fashion'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"grailed.com")'
From ceabf411fb01dc29ba27f31bd6b088ae5e14f6e5 Mon Sep 17 00:00:00 2001
From: rxerium <rishi@rxerium.com> Date: Mon, 5 Jan 2026 12:48:26 +0000 Subject: [PATCH 03/16] Update phishing templates with extracted descriptions/titles from HTML --- .../phishing/green-man-gaming-phish.yaml | 34 +++++++++++++++++ http/osint/phishing/gumroad-phish.yaml | 34 +++++++++++++++++ http/osint/phishing/hbo-max-phish.yaml | 34 +++++++++++++++++ http/osint/phishing/heroku-phish.yaml | 34 +++++++++++++++++ http/osint/phishing/hsbc-phish.yaml | 34 +++++++++++++++++ http/osint/phishing/humble-bundle-phish.yaml | 34 +++++++++++++++++ http/osint/phishing/icbc-phish.yaml | 34 +++++++++++++++++ http/osint/phishing/ing-phish.yaml | 34 +++++++++++++++++ http/osint/phishing/instacart-phish.yaml | 34 +++++++++++++++++ http/osint/phishing/irs-phish.yaml | 34 +++++++++++++++++ http/osint/phishing/itch-io-phish.yaml | 34 +++++++++++++++++ .../phishing/league-of-legends-phish.yaml | 35 ++++++++++++++++++ http/osint/phishing/line-phish.yaml | 34 +++++++++++++++++ http/osint/phishing/loaded-phish.yaml | 35 ++++++++++++++++++ http/osint/phishing/monzo-phish.yaml | 34 +++++++++++++++++ http/osint/phishing/mt-bank-phish.yaml | 34 +++++++++++++++++ http/osint/phishing/n26-phish.yaml | 34 +++++++++++++++++ http/osint/phishing/nab-phish.yaml | 34 +++++++++++++++++ http/osint/phishing/natwest-phish.yaml | 34 +++++++++++++++++ http/osint/phishing/newegg-phish.yaml | 34 +++++++++++++++++ http/osint/phishing/nintendo-phish.yaml | 34 +++++++++++++++++ http/osint/phishing/ocbc-phish.yaml | 34 +++++++++++++++++ http/osint/phishing/okta-phish.yaml | 34 +++++++++++++++++ http/osint/phishing/origin-phish.yaml | 34 +++++++++++++++++ http/osint/phishing/pandora-phish.yaml | 34 +++++++++++++++++ http/osint/phishing/patreon-phish.yaml | 34 +++++++++++++++++ http/osint/phishing/philo-phish.yaml | 34 +++++++++++++++++ http/osint/phishing/playstation-phish.yaml | 34 +++++++++++++++++ http/osint/phishing/pnc-bank-phish.yaml | 34 +++++++++++++++++ http/osint/phishing/puma-phish.yaml | 34 
+++++++++++++++++ http/osint/phishing/riot-games-phish.yaml | 34 +++++++++++++++++ http/osint/phishing/rite-aid-phish.yaml | 34 +++++++++++++++++ http/osint/phishing/robinhood-phish.yaml | 34 +++++++++++++++++ http/osint/phishing/rockauto-phish.yaml | 34 +++++++++++++++++ http/osint/phishing/salesforce-phish.yaml | 34 +++++++++++++++++ http/osint/phishing/sams-club-phish.yaml | 34 +++++++++++++++++ http/osint/phishing/santander-phish.yaml | 34 +++++++++++++++++ http/osint/phishing/shopify-phish.yaml | 37 +++++++++++++++++++ http/osint/phishing/shutterfly-phish.yaml | 34 +++++++++++++++++ http/osint/phishing/sling-phish.yaml | 34 +++++++++++++++++ http/osint/phishing/snapfish-phish.yaml | 34 +++++++++++++++++ .../phishing/societe-generale-phish.yaml | 34 +++++++++++++++++ http/osint/phishing/square-phish.yaml | 37 +++++++++++++++++++ http/osint/phishing/steam-phish.yaml | 4 +- http/osint/phishing/stripe-phish.yaml | 36 ++++++++++++++++++ http/osint/phishing/teepublic-phish.yaml | 34 +++++++++++++++++ http/osint/phishing/trello-phish.yaml | 34 +++++++++++++++++ http/osint/phishing/truist-phish.yaml | 34 +++++++++++++++++ http/osint/phishing/ubs-phish.yaml | 34 +++++++++++++++++ http/osint/phishing/under-armour-phish.yaml | 34 +++++++++++++++++ http/osint/phishing/uplay-phish.yaml | 34 +++++++++++++++++ http/osint/phishing/us-bank-phish.yaml | 34 +++++++++++++++++ http/osint/phishing/usps-phish.yaml | 34 +++++++++++++++++ http/osint/phishing/valorant-phish.yaml | 35 ++++++++++++++++++ http/osint/phishing/walgreens-phish.yaml | 34 +++++++++++++++++ http/osint/phishing/wells-fargo-phish.yaml | 34 +++++++++++++++++ http/osint/phishing/westpac-phish.yaml | 34 +++++++++++++++++ http/osint/phishing/wise-phish.yaml | 34 +++++++++++++++++ http/osint/phishing/zazzle-phish.yaml | 34 +++++++++++++++++ http/osint/phishing/zelle-phish.yaml | 36 ++++++++++++++++++ 60 files changed, 2020 insertions(+), 3 deletions(-) create mode 100644 http/osint/phishing/green-man-gaming-phish.yaml 
create mode 100644 http/osint/phishing/gumroad-phish.yaml create mode 100644 http/osint/phishing/hbo-max-phish.yaml create mode 100644 http/osint/phishing/heroku-phish.yaml create mode 100644 http/osint/phishing/hsbc-phish.yaml create mode 100644 http/osint/phishing/humble-bundle-phish.yaml create mode 100644 http/osint/phishing/icbc-phish.yaml create mode 100644 http/osint/phishing/ing-phish.yaml create mode 100644 http/osint/phishing/instacart-phish.yaml create mode 100644 http/osint/phishing/irs-phish.yaml create mode 100644 http/osint/phishing/itch-io-phish.yaml create mode 100644 http/osint/phishing/league-of-legends-phish.yaml create mode 100644 http/osint/phishing/line-phish.yaml create mode 100644 http/osint/phishing/loaded-phish.yaml create mode 100644 http/osint/phishing/monzo-phish.yaml create mode 100644 http/osint/phishing/mt-bank-phish.yaml create mode 100644 http/osint/phishing/n26-phish.yaml create mode 100644 http/osint/phishing/nab-phish.yaml create mode 100644 http/osint/phishing/natwest-phish.yaml create mode 100644 http/osint/phishing/newegg-phish.yaml create mode 100644 http/osint/phishing/nintendo-phish.yaml create mode 100644 http/osint/phishing/ocbc-phish.yaml create mode 100644 http/osint/phishing/okta-phish.yaml create mode 100644 http/osint/phishing/origin-phish.yaml create mode 100644 http/osint/phishing/pandora-phish.yaml create mode 100644 http/osint/phishing/patreon-phish.yaml create mode 100644 http/osint/phishing/philo-phish.yaml create mode 100644 http/osint/phishing/playstation-phish.yaml create mode 100644 http/osint/phishing/pnc-bank-phish.yaml create mode 100644 http/osint/phishing/puma-phish.yaml create mode 100644 http/osint/phishing/riot-games-phish.yaml create mode 100644 http/osint/phishing/rite-aid-phish.yaml create mode 100644 http/osint/phishing/robinhood-phish.yaml create mode 100644 http/osint/phishing/rockauto-phish.yaml create mode 100644 http/osint/phishing/salesforce-phish.yaml create mode 100644 
http/osint/phishing/sams-club-phish.yaml create mode 100644 http/osint/phishing/santander-phish.yaml create mode 100644 http/osint/phishing/shopify-phish.yaml create mode 100644 http/osint/phishing/shutterfly-phish.yaml create mode 100644 http/osint/phishing/sling-phish.yaml create mode 100644 http/osint/phishing/snapfish-phish.yaml create mode 100644 http/osint/phishing/societe-generale-phish.yaml create mode 100644 http/osint/phishing/square-phish.yaml create mode 100644 http/osint/phishing/stripe-phish.yaml create mode 100644 http/osint/phishing/teepublic-phish.yaml create mode 100644 http/osint/phishing/trello-phish.yaml create mode 100644 http/osint/phishing/truist-phish.yaml create mode 100644 http/osint/phishing/ubs-phish.yaml create mode 100644 http/osint/phishing/under-armour-phish.yaml create mode 100644 http/osint/phishing/uplay-phish.yaml create mode 100644 http/osint/phishing/us-bank-phish.yaml create mode 100644 http/osint/phishing/usps-phish.yaml create mode 100644 http/osint/phishing/valorant-phish.yaml create mode 100644 http/osint/phishing/walgreens-phish.yaml create mode 100644 http/osint/phishing/wells-fargo-phish.yaml create mode 100644 http/osint/phishing/westpac-phish.yaml create mode 100644 http/osint/phishing/wise-phish.yaml create mode 100644 http/osint/phishing/zazzle-phish.yaml create mode 100644 http/osint/phishing/zelle-phish.yaml diff --git a/http/osint/phishing/green-man-gaming-phish.yaml b/http/osint/phishing/green-man-gaming-phish.yaml new file mode 100644 index 00000000000..b19ec724851 --- /dev/null +++ b/http/osint/phishing/green-man-gaming-phish.yaml 
@@ -0,0 +1,34 @@
+id: green-man-gaming-phish
+
+info:
+ name: Green Man Gaming phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Green Man Gaming phishing website was detected
+ reference:
+ - https://greenmangaming.com
+ metadata:
+ max-request: 1
+ tags: phishing,green-man-gaming,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "Buy games & game keys with Green Man Gaming - get the best prices, awesome bundles & exclusive game deals daily! Visit to explore Green Man Gaming now!"
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"greenmangaming.com")'
diff --git a/http/osint/phishing/gumroad-phish.yaml b/http/osint/phishing/gumroad-phish.yaml
new file mode 100644
index 00000000000..4479ed2b9af
--- /dev/null
+++ b/http/osint/phishing/gumroad-phish.yaml
@@ -0,0 +1,34 @@
+id: gumroad-phish
+
+info:
+ name: Gumroad phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Gumroad phishing website was detected
+ reference:
+ - https://gumroad.com
+ metadata:
+ max-request: 1
+ tags: phishing,gumroad,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "Start selling what you know, see what sticks, and get paid. Simple and effective."
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"gumroad.com")'
diff --git a/http/osint/phishing/hbo-max-phish.yaml b/http/osint/phishing/hbo-max-phish.yaml
new file mode 100644
index 00000000000..ba213147321
--- /dev/null
+++ b/http/osint/phishing/hbo-max-phish.yaml
@@ -0,0 +1,34 @@
+id: hbo-max-phish
+
+info:
+ name: HBO Max phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ An HBO Max phishing website was detected
+ reference:
+ - https://hbomax.com
+ metadata:
+ max-request: 1
+ tags: phishing,hbo-max,streaming,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "Stream must-see series, hit movies, exclusive originals, family favorites, and live sports."
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"hbomax.com")'
diff --git a/http/osint/phishing/heroku-phish.yaml b/http/osint/phishing/heroku-phish.yaml
new file mode 100644
index 00000000000..f28877de7c7
--- /dev/null
+++ b/http/osint/phishing/heroku-phish.yaml
@@ -0,0 +1,34 @@
+id: heroku-phish
+
+info:
+ name: Heroku phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Heroku phishing website was detected
+ reference:
+ - https://heroku.com
+ metadata:
+ max-request: 1
+ tags: phishing,heroku,cloud,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "Heroku is an AI platform as a service (AI PaaS) that enables developers to build, run, and scale applications entirely in the cloud."
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"heroku.com")'
diff --git a/http/osint/phishing/hsbc-phish.yaml b/http/osint/phishing/hsbc-phish.yaml
new file mode 100644
index 00000000000..524c8a85243
--- /dev/null
+++ b/http/osint/phishing/hsbc-phish.yaml
@@ -0,0 +1,34 @@
+id: hsbc-phish
+
+info:
+ name: HSBC phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ An HSBC phishing website was detected
+ reference:
+ - https://hsbc.com
+ metadata:
+ max-request: 1
+ tags: phishing,hsbc,bank,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "HSBC, one of the largest banking and financial services institutions in the world, serves millions of customers through its four global businesses."
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"hsbc.com")'
diff --git a/http/osint/phishing/humble-bundle-phish.yaml b/http/osint/phishing/humble-bundle-phish.yaml
new file mode 100644
index 00000000000..9c3e214af6b
--- /dev/null
+++ b/http/osint/phishing/humble-bundle-phish.yaml
@@ -0,0 +1,34 @@
+id: humble-bundle-phish
+
+info:
+ name: Humble Bundle phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Humble Bundle phishing website was detected
+ reference:
+ - https://humblebundle.com
+ metadata:
+ max-request: 1
+ tags: phishing,humble-bundle,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "Humble Bundle sells games, books, software, and more. Our mission is to support charity while providing awesome content to customers at great prices. Since 2010, Humble Bundle customers have given over $275,000,000 to charity."
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"humblebundle.com")'
diff --git a/http/osint/phishing/icbc-phish.yaml b/http/osint/phishing/icbc-phish.yaml
new file mode 100644
index 00000000000..752d64c1cea
--- /dev/null
+++ b/http/osint/phishing/icbc-phish.yaml
@@ -0,0 +1,34 @@
+id: icbc-phish
+
+info:
+ name: ICBC phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ An ICBC phishing website was detected
+ reference:
+ - https://icbc.com.cn
+ metadata:
+ max-request: 1
+ tags: phishing,icbc,bank,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "工商银行金融服务全面介绍,投资理财信息丰富全面,在线交易方便快捷,满足客户专业化、多元化、人性化的金融服务需求,打造集业务、信息、交易、购物、互动于一体综合性金融服务平台。"
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"icbc.com.cn")'
diff --git a/http/osint/phishing/ing-phish.yaml b/http/osint/phishing/ing-phish.yaml
new file mode 100644
index 00000000000..68e32716a3c
--- /dev/null
+++ b/http/osint/phishing/ing-phish.yaml
@@ -0,0 +1,34 @@
+id: ing-phish
+
+info:
+ name: ING phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ An ING phishing website was detected
+ reference:
+ - https://ing.com
+ metadata:
+ max-request: 1
+ tags: phishing,ing,bank,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "Corporate site of ING, a global financial institution of Dutch origin, providing news, investor relations and general information"
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"ing.com")'
diff --git a/http/osint/phishing/instacart-phish.yaml b/http/osint/phishing/instacart-phish.yaml
new file mode 100644
index 00000000000..58dcd95f409
--- /dev/null
+++ b/http/osint/phishing/instacart-phish.yaml
@@ -0,0 +1,34 @@
+id: instacart-phish
+
+info:
+ name: Instacart phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ An Instacart phishing website was detected
+ reference:
+ - https://instacart.com
+ metadata:
+ max-request: 1
+ tags: phishing,instacart,food-delivery,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "Instacart | Grocery Delivery or Pickup from Local Stores Near You"
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"instacart.com")'
diff --git a/http/osint/phishing/irs-phish.yaml b/http/osint/phishing/irs-phish.yaml
new file mode 100644
index 00000000000..12fbc0d726e
--- /dev/null
+++ b/http/osint/phishing/irs-phish.yaml
@@ -0,0 +1,34 @@
+id: irs-phish
+
+info:
+ name: IRS phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ An IRS phishing website was detected
+ reference:
+ - https://irs.gov
+ metadata:
+ max-request: 1
+ tags: phishing,irs,government,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "Pay your taxes. Get your refund status. Find IRS forms and answers to tax questions. We help you understand and meet your federal tax responsibilities."
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"irs.gov")'
diff --git a/http/osint/phishing/itch-io-phish.yaml b/http/osint/phishing/itch-io-phish.yaml
new file mode 100644
index 00000000000..6dc71a7d701
--- /dev/null
+++ b/http/osint/phishing/itch-io-phish.yaml
@@ -0,0 +1,34 @@
+id: itch-io-phish
+
+info:
+ name: itch.io phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ An itch.io phishing website was detected
+ reference:
+ - https://itch.io
+ metadata:
+ max-request: 1
+ tags: phishing,itch-io,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "itch.io is a simple way to find, download and distribute indie games online. Whether you're a developer looking to upload your game or just someone looking for something new to play itch.io has you covered."
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"itch.io")'
diff --git a/http/osint/phishing/league-of-legends-phish.yaml b/http/osint/phishing/league-of-legends-phish.yaml
new file mode 100644
index 00000000000..e051361d83b
--- /dev/null
+++ b/http/osint/phishing/league-of-legends-phish.yaml
@@ -0,0 +1,35 @@
+id: league-of-legends-phish
+
+info:
+ name: League of Legends phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A League of Legends phishing website was detected
+ reference:
+ - https://leagueoflegends.com
+ metadata:
+ max-request: 1
+ tags: phishing,league-of-legends,riot-games,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "League of Legends is a team-based game with over 140 champions to make epic plays with. Play now for free."
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"leagueoflegends.com")'
+ - '!contains(host,"riotgames.com")'
diff --git a/http/osint/phishing/line-phish.yaml b/http/osint/phishing/line-phish.yaml
new file mode 100644
index 00000000000..fda462c3eff
--- /dev/null
+++ b/http/osint/phishing/line-phish.yaml
@@ -0,0 +1,34 @@
+id: line-phish
+
+info:
+ name: LINE phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A LINE phishing website was detected
+ reference:
+ - https://line.me
+ metadata:
+ max-request: 1
+ tags: phishing,line,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "メッセンジャーアプリを超え、新しいコミュニケーションの形を目指して、新時代のインフラ体験をLINEはひとりひとりに届けていきます。"
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"line.me")'
diff --git a/http/osint/phishing/loaded-phish.yaml b/http/osint/phishing/loaded-phish.yaml
new file mode 100644
index 00000000000..6b79a9ea8af
--- /dev/null
+++ b/http/osint/phishing/loaded-phish.yaml
@@ -0,0 +1,35 @@
+id: loaded-phish
+
+info:
+ name: Loaded phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Loaded phishing website was detected
+ reference:
+ - https://loaded.com
+ metadata:
+ max-request: 1
+ tags: phishing,loaded,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "Enjoy instant delivery, exclusive discounts, and the same unbeatable prices on PC, Xbox, PlayStation & Nintendo."
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"cdkeys.com")'
+ - '!contains(host,"loaded.com")'
diff --git a/http/osint/phishing/monzo-phish.yaml b/http/osint/phishing/monzo-phish.yaml
new file mode 100644
index 00000000000..dee284194c6
--- /dev/null
+++ b/http/osint/phishing/monzo-phish.yaml
@@ -0,0 +1,34 @@
+id: monzo-phish
+
+info:
+ name: Monzo phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Monzo phishing website was detected
+ reference:
+ - https://monzo.com
+ metadata:
+ max-request: 1
+ tags: phishing,monzo,fintech,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "Organise, save & invest with a free UK current account, joint account or business account. Make your money more Monzo."
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"monzo.com")'
diff --git a/http/osint/phishing/mt-bank-phish.yaml b/http/osint/phishing/mt-bank-phish.yaml
new file mode 100644
index 00000000000..4549c5b2b56
--- /dev/null
+++ b/http/osint/phishing/mt-bank-phish.yaml
@@ -0,0 +1,34 @@
+id: mt-bank-phish
+
+info:
+ name: M&T Bank phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ An M&T Bank phishing website was detected
+ reference:
+ - https://mtb.com
+ metadata:
+ max-request: 1
+ tags: phishing,mt-bank,bank,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "With a community bank approach, M&T Bank helps people reach their personal and business goals with banking, mortgage, loan and investment services."
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"mtb.com")'
diff --git a/http/osint/phishing/n26-phish.yaml b/http/osint/phishing/n26-phish.yaml
new file mode 100644
index 00000000000..5fb461dfb45
--- /dev/null
+++ b/http/osint/phishing/n26-phish.yaml
@@ -0,0 +1,34 @@
+id: n26-phish
+
+info:
+ name: N26 phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ An N26 phishing website was detected
+ reference:
+ - https://n26.com
+ metadata:
+ max-request: 1
+ tags: phishing,n26,fintech,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "It is with sincere gratitude and appreciation of everything we built together, that we made the tough decision to sharpen our focus on our European business."
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"n26.com")'
diff --git a/http/osint/phishing/nab-phish.yaml b/http/osint/phishing/nab-phish.yaml
new file mode 100644
index 00000000000..c7660745aea
--- /dev/null
+++ b/http/osint/phishing/nab-phish.yaml
@@ -0,0 +1,34 @@
+id: nab-phish
+
+info:
+ name: NAB phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A NAB phishing website was detected
+ reference:
+ - https://nab.com.au
+ metadata:
+ max-request: 1
+ tags: phishing,nab,bank,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "NAB personal banking services include online banking, bank accounts, credit cards, home loans and personal loans. We’re here to help you with more than money."
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"nab.com.au")'
diff --git a/http/osint/phishing/natwest-phish.yaml b/http/osint/phishing/natwest-phish.yaml
new file mode 100644
index 00000000000..bc088c9a5cd
--- /dev/null
+++ b/http/osint/phishing/natwest-phish.yaml
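Review bot: The sentence matched in n26-phish is an announcement about narrowing the business to Europe and does not contain the brand name, so it reads like text captured from a temporary notice rather than from the N26 home or sign-in page. It will stop matching once the notice is removed, and a page that imitates the login form is unlikely to carry it. Match a stable, brand-bearing string from the page title instead and record its source in a comment, e.g. `# title of https://n26.com, captured <date>`.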
@@ -0,0 +1,34 @@
+id: natwest-phish
+
+info:
+ name: NatWest phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A NatWest phishing website was detected
+ reference:
+ - https://natwest.com
+ metadata:
+ max-request: 1
+ tags: phishing,natwest,bank,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "Welcome to NatWest. Our extensive personal banking products include bank accounts, mortgages, credit cards, loans and more. Visit today to see how we can serve you."
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"natwest.com")'
diff --git a/http/osint/phishing/newegg-phish.yaml b/http/osint/phishing/newegg-phish.yaml
new file mode 100644
index 00000000000..38dd64052d1
--- /dev/null
+++ b/http/osint/phishing/newegg-phish.yaml
@@ -0,0 +1,34 @@
+id: newegg-phish
+
+info:
+ name: Newegg phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Newegg phishing website was detected
+ reference:
+ - https://newegg.com
+ metadata:
+ max-request: 1
+ tags: phishing,newegg,ecommerce,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "Shop Newegg today for all of your gaming, PC & technology needs. Don’t miss today’s best electronics deals with fast shipping & great customer service!"
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"newegg.com")'
diff --git a/http/osint/phishing/nintendo-phish.yaml b/http/osint/phishing/nintendo-phish.yaml
new file mode 100644
index 00000000000..1c00358a237
--- /dev/null
+++ b/http/osint/phishing/nintendo-phish.yaml
@@ -0,0 +1,34 @@ +id: nintendo-phish + +info: + name: Nintendo phishing Detection + author: rxerium + severity: info + description: | + A Nintendo phishing website was detected + reference: + - https://nintendo.com + metadata: + max-request: 1 + tags: phishing,nintendo,osint,discovery +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + words: + - "Visit the official Nintendo site to shop for Nintendo Switch™ systems and video games, read the latest news, find fun gear and gifts with a Nintendo twist, and much more." + + - type: status + status: + - 200 + + - type: dsl + dsl: + - '!contains(host,"nintendo.com")' diff --git a/http/osint/phishing/ocbc-phish.yaml b/http/osint/phishing/ocbc-phish.yaml new file mode 100644 index 00000000000..fa6209612d5 --- /dev/null +++ b/http/osint/phishing/ocbc-phish.yaml @@ -0,0 +1,34 @@ +id: ocbc-phish + +info: + name: OCBC Bank phishing Detection + author: rxerium + severity: info + description: | + An OCBC Bank phishing website was detected + reference: + - https://ocbc.com + metadata: + max-request: 1 + tags: phishing,ocbc,bank,osint,discovery +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + words: + - "Discover a world of financial services with OCBC, the best trusted and established Singapore bank. Explore our range of banking solutions today." + + - type: status + status: + - 200 + + - type: dsl + dsl: + - '!contains(host,"ocbc.com")' diff --git a/http/osint/phishing/okta-phish.yaml b/http/osint/phishing/okta-phish.yaml new file mode 100644 index 00000000000..61b4adea6cd --- /dev/null +++ b/http/osint/phishing/okta-phish.yaml 
@@ -0,0 +1,34 @@ +id: okta-phish + +info: + name: Okta phishing Detection + author: rxerium + severity: info + description: | + An Okta phishing website was detected + reference: + - https://okta.com + metadata: + max-request: 1 + tags: phishing,okta,sso,osint,discovery +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + words: + - "The Okta and Auth0 Platforms enable secure access, authentication, and automation — putting Identity at the heart of business security and growth." + + - type: status + status: + - 200 + + - type: dsl + dsl: + - '!contains(host,"okta.com")' diff --git a/http/osint/phishing/origin-phish.yaml b/http/osint/phishing/origin-phish.yaml new file mode 100644 index 00000000000..489b6d19102 --- /dev/null +++ b/http/osint/phishing/origin-phish.yaml @@ -0,0 +1,34 @@ +id: origin-phish + +info: + name: Origin phishing Detection + author: rxerium + severity: info + description: | + An Origin phishing website was detected + reference: + - https://origin.com + metadata: + max-request: 1 + tags: phishing,origin,osint,discovery +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + words: + - "Explore PC video games available for download right now. Electronic Arts is a leading publisher of games for the PC, consoles, and mobile." + + - type: status + status: + - 200 + + - type: dsl + dsl: + - '!contains(host,"origin.com")' diff --git a/http/osint/phishing/pandora-phish.yaml b/http/osint/phishing/pandora-phish.yaml new file mode 100644 index 00000000000..7c0b81d38ec --- /dev/null +++ b/http/osint/phishing/pandora-phish.yaml 
@@ -0,0 +1,34 @@ +id: pandora-phish + +info: + name: Pandora phishing Detection + author: rxerium + severity: info + description: | + A Pandora phishing website was detected + reference: + - https://pandora.com + metadata: + max-request: 1 + tags: phishing,pandora,streaming,osint,discovery +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + words: + - "Play the songs, albums, playlists and podcasts you love on the all-new Pandora. Sign up for a subscription plan to stream ad-free and on-demand. Listen on your mobile phone, desktop, TV, smart speakers or in the car." + + - type: status + status: + - 200 + + - type: dsl + dsl: + - '!contains(host,"pandora.com")' diff --git a/http/osint/phishing/patreon-phish.yaml b/http/osint/phishing/patreon-phish.yaml new file mode 100644 index 00000000000..7f1c7ee46d5 --- /dev/null +++ b/http/osint/phishing/patreon-phish.yaml @@ -0,0 +1,34 @@ +id: patreon-phish + +info: + name: Patreon phishing Detection + author: rxerium + severity: info + description: | + A Patreon phishing website was detected + reference: + - https://patreon.com + metadata: + max-request: 1 + tags: phishing,patreon,osint,discovery +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + words: + - "Patreon is the best place to build community with your biggest fans, share exclusive work, and turn your passion into a lasting creative business." + + - type: status + status: + - 200 + + - type: dsl + dsl: + - '!contains(host,"patreon.com")' diff --git a/http/osint/phishing/philo-phish.yaml b/http/osint/phishing/philo-phish.yaml new file mode 100644 index 00000000000..3ac451fe02d --- /dev/null +++ b/http/osint/phishing/philo-phish.yaml 
@@ -0,0 +1,34 @@ +id: philo-phish + +info: + name: Philo phishing Detection + author: rxerium + severity: info + description: | + A Philo phishing website was detected + reference: + - https://philo.com + metadata: + max-request: 1 + tags: phishing,philo,streaming,osint,discovery +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + words: + - "Why pay more for TV? Philo offers live TV and on-demand content for just $33/month. Stream your favorite shows, movies, and more across all your devices." + + - type: status + status: + - 200 + + - type: dsl + dsl: + - '!contains(host,"philo.com")' diff --git a/http/osint/phishing/playstation-phish.yaml b/http/osint/phishing/playstation-phish.yaml new file mode 100644 index 00000000000..76d8f1330e8 --- /dev/null +++ b/http/osint/phishing/playstation-phish.yaml @@ -0,0 +1,34 @@ +id: playstation-phish + +info: + name: PlayStation phishing Detection + author: rxerium + severity: info + description: | + A PlayStation phishing website was detected + reference: + - https://playstation.com + metadata: + max-request: 1 + tags: phishing,playstation,sony,osint,discovery +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + words: + - "Explore the new generation PlayStation 4 and PS5 consoles - experience immersive gaming with thousands of hit games in every genre to rewrite the rules for what a PlayStation console can do." + + - type: status + status: + - 200 + + - type: dsl + dsl: + - '!contains(host,"playstation.com")' diff --git a/http/osint/phishing/pnc-bank-phish.yaml b/http/osint/phishing/pnc-bank-phish.yaml new file mode 100644 index 00000000000..31e0e4bfebc --- /dev/null +++ b/http/osint/phishing/pnc-bank-phish.yaml 
@@ -0,0 +1,34 @@ +id: pnc-bank-phish + +info: + name: PNC Bank phishing Detection + author: rxerium + severity: info + description: | + A PNC Bank phishing website was detected + reference: + - https://pnc.com + metadata: + max-request: 1 + tags: phishing,pnc-bank,bank,osint,discovery +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + words: + - "PNC Bank offers a wide range of personal banking services including checking and savings accounts, credit cards, mortgage loans, auto loans and much more." + + - type: status + status: + - 200 + + - type: dsl + dsl: + - '!contains(host,"pnc.com")' diff --git a/http/osint/phishing/puma-phish.yaml b/http/osint/phishing/puma-phish.yaml new file mode 100644 index 00000000000..d63b4193916 --- /dev/null +++ b/http/osint/phishing/puma-phish.yaml @@ -0,0 +1,34 @@ +id: puma-phish + +info: + name: Puma phishing Detection + author: rxerium + severity: info + description: | + A Puma phishing website was detected + reference: + - https://puma.com + metadata: + max-request: 1 + tags: phishing,puma,ecommerce,osint,discovery +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + words: + - "Run The Streets. Do You. Research and shop all the latest gear from the world of Fashion, Sport, and everywhere in between." + + - type: status + status: + - 200 + + - type: dsl + dsl: + - '!contains(host,"puma.com")' diff --git a/http/osint/phishing/riot-games-phish.yaml b/http/osint/phishing/riot-games-phish.yaml new file mode 100644 index 00000000000..9243a956bf1 --- /dev/null +++ b/http/osint/phishing/riot-games-phish.yaml 
@@ -0,0 +1,34 @@ +id: riot-games-phish + +info: + name: Riot Games phishing Detection + author: rxerium + severity: info + description: | + A Riot Games phishing website was detected + reference: + - https://riotgames.com + metadata: + max-request: 1 + tags: phishing,riot-games,osint,discovery +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + words: + - "Riot Games. Developer of League of Legends, VALORANT, Teamfight Tactics, Legends of Runeterra, and Wild Rift. Creators of Arcane. Home of LOL and VALORANT Esports." + + - type: status + status: + - 200 + + - type: dsl + dsl: + - '!contains(host,"riotgames.com")' diff --git a/http/osint/phishing/rite-aid-phish.yaml b/http/osint/phishing/rite-aid-phish.yaml new file mode 100644 index 00000000000..0e867db6863 --- /dev/null +++ b/http/osint/phishing/rite-aid-phish.yaml @@ -0,0 +1,34 @@ +id: rite-aid-phish + +info: + name: Rite Aid phishing Detection + author: rxerium + severity: info + description: | + A Rite Aid phishing website was detected + reference: + - https://riteaid.com + metadata: + max-request: 1 + tags: phishing,rite-aid,ecommerce,osint,discovery +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + words: + - "Rite Aid pharmacy offers products and services to help you lead a healthy, happy life. Visit our online pharmacy, shop now, or find a store near you." + + - type: status + status: + - 200 + + - type: dsl + dsl: + - '!contains(host,"riteaid.com")' diff --git a/http/osint/phishing/robinhood-phish.yaml b/http/osint/phishing/robinhood-phish.yaml new file mode 100644 index 00000000000..8bcaf5e7c94 --- /dev/null +++ b/http/osint/phishing/robinhood-phish.yaml 
@@ -0,0 +1,34 @@ +id: robinhood-phish + +info: + name: Robinhood phishing Detection + author: rxerium + severity: info + description: | + A Robinhood phishing website was detected + reference: + - https://robinhood.com + metadata: + max-request: 1 + tags: phishing,robinhood,trading,osint,discovery +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + words: + - "Robinhood: 24/5 Commission-Free Stock Trading & Investing" + + - type: status + status: + - 200 + + - type: dsl + dsl: + - '!contains(host,"robinhood.com")' diff --git a/http/osint/phishing/rockauto-phish.yaml b/http/osint/phishing/rockauto-phish.yaml new file mode 100644 index 00000000000..b2b1e70b02c --- /dev/null +++ b/http/osint/phishing/rockauto-phish.yaml @@ -0,0 +1,34 @@ +id: rockauto-phish + +info: + name: RockAuto phishing Detection + author: rxerium + severity: info + description: | + A RockAuto phishing website was detected + reference: + - https://rockauto.com + metadata: + max-request: 1 + tags: phishing,rockauto,ecommerce,osint,discovery +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + words: + - "Auto Parts for Your Vehicle at Reliably Low Prices. Fast Online Catalog. DIY-Easy. Your Choice of Quality. Full Manufacturer Warranty." + + - type: status + status: + - 200 + + - type: dsl + dsl: + - '!contains(host,"rockauto.com")' diff --git a/http/osint/phishing/salesforce-phish.yaml b/http/osint/phishing/salesforce-phish.yaml new file mode 100644 index 00000000000..7bafdfa163b --- /dev/null +++ b/http/osint/phishing/salesforce-phish.yaml 
@@ -0,0 +1,34 @@ +id: salesforce-phish + +info: + name: Salesforce phishing Detection + author: rxerium + severity: info + description: | + A Salesforce phishing website was detected + reference: + - https://salesforce.com + metadata: + max-request: 1 + tags: phishing,salesforce,crm,osint,discovery +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + words: + - "Salesforce is the #1 AI CRM, helping companies become Agentic Enterprises where humans and agents drive success together through a unified AI, data, and Customer 360 platform." + + - type: status + status: + - 200 + + - type: dsl + dsl: + - '!contains(host,"salesforce.com")' diff --git a/http/osint/phishing/sams-club-phish.yaml b/http/osint/phishing/sams-club-phish.yaml new file mode 100644 index 00000000000..3b4d256385e --- /dev/null +++ b/http/osint/phishing/sams-club-phish.yaml @@ -0,0 +1,34 @@ +id: sams-club-phish + +info: + name: Sam's Club phishing Detection + author: rxerium + severity: info + description: | + A Sam's Club phishing website was detected + reference: + - https://samsclub.com + metadata: + max-request: 1 + tags: phishing,sams-club,ecommerce,osint,discovery +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + words: + - "Shop Samsclub.com today for Every Day Low Prices. Join Sam's Club as a Plus Member and get free same-day or next-day delivery from your club & free shipping on eligible items totaling $50 or more." + + - type: status + status: + - 200 + + - type: dsl + dsl: + - '!contains(host,"samsclub.com")' diff --git a/http/osint/phishing/santander-phish.yaml b/http/osint/phishing/santander-phish.yaml new file mode 100644 index 00000000000..e3a4b737fdf --- /dev/null +++ b/http/osint/phishing/santander-phish.yaml 
@@ -0,0 +1,34 @@ +id: santander-phish + +info: + name: Santander Bank phishing Detection + author: rxerium + severity: info + description: | + A Santander Bank phishing website was detected + reference: + - https://santander.com + metadata: + max-request: 1 + tags: phishing,santander,bank,osint,discovery +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + words: + - "Our purpose is to help people and businesses prosper. We strive to make all we do Simple, Personal and Fair." + + - type: status + status: + - 200 + + - type: dsl + dsl: + - '!contains(host,"santander.com")' diff --git a/http/osint/phishing/shopify-phish.yaml b/http/osint/phishing/shopify-phish.yaml new file mode 100644 index 00000000000..6ae9edf1a35 --- /dev/null +++ b/http/osint/phishing/shopify-phish.yaml @@ -0,0 +1,37 @@ +id: shopify-phish + +info: + name: Shopify phishing Detection + author: rxerium + severity: info + description: | + A Shopify phishing website was detected + reference: + - https://shopify.com + metadata: + max-request: 1 + tags: phishing,shopify,ecommerce,osint,discovery +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + words: + - "Try Shopify free and start a business or grow an existing one. Get more than ecommerce software with tools to manage every part of your business." + - 'Start your free trial' + condition: or + + - type: status + status: + - 200 + + - type: dsl + dsl: + - '!contains(host,"shopify.com")' + - '!contains(host,"myshopify.com")' diff --git a/http/osint/phishing/shutterfly-phish.yaml b/http/osint/phishing/shutterfly-phish.yaml new file mode 100644 index 00000000000..9148e8beb4c --- /dev/null +++ b/http/osint/phishing/shutterfly-phish.yaml 
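Review bot: In shopify-phish.yaml the `dsl` matcher lists two negated expressions with no `condition:`, and Nuclei combines multiple entries of one matcher with `or` by default, so the matcher passes whenever either substring is absent. On the real `shopify.com`, `!contains(host,"myshopify.com")` is true, so the legitimate site satisfies the host check and is reported as phishing. Add `condition: and` under the two `dsl` lines, or fold them into one expression: `- '!contains(host,"shopify.com") && !contains(host,"myshopify.com")'`. square-phish.yaml (`squareup.com` / `square.com`) and valorant-phish.yaml (`playvalorant.com` / `riotgames.com`) have the same two-line form and the same false positive on their own official hosts.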
@@ -0,0 +1,34 @@ +id: shutterfly-phish + +info: + name: Shutterfly phishing Detection + author: rxerium + severity: info + description: | + A Shutterfly phishing website was detected + reference: + - https://shutterfly.com + metadata: + max-request: 1 + tags: phishing,shutterfly,osint,discovery +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + words: + - "Create photo books, personalize photo cards & stationery, and share photos with family and friends at Shutterfly.com." + + - type: status + status: + - 200 + + - type: dsl + dsl: + - '!contains(host,"shutterfly.com")' diff --git a/http/osint/phishing/sling-phish.yaml b/http/osint/phishing/sling-phish.yaml new file mode 100644 index 00000000000..b85ce7e334d --- /dev/null +++ b/http/osint/phishing/sling-phish.yaml @@ -0,0 +1,34 @@ +id: sling-phish + +info: + name: Sling TV phishing Detection + author: rxerium + severity: info + description: | + A Sling TV phishing website was detected + reference: + - https://sling.com + metadata: + max-request: 1 + tags: phishing,sling,streaming,osint,discovery +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + words: + - "Ditch cable & stream live TV for the best price with Sling. Watch live news, sports, movies, and entertainment + top channels like ESPN, TNT, TBS and more." + + - type: status + status: + - 200 + + - type: dsl + dsl: + - '!contains(host,"sling.com")' diff --git a/http/osint/phishing/snapfish-phish.yaml b/http/osint/phishing/snapfish-phish.yaml new file mode 100644 index 00000000000..f2a53edc3b7 --- /dev/null +++ b/http/osint/phishing/snapfish-phish.yaml 
@@ -0,0 +1,34 @@ +id: snapfish-phish + +info: + name: Snapfish phishing Detection + author: rxerium + severity: info + description: | + A Snapfish phishing website was detected + reference: + - https://snapfish.com + metadata: + max-request: 1 + tags: phishing,snapfish,osint,discovery +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + words: + - "Design and send the best personalized gifts, cards, home decor, photo books, and prints with Snapfish." + + - type: status + status: + - 200 + + - type: dsl + dsl: + - '!contains(host,"snapfish.com")' diff --git a/http/osint/phishing/societe-generale-phish.yaml b/http/osint/phishing/societe-generale-phish.yaml new file mode 100644 index 00000000000..14808a1a8cd --- /dev/null +++ b/http/osint/phishing/societe-generale-phish.yaml @@ -0,0 +1,34 @@ +id: societe-generale-phish + +info: + name: Société Générale phishing Detection + author: rxerium + severity: info + description: | + A Société Générale phishing website was detected + reference: + - https://societegenerale.com + metadata: + max-request: 1 + tags: phishing,societe-generale,bank,osint,discovery +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + words: + - "Un leader européen des services financiers depuis plus de 150 ans, Société Générale s’appuie sur trois métiers complémentaires, la Banque de détail en France, la Banque de détail et Services Financiers Internationaux et la Banque de Grande Clientèle et Solutions Investisseurs." + + - type: status + status: + - 200 + + - type: dsl + dsl: + - '!contains(host,"societegenerale.com")' diff --git a/http/osint/phishing/square-phish.yaml b/http/osint/phishing/square-phish.yaml new file mode 100644 index 00000000000..bf50122b656 --- /dev/null +++ b/http/osint/phishing/square-phish.yaml 
@@ -0,0 +1,37 @@ +id: square-phish + +info: + name: Square phishing Detection + author: rxerium + severity: info + description: | + A Square phishing website was detected + reference: + - https://squareup.com + metadata: + max-request: 1 + tags: phishing,square,payment,osint,discovery +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + words: + - "Sell anywhere. Diversify revenue streams. Streamline operations. Manage your staff. Get paid faster. Sign up for Square today." + - 'Square Dashboard' + condition: or + + - type: status + status: + - 200 + + - type: dsl + dsl: + - '!contains(host,"squareup.com")' + - '!contains(host,"square.com")' diff --git a/http/osint/phishing/steam-phish.yaml b/http/osint/phishing/steam-phish.yaml index 2cd9b77561e..42639b7d48e 100644 --- a/http/osint/phishing/steam-phish.yaml +++ b/http/osint/phishing/steam-phish.yaml @@ -23,9 +23,7 @@ http: matchers: - type: word words: - - 'Welcome to Steam' - - 'Steam is the ultimate destination for playing, discussing, and creating games.' - condition: and + - "The Steam Winter Sale is on now — find great deals on thousands of games! Plus cast your votes in the 2025 Steam Awards." - type: status diff --git a/http/osint/phishing/stripe-phish.yaml b/http/osint/phishing/stripe-phish.yaml new file mode 100644 index 00000000000..eb964c4eed2 --- /dev/null +++ b/http/osint/phishing/stripe-phish.yaml 
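Review bot: The steam-phish.yaml hunk replaces two long-lived page strings with a seasonal banner ("The Steam Winter Sale is on now … 2025 Steam Awards"). The template will then only match clones captured during that promotion and will silently stop detecting anything once the text rotates. Keeping a stable phrase alongside it preserves coverage, e.g. retain `- 'Steam is the ultimate destination for playing, discussing, and creating games.'` next to the new line with `condition: or`. The rest of the matcher block lies outside this hunk, so the status and host matchers could not be checked here. teepublic-phish.yaml ("BFCM Deals Up to 40% Off!") and philo-phish.yaml ("$33/month") key on similarly time-limited text.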
@@ -0,0 +1,36 @@ +id: stripe-phish + +info: + name: Stripe phishing Detection + author: rxerium + severity: info + description: | + A Stripe phishing website was detected + reference: + - https://stripe.com + metadata: + max-request: 1 + tags: phishing,stripe,payment,osint,discovery +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + words: + - "Stripe is a suite of APIs powering online payment processing and commerce solutions for internet businesses of all sizes. Accept payments and scale faster with AI." + - 'Stripe Dashboard' + condition: or + + - type: status + status: + - 200 + + - type: dsl + dsl: + - '!contains(host,"stripe.com")' diff --git a/http/osint/phishing/teepublic-phish.yaml b/http/osint/phishing/teepublic-phish.yaml new file mode 100644 index 00000000000..04840066733 --- /dev/null +++ b/http/osint/phishing/teepublic-phish.yaml @@ -0,0 +1,34 @@ +id: teepublic-phish + +info: + name: TeePublic phishing Detection + author: rxerium + severity: info + description: | + A TeePublic phishing website was detected + reference: + - https://teepublic.com + metadata: + max-request: 1 + tags: phishing,teepublic,osint,discovery +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + words: + - "Artist-Made Apparel and Other Gift Ideas. BFCM Deals Up to 40% Off! | TeePublic" + + - type: status + status: + - 200 + + - type: dsl + dsl: + - '!contains(host,"teepublic.com")' diff --git a/http/osint/phishing/trello-phish.yaml b/http/osint/phishing/trello-phish.yaml new file mode 100644 index 00000000000..c2d778725c5 --- /dev/null +++ b/http/osint/phishing/trello-phish.yaml 
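Review bot: In stripe-phish.yaml the word matcher accepts `'Stripe Dashboard'` as an alternative under `condition: or`, and that short phrase is likely to appear on third-party documentation, integration guides and blog posts. Since the only other gates are status 200 and the host exclusion, any such page would be reported as a Stripe phishing site and dilute the real findings. Either drop the short alternative and its `condition: or`, or require it together with a second, page-specific string in a separate `word` matcher. The same applies to `'Square Dashboard'` in square-phish.yaml, `'Start your free trial'` in shopify-phish.yaml and `'Send money with Zelle'` in zelle-phish.yaml, the last of which presumably also appears on legitimate bank sites that describe the service.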
@@ -0,0 +1,34 @@ +id: trello-phish + +info: + name: Trello phishing Detection + author: rxerium + severity: info + description: | + A Trello phishing website was detected + reference: + - https://trello.com + metadata: + max-request: 1 + tags: phishing,trello,productivity,osint,discovery +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + words: + - "Make the impossible, possible with Trello. The ultimate tool to boost your productivity. Escape the clutter and chaos—stay efficient with Inbox, Boards, and Planner from anywhere, even on mobile." + + - type: status + status: + - 200 + + - type: dsl + dsl: + - '!contains(host,"trello.com")' diff --git a/http/osint/phishing/truist-phish.yaml b/http/osint/phishing/truist-phish.yaml new file mode 100644 index 00000000000..d6c229c3c9b --- /dev/null +++ b/http/osint/phishing/truist-phish.yaml @@ -0,0 +1,34 @@ +id: truist-phish + +info: + name: truist phishing Detection + author: rxerium + severity: info + description: | + A truist phishing website was detected + reference: + - https://www.truist.com/ + metadata: + max-request: 1 + tags: phishing,bbt,bank,osint,discovery +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + words: + - "Your journey to better banking starts with Truist. Checking and savings accounts, credit cards, mortgages, small business, commercial banking, and more." + + - type: status + status: + - 200 + + - type: dsl + dsl: + - '!contains(host,"truist.com")' diff --git a/http/osint/phishing/ubs-phish.yaml b/http/osint/phishing/ubs-phish.yaml new file mode 100644 index 00000000000..755cc49e314 --- /dev/null +++ b/http/osint/phishing/ubs-phish.yaml 
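Review bot: The metadata in truist-phish.yaml is inconsistent with the other templates in this patch: `name: truist phishing Detection` and the description write the brand in lowercase, and `tags:` carries `bbt` but not `truist`. Tag-based selection by brand slug, which works for every sibling template, would therefore skip this one. Suggested lines: `name: Truist phishing Detection`, `A Truist phishing website was detected`, and `tags: phishing,truist,bbt,bank,osint,discovery`.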
@@ -0,0 +1,34 @@ +id: ubs-phish + +info: + name: UBS phishing Detection + author: rxerium + severity: info + description: | + A UBS phishing website was detected + reference: + - https://ubs.com + metadata: + max-request: 1 + tags: phishing,ubs,bank,osint,discovery +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + words: + - "UBS is a global firm providing financial services in over 50 countries. Visit our site to find out what we offer." + + - type: status + status: + - 200 + + - type: dsl + dsl: + - '!contains(host,"ubs.com")' diff --git a/http/osint/phishing/under-armour-phish.yaml b/http/osint/phishing/under-armour-phish.yaml new file mode 100644 index 00000000000..6d4d3f5e5fc --- /dev/null +++ b/http/osint/phishing/under-armour-phish.yaml @@ -0,0 +1,34 @@ +id: under-armour-phish + +info: + name: Under Armour phishing Detection + author: rxerium + severity: info + description: | + An Under Armour phishing website was detected + reference: + - https://underarmour.com + metadata: + max-request: 1 + tags: phishing,under-armour,ecommerce,osint,discovery +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + words: + - "Under Armour builds game-changing sportswear, athletic shirts, shoes and more. FREE SHIPPING available and FREE returns on workout clothes, shoes, and gear." + + - type: status + status: + - 200 + + - type: dsl + dsl: + - '!contains(host,"underarmour.com")' diff --git a/http/osint/phishing/uplay-phish.yaml b/http/osint/phishing/uplay-phish.yaml new file mode 100644 index 00000000000..9eb296d35b1 --- /dev/null +++ b/http/osint/phishing/uplay-phish.yaml 
@@ -0,0 +1,34 @@ +id: uplay-phish + +info: + name: Uplay phishing Detection + author: rxerium + severity: info + description: | + A Uplay phishing website was detected + reference: + - https://ubisoft.com + metadata: + max-request: 1 + tags: phishing,uplay,ubisoft,osint,discovery +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + words: + - "Welcome to the official website for Ubisoft, creator of Assassin's Creed, Just Dance, Tom Clancy's video game series, Rayman, Far Cry, Watch Dogs and many others. Learn more about our breathtaking games here!" + + - type: status + status: + - 200 + + - type: dsl + dsl: + - '!contains(host,"ubisoft.com")' diff --git a/http/osint/phishing/us-bank-phish.yaml b/http/osint/phishing/us-bank-phish.yaml new file mode 100644 index 00000000000..1007f2365d8 --- /dev/null +++ b/http/osint/phishing/us-bank-phish.yaml @@ -0,0 +1,34 @@ +id: us-bank-phish + +info: + name: US Bank phishing Detection + author: rxerium + severity: info + description: | + A US Bank phishing website was detected + reference: + - https://usbank.com + metadata: + max-request: 1 + tags: phishing,us-bank,bank,osint,discovery +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + words: + - "Experience personalized banking services for your unique needs with U.S. Bank - Checking, credit cards, home loans & convenient online banking. Member FDIC." + + - type: status + status: + - 200 + + - type: dsl + dsl: + - '!contains(host,"usbank.com")' diff --git a/http/osint/phishing/usps-phish.yaml b/http/osint/phishing/usps-phish.yaml new file mode 100644 index 00000000000..c5c191d50c0 --- /dev/null +++ b/http/osint/phishing/usps-phish.yaml 
@@ -0,0 +1,34 @@ +id: usps-phish + +info: + name: USPS phishing Detection + author: rxerium + severity: info + description: | + A USPS phishing website was detected + reference: + - https://usps.com + metadata: + max-request: 1 + tags: phishing,usps,government,osint,discovery +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + words: + - "Welcome to USPS.com. Track packages, pay and print postage with Click-N-Ship, schedule free package pickups, look up ZIP Codes, calculate postage prices, and find everything you need for sending mail and shipping packages." + + - type: status + status: + - 200 + + - type: dsl + dsl: + - '!contains(host,"usps.com")' diff --git a/http/osint/phishing/valorant-phish.yaml b/http/osint/phishing/valorant-phish.yaml new file mode 100644 index 00000000000..6d096ded6ce --- /dev/null +++ b/http/osint/phishing/valorant-phish.yaml @@ -0,0 +1,35 @@ +id: valorant-phish + +info: + name: VALORANT phishing Detection + author: rxerium + severity: info + description: | + A VALORANT phishing website was detected + reference: + - https://playvalorant.com + metadata: + max-request: 1 + tags: phishing,valorant,riot-games,osint,discovery +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + words: + - "Riot Games presents VALORANT: a 5v5 character-based tactical FPS where precise gunplay meets unique agent abilities. Learn about VALORANT and its stylish cast" + + - type: status + status: + - 200 + + - type: dsl + dsl: + - '!contains(host,"playvalorant.com")' + - '!contains(host,"riotgames.com")' diff --git a/http/osint/phishing/walgreens-phish.yaml b/http/osint/phishing/walgreens-phish.yaml new file mode 100644 index 00000000000..509ce484d0f --- /dev/null +++ b/http/osint/phishing/walgreens-phish.yaml 
@@ -0,0 +1,34 @@ +id: walgreens-phish + +info: + name: Walgreens phishing Detection + author: rxerium + severity: info + description: | + A Walgreens phishing website was detected + reference: + - https://walgreens.com + metadata: + max-request: 1 + tags: phishing,walgreens,ecommerce,osint,discovery +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + words: + - "Your go-to for Pharmacy, Health & Wellness and Photo products. Refill prescriptions online, order items for delivery or store pickup, and create Photo Gifts." + + - type: status + status: + - 200 + + - type: dsl + dsl: + - '!contains(host,"walgreens.com")' diff --git a/http/osint/phishing/wells-fargo-phish.yaml b/http/osint/phishing/wells-fargo-phish.yaml new file mode 100644 index 00000000000..4bb43fe0d5a --- /dev/null +++ b/http/osint/phishing/wells-fargo-phish.yaml @@ -0,0 +1,34 @@ +id: wells-fargo-phish + +info: + name: Wells Fargo phishing Detection + author: rxerium + severity: info + description: | + A Wells Fargo phishing website was detected + reference: + - https://wellsfargo.com + metadata: + max-request: 1 + tags: phishing,wells-fargo,bank,osint,discovery +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + words: + - "Committed to the financial health of our customers and communities. Explore bank accounts, loans, mortgages, investing, credit cards & banking services»" + + - type: status + status: + - 200 + + - type: dsl + dsl: + - '!contains(host,"wellsfargo.com")' diff --git a/http/osint/phishing/westpac-phish.yaml b/http/osint/phishing/westpac-phish.yaml new file mode 100644 index 00000000000..d44ca474c9a --- /dev/null +++ b/http/osint/phishing/westpac-phish.yaml 
@@ -0,0 +1,34 @@
+id: westpac-phish
+
+info:
+ name: Westpac phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Westpac phishing website was detected
+ reference:
+ - https://westpac.com.au
+ metadata:
+ max-request: 1
+ tags: phishing,westpac,bank,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "From to-do to done, it takes a little Westpac. Westpac offers a range of smart solutions to support your personal, business and corporate banking needs."
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"westpac.com.au")'
diff --git a/http/osint/phishing/wise-phish.yaml b/http/osint/phishing/wise-phish.yaml
new file mode 100644
index 00000000000..6be9ac9dc23
--- /dev/null
+++ b/http/osint/phishing/wise-phish.yaml
@@ -0,0 +1,34 @@
+id: wise-phish
+
+info:
+ name: Wise phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Wise phishing website was detected
+ reference:
+ - https://wise.com
+ metadata:
+ max-request: 1
+ tags: phishing,wise,fintech,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "160+ countries, 40 currencies, one account. Save when you send, spend and manage your money internationally."
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"wise.com")'
diff --git a/http/osint/phishing/zazzle-phish.yaml b/http/osint/phishing/zazzle-phish.yaml
new file mode 100644
index 00000000000..449f93bc910
--- /dev/null
+++ b/http/osint/phishing/zazzle-phish.yaml
@@ -0,0 +1,34 @@
+id: zazzle-phish
+
+info:
+ name: Zazzle phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Zazzle phishing website was detected
+ reference:
+ - https://zazzle.com
+ metadata:
+ max-request: 1
+ tags: phishing,zazzle,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "Celebrate life’s moments with custom invitations, announcements, photo cards, and more. Discover unique gifts crafted by our community of Independent Creators."
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"zazzle.com")'
diff --git a/http/osint/phishing/zelle-phish.yaml b/http/osint/phishing/zelle-phish.yaml
new file mode 100644
index 00000000000..c5b4789c002
--- /dev/null
+++ b/http/osint/phishing/zelle-phish.yaml
@@ -0,0 +1,36 @@
+id: zelle-phish
+
+info:
+ name: Zelle phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Zelle phishing website was detected
+ reference:
+ - https://zellepay.com
+ metadata:
+ max-request: 1
+ tags: phishing,zelle,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "Zelle® is a direct and fast way to send and receive money with enrolled friends, family and others you trust. Look for Zelle® in your banking app to get started."
+ - 'Send money with Zelle'
+ condition: or
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"zellepay.com")'
From ecc414df013f7554ae1406a376af65e21838f158 Mon Sep 17 00:00:00 2001
From: rxerium <rishi@rxerium.com> Date: Mon, 5 Jan 2026 14:09:36 +0000 Subject: [PATCH 04/16] Add phishing templates from nike-phish to grubhub-phish --- http/osint/phishing/nike-phish.yaml | 36 +++++++++++++++++ http/osint/phishing/onlyfans-phish.yaml | 36 +++++++++++++++++ http/osint/phishing/oracle-cloud-phish.yaml | 35 +++++++++++++++++ http/osint/phishing/oreilly-phish.yaml | 36 +++++++++++++++++ http/osint/phishing/overstock-phish.yaml | 36 +++++++++++++++++ http/osint/phishing/paramount-plus-phish.yaml | 36 +++++++++++++++++ http/osint/phishing/partsgeek-phish.yaml | 36 +++++++++++++++++ http/osint/phishing/peacock-phish.yaml | 36 +++++++++++++++++ http/osint/phishing/pepboys-phish.yaml | 34 ++++++++++++++++ http/osint/phishing/pinterest-phish.yaml | 36 +++++++++++++++++ http/osint/phishing/poshmark-phish.yaml | 36 +++++++++++++++++ http/osint/phishing/postmates-phish.yaml | 36 +++++++++++++++++ http/osint/phishing/priceline-phish.yaml | 36 +++++++++++++++++ http/osint/phishing/printful-phish.yaml | 36 +++++++++++++++++ http/osint/phishing/printify-phish.yaml | 36 +++++++++++++++++ http/osint/phishing/pubg-phish.yaml | 36 +++++++++++++++++ http/osint/phishing/rabobank-phish.yaml | 34 ++++++++++++++++ http/osint/phishing/rbc-phish.yaml | 36 +++++++++++++++++ http/osint/phishing/redbubble-phish.yaml | 36 +++++++++++++++++ http/osint/phishing/regions-bank-phish.yaml | 36 +++++++++++++++++ http/osint/phishing/revolut-phish.yaml | 36 +++++++++++++++++ http/osint/phishing/rockstar-phish.yaml | 34 ++++++++++++++++ .../phishing/rockstar-social-club-phish.yaml | 35 +++++++++++++++++ http/osint/phishing/scotiabank-phish.yaml | 34 ++++++++++++++++ http/osint/phishing/scribd-phish.yaml | 36 +++++++++++++++++ http/osint/phishing/seamless-phish.yaml | 34 ++++++++++++++++ http/osint/phishing/showtime-phish.yaml | 36 +++++++++++++++++ http/osint/phishing/snapchat-phish.yaml | 36 +++++++++++++++++ http/osint/phishing/society6-phish.yaml | 36 +++++++++++++++++ 
http/osint/phishing/sofi-phish.yaml | 36 +++++++++++++++++ http/osint/phishing/soundcloud-phish.yaml | 36 +++++++++++++++++ http/osint/phishing/spreadshirt-phish.yaml | 34 ++++++++++++++++ .../phishing/standard-chartered-phish.yaml | 34 ++++++++++++++++ http/osint/phishing/starz-phish.yaml | 36 +++++++++++++++++ http/osint/phishing/stockx-phish.yaml | 36 +++++++++++++++++ http/osint/phishing/substack-phish.yaml | 36 +++++++++++++++++ .../osint/phishing/sumitomo-mitsui-phish.yaml | 36 +++++++++++++++++ http/osint/phishing/summit-racing-phish.yaml | 36 +++++++++++++++++ http/osint/phishing/suntrust-phish.yaml | 36 +++++++++++++++++ http/osint/phishing/td-bank-phish.yaml | 34 ++++++++++++++++ http/osint/phishing/teespring-phish.yaml | 36 +++++++++++++++++ http/osint/phishing/threadless-phish.yaml | 36 +++++++++++++++++ http/osint/phishing/tidal-phish.yaml | 34 ++++++++++++++++ http/osint/phishing/tractor-supply-phish.yaml | 36 +++++++++++++++++ http/osint/phishing/tripadvisor-phish.yaml | 34 ++++++++++++++++ http/osint/phishing/twitter-phish.yaml | 39 +++++++++++++++++++ http/osint/phishing/uber-eats-phish.yaml | 37 ++++++++++++++++++ http/osint/phishing/unicredit-phish.yaml | 36 +++++++++++++++++ http/osint/phishing/uob-phish.yaml | 34 ++++++++++++++++ http/osint/phishing/ups-phish.yaml | 36 +++++++++++++++++ http/osint/phishing/varo-phish.yaml | 34 ++++++++++++++++ http/osint/phishing/venmo-phish.yaml | 36 +++++++++++++++++ http/osint/phishing/viber-phish.yaml | 34 ++++++++++++++++ http/osint/phishing/visa-phish.yaml | 34 ++++++++++++++++ http/osint/phishing/vistaprint-phish.yaml | 36 +++++++++++++++++ http/osint/phishing/vrbo-phish.yaml | 36 +++++++++++++++++ http/osint/phishing/vudu-phish.yaml | 36 +++++++++++++++++ http/osint/phishing/wayfair-phish.yaml | 34 ++++++++++++++++ http/osint/phishing/wechat-phish.yaml | 34 ++++++++++++++++ http/osint/phishing/wish-phish.yaml | 36 +++++++++++++++++ http/osint/phishing/xbox-phish.yaml | 35 +++++++++++++++++ 
http/osint/phishing/youtube-music-phish.yaml | 35 +++++++++++++++++ http/osint/phishing/youtube-phish.yaml | 37 ++++++++++++++++++ 63 files changed, 2237 insertions(+) create mode 100644 http/osint/phishing/nike-phish.yaml create mode 100644 http/osint/phishing/onlyfans-phish.yaml create mode 100644 http/osint/phishing/oracle-cloud-phish.yaml create mode 100644 http/osint/phishing/oreilly-phish.yaml create mode 100644 http/osint/phishing/overstock-phish.yaml create mode 100644 http/osint/phishing/paramount-plus-phish.yaml create mode 100644 http/osint/phishing/partsgeek-phish.yaml create mode 100644 http/osint/phishing/peacock-phish.yaml create mode 100644 http/osint/phishing/pepboys-phish.yaml create mode 100644 http/osint/phishing/pinterest-phish.yaml create mode 100644 http/osint/phishing/poshmark-phish.yaml create mode 100644 http/osint/phishing/postmates-phish.yaml create mode 100644 http/osint/phishing/priceline-phish.yaml create mode 100644 http/osint/phishing/printful-phish.yaml create mode 100644 http/osint/phishing/printify-phish.yaml create mode 100644 http/osint/phishing/pubg-phish.yaml create mode 100644 http/osint/phishing/rabobank-phish.yaml create mode 100644 http/osint/phishing/rbc-phish.yaml create mode 100644 http/osint/phishing/redbubble-phish.yaml create mode 100644 http/osint/phishing/regions-bank-phish.yaml create mode 100644 http/osint/phishing/revolut-phish.yaml create mode 100644 http/osint/phishing/rockstar-phish.yaml create mode 100644 http/osint/phishing/rockstar-social-club-phish.yaml create mode 100644 http/osint/phishing/scotiabank-phish.yaml create mode 100644 http/osint/phishing/scribd-phish.yaml create mode 100644 http/osint/phishing/seamless-phish.yaml create mode 100644 http/osint/phishing/showtime-phish.yaml create mode 100644 http/osint/phishing/snapchat-phish.yaml create mode 100644 http/osint/phishing/society6-phish.yaml create mode 100644 http/osint/phishing/sofi-phish.yaml create mode 100644 
http/osint/phishing/soundcloud-phish.yaml create mode 100644 http/osint/phishing/spreadshirt-phish.yaml create mode 100644 http/osint/phishing/standard-chartered-phish.yaml create mode 100644 http/osint/phishing/starz-phish.yaml create mode 100644 http/osint/phishing/stockx-phish.yaml create mode 100644 http/osint/phishing/substack-phish.yaml create mode 100644 http/osint/phishing/sumitomo-mitsui-phish.yaml create mode 100644 http/osint/phishing/summit-racing-phish.yaml create mode 100644 http/osint/phishing/suntrust-phish.yaml create mode 100644 http/osint/phishing/td-bank-phish.yaml create mode 100644 http/osint/phishing/teespring-phish.yaml create mode 100644 http/osint/phishing/threadless-phish.yaml create mode 100644 http/osint/phishing/tidal-phish.yaml create mode 100644 http/osint/phishing/tractor-supply-phish.yaml create mode 100644 http/osint/phishing/tripadvisor-phish.yaml create mode 100644 http/osint/phishing/twitter-phish.yaml create mode 100644 http/osint/phishing/uber-eats-phish.yaml create mode 100644 http/osint/phishing/unicredit-phish.yaml create mode 100644 http/osint/phishing/uob-phish.yaml create mode 100644 http/osint/phishing/ups-phish.yaml create mode 100644 http/osint/phishing/varo-phish.yaml create mode 100644 http/osint/phishing/venmo-phish.yaml create mode 100644 http/osint/phishing/viber-phish.yaml create mode 100644 http/osint/phishing/visa-phish.yaml create mode 100644 http/osint/phishing/vistaprint-phish.yaml create mode 100644 http/osint/phishing/vrbo-phish.yaml create mode 100644 http/osint/phishing/vudu-phish.yaml create mode 100644 http/osint/phishing/wayfair-phish.yaml create mode 100644 http/osint/phishing/wechat-phish.yaml create mode 100644 http/osint/phishing/wish-phish.yaml create mode 100644 http/osint/phishing/xbox-phish.yaml create mode 100644 http/osint/phishing/youtube-music-phish.yaml create mode 100644 http/osint/phishing/youtube-phish.yaml 
diff --git a/http/osint/phishing/nike-phish.yaml b/http/osint/phishing/nike-phish.yaml
new file mode 100644
index 00000000000..9e0f242853e
--- /dev/null
+++ b/http/osint/phishing/nike-phish.yaml
@@ -0,0 +1,36 @@
+id: nike-phish
+
+info:
+ name: Nike phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Nike phishing website was detected
+ reference:
+ - https://nike.com
+ metadata:
+ max-request: 1
+ tags: phishing,nike,ecommerce,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Nike'
+ - '<title>Nike. Just Do It. Nike.com'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"nike.com")'
diff --git a/http/osint/phishing/onlyfans-phish.yaml b/http/osint/phishing/onlyfans-phish.yaml
new file mode 100644
index 00000000000..ca607a8991a
--- /dev/null
+++ b/http/osint/phishing/onlyfans-phish.yaml
@@ -0,0 +1,36 @@
+id: onlyfans-phish
+
+info:
+ name: OnlyFans phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ An OnlyFans phishing website was detected
+ reference:
+ - https://onlyfans.com
+ metadata:
+ max-request: 1
+ tags: phishing,onlyfans,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'OnlyFans'
+ - 'Sign in to OnlyFans'
+ condition: or
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"onlyfans.com")'
diff --git a/http/osint/phishing/oracle-cloud-phish.yaml b/http/osint/phishing/oracle-cloud-phish.yaml
new file mode 100644
index 00000000000..a5161883a22
--- /dev/null
+++ b/http/osint/phishing/oracle-cloud-phish.yaml
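Review bot: In the word matcher of onlyfans-phish, `'OnlyFans'` is a substring of `'Sign in to OnlyFans'` and the two are joined with `condition: or`, so the matcher reduces to "body contains OnlyFans". It will fire on any 200 page off the brand domain that mentions the name, such as articles or link lists. Removing the bare `- 'OnlyFans'` entry keeps the sign-in phrase as the actual requirement. snapchat-phish has the same shape with `"Snapchat - Say It In A Snap"` or `'Snapchat'`.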
@@ -0,0 +1,35 @@
+id: oracle-cloud-phish
+
+info:
+ name: Oracle Cloud phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ An Oracle Cloud phishing website was detected
+ reference:
+ - https://oracle.com/cloud
+ metadata:
+ max-request: 1
+ tags: phishing,oracle-cloud,cloud,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "fw_error_www"
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"oracle.com")'
+ - '!contains(host,"oraclecloud.com")'
diff --git a/http/osint/phishing/oreilly-phish.yaml b/http/osint/phishing/oreilly-phish.yaml
new file mode 100644
index 00000000000..732a08ce476
--- /dev/null
+++ b/http/osint/phishing/oreilly-phish.yaml
@@ -0,0 +1,36 @@
+id: oreilly-phish
+
+info:
+ name: O'Reilly Auto Parts phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ An O'Reilly Auto Parts phishing website was detected
+ reference:
+ - https://oreillyauto.com
+ metadata:
+ max-request: 1
+ tags: phishing,oreilly,ecommerce,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "O'Reilly Auto Parts"
+ - 'Sign in'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"oreillyauto.com")'
diff --git a/http/osint/phishing/overstock-phish.yaml b/http/osint/phishing/overstock-phish.yaml
new file mode 100644
index 00000000000..2591181bb29
--- /dev/null
+++ b/http/osint/phishing/overstock-phish.yaml
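Review bot: The only content indicator in oracle-cloud-phish is `"fw_error_www"`, which reads like a marker from an error or bot-block response rather than Oracle Cloud page content (an inference from the string itself; the fetched page is not shown). A cloned sign-in page is unlikely to carry it, and unrelated sites that emit the same marker would match, so the template probably misses real cases and flags wrong ones. Matching on a visible title or sign-in string taken from the real page in a normal browser session would fix it. pepboys-phish (`"px-captcha"`), rabobank-phish (`"Looks like something went wrong…"`) and seamless-phish (`"Prepare your taste buds..."`) look like the same capture problem.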
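Review bot: In oreilly-phish, `"O'Reilly Auto Parts"` and `'Sign in'` are matched anywhere in the response with `condition: and`, which any third-party page that names the retailer and has its own sign-in link will satisfy. Severity is info, so the cost is mostly triage time, but a string specific to the real page would cut the noise: the page title as nike-phish uses, or the meta description as usps-phish and walgreens-phish use. The same brand-plus-sign-in pair is used in overstock, paramount-plus, partsgeek, peacock, poshmark, postmates, priceline, printful, printify, pubg, rbc, redbubble, regions-bank, revolut, scribd, showtime, society6 and sofi.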
@@ -0,0 +1,36 @@
+id: overstock-phish
+
+info:
+ name: Overstock phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ An Overstock phishing website was detected
+ reference:
+ - https://overstock.com
+ metadata:
+ max-request: 1
+ tags: phishing,overstock,ecommerce,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Overstock'
+ - 'Sign in'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"overstock.com")'
diff --git a/http/osint/phishing/paramount-plus-phish.yaml b/http/osint/phishing/paramount-plus-phish.yaml
new file mode 100644
index 00000000000..82fb9d40618
--- /dev/null
+++ b/http/osint/phishing/paramount-plus-phish.yaml
@@ -0,0 +1,36 @@
+id: paramount-plus-phish
+
+info:
+ name: Paramount+ phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Paramount+ phishing website was detected
+ reference:
+ - https://paramountplus.com
+ metadata:
+ max-request: 1
+ tags: phishing,paramount-plus,streaming,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Paramount+'
+ - 'Sign in'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"paramountplus.com")'
diff --git a/http/osint/phishing/partsgeek-phish.yaml b/http/osint/phishing/partsgeek-phish.yaml
new file mode 100644
index 00000000000..33156fc5c29
--- /dev/null
+++ b/http/osint/phishing/partsgeek-phish.yaml
@@ -0,0 +1,36 @@
+id: partsgeek-phish
+
+info:
+ name: PartsGeek phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A PartsGeek phishing website was detected
+ reference:
+ - https://partsgeek.com
+ metadata:
+ max-request: 1
+ tags: phishing,partsgeek,ecommerce,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'PartsGeek'
+ - 'Sign in'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"partsgeek.com")'
diff --git a/http/osint/phishing/peacock-phish.yaml b/http/osint/phishing/peacock-phish.yaml
new file mode 100644
index 00000000000..fd743bf5dfc
--- /dev/null
+++ b/http/osint/phishing/peacock-phish.yaml
@@ -0,0 +1,36 @@
+id: peacock-phish
+
+info:
+ name: Peacock phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Peacock phishing website was detected
+ reference:
+ - https://peacocktv.com
+ metadata:
+ max-request: 1
+ tags: phishing,peacock,streaming,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Peacock'
+ - 'Sign in'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"peacocktv.com")'
diff --git a/http/osint/phishing/pepboys-phish.yaml b/http/osint/phishing/pepboys-phish.yaml
new file mode 100644
index 00000000000..99e94ee396f
--- /dev/null
+++ b/http/osint/phishing/pepboys-phish.yaml
@@ -0,0 +1,34 @@
+id: pepboys-phish
+
+info:
+ name: Pep Boys phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Pep Boys phishing website was detected
+ reference:
+ - https://pepboys.com
+ metadata:
+ max-request: 1
+ tags: phishing,pepboys,ecommerce,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "px-captcha"
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"pepboys.com")'
diff --git a/http/osint/phishing/pinterest-phish.yaml b/http/osint/phishing/pinterest-phish.yaml
new file mode 100644
index 00000000000..6f4bea0c80b
--- /dev/null
+++ b/http/osint/phishing/pinterest-phish.yaml
@@ -0,0 +1,36 @@
+id: pinterest-phish
+
+info:
+ name: Pinterest phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Pinterest phishing website was detected
+ reference:
+ - https://pinterest.com
+ metadata:
+ max-request: 1
+ tags: phishing,pinterest,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Log in to Pinterest'
+ - 'Pinterest'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"pinterest.com")'
diff --git a/http/osint/phishing/poshmark-phish.yaml b/http/osint/phishing/poshmark-phish.yaml
new file mode 100644
index 00000000000..16692ecdb26
--- /dev/null
+++ b/http/osint/phishing/poshmark-phish.yaml
@@ -0,0 +1,36 @@
+id: poshmark-phish
+
+info:
+ name: Poshmark phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Poshmark phishing website was detected
+ reference:
+ - https://poshmark.com
+ metadata:
+ max-request: 1
+ tags: phishing,poshmark,ecommerce,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Poshmark'
+ - 'Sign in'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"poshmark.com")'
diff --git a/http/osint/phishing/postmates-phish.yaml b/http/osint/phishing/postmates-phish.yaml
new file mode 100644
index 00000000000..2987202e3d8
--- /dev/null
+++ b/http/osint/phishing/postmates-phish.yaml
@@ -0,0 +1,36 @@
+id: postmates-phish
+
+info:
+ name: Postmates phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Postmates phishing website was detected
+ reference:
+ - https://postmates.com
+ metadata:
+ max-request: 1
+ tags: phishing,postmates,food-delivery,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Postmates'
+ - 'Sign in'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"postmates.com")'
diff --git a/http/osint/phishing/priceline-phish.yaml b/http/osint/phishing/priceline-phish.yaml
new file mode 100644
index 00000000000..976565d12bb
--- /dev/null
+++ b/http/osint/phishing/priceline-phish.yaml
@@ -0,0 +1,36 @@
+id: priceline-phish
+
+info:
+ name: Priceline phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Priceline phishing website was detected
+ reference:
+ - https://priceline.com
+ metadata:
+ max-request: 1
+ tags: phishing,priceline,travel,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Priceline'
+ - 'Sign in'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"priceline.com")'
diff --git a/http/osint/phishing/printful-phish.yaml b/http/osint/phishing/printful-phish.yaml
new file mode 100644
index 00000000000..9bf42b4867c
--- /dev/null
+++ b/http/osint/phishing/printful-phish.yaml
@@ -0,0 +1,36 @@
+id: printful-phish
+
+info:
+ name: Printful phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Printful phishing website was detected
+ reference:
+ - https://printful.com
+ metadata:
+ max-request: 1
+ tags: phishing,printful,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Printful'
+ - 'Sign in'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"printful.com")'
diff --git a/http/osint/phishing/printify-phish.yaml b/http/osint/phishing/printify-phish.yaml
new file mode 100644
index 00000000000..75c4ff5f1b6
--- /dev/null
+++ b/http/osint/phishing/printify-phish.yaml
@@ -0,0 +1,36 @@
+id: printify-phish
+
+info:
+ name: Printify phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Printify phishing website was detected
+ reference:
+ - https://printify.com
+ metadata:
+ max-request: 1
+ tags: phishing,printify,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Printify'
+ - 'Sign in'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"printify.com")'
diff --git a/http/osint/phishing/pubg-phish.yaml b/http/osint/phishing/pubg-phish.yaml
new file mode 100644
index 00000000000..8a1f40013c8
--- /dev/null
+++ b/http/osint/phishing/pubg-phish.yaml
@@ -0,0 +1,36 @@
+id: pubg-phish
+
+info:
+ name: PUBG phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A PUBG phishing website was detected
+ reference:
+ - https://pubg.com
+ metadata:
+ max-request: 1
+ tags: phishing,pubg,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'PUBG'
+ - 'Sign in'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"pubg.com")'
diff --git a/http/osint/phishing/rabobank-phish.yaml b/http/osint/phishing/rabobank-phish.yaml
new file mode 100644
index 00000000000..4891ca50eb7
--- /dev/null
+++ b/http/osint/phishing/rabobank-phish.yaml
@@ -0,0 +1,34 @@
+id: rabobank-phish
+
+info:
+ name: Rabobank phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Rabobank phishing website was detected
+ reference:
+ - https://rabobank.com
+ metadata:
+ max-request: 1
+ tags: phishing,rabobank,bank,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "Looks like something went wrong…"
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"rabobank.com")'
diff --git a/http/osint/phishing/rbc-phish.yaml b/http/osint/phishing/rbc-phish.yaml
new file mode 100644
index 00000000000..d8dfb5b1e6b
--- /dev/null
+++ b/http/osint/phishing/rbc-phish.yaml
@@ -0,0 +1,36 @@
+id: rbc-phish
+
+info:
+ name: RBC phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ An RBC phishing website was detected
+ reference:
+ - https://rbc.com
+ metadata:
+ max-request: 1
+ tags: phishing,rbc,bank,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'RBC'
+ - 'Sign On'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"rbc.com")'
diff --git a/http/osint/phishing/redbubble-phish.yaml b/http/osint/phishing/redbubble-phish.yaml
new file mode 100644
index 00000000000..27c1a3cd5cf
--- /dev/null
+++ b/http/osint/phishing/redbubble-phish.yaml
@@ -0,0 +1,36 @@
+id: redbubble-phish
+
+info:
+ name: Redbubble phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Redbubble phishing website was detected
+ reference:
+ - https://redbubble.com
+ metadata:
+ max-request: 1
+ tags: phishing,redbubble,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Redbubble'
+ - 'Sign in'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"redbubble.com")'
diff --git a/http/osint/phishing/regions-bank-phish.yaml b/http/osint/phishing/regions-bank-phish.yaml
new file mode 100644
index 00000000000..bfb7920b970
--- /dev/null
+++ b/http/osint/phishing/regions-bank-phish.yaml
@@ -0,0 +1,36 @@
+id: regions-bank-phish
+
+info:
+ name: Regions Bank phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Regions Bank phishing website was detected
+ reference:
+ - https://regions.com
+ metadata:
+ max-request: 1
+ tags: phishing,regions-bank,bank,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Regions Bank'
+ - 'Sign On'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"regions.com")'
diff --git a/http/osint/phishing/revolut-phish.yaml b/http/osint/phishing/revolut-phish.yaml
new file mode 100644
index 00000000000..f4e9edd71fd
--- /dev/null
+++ b/http/osint/phishing/revolut-phish.yaml
@@ -0,0 +1,36 @@
+id: revolut-phish
+
+info:
+ name: Revolut phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Revolut phishing website was detected
+ reference:
+ - https://revolut.com
+ metadata:
+ max-request: 1
+ tags: phishing,revolut,fintech,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Revolut'
+ - 'Log in'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"revolut.com")'
diff --git a/http/osint/phishing/rockstar-phish.yaml b/http/osint/phishing/rockstar-phish.yaml
new file mode 100644
index 00000000000..6f10022155e
--- /dev/null
+++ b/http/osint/phishing/rockstar-phish.yaml
@@ -0,0 +1,34 @@
+id: rockstar-phish
+
+info:
+ name: Rockstar Games phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Rockstar Games phishing website was detected
+ reference:
+ - https://rockstargames.com
+ metadata:
+ max-request: 1
+ tags: phishing,rockstar,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "The official home of Rockstar Games"
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"rockstargames.com")'
diff --git a/http/osint/phishing/rockstar-social-club-phish.yaml b/http/osint/phishing/rockstar-social-club-phish.yaml
new file mode 100644
index 00000000000..f1f8e8d1987
--- /dev/null
+++ b/http/osint/phishing/rockstar-social-club-phish.yaml
@@ -0,0 +1,35 @@
+id: rockstar-social-club-phish
+
+info:
+ name: Rockstar Social Club phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Rockstar Social Club phishing website was detected
+ reference:
+ - https://socialclub.rockstargames.com
+ metadata:
+ max-request: 1
+ tags: phishing,rockstar-social-club,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "The official home of Rockstar Games"
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"socialclub.rockstargames.com")'
+ - '!contains(host,"rockstargames.com")'
diff --git a/http/osint/phishing/scotiabank-phish.yaml b/http/osint/phishing/scotiabank-phish.yaml
new file mode 100644
index 00000000000..440be203b86
--- /dev/null
+++ b/http/osint/phishing/scotiabank-phish.yaml
@@ -0,0 +1,34 @@
+id: scotiabank-phish
+
+info:
+ name: Scotiabank phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Scotiabank phishing website was detected
+ reference:
+ - https://scotiabank.com
+ metadata:
+ max-request: 1
+ tags: phishing,scotiabank,bank,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "Scotiabank Global Site"
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"scotiabank.com")'
diff --git a/http/osint/phishing/scribd-phish.yaml b/http/osint/phishing/scribd-phish.yaml
new file mode 100644
index 00000000000..c2ee59c4d3d
--- /dev/null
+++ b/http/osint/phishing/scribd-phish.yaml
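Review bot: rockstar-social-club-phish uses the same word indicator as rockstar-phish, `"The official home of Rockstar Games"`, so a page that triggers one will generally trigger the other and the hit is reported twice under different brand names. The first `dsl` entry is also redundant, because any host containing `socialclub.rockstargames.com` already contains `rockstargames.com`. Either give this template a string that only the Social Club sign-in page carries, or drop it in favour of rockstar-phish.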
@@ -0,0 +1,36 @@
+id: scribd-phish
+
+info:
+ name: Scribd phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Scribd phishing website was detected
+ reference:
+ - https://scribd.com
+ metadata:
+ max-request: 1
+ tags: phishing,scribd,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Scribd'
+ - 'Sign in'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"scribd.com")'
diff --git a/http/osint/phishing/seamless-phish.yaml b/http/osint/phishing/seamless-phish.yaml
new file mode 100644
index 00000000000..d5112d415c1
--- /dev/null
+++ b/http/osint/phishing/seamless-phish.yaml
@@ -0,0 +1,34 @@
+id: seamless-phish
+
+info:
+ name: Seamless phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Seamless phishing website was detected
+ reference:
+ - https://seamless.com
+ metadata:
+ max-request: 1
+ tags: phishing,seamless,food-delivery,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "Prepare your taste buds..."
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"seamless.com")'
diff --git a/http/osint/phishing/showtime-phish.yaml b/http/osint/phishing/showtime-phish.yaml
new file mode 100644
index 00000000000..fa48c324f8c
--- /dev/null
+++ b/http/osint/phishing/showtime-phish.yaml
@@ -0,0 +1,36 @@ +id: showtime-phish + +info: + name: Showtime phishing Detection + author: rxerium + severity: info + description: | + A Showtime phishing website was detected + reference: + - https://showtime.com + metadata: + max-request: 1 + tags: phishing,showtime,streaming,osint,discovery +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + words: + - 'Showtime' + - 'Sign in' + condition: and + + - type: status + status: + - 200 + + - type: dsl + dsl: + - '!contains(host,"showtime.com")' diff --git a/http/osint/phishing/snapchat-phish.yaml b/http/osint/phishing/snapchat-phish.yaml new file mode 100644 index 00000000000..7dbf4a64643 --- /dev/null +++ b/http/osint/phishing/snapchat-phish.yaml @@ -0,0 +1,36 @@ +id: snapchat-phish + +info: + name: Snapchat phishing Detection + author: rxerium + severity: info + description: | + A Snapchat phishing website was detected + reference: + - https://snapchat.com + metadata: + max-request: 1 + tags: phishing,snapchat,osint,discovery +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + words: + - "Snapchat - Say It In A Snap" + - 'Snapchat' + condition: or + + - type: status + status: + - 200 + + - type: dsl + dsl: + - '!contains(host,"snapchat.com")' diff --git a/http/osint/phishing/society6-phish.yaml b/http/osint/phishing/society6-phish.yaml new file mode 100644 index 00000000000..33782a320d9 --- /dev/null +++ b/http/osint/phishing/society6-phish.yaml 
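Review bot: With `condition: or`, the second word `'Snapchat'` alone satisfies the matcher, and because it is a substring of the first word, `"Snapchat - Say It In A Snap"` never changes the result. Any 200 page on another host that merely mentions Snapchat, such as a share button or a footer link, is therefore reported. Drop `'Snapchat'` and keep only the title string, or change the line to `condition: and`.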
@@ -0,0 +1,36 @@ +id: society6-phish + +info: + name: Society6 phishing Detection + author: rxerium + severity: info + description: | + A Society6 phishing website was detected + reference: + - https://society6.com + metadata: + max-request: 1 + tags: phishing,society6,osint,discovery +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + words: + - 'Society6' + - 'Sign in' + condition: and + + - type: status + status: + - 200 + + - type: dsl + dsl: + - '!contains(host,"society6.com")' diff --git a/http/osint/phishing/sofi-phish.yaml b/http/osint/phishing/sofi-phish.yaml new file mode 100644 index 00000000000..8147463c8ad --- /dev/null +++ b/http/osint/phishing/sofi-phish.yaml @@ -0,0 +1,36 @@ +id: sofi-phish + +info: + name: SoFi phishing Detection + author: rxerium + severity: info + description: | + A SoFi phishing website was detected + reference: + - https://sofi.com + metadata: + max-request: 1 + tags: phishing,sofi,fintech,osint,discovery +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + words: + - 'SoFi' + - 'Sign in' + condition: and + + - type: status + status: + - 200 + + - type: dsl + dsl: + - '!contains(host,"sofi.com")' diff --git a/http/osint/phishing/soundcloud-phish.yaml b/http/osint/phishing/soundcloud-phish.yaml new file mode 100644 index 00000000000..99f8ef5e7fe --- /dev/null +++ b/http/osint/phishing/soundcloud-phish.yaml 
@@ -0,0 +1,36 @@ +id: soundcloud-phish + +info: + name: SoundCloud phishing Detection + author: rxerium + severity: info + description: | + A SoundCloud phishing website was detected + reference: + - https://soundcloud.com + metadata: + max-request: 1 + tags: phishing,soundcloud,streaming,osint,discovery +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + words: + - 'Sign in to SoundCloud' + - 'SoundCloud' + condition: and + + - type: status + status: + - 200 + + - type: dsl + dsl: + - '!contains(host,"soundcloud.com")' diff --git a/http/osint/phishing/spreadshirt-phish.yaml b/http/osint/phishing/spreadshirt-phish.yaml new file mode 100644 index 00000000000..5b701459d26 --- /dev/null +++ b/http/osint/phishing/spreadshirt-phish.yaml @@ -0,0 +1,34 @@ +id: spreadshirt-phish + +info: + name: Spreadshirt phishing Detection + author: rxerium + severity: info + description: | + A Spreadshirt phishing website was detected + reference: + - https://spreadshirt.com + metadata: + max-request: 1 + tags: phishing,spreadshirt,osint,discovery +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + words: + - "Spreadshirt Print on Demand Platform | Spreadshirt" + + - type: status + status: + - 200 + + - type: dsl + dsl: + - '!contains(host,"spreadshirt.com")' diff --git a/http/osint/phishing/standard-chartered-phish.yaml b/http/osint/phishing/standard-chartered-phish.yaml new file mode 100644 index 00000000000..b9874391353 --- /dev/null +++ b/http/osint/phishing/standard-chartered-phish.yaml 
@@ -0,0 +1,34 @@ +id: standard-chartered-phish + +info: + name: Standard Chartered phishing Detection + author: rxerium + severity: info + description: | + A Standard Chartered phishing website was detected + reference: + - https://sc.com + metadata: + max-request: 1 + tags: phishing,standard-chartered,bank,osint,discovery +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + words: + - "Standard Chartered Bank" + + - type: status + status: + - 200 + + - type: dsl + dsl: + - '!contains(host,"sc.com")' diff --git a/http/osint/phishing/starz-phish.yaml b/http/osint/phishing/starz-phish.yaml new file mode 100644 index 00000000000..59986da6d81 --- /dev/null +++ b/http/osint/phishing/starz-phish.yaml @@ -0,0 +1,36 @@ +id: starz-phish + +info: + name: Starz phishing Detection + author: rxerium + severity: info + description: | + A Starz phishing website was detected + reference: + - https://starz.com + metadata: + max-request: 1 + tags: phishing,starz,streaming,osint,discovery +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + words: + - 'Starz' + - 'Sign in' + condition: and + + - type: status + status: + - 200 + + - type: dsl + dsl: + - '!contains(host,"starz.com")' diff --git a/http/osint/phishing/stockx-phish.yaml b/http/osint/phishing/stockx-phish.yaml new file mode 100644 index 00000000000..da2ef02daa7 --- /dev/null +++ b/http/osint/phishing/stockx-phish.yaml 
@@ -0,0 +1,36 @@ +id: stockx-phish + +info: + name: StockX phishing Detection + author: rxerium + severity: info + description: | + A StockX phishing website was detected + reference: + - https://stockx.com + metadata: + max-request: 1 + tags: phishing,stockx,ecommerce,osint,discovery +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + words: + - 'StockX' + - 'Sign in' + condition: and + + - type: status + status: + - 200 + + - type: dsl + dsl: + - '!contains(host,"stockx.com")' diff --git a/http/osint/phishing/substack-phish.yaml b/http/osint/phishing/substack-phish.yaml new file mode 100644 index 00000000000..745c6021634 --- /dev/null +++ b/http/osint/phishing/substack-phish.yaml @@ -0,0 +1,36 @@ +id: substack-phish + +info: + name: Substack phishing Detection + author: rxerium + severity: info + description: | + A Substack phishing website was detected + reference: + - https://substack.com + metadata: + max-request: 1 + tags: phishing,substack,osint,discovery +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + words: + - 'Substack' + - 'Sign in' + condition: and + + - type: status + status: + - 200 + + - type: dsl + dsl: + - '!contains(host,"substack.com")' diff --git a/http/osint/phishing/sumitomo-mitsui-phish.yaml b/http/osint/phishing/sumitomo-mitsui-phish.yaml new file mode 100644 index 00000000000..bbd6402072f --- /dev/null +++ b/http/osint/phishing/sumitomo-mitsui-phish.yaml 
@@ -0,0 +1,36 @@ +id: sumitomo-mitsui-phish + +info: + name: Sumitomo Mitsui Bank phishing Detection + author: rxerium + severity: info + description: | + A Sumitomo Mitsui Bank phishing website was detected + reference: + - https://smbc.co.jp + metadata: + max-request: 1 + tags: phishing,sumitomo-mitsui,bank,osint,discovery +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + words: + - 'Sumitomo Mitsui' + - 'Sign On' + condition: and + + - type: status + status: + - 200 + + - type: dsl + dsl: + - '!contains(host,"smbc.co.jp")' diff --git a/http/osint/phishing/summit-racing-phish.yaml b/http/osint/phishing/summit-racing-phish.yaml new file mode 100644 index 00000000000..00720fcf49a --- /dev/null +++ b/http/osint/phishing/summit-racing-phish.yaml @@ -0,0 +1,36 @@ +id: summit-racing-phish + +info: + name: Summit Racing phishing Detection + author: rxerium + severity: info + description: | + A Summit Racing phishing website was detected + reference: + - https://summitracing.com + metadata: + max-request: 1 + tags: phishing,summit-racing,ecommerce,osint,discovery +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + words: + - 'Summit Racing' + - 'Sign in' + condition: and + + - type: status + status: + - 200 + + - type: dsl + dsl: + - '!contains(host,"summitracing.com")' diff --git a/http/osint/phishing/suntrust-phish.yaml b/http/osint/phishing/suntrust-phish.yaml new file mode 100644 index 00000000000..bb9ada96821 --- /dev/null +++ b/http/osint/phishing/suntrust-phish.yaml 
@@ -0,0 +1,36 @@ +id: suntrust-phish + +info: + name: SunTrust phishing Detection + author: rxerium + severity: info + description: | + A SunTrust phishing website was detected + reference: + - https://suntrust.com + metadata: + max-request: 1 + tags: phishing,suntrust,bank,osint,discovery +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + words: + - 'SunTrust' + - 'Sign On' + condition: and + + - type: status + status: + - 200 + + - type: dsl + dsl: + - '!contains(host,"suntrust.com")' diff --git a/http/osint/phishing/td-bank-phish.yaml b/http/osint/phishing/td-bank-phish.yaml new file mode 100644 index 00000000000..c192a1e7f42 --- /dev/null +++ b/http/osint/phishing/td-bank-phish.yaml @@ -0,0 +1,34 @@ +id: td-bank-phish + +info: + name: TD Bank phishing Detection + author: rxerium + severity: info + description: | + A TD Bank phishing website was detected + reference: + - https://td.com + metadata: + max-request: 1 + tags: phishing,td-bank,bank,osint,discovery +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + words: + - "Explore TD's online banking services, credit cards, checking accounts, savings accounts, loans and more financial products for you and your business." + + - type: status + status: + - 200 + + - type: dsl + dsl: + - '!contains(host,"td.com")' diff --git a/http/osint/phishing/teespring-phish.yaml b/http/osint/phishing/teespring-phish.yaml new file mode 100644 index 00000000000..b3fd2670525 --- /dev/null +++ b/http/osint/phishing/teespring-phish.yaml 
@@ -0,0 +1,36 @@ +id: teespring-phish + +info: + name: Teespring phishing Detection + author: rxerium + severity: info + description: | + A Teespring phishing website was detected + reference: + - https://teespring.com + metadata: + max-request: 1 + tags: phishing,teespring,osint,discovery +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + words: + - 'Teespring' + - 'Sign in' + condition: and + + - type: status + status: + - 200 + + - type: dsl + dsl: + - '!contains(host,"teespring.com")' diff --git a/http/osint/phishing/threadless-phish.yaml b/http/osint/phishing/threadless-phish.yaml new file mode 100644 index 00000000000..db0e1f2b4b8 --- /dev/null +++ b/http/osint/phishing/threadless-phish.yaml @@ -0,0 +1,36 @@ +id: threadless-phish + +info: + name: Threadless phishing Detection + author: rxerium + severity: info + description: | + A Threadless phishing website was detected + reference: + - https://threadless.com + metadata: + max-request: 1 + tags: phishing,threadless,osint,discovery +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + words: + - 'Threadless' + - 'Sign in' + condition: and + + - type: status + status: + - 200 + + - type: dsl + dsl: + - '!contains(host,"threadless.com")' diff --git a/http/osint/phishing/tidal-phish.yaml b/http/osint/phishing/tidal-phish.yaml new file mode 100644 index 00000000000..ef33daff0a2 --- /dev/null +++ b/http/osint/phishing/tidal-phish.yaml 
@@ -0,0 +1,34 @@ +id: tidal-phish + +info: + name: Tidal phishing Detection + author: rxerium + severity: info + description: | + A Tidal phishing website was detected + reference: + - https://tidal.com + metadata: + max-request: 1 + tags: phishing,tidal,streaming,osint,discovery +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + words: + - "tidal.com" + + - type: status + status: + - 200 + + - type: dsl + dsl: + - '!contains(host,"tidal.com")' diff --git a/http/osint/phishing/tractor-supply-phish.yaml b/http/osint/phishing/tractor-supply-phish.yaml new file mode 100644 index 00000000000..4116beae6aa --- /dev/null +++ b/http/osint/phishing/tractor-supply-phish.yaml @@ -0,0 +1,36 @@ +id: tractor-supply-phish + +info: + name: Tractor Supply phishing Detection + author: rxerium + severity: info + description: | + A Tractor Supply phishing website was detected + reference: + - https://tractorsupply.com + metadata: + max-request: 1 + tags: phishing,tractor-supply,ecommerce,osint,discovery +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + words: + - 'Tractor Supply' + - 'Sign in' + condition: and + + - type: status + status: + - 200 + + - type: dsl + dsl: + - '!contains(host,"tractorsupply.com")' diff --git a/http/osint/phishing/tripadvisor-phish.yaml b/http/osint/phishing/tripadvisor-phish.yaml new file mode 100644 index 00000000000..5c188256647 --- /dev/null +++ b/http/osint/phishing/tripadvisor-phish.yaml 
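Review bot: The only content check is the word `"tidal.com"`, which is present on any page that links to or mentions the real site, so the template reports ordinary third-party pages rather than clones of the Tidal login. Match on text that only the genuine page renders (its `<title>` or a login-form label) instead of the domain name. tripadvisor-phish has the same problem with `"tripadvisor.com"`.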
@@ -0,0 +1,34 @@ +id: tripadvisor-phish + +info: + name: TripAdvisor phishing Detection + author: rxerium + severity: info + description: | + A TripAdvisor phishing website was detected + reference: + - https://tripadvisor.com + metadata: + max-request: 1 + tags: phishing,tripadvisor,travel,osint,discovery +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + words: + - "tripadvisor.com" + + - type: status + status: + - 200 + + - type: dsl + dsl: + - '!contains(host,"tripadvisor.com")' diff --git a/http/osint/phishing/twitter-phish.yaml b/http/osint/phishing/twitter-phish.yaml new file mode 100644 index 00000000000..4d23ef62120 --- /dev/null +++ b/http/osint/phishing/twitter-phish.yaml @@ -0,0 +1,39 @@ +id: twitter-phish + +info: + name: Twitter/X phishing Detection + author: rxerium + severity: info + description: | + A Twitter/X phishing website was detected + reference: + - https://twitter.com + - https://x.com + metadata: + max-request: 1 + tags: phishing,twitter,x,osint,discovery +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + words: + - 'Sign in to X' + - 'Happening now' + - 'Join today' + condition: or + + - type: status + status: + - 200 + + - type: dsl + dsl: + - '!contains(host,"twitter.com")' + - '!contains(host,"x.com")' diff --git a/http/osint/phishing/uber-eats-phish.yaml b/http/osint/phishing/uber-eats-phish.yaml new file mode 100644 index 00000000000..4ec991f064d --- /dev/null +++ b/http/osint/phishing/uber-eats-phish.yaml 
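Review bot: In twitter-phish the word list is joined with `condition: or`, so either of the generic phrases `'Happening now'` or `'Join today'` on its own satisfies the matcher. News sites and sign-up landing pages commonly contain both, so the result set will be dominated by false positives. Require the brand-specific string as well, for example by making `'Sign in to X'` a separate `word` matcher under the existing `matchers-condition: and`, or switch this list to `condition: and`.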
@@ -0,0 +1,37 @@ +id: uber-eats-phish + +info: + name: Uber Eats phishing Detection + author: rxerium + severity: info + description: | + An Uber Eats phishing website was detected + reference: + - https://ubereats.com + metadata: + max-request: 1 + tags: phishing,uber-eats,food-delivery,osint,discovery +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + words: + - 'Uber Eats' + - 'Sign in' + condition: and + + - type: status + status: + - 200 + + - type: dsl + dsl: + - '!contains(host,"ubereats.com")' + - '!contains(host,"uber.com")' diff --git a/http/osint/phishing/unicredit-phish.yaml b/http/osint/phishing/unicredit-phish.yaml new file mode 100644 index 00000000000..57c98adcc02 --- /dev/null +++ b/http/osint/phishing/unicredit-phish.yaml @@ -0,0 +1,36 @@ +id: unicredit-phish + +info: + name: UniCredit phishing Detection + author: rxerium + severity: info + description: | + A UniCredit phishing website was detected + reference: + - https://unicredit.com + metadata: + max-request: 1 + tags: phishing,unicredit,bank,osint,discovery +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + words: + - 'UniCredit' + - 'Sign On' + condition: and + + - type: status + status: + - 200 + + - type: dsl + dsl: + - '!contains(host,"unicredit.com")' diff --git a/http/osint/phishing/uob-phish.yaml b/http/osint/phishing/uob-phish.yaml new file mode 100644 index 00000000000..00b3ee4fff0 --- /dev/null +++ b/http/osint/phishing/uob-phish.yaml 
@@ -0,0 +1,34 @@ +id: uob-phish + +info: + name: UOB phishing Detection + author: rxerium + severity: info + description: | + A UOB phishing website was detected + reference: + - https://uob.com.sg + metadata: + max-request: 1 + tags: phishing,uob,bank,osint,discovery +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + words: + - "United Overseas Bank" + + - type: status + status: + - 200 + + - type: dsl + dsl: + - '!contains(host,"uob.com.sg")' diff --git a/http/osint/phishing/ups-phish.yaml b/http/osint/phishing/ups-phish.yaml new file mode 100644 index 00000000000..a686b36e33b --- /dev/null +++ b/http/osint/phishing/ups-phish.yaml @@ -0,0 +1,36 @@ +id: ups-phish + +info: + name: UPS phishing Detection + author: rxerium + severity: info + description: | + A UPS phishing website was detected + reference: + - https://ups.com + metadata: + max-request: 1 + tags: phishing,ups,shipping,osint,discovery +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + words: + - 'UPS' + - 'Sign In' + condition: and + + - type: status + status: + - 200 + + - type: dsl + dsl: + - '!contains(host,"ups.com")' diff --git a/http/osint/phishing/varo-phish.yaml b/http/osint/phishing/varo-phish.yaml new file mode 100644 index 00000000000..3cab7b7154a --- /dev/null +++ b/http/osint/phishing/varo-phish.yaml 
@@ -0,0 +1,34 @@ +id: varo-phish + +info: + name: Varo phishing Detection + author: rxerium + severity: info + description: | + A Varo phishing website was detected + reference: + - https://varo.com + metadata: + max-request: 1 + tags: phishing,varo,fintech,osint,discovery +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + words: + - "Home - Varo" + + - type: status + status: + - 200 + + - type: dsl + dsl: + - '!contains(host,"varo.com")' diff --git a/http/osint/phishing/venmo-phish.yaml b/http/osint/phishing/venmo-phish.yaml new file mode 100644 index 00000000000..e72724040fb --- /dev/null +++ b/http/osint/phishing/venmo-phish.yaml @@ -0,0 +1,36 @@ +id: venmo-phish + +info: + name: Venmo phishing Detection + author: rxerium + severity: info + description: | + A Venmo phishing website was detected + reference: + - https://venmo.com + metadata: + max-request: 1 + tags: phishing,venmo,osint,discovery +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + words: + - "Pay Friends | Payments App | Venmo" + - 'Pay. Get paid. Shop. Share.' + condition: and + + - type: status + status: + - 200 + + - type: dsl + dsl: + - '!contains(host,"venmo.com")' diff --git a/http/osint/phishing/viber-phish.yaml b/http/osint/phishing/viber-phish.yaml new file mode 100644 index 00000000000..47852028958 --- /dev/null +++ b/http/osint/phishing/viber-phish.yaml 
@@ -0,0 +1,34 @@ +id: viber-phish + +info: + name: Viber phishing Detection + author: rxerium + severity: info + description: | + A Viber phishing website was detected + reference: + - https://viber.com + metadata: + max-request: 1 + tags: phishing,viber,osint,discovery +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + words: + - "Home | Viber" + + - type: status + status: + - 200 + + - type: dsl + dsl: + - '!contains(host,"viber.com")' diff --git a/http/osint/phishing/visa-phish.yaml b/http/osint/phishing/visa-phish.yaml new file mode 100644 index 00000000000..889b438af36 --- /dev/null +++ b/http/osint/phishing/visa-phish.yaml @@ -0,0 +1,34 @@ +id: visa-phish + +info: + name: Visa phishing Detection + author: rxerium + severity: info + description: | + A Visa phishing website was detected + reference: + - https://visa.com + metadata: + max-request: 1 + tags: phishing,visa,credit-card,osint,discovery +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + words: + - "Discover Visa personal payment solutions, secure transactions, travel support, cards and rewards designed to bring more value to your everyday experiences." + + - type: status + status: + - 200 + + - type: dsl + dsl: + - '!contains(host,"visa.com")' diff --git a/http/osint/phishing/vistaprint-phish.yaml b/http/osint/phishing/vistaprint-phish.yaml new file mode 100644 index 00000000000..7c7f91991d9 --- /dev/null +++ b/http/osint/phishing/vistaprint-phish.yaml 
@@ -0,0 +1,36 @@ +id: vistaprint-phish + +info: + name: Vistaprint phishing Detection + author: rxerium + severity: info + description: | + A Vistaprint phishing website was detected + reference: + - https://vistaprint.com + metadata: + max-request: 1 + tags: phishing,vistaprint,osint,discovery +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + words: + - 'Vistaprint' + - 'Sign in' + condition: and + + - type: status + status: + - 200 + + - type: dsl + dsl: + - '!contains(host,"vistaprint.com")' diff --git a/http/osint/phishing/vrbo-phish.yaml b/http/osint/phishing/vrbo-phish.yaml new file mode 100644 index 00000000000..633b673b305 --- /dev/null +++ b/http/osint/phishing/vrbo-phish.yaml @@ -0,0 +1,36 @@ +id: vrbo-phish + +info: + name: VRBO phishing Detection + author: rxerium + severity: info + description: | + A VRBO phishing website was detected + reference: + - https://vrbo.com + metadata: + max-request: 1 + tags: phishing,vrbo,travel,osint,discovery +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + words: + - 'VRBO' + - 'Sign in' + condition: and + + - type: status + status: + - 200 + + - type: dsl + dsl: + - '!contains(host,"vrbo.com")' diff --git a/http/osint/phishing/vudu-phish.yaml b/http/osint/phishing/vudu-phish.yaml new file mode 100644 index 00000000000..1d9e2c010b6 --- /dev/null +++ b/http/osint/phishing/vudu-phish.yaml 
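Review bot: The vrbo-phish word `'VRBO'` is matched case-sensitively, but the title string quoted in homeaway-phish (PATCH 05/16) shows the site spelling the brand `Vrbo`. A faithful clone of the current page may therefore contain no upper-case `VRBO`, and the template would miss it. Add `case-insensitive: true` to the word matcher, or match the title text as the site actually renders it.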
@@ -0,0 +1,36 @@ +id: vudu-phish + +info: + name: Vudu phishing Detection + author: rxerium + severity: info + description: | + A Vudu phishing website was detected + reference: + - https://vudu.com + metadata: + max-request: 1 + tags: phishing,vudu,streaming,osint,discovery +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + words: + - 'Vudu' + - 'Sign in' + condition: and + + - type: status + status: + - 200 + + - type: dsl + dsl: + - '!contains(host,"vudu.com")' diff --git a/http/osint/phishing/wayfair-phish.yaml b/http/osint/phishing/wayfair-phish.yaml new file mode 100644 index 00000000000..c4afb7a3c86 --- /dev/null +++ b/http/osint/phishing/wayfair-phish.yaml @@ -0,0 +1,34 @@ +id: wayfair-phish + +info: + name: Wayfair phishing Detection + author: rxerium + severity: info + description: | + A Wayfair phishing website was detected + reference: + - https://wayfair.com + metadata: + max-request: 1 + tags: phishing,wayfair,ecommerce,osint,discovery +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + words: + - "px-captcha" + + - type: status + status: + - 200 + + - type: dsl + dsl: + - '!contains(host,"wayfair.com")' diff --git a/http/osint/phishing/wechat-phish.yaml b/http/osint/phishing/wechat-phish.yaml new file mode 100644 index 00000000000..eca73707a1b --- /dev/null +++ b/http/osint/phishing/wechat-phish.yaml 
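Review bot: The wayfair-phish matcher keys on `"px-captcha"`, which looks like the marker of a bot-challenge page rather than anything Wayfair-specific; presumably the scanner was served the challenge instead of the storefront when the template was written. As written it reports any other site that serves the same challenge widget with a 200, and it will not match a clone of the real Wayfair page. Replace it with text taken from the genuine page fetched with a browser-like client. youtube-music-phish has the same shape: `"Your browser is deprecated. Please upgrade."` is an unsupported-client fallback message, not brand content.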
@@ -0,0 +1,34 @@ +id: wechat-phish + +info: + name: WeChat phishing Detection + author: rxerium + severity: info + description: | + A WeChat phishing website was detected + reference: + - https://wechat.com + metadata: + max-request: 1 + tags: phishing,wechat,osint,discovery +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + words: + - "WeChat - Free messaging and calling app" + + - type: status + status: + - 200 + + - type: dsl + dsl: + - '!contains(host,"wechat.com")' diff --git a/http/osint/phishing/wish-phish.yaml b/http/osint/phishing/wish-phish.yaml new file mode 100644 index 00000000000..b17ee2d189b --- /dev/null +++ b/http/osint/phishing/wish-phish.yaml @@ -0,0 +1,36 @@ +id: wish-phish + +info: + name: Wish phishing Detection + author: rxerium + severity: info + description: | + A Wish phishing website was detected + reference: + - https://wish.com + metadata: + max-request: 1 + tags: phishing,wish,ecommerce,osint,discovery +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + words: + - 'Wish' + - 'Sign in' + condition: and + + - type: status + status: + - 200 + + - type: dsl + dsl: + - '!contains(host,"wish.com")' diff --git a/http/osint/phishing/xbox-phish.yaml b/http/osint/phishing/xbox-phish.yaml new file mode 100644 index 00000000000..d08ebe92e26 --- /dev/null +++ b/http/osint/phishing/xbox-phish.yaml 
@@ -0,0 +1,35 @@ +id: xbox-phish + +info: + name: Xbox phishing Detection + author: rxerium + severity: info + description: | + An Xbox phishing website was detected + reference: + - https://xbox.com + metadata: + max-request: 1 + tags: phishing,xbox,microsoft,osint,discovery +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + words: + - "Xbox Official Site: Play Games Anywhere | Xbox" + + - type: status + status: + - 200 + + - type: dsl + dsl: + - '!contains(host,"xbox.com")' + - '!contains(host,"microsoft.com")' diff --git a/http/osint/phishing/youtube-music-phish.yaml b/http/osint/phishing/youtube-music-phish.yaml new file mode 100644 index 00000000000..a888254b270 --- /dev/null +++ b/http/osint/phishing/youtube-music-phish.yaml @@ -0,0 +1,35 @@ +id: youtube-music-phish + +info: + name: YouTube Music phishing Detection + author: rxerium + severity: info + description: | + A YouTube Music phishing website was detected + reference: + - https://music.youtube.com + metadata: + max-request: 1 + tags: phishing,youtube-music,streaming,osint,discovery +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + words: + - "Your browser is deprecated. Please upgrade." + + - type: status + status: + - 200 + + - type: dsl + dsl: + - '!contains(host,"music.youtube.com")' + - '!contains(host,"youtube.com")' diff --git a/http/osint/phishing/youtube-phish.yaml b/http/osint/phishing/youtube-phish.yaml new file mode 100644 index 00000000000..41f5e6a2b96 --- /dev/null +++ b/http/osint/phishing/youtube-phish.yaml 
@@ -0,0 +1,37 @@ +id: youtube-phish + +info: + name: YouTube phishing Detection + author: rxerium + severity: info + description: | + A YouTube phishing website was detected + reference: + - https://youtube.com + metadata: + max-request: 1 + tags: phishing,youtube,google,osint,discovery +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + words: + - 'Sign in - Google Accounts' + - 'YouTube' + condition: and + + - type: status + status: + - 200 + + - type: dsl + dsl: + - '!contains(host,"youtube.com")' + - '!contains(host,"google.com")' From b077fe6b673a211eef47033e65a9f93d8d5cb436 Mon Sep 17 00:00:00 2001 
From: rxerium <rishi@rxerium.com> Date: Mon, 5 Jan 2026 14:10:09 +0000 Subject: [PATCH 05/16] phishing templates --- http/osint/phishing/grubhub-phish.yaml | 34 ++++++++++++++++++ http/osint/phishing/harbor-freight-phish.yaml | 36 +++++++++++++++++++ http/osint/phishing/holley-phish.yaml | 36 +++++++++++++++++++ http/osint/phishing/homeaway-phish.yaml | 36 +++++++++++++++++++ http/osint/phishing/hotels-phish.yaml | 36 +++++++++++++++++++ http/osint/phishing/hulu-phish.yaml | 36 +++++++++++++++++++ .../osint/phishing/huntington-bank-phish.yaml | 36 +++++++++++++++++++ http/osint/phishing/jegs-phish.yaml | 36 +++++++++++++++++++ http/osint/phishing/keybank-phish.yaml | 36 +++++++++++++++++++ http/osint/phishing/kinguin-phish.yaml | 36 +++++++++++++++++++ http/osint/phishing/ko-fi-phish.yaml | 36 +++++++++++++++++++ http/osint/phishing/kraken-phish.yaml | 36 +++++++++++++++++++ .../phishing/latemodel-restoration-phish.yaml | 36 +++++++++++++++++++ http/osint/phishing/linode-phish.yaml | 36 +++++++++++++++++++ http/osint/phishing/lloyds-phish.yaml | 34 ++++++++++++++++++ http/osint/phishing/lowes-phish.yaml | 36 +++++++++++++++++++ http/osint/phishing/lyft-phish.yaml | 36 +++++++++++++++++++ http/osint/phishing/mastercard-phish.yaml | 36 +++++++++++++++++++ http/osint/phishing/medium-phish.yaml | 36 +++++++++++++++++++ http/osint/phishing/menards-phish.yaml | 36 +++++++++++++++++++ http/osint/phishing/mercari-phish.yaml | 36 +++++++++++++++++++ http/osint/phishing/monday-phish.yaml | 36 +++++++++++++++++++ http/osint/phishing/mpix-phish.yaml | 36 +++++++++++++++++++ http/osint/phishing/napa-phish.yaml | 34 ++++++++++++++++++ 24 files changed, 858 insertions(+) create mode 100644 http/osint/phishing/grubhub-phish.yaml create mode 100644 http/osint/phishing/harbor-freight-phish.yaml create mode 100644 http/osint/phishing/holley-phish.yaml create mode 100644 http/osint/phishing/homeaway-phish.yaml create mode 100644 http/osint/phishing/hotels-phish.yaml create mode 100644 
http/osint/phishing/hulu-phish.yaml create mode 100644 http/osint/phishing/huntington-bank-phish.yaml create mode 100644 http/osint/phishing/jegs-phish.yaml create mode 100644 http/osint/phishing/keybank-phish.yaml create mode 100644 http/osint/phishing/kinguin-phish.yaml create mode 100644 http/osint/phishing/ko-fi-phish.yaml create mode 100644 http/osint/phishing/kraken-phish.yaml create mode 100644 http/osint/phishing/latemodel-restoration-phish.yaml create mode 100644 http/osint/phishing/linode-phish.yaml create mode 100644 http/osint/phishing/lloyds-phish.yaml create mode 100644 http/osint/phishing/lowes-phish.yaml create mode 100644 http/osint/phishing/lyft-phish.yaml create mode 100644 http/osint/phishing/mastercard-phish.yaml create mode 100644 http/osint/phishing/medium-phish.yaml create mode 100644 http/osint/phishing/menards-phish.yaml create mode 100644 http/osint/phishing/mercari-phish.yaml create mode 100644 http/osint/phishing/monday-phish.yaml create mode 100644 http/osint/phishing/mpix-phish.yaml create mode 100644 http/osint/phishing/napa-phish.yaml diff --git a/http/osint/phishing/grubhub-phish.yaml b/http/osint/phishing/grubhub-phish.yaml new file mode 100644 index 00000000000..2cd9af15bc4 --- /dev/null +++ b/http/osint/phishing/grubhub-phish.yaml @@ -0,0 +1,34 @@ +id: grubhub-phish + +info: + name: Grubhub phishing Detection + author: rxerium + severity: info + description: | + A Grubhub phishing website was detected + reference: + - https://grubhub.com + metadata: + max-request: 1 + tags: phishing,grubhub,food-delivery,osint,discovery +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + words: + - "Prepare your taste buds..." + + - type: status + status: + - 200 + + - type: dsl + dsl: + - '!contains(host,"grubhub.com")' 
diff --git a/http/osint/phishing/harbor-freight-phish.yaml b/http/osint/phishing/harbor-freight-phish.yaml
new file mode 100644
index 00000000000..3bc0d656496
--- /dev/null
+++ b/http/osint/phishing/harbor-freight-phish.yaml
@@ -0,0 +1,36 @@
+id: harbor-freight-phish
+
+info:
+ name: Harbor Freight phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Harbor Freight phishing website was detected
+ reference:
+ - https://harborfreight.com
+ metadata:
+ max-request: 1
+ tags: phishing,harbor-freight,ecommerce,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Harbor Freight'
+ - 'Harbor Freight is America's go-to store for low prices on power tools, generators, jacks, tool boxes and more. Shop our 1600+ locations. Do More for Less at Harbor Freight.'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"harborfreight.com")'
diff --git a/http/osint/phishing/holley-phish.yaml b/http/osint/phishing/holley-phish.yaml
new file mode 100644
index 00000000000..31a7f78bac8
--- /dev/null
+++ b/http/osint/phishing/holley-phish.yaml
@@ -0,0 +1,36 @@
+id: holley-phish
+
+info:
+ name: Holley phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Holley phishing website was detected
+ reference:
+ - https://holley.com
+ metadata:
+ max-request: 1
+ tags: phishing,holley,ecommerce,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Holley'
+ - 'Holley is home to the top automotive performance brands including Flowmaster exhaust, MSD Ignition, Holley EFI, Hurst Shifters, Accel plug wires, Hooker Headers and many more.'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"holley.com")'
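Review bot: The second word in harbor-freight-phish.yaml is a single-quoted YAML scalar that contains an apostrophe (`America's`), which ends the scalar early, so the file will most likely fail to parse and the template will not load. Double the apostrophe (`America''s`) or switch that entry to double quotes, as linode-phish.yaml in this patch does for its "The World's Most Distributed ..." title. The society6-phish.yaml change in PATCH 06 has the same problem in `you'll love`. A YAML lint pass over http/osint/phishing/ before merge would catch both.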
diff --git a/http/osint/phishing/homeaway-phish.yaml b/http/osint/phishing/homeaway-phish.yaml
new file mode 100644
index 00000000000..c8dc8c8a994
--- /dev/null
+++ b/http/osint/phishing/homeaway-phish.yaml
@@ -0,0 +1,36 @@
+id: homeaway-phish
+
+info:
+ name: HomeAway phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A HomeAway phishing website was detected
+ reference:
+ - https://homeaway.com
+ metadata:
+ max-request: 1
+ tags: phishing,homeaway,travel,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'HomeAway'
+ - '<title>Vrbo | Book Your Vacation Home Rentals: Beach Houses, Cabins, Condos & More'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"homeaway.com")'
diff --git a/http/osint/phishing/hotels-phish.yaml b/http/osint/phishing/hotels-phish.yaml
new file mode 100644
index 00000000000..7dcb5cb7075
--- /dev/null
+++ b/http/osint/phishing/hotels-phish.yaml
@@ -0,0 +1,36 @@
+id: hotels-phish
+
+info:
+ name: Hotels.com phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Hotels.com phishing website was detected
+ reference:
+ - https://hotels.com
+ metadata:
+ max-request: 1
+ tags: phishing,hotels,travel,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Hotels.com'
+ - '<title>Hotels.com - Deals & Discounts for Hotel Reservations from Luxury Hotels to Budget Accommodations'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"hotels.com")'
diff --git a/http/osint/phishing/hulu-phish.yaml b/http/osint/phishing/hulu-phish.yaml
new file mode 100644
index 00000000000..ba139d24616
--- /dev/null
+++ b/http/osint/phishing/hulu-phish.yaml
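Review bot: homeaway-phish.yaml requires the title `<title>Vrbo | Book Your Vacation Home Rentals: ...` but excludes only hosts containing `homeaway.com`, so the legitimate Vrbo site would be reported as phishing whenever its page also contains the string "HomeAway" (I cannot tell from the patch whether it does). linode-phish.yaml has the same shape: the required title ends in "| Akamai" while only `linode.com` is excluded. The brand's current domain belongs in the exclusion too, written as one expression such as `- '!contains(host,"homeaway.com") && !contains(host,"vrbo.com")'`, because several entries under one `dsl:` matcher are OR-ed unless `condition: and` is set.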
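Review bot: The title string in hotels-phish.yaml contains a bare `&` (`Deals & Discounts`), and word matchers compare against the raw response body, where an ampersand inside a title is commonly emitted as `&amp;`; if the page under test keeps that encoding this word never matches and the template stays silent. The same applies to the `&` in the homeaway, huntington-bank, jegs, kinguin, latemodel-restoration, lloyds, mercari and napa templates of this patch. It is worth checking each string against the page source rather than the rendered title, and then using either the encoded form or a fragment that stops before the ampersand, e.g. `- '<title>Hotels.com - Deals'`.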
@@ -0,0 +1,36 @@
+id: hulu-phish
+
+info:
+ name: Hulu phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Hulu phishing website was detected
+ reference:
+ - https://hulu.com
+ metadata:
+ max-request: 1
+ tags: phishing,hulu,streaming,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Hulu'
+ - 'Stream TV and Movies Live and Online | Hulu"'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"hulu.com")'
diff --git a/http/osint/phishing/huntington-bank-phish.yaml b/http/osint/phishing/huntington-bank-phish.yaml
new file mode 100644
index 00000000000..30c3d26ddc8
--- /dev/null
+++ b/http/osint/phishing/huntington-bank-phish.yaml
@@ -0,0 +1,36 @@
+id: huntington-bank-phish
+
+info:
+ name: Huntington Bank phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Huntington Bank phishing website was detected
+ reference:
+ - https://huntington.com
+ metadata:
+ max-request: 1
+ tags: phishing,huntington-bank,bank,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Huntington Bank'
+ - 'Online Banking, Insurance, Investing, Loans & Credit Cards'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"huntington.com")'
diff --git a/http/osint/phishing/jegs-phish.yaml b/http/osint/phishing/jegs-phish.yaml
new file mode 100644
index 00000000000..54e9fe359f9
--- /dev/null
+++ b/http/osint/phishing/jegs-phish.yaml
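Review bot: The second word in hulu-phish.yaml, `'Stream TV and Movies Live and Online | Hulu"'`, ends with a double quote inside the string, so it matches only where the page has that character directly after "Hulu" (an attribute value, for instance) and not the same text inside a `<title>` element. If the quote is a copy-paste leftover, drop it: `- 'Stream TV and Movies Live and Online | Hulu'`. If it is deliberate, a one-line comment saying which tag the string targets would help the next maintainer.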
@@ -0,0 +1,36 @@
+id: jegs-phish
+
+info:
+ name: JEGS phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A JEGS phishing website was detected
+ reference:
+ - https://jegs.com
+ metadata:
+ max-request: 1
+ tags: phishing,jegs,ecommerce,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'JEGS'
+ - 'JEGS Aftermarket Auto Parts & High Performance Racing & Replacement Accessories Online'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"jegs.com")'
diff --git a/http/osint/phishing/keybank-phish.yaml b/http/osint/phishing/keybank-phish.yaml
new file mode 100644
index 00000000000..acd6f9021df
--- /dev/null
+++ b/http/osint/phishing/keybank-phish.yaml
@@ -0,0 +1,36 @@
+id: keybank-phish
+
+info:
+ name: KeyBank phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A KeyBank phishing website was detected
+ reference:
+ - https://key.com
+ metadata:
+ max-request: 1
+ tags: phishing,keybank,bank,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'KeyBank'
+ - '<title>KeyBank | Banking, Credit Cards, Mortgages, and Loans'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"key.com")'
diff --git a/http/osint/phishing/kinguin-phish.yaml b/http/osint/phishing/kinguin-phish.yaml
new file mode 100644
index 00000000000..c5517d04c23
--- /dev/null
+++ b/http/osint/phishing/kinguin-phish.yaml
@@ -0,0 +1,36 @@
+id: kinguin-phish
+
+info:
+ name: Kinguin phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Kinguin phishing website was detected
+ reference:
+ - https://kinguin.net
+ metadata:
+ max-request: 1
+ tags: phishing,kinguin,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Kinguin'
+ - 'Steam CD Keys and PC Game Keys - Compare & Buy | Kinguin.net'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"kinguin.net")'
diff --git a/http/osint/phishing/ko-fi-phish.yaml b/http/osint/phishing/ko-fi-phish.yaml
new file mode 100644
index 00000000000..286700fb887
--- /dev/null
+++ b/http/osint/phishing/ko-fi-phish.yaml
@@ -0,0 +1,36 @@
+id: ko-fi-phish
+
+info:
+ name: Ko-fi phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Ko-fi phishing website was detected
+ reference:
+ - https://ko-fi.com
+ metadata:
+ max-request: 1
+ tags: phishing,ko-fi,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Ko-fi'
+ - '<title>Ko-fi | Make money doing what you love'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"ko-fi.com")'
diff --git a/http/osint/phishing/kraken-phish.yaml b/http/osint/phishing/kraken-phish.yaml
new file mode 100644
index 00000000000..7dabc3eab5a
--- /dev/null
+++ b/http/osint/phishing/kraken-phish.yaml
@@ -0,0 +1,36 @@
+id: kraken-phish
+
+info:
+ name: Kraken phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Kraken phishing website was detected
+ reference:
+ - https://kraken.com
+ metadata:
+ max-request: 1
+ tags: phishing,kraken,crypto,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Kraken'
+ - 'Kraken: Buy and sell crypto securely'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"kraken.com")'
diff --git a/http/osint/phishing/latemodel-restoration-phish.yaml b/http/osint/phishing/latemodel-restoration-phish.yaml
new file mode 100644
index 00000000000..8f23afefc4c
--- /dev/null
+++ b/http/osint/phishing/latemodel-restoration-phish.yaml
@@ -0,0 +1,36 @@
+id: latemodel-restoration-phish
+
+info:
+ name: Late Model Restoration phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Late Model Restoration phishing website was detected
+ reference:
+ - https://lmr.com
+ metadata:
+ max-request: 1
+ tags: phishing,latemodel-restoration,ecommerce,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "lmr.com"
+ - '<title>Ford Mustang Parts & Accessories | Late Model Restoration'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"lmr.com")'
diff --git a/http/osint/phishing/linode-phish.yaml b/http/osint/phishing/linode-phish.yaml
new file mode 100644
index 00000000000..51646ce0495
--- /dev/null
+++ b/http/osint/phishing/linode-phish.yaml
@@ -0,0 +1,36 @@
+id: linode-phish
+
+info:
+ name: Linode phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Linode phishing website was detected
+ reference:
+ - https://linode.com
+ metadata:
+ max-request: 1
+ tags: phishing,linode,cloud,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Linode'
+ - "<title>The World's Most Distributed Cloud Computing Platform | Akamai"
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"linode.com")'
diff --git a/http/osint/phishing/lloyds-phish.yaml b/http/osint/phishing/lloyds-phish.yaml
new file mode 100644
index 00000000000..9e23b954f54
--- /dev/null
+++ b/http/osint/phishing/lloyds-phish.yaml
@@ -0,0 +1,34 @@
+id: lloyds-phish
+
+info:
+ name: Lloyds Bank phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Lloyds Bank phishing website was detected
+ reference:
+ - https://lloydsbank.com
+ metadata:
+ max-request: 1
+ tags: phishing,lloyds,bank,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "<title>Lloyds Bank - Personal Banking, Personal Finances & Bank Accounts"
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"lloydsbank.com")'
diff --git a/http/osint/phishing/lowes-phish.yaml b/http/osint/phishing/lowes-phish.yaml
new file mode 100644
index 00000000000..3d9b8e42e22
--- /dev/null
+++ b/http/osint/phishing/lowes-phish.yaml
@@ -0,0 +1,36 @@
+id: lowes-phish
+
+info:
+ name: Lowe's phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Lowe's phishing website was detected
+ reference:
+ - https://lowes.com
+ metadata:
+ max-request: 1
+ tags: phishing,lowes,ecommerce,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "Lowe's"
+ - "Lowe’s Home Improvement"
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"lowes.com")'
diff --git a/http/osint/phishing/lyft-phish.yaml b/http/osint/phishing/lyft-phish.yaml
new file mode 100644
index 00000000000..e6f68ee61ce
--- /dev/null
+++ b/http/osint/phishing/lyft-phish.yaml
@@ -0,0 +1,36 @@
+id: lyft-phish
+
+info:
+ name: Lyft phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Lyft phishing website was detected
+ reference:
+ - https://lyft.com
+ metadata:
+ max-request: 1
+ tags: phishing,lyft,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Ride or drive with Lyft'
+ - 'Lyft'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"lyft.com")'
diff --git a/http/osint/phishing/mastercard-phish.yaml b/http/osint/phishing/mastercard-phish.yaml
new file mode 100644
index 00000000000..4bef5623d51
--- /dev/null
+++ b/http/osint/phishing/mastercard-phish.yaml
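Review bot: lowes-phish.yaml requires both `"Lowe's"` (straight apostrophe) and `"Lowe’s Home Improvement"` (typographic apostrophe) under `condition: and`, so a page that uses one apostrophe style throughout is never matched. If the two spellings are meant as alternatives, `condition: or` on this word matcher expresses that, although `Lowe's` alone is then a weak indicator and would be better paired with a second fragment. If both forms really occur on the reference page, a comment noting it would make the intent clear.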
@@ -0,0 +1,36 @@
+id: mastercard-phish
+
+info:
+ name: Mastercard phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Mastercard phishing website was detected
+ reference:
+ - https://mastercard.com
+ metadata:
+ max-request: 1
+ tags: phishing,mastercard,credit-card,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Mastercard'
+ - '<title>Mastercard - A global technology company in the payments industry'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"mastercard.com")'
diff --git a/http/osint/phishing/medium-phish.yaml b/http/osint/phishing/medium-phish.yaml
new file mode 100644
index 00000000000..76c9907bb9c
--- /dev/null
+++ b/http/osint/phishing/medium-phish.yaml
@@ -0,0 +1,36 @@
+id: medium-phish
+
+info:
+ name: Medium phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Medium phishing website was detected
+ reference:
+ - https://medium.com
+ metadata:
+ max-request: 1
+ tags: phishing,medium,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Medium: Read and write stories.'
+ - 'Medium'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"medium.com")'
diff --git a/http/osint/phishing/menards-phish.yaml b/http/osint/phishing/menards-phish.yaml
new file mode 100644
index 00000000000..1f78411c26e
--- /dev/null
+++ b/http/osint/phishing/menards-phish.yaml
@@ -0,0 +1,36 @@
+id: menards-phish
+
+info:
+ name: Menards phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Menards phishing website was detected
+ reference:
+ - https://menards.com
+ metadata:
+ max-request: 1
+ tags: phishing,menards,ecommerce,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Menards'
+ - 'title>Home at Menards®'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"menards.com")'
diff --git a/http/osint/phishing/mercari-phish.yaml b/http/osint/phishing/mercari-phish.yaml
new file mode 100644
index 00000000000..f460654de0e
--- /dev/null
+++ b/http/osint/phishing/mercari-phish.yaml
@@ -0,0 +1,36 @@
+id: mercari-phish
+
+info:
+ name: Mercari phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Mercari phishing website was detected
+ reference:
+ - https://mercari.com
+ metadata:
+ max-request: 1
+ tags: phishing,mercari,ecommerce,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Mercari'
+ - 'Your Go-to Marketplace for Deals on Used & Secondhand Items | Mercari'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"mercari.com")'
diff --git a/http/osint/phishing/monday-phish.yaml b/http/osint/phishing/monday-phish.yaml
new file mode 100644
index 00000000000..dec8aa826cb
--- /dev/null
+++ b/http/osint/phishing/monday-phish.yaml
@@ -0,0 +1,36 @@
+id: monday-phish
+
+info:
+ name: Monday.com phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Monday.com phishing website was detected
+ reference:
+ - https://monday.com
+ metadata:
+ max-request: 1
+ tags: phishing,monday,productivity,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - '<title>monday.com'
+ - 'Monday.com'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"monday.com")'
diff --git a/http/osint/phishing/mpix-phish.yaml b/http/osint/phishing/mpix-phish.yaml
new file mode 100644
index 00000000000..d887f5b8a63
--- /dev/null
+++ b/http/osint/phishing/mpix-phish.yaml
@@ -0,0 +1,36 @@
+id: mpix-phish
+
+info:
+ name: MPIX phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ An MPIX phishing website was detected
+ reference:
+ - https://mpix.com
+ metadata:
+ max-request: 1
+ tags: phishing,mpix,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Mpix'
+ - '<title>Mpix Photo Lab | Create Custom Photo Products'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"mpix.com")'
diff --git a/http/osint/phishing/napa-phish.yaml b/http/osint/phishing/napa-phish.yaml
new file mode 100644
index 00000000000..03f317cffa7
--- /dev/null
+++ b/http/osint/phishing/napa-phish.yaml
@@ -0,0 +1,34 @@
+id: napa-phish
+
+info:
+ name: NAPA Auto Parts phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A NAPA Auto Parts phishing website was detected
+ reference:
+ - https://napaonline.com
+ metadata:
+ max-request: 1
+ tags: phishing,napa,ecommerce,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'NAPA Auto Parts - Buy Car & Truck Parts Online | Auto Supply Stores Near Me'
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"napaonline.com")'
From 258c31c758a9d87f4e14523c7a1291c9b1815b6b Mon Sep 17 00:00:00 2001
From: rxerium <rishi@rxerium.com> Date: Mon, 5 Jan 2026 15:00:56 +0000 Subject: [PATCH 06/16] more phishing templates --- http/osint/phishing/amazon-phish.yaml | 1 + http/osint/phishing/onlyfans-phish.yaml | 6 +-- http/osint/phishing/oreilly-phish.yaml | 4 +- http/osint/phishing/overstock-phish.yaml | 4 +- http/osint/phishing/paramount-plus-phish.yaml | 1 + http/osint/phishing/partsgeek-phish.yaml | 2 +- http/osint/phishing/peacock-phish.yaml | 2 +- http/osint/phishing/poshmark-phish.yaml | 2 +- http/osint/phishing/postmates-phish.yaml | 2 +- http/osint/phishing/priceline-phish.yaml | 2 +- http/osint/phishing/printful-phish.yaml | 2 +- http/osint/phishing/printify-phish.yaml | 2 +- http/osint/phishing/pubg-phish.yaml | 2 +- http/osint/phishing/redbubble-phish.yaml | 2 +- http/osint/phishing/scribd-phish.yaml | 2 +- http/osint/phishing/showtime-phish.yaml | 36 ------------------ http/osint/phishing/society6-phish.yaml | 2 +- http/osint/phishing/sofi-phish.yaml | 2 +- http/osint/phishing/soundcloud-phish.yaml | 4 +- http/osint/phishing/starz-phish.yaml | 2 +- http/osint/phishing/stockx-phish.yaml | 2 +- http/osint/phishing/substack-phish.yaml | 2 +- http/osint/phishing/summit-racing-phish.yaml | 2 +- http/osint/phishing/teespring-phish.yaml | 2 +- http/osint/phishing/threadless-phish.yaml | 2 +- http/osint/phishing/tractor-supply-phish.yaml | 2 +- http/osint/phishing/uber-eats-phish.yaml | 37 ------------------- http/osint/phishing/ups-phish.yaml | 36 ------------------ http/osint/phishing/vistaprint-phish.yaml | 2 +- http/osint/phishing/vrbo-phish.yaml | 2 +- http/osint/phishing/vudu-phish.yaml | 2 +- http/osint/phishing/wish-phish.yaml | 2 +- http/osint/phishing/youtube-phish.yaml | 37 ------------------- 33 files changed, 31 insertions(+), 181 deletions(-) delete mode 100644 http/osint/phishing/showtime-phish.yaml delete mode 100644 http/osint/phishing/uber-eats-phish.yaml delete mode 100644 http/osint/phishing/ups-phish.yaml delete mode 100644 
http/osint/phishing/youtube-phish.yaml diff --git a/http/osint/phishing/amazon-phish.yaml b/http/osint/phishing/amazon-phish.yaml index fabb0c2cc84..1c5083cc39b 100644 --- a/http/osint/phishing/amazon-phish.yaml +++ b/http/osint/phishing/amazon-phish.yaml @@ -25,6 +25,7 @@ http: words: - 'Amazon Sign In' - 'Amazon Sign-In' + - 'Amazon Login' condition: or - type: status diff --git a/http/osint/phishing/onlyfans-phish.yaml b/http/osint/phishing/onlyfans-phish.yaml index ca607a8991a..a612d9b1f5a 100644 --- a/http/osint/phishing/onlyfans-phish.yaml +++ b/http/osint/phishing/onlyfans-phish.yaml @@ -23,9 +23,9 @@ http: matchers: - type: word words: - - 'OnlyFans' - - 'Sign in to OnlyFans' - condition: or + - '<title>OnlyFans' + - 'OnlyFans is the social platform revolutionizing creator and fan connections. The site is inclusive of artists and content creators from all genres and allows them to monetize their content while developing authentic relationships with their fanbase.' + condition: and - type: status status: diff --git a/http/osint/phishing/oreilly-phish.yaml b/http/osint/phishing/oreilly-phish.yaml index 732a08ce476..6edee322bce 100644 --- a/http/osint/phishing/oreilly-phish.yaml +++ b/http/osint/phishing/oreilly-phish.yaml @@ -23,9 +23,7 @@ http: matchers: - type: word words: - - "O'Reilly Auto Parts" - - 'Sign in' - condition: and + - "Find auto parts, tools, and more at O'Reilly Auto Parts. Shop online for FREE Next Day shipping or pick up your order at one of more than 6,000 stores." - type: status status: diff --git a/http/osint/phishing/overstock-phish.yaml b/http/osint/phishing/overstock-phish.yaml index 2591181bb29..0cabdf43ea1 100644 --- a/http/osint/phishing/overstock-phish.yaml +++ b/http/osint/phishing/overstock-phish.yaml 
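Review bot: The new second word in onlyfans-phish.yaml is the site's full marketing description, and the hunks for oreilly, overstock, partsgeek, peacock, postmates, redbubble, scribd, starz, stockx, teespring and threadless in this patch do the same, so each template now matches only a verbatim copy of the brand's landing page. A cloned login or payment page that does not carry that paragraph is missed, and the template goes silent as soon as the brand edits its copy (the O'Reilly string even embeds a store count). A shorter, stable fragment such as the `<title>` prefix, or several fragments under `condition: or` paired with the brand name, would keep the false-positive improvement over `'Sign in'` without tying detection to one sentence. The scribd and starz strings also contain typographic apostrophes and an em dash, which presumably match only when the response bytes use the same encoding as the template file.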
@@ -23,9 +23,7 @@ http: matchers: - type: word words: - - 'Overstock' - - 'Sign in' - condition: and + - 'Let Overstock.com help you discover designer brands and home goods at the lowest prices online. See for yourself why shoppers love our selection and award-winning customer service.' - type: status status: diff --git a/http/osint/phishing/paramount-plus-phish.yaml b/http/osint/phishing/paramount-plus-phish.yaml index 82fb9d40618..10d435e0290 100644 --- a/http/osint/phishing/paramount-plus-phish.yaml +++ b/http/osint/phishing/paramount-plus-phish.yaml @@ -25,6 +25,7 @@ http: words: - 'Paramount+' - 'Sign in' + - 'Paramount+ Login' condition: and - type: status diff --git a/http/osint/phishing/partsgeek-phish.yaml b/http/osint/phishing/partsgeek-phish.yaml index 33156fc5c29..7155f480f6c 100644 --- a/http/osint/phishing/partsgeek-phish.yaml +++ b/http/osint/phishing/partsgeek-phish.yaml @@ -24,7 +24,7 @@ http: - type: word words: - 'PartsGeek' - - 'Sign in' + - "SHOP Partsgeek's online auto parts warehouse for original OEM & aftermarket replacement car parts. The dealer alternative store for quality discount auto parts and accessories." condition: and - type: status diff --git a/http/osint/phishing/peacock-phish.yaml b/http/osint/phishing/peacock-phish.yaml index fd743bf5dfc..7d50b2f3b15 100644 --- a/http/osint/phishing/peacock-phish.yaml +++ b/http/osint/phishing/peacock-phish.yaml @@ -24,7 +24,7 @@ http: - type: word words: - 'Peacock' - - 'Sign in' + - "Watch TV shows and movies online with Peacock. Stream iconic shows and movies, exclusive Peacock Originals, live news and sports and more." condition: and - type: status diff --git a/http/osint/phishing/poshmark-phish.yaml b/http/osint/phishing/poshmark-phish.yaml index 16692ecdb26..b326d7359a7 100644 --- a/http/osint/phishing/poshmark-phish.yaml +++ b/http/osint/phishing/poshmark-phish.yaml 
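Review bot: In paramount-plus-phish.yaml the new entry `'Paramount+ Login'` is added to a word list that keeps `condition: and`, so the matcher now needs "Paramount+", "Sign in" and "Paramount+ Login" all present, which narrows detection rather than widening it; the first word also becomes redundant because it is a substring of the new one. The amazon-phish.yaml hunk in the same patch adds its new string to a `condition: or` list, so I suspect an alternative was intended here as well. If so, restructure the matcher so that "Sign in" and "Paramount+ Login" are alternatives in their own `condition: or` word matcher next to the required brand string. The hunk shows only part of the matcher block, so the surrounding lines should be checked when applying this.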
@@ -24,7 +24,7 @@ http: - type: word words: - 'Poshmark' - - 'Sign in' + - '<title>Poshmark: Buy and sell fashion, home decor, beauty & more' condition: and - type: status diff --git a/http/osint/phishing/postmates-phish.yaml b/http/osint/phishing/postmates-phish.yaml index 2987202e3d8..42be15636ca 100644 --- a/http/osint/phishing/postmates-phish.yaml +++ b/http/osint/phishing/postmates-phish.yaml @@ -24,7 +24,7 @@ http: - type: word words: - 'Postmates' - - 'Sign in' + - 'Order delivery or pickup from more than 600,000 restaurants, retailers, grocers, and more all across your city. Download the app now to get everything you crave, on-demand.' condition: and - type: status diff --git a/http/osint/phishing/priceline-phish.yaml b/http/osint/phishing/priceline-phish.yaml index 976565d12bb..69fff4fda77 100644 --- a/http/osint/phishing/priceline-phish.yaml +++ b/http/osint/phishing/priceline-phish.yaml @@ -24,7 +24,7 @@ http: - type: word words: - 'Priceline' - - 'Sign in' + - 'Deep Discounts on Hotels, Flights and Rental Cars. Get Exclusive Savings with Priceline.com' condition: and - type: status diff --git a/http/osint/phishing/printful-phish.yaml b/http/osint/phishing/printful-phish.yaml index 9bf42b4867c..40d9454c4f7 100644 --- a/http/osint/phishing/printful-phish.yaml +++ b/http/osint/phishing/printful-phish.yaml @@ -24,7 +24,7 @@ http: - type: word words: - 'Printful' - - 'Sign in' + - '<title>Printful: Custom Print On Demand & Dropshipping' condition: and - type: status diff --git a/http/osint/phishing/printify-phish.yaml b/http/osint/phishing/printify-phish.yaml index 75c4ff5f1b6..ca6fcacef45 100644 --- a/http/osint/phishing/printify-phish.yaml +++ b/http/osint/phishing/printify-phish.yaml @@ -24,7 +24,7 @@ http: - type: word words: - 'Printify' - - 'Sign in' + - '<title>Printify: Build your eCommerce business in minutes.' condition: and - type: status 
diff --git a/http/osint/phishing/pubg-phish.yaml b/http/osint/phishing/pubg-phish.yaml index 8a1f40013c8..bbd74cdf809 100644 --- a/http/osint/phishing/pubg-phish.yaml +++ b/http/osint/phishing/pubg-phish.yaml @@ -24,7 +24,7 @@ http: - type: word words: - 'PUBG' - - 'Sign in' + - '<title>PUBG: BATTLEGROUNDS' condition: and - type: status diff --git a/http/osint/phishing/redbubble-phish.yaml b/http/osint/phishing/redbubble-phish.yaml index 27c1a3cd5cf..6906df8e459 100644 --- a/http/osint/phishing/redbubble-phish.yaml +++ b/http/osint/phishing/redbubble-phish.yaml @@ -24,7 +24,7 @@ http: - type: word words: - 'Redbubble' - - 'Sign in' + - 'Over 700,000 creatives worldwide making things like shirts, stickers, phone cases, and pillows weirdly meaningful. Find your thing or open your own shop.' condition: and - type: status diff --git a/http/osint/phishing/scribd-phish.yaml b/http/osint/phishing/scribd-phish.yaml index c2ee59c4d3d..5d8a8dfe2ba 100644 --- a/http/osint/phishing/scribd-phish.yaml +++ b/http/osint/phishing/scribd-phish.yaml @@ -24,7 +24,7 @@ http: - type: word words: - 'Scribd' - - 'Sign in' + - 'Get to the source. Specialized knowledge on any topic, and answers you won’t find anywhere else. Home to the world’s documents, 300M+ and counting.' condition: and - type: status diff --git a/http/osint/phishing/showtime-phish.yaml b/http/osint/phishing/showtime-phish.yaml deleted file mode 100644 index fa48c324f8c..00000000000 --- a/http/osint/phishing/showtime-phish.yaml +++ /dev/null 
@@ -1,36 +0,0 @@ -id: showtime-phish - -info: - name: Showtime phishing Detection - author: rxerium - severity: info - description: | - A Showtime phishing website was detected - reference: - - https://showtime.com - metadata: - max-request: 1 - tags: phishing,showtime,streaming,osint,discovery -http: - - method: GET - path: - - "{{BaseURL}}" - - host-redirects: true - max-redirects: 2 - - matchers-condition: and - matchers: - - type: word - words: - - 'Showtime' - - 'Sign in' - condition: and - - - type: status - status: - - 200 - - - type: dsl - dsl: - - '!contains(host,"showtime.com")' diff --git a/http/osint/phishing/society6-phish.yaml b/http/osint/phishing/society6-phish.yaml index 33782a320d9..f104072dfb3 100644 --- a/http/osint/phishing/society6-phish.yaml +++ b/http/osint/phishing/society6-phish.yaml @@ -24,7 +24,7 @@ http: - type: word words: - 'Society6' - - 'Sign in' + - 'Society6 features art prints, home decor, bed & bath, iPhone cases, apparel and tech accessories you'll love with designs by artists worldwide.' condition: and - type: status diff --git a/http/osint/phishing/sofi-phish.yaml b/http/osint/phishing/sofi-phish.yaml index 8147463c8ad..4cbac3e379b 100644 --- a/http/osint/phishing/sofi-phish.yaml +++ b/http/osint/phishing/sofi-phish.yaml @@ -24,7 +24,7 @@ http: - type: word words: - 'SoFi' - - 'Sign in' + - '<title>SoFi: Banking, Loans, Invest, Credit Card, & Mortgages' condition: and - type: status diff --git a/http/osint/phishing/soundcloud-phish.yaml b/http/osint/phishing/soundcloud-phish.yaml index 99f8ef5e7fe..5a2e61a0a6f 100644 --- a/http/osint/phishing/soundcloud-phish.yaml +++ b/http/osint/phishing/soundcloud-phish.yaml @@ -23,9 +23,7 @@ http: matchers: - type: word words: - - 'Sign in to SoundCloud' - - 'SoundCloud' - condition: and + - '<title>Stream and listen to music online for free with SoundCloud' - type: status status: 
diff --git a/http/osint/phishing/starz-phish.yaml b/http/osint/phishing/starz-phish.yaml index 59986da6d81..03a0e5bc435 100644 --- a/http/osint/phishing/starz-phish.yaml +++ b/http/osint/phishing/starz-phish.yaml @@ -24,7 +24,7 @@ http: - type: word words: - 'Starz' - - 'Sign in' + - 'STARZ brings diverse perspectives to life through bold storytelling. Sign-up to stream original series, movies, extras, and more—on-demand and ad-free.' condition: and - type: status diff --git a/http/osint/phishing/stockx-phish.yaml b/http/osint/phishing/stockx-phish.yaml index da2ef02daa7..b4a4c630225 100644 --- a/http/osint/phishing/stockx-phish.yaml +++ b/http/osint/phishing/stockx-phish.yaml @@ -24,7 +24,7 @@ http: - type: word words: - 'StockX' - - 'Sign in' + - 'Buy and sell the hottest sneakers including Adidas Yeezy and Retro Jordans, Supreme streetwear, trading cards, collectibles, designer handbags and watches.' condition: and - type: status diff --git a/http/osint/phishing/substack-phish.yaml b/http/osint/phishing/substack-phish.yaml index 745c6021634..b76a5a09661 100644 --- a/http/osint/phishing/substack-phish.yaml +++ b/http/osint/phishing/substack-phish.yaml @@ -24,7 +24,7 @@ http: - type: word words: - 'Substack' - - 'Sign in' + - '<title data-rh="true">Home | Substack' condition: and - type: status diff --git a/http/osint/phishing/summit-racing-phish.yaml b/http/osint/phishing/summit-racing-phish.yaml index 00720fcf49a..93e4ef1e478 100644 --- a/http/osint/phishing/summit-racing-phish.yaml +++ b/http/osint/phishing/summit-racing-phish.yaml @@ -24,7 +24,7 @@ http: - type: word words: - 'Summit Racing' - - 'Sign in' + - '<title>Summit Racing | Aftermarket Parts & Accessories, Performance Parts, OEM Auto Parts' condition: and - type: status diff --git a/http/osint/phishing/teespring-phish.yaml b/http/osint/phishing/teespring-phish.yaml index b3fd2670525..f2bbc3f76f6 100644 --- a/http/osint/phishing/teespring-phish.yaml +++ b/http/osint/phishing/teespring-phish.yaml 
@@ -24,7 +24,7 @@ http: - type: word words: - 'Teespring' - - 'Sign in' + - 'Teespring is the free and easy way to bring your ideas to life. Design your product, set a price, and start selling. Teespring handles the rest - production, shipping, and customer service - and you keep the profit!' condition: and - type: status diff --git a/http/osint/phishing/threadless-phish.yaml b/http/osint/phishing/threadless-phish.yaml index db0e1f2b4b8..4cfeb4d4eb7 100644 --- a/http/osint/phishing/threadless-phish.yaml +++ b/http/osint/phishing/threadless-phish.yaml @@ -24,7 +24,7 @@ http: - type: word words: - 'Threadless' - - 'Sign in' + - 'Shop our collection of awesome t-shirts, art prints, iphone cases, and more featuring unique designs by the global Threadless artist community.' condition: and - type: status diff --git a/http/osint/phishing/tractor-supply-phish.yaml b/http/osint/phishing/tractor-supply-phish.yaml index 4116beae6aa..d6372f7a739 100644 --- a/http/osint/phishing/tractor-supply-phish.yaml +++ b/http/osint/phishing/tractor-supply-phish.yaml @@ -24,7 +24,7 @@ http: - type: word words: - 'Tractor Supply' - - 'Sign in' + - '<title>For Life Out Here | Tractor Supply Co.' condition: and - type: status diff --git a/http/osint/phishing/uber-eats-phish.yaml b/http/osint/phishing/uber-eats-phish.yaml deleted file mode 100644 index 4ec991f064d..00000000000 --- a/http/osint/phishing/uber-eats-phish.yaml +++ /dev/null 
@@ -1,37 +0,0 @@ -id: uber-eats-phish - -info: - name: Uber Eats phishing Detection - author: rxerium - severity: info - description: | - An Uber Eats phishing website was detected - reference: - - https://ubereats.com - metadata: - max-request: 1 - tags: phishing,uber-eats,food-delivery,osint,discovery -http: - - method: GET - path: - - "{{BaseURL}}" - - host-redirects: true - max-redirects: 2 - - matchers-condition: and - matchers: - - type: word - words: - - 'Uber Eats' - - 'Sign in' - condition: and - - - type: status - status: - - 200 - - - type: dsl - dsl: - - '!contains(host,"ubereats.com")' - - '!contains(host,"uber.com")' diff --git a/http/osint/phishing/ups-phish.yaml b/http/osint/phishing/ups-phish.yaml deleted file mode 100644 index a686b36e33b..00000000000 --- a/http/osint/phishing/ups-phish.yaml +++ /dev/null @@ -1,36 +0,0 @@ -id: ups-phish - -info: - name: UPS phishing Detection - author: rxerium - severity: info - description: | - A UPS phishing website was detected - reference: - - https://ups.com - metadata: - max-request: 1 - tags: phishing,ups,shipping,osint,discovery -http: - - method: GET - path: - - "{{BaseURL}}" - - host-redirects: true - max-redirects: 2 - - matchers-condition: and - matchers: - - type: word - words: - - 'UPS' - - 'Sign In' - condition: and - - - type: status - status: - - 200 - - - type: dsl - dsl: - - '!contains(host,"ups.com")' diff --git a/http/osint/phishing/vistaprint-phish.yaml b/http/osint/phishing/vistaprint-phish.yaml index 7c7f91991d9..75358929356 100644 --- a/http/osint/phishing/vistaprint-phish.yaml +++ b/http/osint/phishing/vistaprint-phish.yaml @@ -24,7 +24,7 @@ http: - type: word words: - 'Vistaprint' - - 'Sign in' + - '<title>VistaPrint Official Website: Online Printing Services' condition: and - type: status diff --git a/http/osint/phishing/vrbo-phish.yaml b/http/osint/phishing/vrbo-phish.yaml index 633b673b305..8636c0a37eb 100644 --- a/http/osint/phishing/vrbo-phish.yaml 
+++ b/http/osint/phishing/vrbo-phish.yaml @@ -24,7 +24,7 @@ http: - type: word words: - 'VRBO' - - 'Sign in' + - '<title>Vrbo | Book Your Vacation Home Rentals: Beach Houses, Cabins, Condos & More' condition: and - type: status diff --git a/http/osint/phishing/vudu-phish.yaml b/http/osint/phishing/vudu-phish.yaml index 1d9e2c010b6..fe439016155 100644 --- a/http/osint/phishing/vudu-phish.yaml +++ b/http/osint/phishing/vudu-phish.yaml @@ -24,7 +24,7 @@ http: - type: word words: - 'Vudu' - - 'Sign in' + - 'title="Fandango at Home"' condition: and - type: status diff --git a/http/osint/phishing/wish-phish.yaml b/http/osint/phishing/wish-phish.yaml index b17ee2d189b..7c484ebbe86 100644 --- a/http/osint/phishing/wish-phish.yaml +++ b/http/osint/phishing/wish-phish.yaml @@ -24,7 +24,7 @@ http: - type: word words: - 'Wish' - - 'Sign in' + - '<title>Wish | Shop and Save' condition: and - type: status diff --git a/http/osint/phishing/youtube-phish.yaml b/http/osint/phishing/youtube-phish.yaml deleted file mode 100644 index 41f5e6a2b96..00000000000 --- a/http/osint/phishing/youtube-phish.yaml +++ /dev/null @@ -1,37 +0,0 @@ -id: youtube-phish - -info: - name: YouTube phishing Detection - author: rxerium - severity: info - description: | - A YouTube phishing website was detected - reference: - - https://youtube.com - metadata: - max-request: 1 - tags: phishing,youtube,google,osint,discovery -http: - - method: GET - path: - - "{{BaseURL}}" - - host-redirects: true - max-redirects: 2 - - matchers-condition: and - matchers: - - type: word - words: - - 'Sign in - Google Accounts' - - 'YouTube' - condition: and - - - type: status - status: - - 200 - - - type: dsl - dsl: - - '!contains(host,"youtube.com")' - - '!contains(host,"google.com")' From 391786344379a2be4456476931bc56c6ed953e24 Mon Sep 17 00:00:00 2001 
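Review bot: The new second word in vudu-phish.yaml, `'title="Fandango at Home"'`, is markup from the rebranded service, while the `dsl` host exclusion for this template lies outside the hunk and is not touched by it. If that exclusion still lists only the old Vudu domain, the legitimate site under its current hostname would satisfy both words plus the 200 status and be reported as phishing. Please check the exclusion list and add the service's current legitimate host(s) in the same change, so the word matcher and the allow-list describe the same brand.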
From: rxerium <rishi@rxerium.com> Date: Mon, 5 Jan 2026 16:55:23 +0000 Subject: [PATCH 07/16] further templates --- http/osint/phishing/airtable-phish.yaml | 34 ++++++++++++++++++++ http/osint/phishing/anthropic-phish.yaml | 37 ++++++++++++++++++++++ http/osint/phishing/authy-phish.yaml | 34 ++++++++++++++++++++ http/osint/phishing/backblaze-phish.yaml | 34 ++++++++++++++++++++ http/osint/phishing/calendly-phish.yaml | 34 ++++++++++++++++++++ http/osint/phishing/clickup-phish.yaml | 34 ++++++++++++++++++++ http/osint/phishing/expressvpn-phish.yaml | 34 ++++++++++++++++++++ http/osint/phishing/godaddy-phish.yaml | 34 ++++++++++++++++++++ http/osint/phishing/hubspot-phish.yaml | 34 ++++++++++++++++++++ http/osint/phishing/linear-phish.yaml | 34 ++++++++++++++++++++ http/osint/phishing/loom-phish.yaml | 34 ++++++++++++++++++++ http/osint/phishing/mailchimp-phish.yaml | 34 ++++++++++++++++++++ http/osint/phishing/midjourney-phish.yaml | 34 ++++++++++++++++++++ http/osint/phishing/miro-phish.yaml | 34 ++++++++++++++++++++ http/osint/phishing/namecheap-phish.yaml | 34 ++++++++++++++++++++ http/osint/phishing/netlify-phish.yaml | 34 ++++++++++++++++++++ http/osint/phishing/nordvpn-phish.yaml | 34 ++++++++++++++++++++ http/osint/phishing/obsidian-phish.yaml | 34 ++++++++++++++++++++ http/osint/phishing/ring-phish.yaml | 34 ++++++++++++++++++++ http/osint/phishing/shein-phish.yaml | 36 +++++++++++++++++++++ http/osint/phishing/squarespace-phish.yaml | 34 ++++++++++++++++++++ http/osint/phishing/surfshark-phish.yaml | 34 ++++++++++++++++++++ http/osint/phishing/typeform-phish.yaml | 34 ++++++++++++++++++++ http/osint/phishing/vercel-phish.yaml | 34 ++++++++++++++++++++ http/osint/phishing/wasabi-phish.yaml | 34 ++++++++++++++++++++ http/osint/phishing/webflow-phish.yaml | 34 ++++++++++++++++++++ http/osint/phishing/wix-phish.yaml | 34 ++++++++++++++++++++ http/osint/phishing/zapier-phish.yaml | 34 ++++++++++++++++++++ 28 files changed, 957 insertions(+) create mode 100644 
http/osint/phishing/airtable-phish.yaml create mode 100644 http/osint/phishing/anthropic-phish.yaml create mode 100644 http/osint/phishing/authy-phish.yaml create mode 100644 http/osint/phishing/backblaze-phish.yaml create mode 100644 http/osint/phishing/calendly-phish.yaml create mode 100644 http/osint/phishing/clickup-phish.yaml create mode 100644 http/osint/phishing/expressvpn-phish.yaml create mode 100644 http/osint/phishing/godaddy-phish.yaml create mode 100644 http/osint/phishing/hubspot-phish.yaml create mode 100644 http/osint/phishing/linear-phish.yaml create mode 100644 http/osint/phishing/loom-phish.yaml create mode 100644 http/osint/phishing/mailchimp-phish.yaml create mode 100644 http/osint/phishing/midjourney-phish.yaml create mode 100644 http/osint/phishing/miro-phish.yaml create mode 100644 http/osint/phishing/namecheap-phish.yaml create mode 100644 http/osint/phishing/netlify-phish.yaml create mode 100644 http/osint/phishing/nordvpn-phish.yaml create mode 100644 http/osint/phishing/obsidian-phish.yaml create mode 100644 http/osint/phishing/ring-phish.yaml create mode 100644 http/osint/phishing/shein-phish.yaml create mode 100644 http/osint/phishing/squarespace-phish.yaml create mode 100644 http/osint/phishing/surfshark-phish.yaml create mode 100644 http/osint/phishing/typeform-phish.yaml create mode 100644 http/osint/phishing/vercel-phish.yaml create mode 100644 http/osint/phishing/wasabi-phish.yaml create mode 100644 http/osint/phishing/webflow-phish.yaml create mode 100644 http/osint/phishing/wix-phish.yaml create mode 100644 http/osint/phishing/zapier-phish.yaml diff --git a/http/osint/phishing/airtable-phish.yaml b/http/osint/phishing/airtable-phish.yaml new file mode 100644 index 00000000000..40bf570c5d6 --- /dev/null +++ b/http/osint/phishing/airtable-phish.yaml 
@@ -0,0 +1,34 @@
+id: airtable-phish
+
+info:
+ name: Airtable phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Airtable phishing website was detected
+ reference:
+ - https://airtable.com
+ metadata:
+ max-request: 1
+ tags: phishing,airtable,productivity,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Airtable: AI App Building for Enterprise - Airtable'
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"airtable.com")'
diff --git a/http/osint/phishing/anthropic-phish.yaml b/http/osint/phishing/anthropic-phish.yaml
new file mode 100644
index 00000000000..cf4d4de1c87
--- /dev/null
+++ b/http/osint/phishing/anthropic-phish.yaml
@@ -0,0 +1,37 @@
+id: anthropic-phish
+
+info:
+ name: Anthropic phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Anthropic phishing website was detected
+ reference:
+ - https://anthropic.com
+ metadata:
+ max-request: 1
+ tags: phishing,anthropic,claude,ai,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Anthropic'
+ - '<title>Home \ Anthropic'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"anthropic.com")'
+ - '!contains(host,"claude.ai")'
diff --git a/http/osint/phishing/authy-phish.yaml b/http/osint/phishing/authy-phish.yaml
new file mode 100644
index 00000000000..609757510f1
--- /dev/null
+++ b/http/osint/phishing/authy-phish.yaml
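Review bot: The host exclusion `!contains(host,"airtable.com")` in airtable-phish.yaml is a substring test, so any lookalike host that merely embeds the brand domain (constructed example: `airtable.com.signin.example`) is treated as the legitimate site and never reported, which is the case a phishing detector most needs to flag. Anchor the comparison to the registered domain instead, for example `- '!(host == "airtable.com" || ends_with(host, ".airtable.com"))'`. Every template added in this patch and the next one (anthropic through zapier, and grammarly) uses the same `contains` pattern, so the change applies to all of them. It is also worth confirming what `host` holds after `host-redirects: true` follows a redirect, since the exclusion is only meaningful against the host that actually served the body.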
@@ -0,0 +1,34 @@
+id: authy-phish
+
+info:
+ name: Authy phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Authy phishing website was detected
+ reference:
+ - https://authy.com
+ metadata:
+ max-request: 1
+ tags: phishing,authy,security,2fa,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - '<title>Authy: Two-factor Authentication (2FA) App & Guides | Authy'
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"authy.com")'
diff --git a/http/osint/phishing/backblaze-phish.yaml b/http/osint/phishing/backblaze-phish.yaml
new file mode 100644
index 00000000000..f004699db50
--- /dev/null
+++ b/http/osint/phishing/backblaze-phish.yaml
@@ -0,0 +1,34 @@
+id: backblaze-phish
+
+info:
+ name: Backblaze phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Backblaze phishing website was detected
+ reference:
+ - https://backblaze.com
+ metadata:
+ max-request: 1
+ tags: phishing,backblaze,backup,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - '<title>The Leading Open Cloud Storage Platform - Backblaze'
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"backblaze.com")'
diff --git a/http/osint/phishing/calendly-phish.yaml b/http/osint/phishing/calendly-phish.yaml
new file mode 100644
index 00000000000..9b921893498
--- /dev/null
+++ b/http/osint/phishing/calendly-phish.yaml
@@ -0,0 +1,34 @@
+id: calendly-phish
+
+info:
+ name: Calendly phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Calendly phishing website was detected
+ reference:
+ - https://calendly.com
+ metadata:
+ max-request: 1
+ tags: phishing,calendly,scheduling,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Calendly is the modern scheduling platform that makes “finding time” a breeze. When connecting is easy, your teams can get more done.'
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"calendly.com")'
diff --git a/http/osint/phishing/clickup-phish.yaml b/http/osint/phishing/clickup-phish.yaml
new file mode 100644
index 00000000000..1b165083501
--- /dev/null
+++ b/http/osint/phishing/clickup-phish.yaml
@@ -0,0 +1,34 @@
+id: clickup-phish
+
+info:
+ name: ClickUp phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A ClickUp phishing website was detected
+ reference:
+ - https://clickup.com
+ metadata:
+ max-request: 1
+ tags: phishing,clickup,productivity,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'ClickUp™ | Maximize productivity • Software, AI, and humans converge'
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"clickup.com")'
diff --git a/http/osint/phishing/expressvpn-phish.yaml b/http/osint/phishing/expressvpn-phish.yaml
new file mode 100644
index 00000000000..b828b2985a8
--- /dev/null
+++ b/http/osint/phishing/expressvpn-phish.yaml
@@ -0,0 +1,34 @@
+id: expressvpn-phish
+
+info:
+ name: ExpressVPN phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A ExpressVPN phishing website was detected
+ reference:
+ - https://expressvpn.com
+ metadata:
+ max-request: 1
+ tags: phishing,expressvpn,vpn,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - '<title>ExpressVPN: Best VPN Service for Speed & Privacy in 2025'
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"expressvpn.com")'
diff --git a/http/osint/phishing/godaddy-phish.yaml b/http/osint/phishing/godaddy-phish.yaml
new file mode 100644
index 00000000000..b1fd48909c8
--- /dev/null
+++ b/http/osint/phishing/godaddy-phish.yaml
@@ -0,0 +1,34 @@
+id: godaddy-phish
+
+info:
+ name: GoDaddy phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A GoDaddy phishing website was detected
+ reference:
+ - https://godaddy.com
+ metadata:
+ max-request: 1
+ tags: phishing,godaddy,domain,hosting,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - '<title>Domain Names, Websites, Hosting & Online Marketing Tools - GoDaddy'
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"godaddy.com")'
diff --git a/http/osint/phishing/hubspot-phish.yaml b/http/osint/phishing/hubspot-phish.yaml
new file mode 100644
index 00000000000..279cb9863fc
--- /dev/null
+++ b/http/osint/phishing/hubspot-phish.yaml
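Review bot: The only word in expressvpn-phish.yaml ends in `in 2025`, a year-stamped title on a patch dated January 2026, so the string is presumably already out of step with the live page and will stop matching clones of the current site without any error. Match the stable prefix instead: `- '<title>ExpressVPN: Best VPN Service'`. Where a title carries a date, a count or a campaign slogan, keeping only the brand-bearing part makes the template survive routine copy changes.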
@@ -0,0 +1,34 @@
+id: hubspot-phish
+
+info:
+ name: HubSpot phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A HubSpot phishing website was detected
+ reference:
+ - https://hubspot.com
+ metadata:
+ max-request: 1
+ tags: phishing,hubspot,crm,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - '<title>HubSpot | Software & Tools for your Business - Homepage'
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"hubspot.com")'
diff --git a/http/osint/phishing/linear-phish.yaml b/http/osint/phishing/linear-phish.yaml
new file mode 100644
index 00000000000..d7466a7ff3d
--- /dev/null
+++ b/http/osint/phishing/linear-phish.yaml
@@ -0,0 +1,34 @@
+id: linear-phish
+
+info:
+ name: Linear phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Linear phishing website was detected
+ reference:
+ - https://linear.app
+ metadata:
+ max-request: 1
+ tags: phishing,linear,productivity,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - '<title>Linear – Plan and build products'
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"linear.app")'
diff --git a/http/osint/phishing/loom-phish.yaml b/http/osint/phishing/loom-phish.yaml
new file mode 100644
index 00000000000..00487bcfa34
--- /dev/null
+++ b/http/osint/phishing/loom-phish.yaml
@@ -0,0 +1,34 @@
+id: loom-phish
+
+info:
+ name: Loom phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Loom phishing website was detected
+ reference:
+ - https://loom.com
+ metadata:
+ max-request: 1
+ tags: phishing,loom,video,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Best free online screen recording tool with advanced video editing and video storage trusted by over 22 million people and easy sharing from Loom.com." property="og:description"/><meta content="Best free online screen recording tool with advanced video editing and video storage trusted by over 22 million people and easy sharing from Loom.com.'
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"loom.com")'
diff --git a/http/osint/phishing/mailchimp-phish.yaml b/http/osint/phishing/mailchimp-phish.yaml
new file mode 100644
index 00000000000..b8650b26417
--- /dev/null
+++ b/http/osint/phishing/mailchimp-phish.yaml
@@ -0,0 +1,34 @@
+id: mailchimp-phish
+
+info:
+ name: Mailchimp phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Mailchimp phishing website was detected
+ reference:
+ - https://mailchimp.com
+ metadata:
+ max-request: 1
+ tags: phishing,mailchimp,marketing,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Use real-time behavior data and AI to convert more customers with Mailchimp's marketing, automation & email marketing platform. Easy to use - start for free!'
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"mailchimp.com")'
diff --git a/http/osint/phishing/midjourney-phish.yaml b/http/osint/phishing/midjourney-phish.yaml
new file mode 100644
index 00000000000..1823262e562
--- /dev/null
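Review bot: The single word in loom-phish.yaml runs across two adjacent `<meta>` tags and includes the markup between them (`." property="og:description"/><meta content="`), so the match depends on attribute order, quoting style and tag adjacency surviving unchanged in the copied page. Any re-serialization of the HTML by a kit or hosting platform breaks it, and the "22 million" figure will drift as well. The opening of the sentence carries the same signal with far less coupling: `- 'Best free online screen recording tool with advanced video editing'`.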
+++ b/http/osint/phishing/midjourney-phish.yaml
@@ -0,0 +1,34 @@
+id: midjourney-phish
+
+info:
+ name: Midjourney phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Midjourney phishing website was detected
+ reference:
+ - https://midjourney.com
+ metadata:
+ max-request: 1
+ tags: phishing,midjourney,ai,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - '<title>Midjourney'
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"midjourney.com")'
diff --git a/http/osint/phishing/miro-phish.yaml b/http/osint/phishing/miro-phish.yaml
new file mode 100644
index 00000000000..f837d8c612f
--- /dev/null
+++ b/http/osint/phishing/miro-phish.yaml
@@ -0,0 +1,34 @@
+id: miro-phish
+
+info:
+ name: Miro phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Miro phishing website was detected
+ reference:
+ - https://miro.com
+ metadata:
+ max-request: 1
+ tags: phishing,miro,collaboration,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - '<title>AI Innovation Workspace | Miro'
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"miro.com")'
diff --git a/http/osint/phishing/namecheap-phish.yaml b/http/osint/phishing/namecheap-phish.yaml
new file mode 100644
index 00000000000..bf3016bb409
--- /dev/null
+++ b/http/osint/phishing/namecheap-phish.yaml
@@ -0,0 +1,34 @@
+id: namecheap-phish
+
+info:
+ name: Namecheap phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Namecheap phishing website was detected
+ reference:
+ - https://namecheap.com
+ metadata:
+ max-request: 1
+ tags: phishing,namecheap,domain,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Register domain names at Namecheap. Buy cheap domain names and enjoy 24/7 support. With over 18 million domains under management, you know you’re in good hands.'
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"namecheap.com")'
diff --git a/http/osint/phishing/netlify-phish.yaml b/http/osint/phishing/netlify-phish.yaml
new file mode 100644
index 00000000000..f91cc03df76
--- /dev/null
+++ b/http/osint/phishing/netlify-phish.yaml
@@ -0,0 +1,34 @@
+id: netlify-phish
+
+info:
+ name: Netlify phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Netlify phishing website was detected
+ reference:
+ - https://netlify.com
+ metadata:
+ max-request: 1
+ tags: phishing,netlify,hosting,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Build with AI or code, deploy instantly. One platform with everything you need to make real apps live.'
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"netlify.com")'
diff --git a/http/osint/phishing/nordvpn-phish.yaml b/http/osint/phishing/nordvpn-phish.yaml
new file mode 100644
index 00000000000..aa3b7fb42c3
--- /dev/null
+++ b/http/osint/phishing/nordvpn-phish.yaml
@@ -0,0 +1,34 @@
+id: nordvpn-phish
+
+info:
+ name: NordVPN phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A NordVPN phishing website was detected
+ reference:
+ - https://nordvpn.com
+ metadata:
+ max-request: 1
+ tags: phishing,nordvpn,vpn,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - '<title>The best VPN service online for free, open internet | NordVPN'
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"nordvpn.com")'
diff --git a/http/osint/phishing/obsidian-phish.yaml b/http/osint/phishing/obsidian-phish.yaml
new file mode 100644
index 00000000000..373e83af423
--- /dev/null
+++ b/http/osint/phishing/obsidian-phish.yaml
@@ -0,0 +1,34 @@
+id: obsidian-phish
+
+info:
+ name: Obsidian phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Obsidian phishing website was detected
+ reference:
+ - https://obsidian.md
+ metadata:
+ max-request: 1
+ tags: phishing,obsidian,notes,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - '<title>Obsidian - Sharpen your thinking'
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"obsidian.md")'
diff --git a/http/osint/phishing/ring-phish.yaml b/http/osint/phishing/ring-phish.yaml
new file mode 100644
index 00000000000..9c6e0d5f9c2
--- /dev/null
+++ b/http/osint/phishing/ring-phish.yaml
@@ -0,0 +1,34 @@
+id: ring-phish
+
+info:
+ name: Ring phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Ring phishing website was detected
+ reference:
+ - https://ring.com
+ metadata:
+ max-request: 1
+ tags: phishing,ring,security,iot,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - '<title>Home Security Systems - Cameras, Alarms, Doorbells | Ring'
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"ring.com")'
diff --git a/http/osint/phishing/shein-phish.yaml b/http/osint/phishing/shein-phish.yaml
new file mode 100644
index 00000000000..4f995144932
--- /dev/null
+++ b/http/osint/phishing/shein-phish.yaml
@@ -0,0 +1,36 @@
+id: shein-phish
+
+info:
+ name: Shein phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Shein phishing website was detected
+ reference:
+ - https://shein.com
+ metadata:
+ max-request: 1
+ tags: phishing,shein,ecommerce,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'SHEIN'
+ - 'Exclusive discounts and the latest trends at SHEIN'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"shein.com")'
diff --git a/http/osint/phishing/squarespace-phish.yaml b/http/osint/phishing/squarespace-phish.yaml
new file mode 100644
index 00000000000..495badf10aa
--- /dev/null
+++ b/http/osint/phishing/squarespace-phish.yaml
@@ -0,0 +1,34 @@
+id: squarespace-phish
+
+info:
+ name: Squarespace phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Squarespace phishing website was detected
+ reference:
+ - https://squarespace.com
+ metadata:
+ max-request: 1
+ tags: phishing,squarespace,website-builder,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - '<title>Website Builder — Easily Create Your Own Website — Squarespace'
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"squarespace.com")'
diff --git a/http/osint/phishing/surfshark-phish.yaml b/http/osint/phishing/surfshark-phish.yaml
new file mode 100644
index 00000000000..888003f315c
--- /dev/null
+++ b/http/osint/phishing/surfshark-phish.yaml
@@ -0,0 +1,34 @@
+id: surfshark-phish
+
+info:
+ name: Surfshark phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Surfshark phishing website was detected
+ reference:
+ - https://surfshark.com
+ metadata:
+ max-request: 1
+ tags: phishing,surfshark,vpn,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Surfshark VPN & all-in-one cybersecurity suites - Official Site'
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"surfshark.com")'
diff --git a/http/osint/phishing/typeform-phish.yaml b/http/osint/phishing/typeform-phish.yaml
new file mode 100644
index 00000000000..1ed487f3d81
--- /dev/null
+++ b/http/osint/phishing/typeform-phish.yaml
@@ -0,0 +1,34 @@
+id: typeform-phish
+
+info:
+ name: Typeform phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Typeform phishing website was detected
+ reference:
+ - https://typeform.com
+ metadata:
+ max-request: 1
+ tags: phishing,typeform,forms,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - '<title>Typeform: People-Friendly Forms and Surveys'
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"typeform.com")'
diff --git a/http/osint/phishing/vercel-phish.yaml b/http/osint/phishing/vercel-phish.yaml
new file mode 100644
index 00000000000..ab116caa67b
--- /dev/null
+++ b/http/osint/phishing/vercel-phish.yaml
@@ -0,0 +1,34 @@
+id: vercel-phish
+
+info:
+ name: Vercel phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Vercel phishing website was detected
+ reference:
+ - https://vercel.com
+ metadata:
+ max-request: 1
+ tags: phishing,vercel,hosting,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - '<title>Vercel: Build and deploy the best web experiences with the AI Cloud'
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"vercel.com")'
diff --git a/http/osint/phishing/wasabi-phish.yaml b/http/osint/phishing/wasabi-phish.yaml
new file mode 100644
index 00000000000..8a6f2c606c5
--- /dev/null
+++ b/http/osint/phishing/wasabi-phish.yaml
@@ -0,0 +1,34 @@
+id: wasabi-phish
+
+info:
+ name: Wasabi phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Wasabi phishing website was detected
+ reference:
+ - https://wasabi.com
+ metadata:
+ max-request: 1
+ tags: phishing,wasabi,storage,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - '<title>Store More and Do More with Your Data | Wasabi'
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"wasabi.com")'
diff --git a/http/osint/phishing/webflow-phish.yaml b/http/osint/phishing/webflow-phish.yaml
new file mode 100644
index 00000000000..fcc0ec0782c
--- /dev/null
+++ b/http/osint/phishing/webflow-phish.yaml
@@ -0,0 +1,34 @@
+id: webflow-phish
+
+info:
+ name: Webflow phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Webflow phishing website was detected
+ reference:
+ - https://webflow.com
+ metadata:
+ max-request: 1
+ tags: phishing,webflow,website-builder,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - '<title>Webflow: Create a custom website | Visual website builder'
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"webflow.com")'
diff --git a/http/osint/phishing/wix-phish.yaml b/http/osint/phishing/wix-phish.yaml
new file mode 100644
index 00000000000..86069641e6a
--- /dev/null
+++ b/http/osint/phishing/wix-phish.yaml
@@ -0,0 +1,34 @@
+id: wix-phish
+
+info:
+ name: Wix phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Wix phishing website was detected
+ reference:
+ - https://wix.com
+ metadata:
+ max-request: 1
+ tags: phishing,wix,website-builder,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - '<title>Website Builder - Create a Free Website In Minutes | Wix.com'
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"wix.com")'
diff --git a/http/osint/phishing/zapier-phish.yaml b/http/osint/phishing/zapier-phish.yaml
new file mode 100644
index 00000000000..7759ae4c71e
--- /dev/null
+++ b/http/osint/phishing/zapier-phish.yaml
@@ -0,0 +1,34 @@
+id: zapier-phish
+
+info:
+ name: Zapier phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Zapier phishing website was detected
+ reference:
+ - https://zapier.com
+ metadata:
+ max-request: 1
+ tags: phishing,zapier,automation,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Zapier: Automate AI Workflows, Agents, and Apps'
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"zapier.com")'
From 54d8a99ce206004fb929ab89f56b3c76509e1b0a Mon Sep 17 00:00:00 2001
From: rxerium <rishi@rxerium.com> Date: Mon, 5 Jan 2026 17:00:08 +0000 Subject: [PATCH 08/16] 5 more templates --- http/osint/phishing/grammarly-phish.yaml | 34 +++++++++++++++++++++++ http/osint/phishing/jetbrains-phish.yaml | 34 +++++++++++++++++++++++ http/osint/phishing/roku-phish.yaml | 34 +++++++++++++++++++++++ http/osint/phishing/webex-phish.yaml | 35 ++++++++++++++++++++++++ http/osint/phishing/zoho-phish.yaml | 34 +++++++++++++++++++++++ 5 files changed, 171 insertions(+) create mode 100644 http/osint/phishing/grammarly-phish.yaml create mode 100644 http/osint/phishing/jetbrains-phish.yaml create mode 100644 http/osint/phishing/roku-phish.yaml create mode 100644 http/osint/phishing/webex-phish.yaml create mode 100644 http/osint/phishing/zoho-phish.yaml diff --git a/http/osint/phishing/grammarly-phish.yaml b/http/osint/phishing/grammarly-phish.yaml new file mode 100644 index 00000000000..0a964687947 --- /dev/null +++ b/http/osint/phishing/grammarly-phish.yaml @@ -0,0 +1,34 @@ +id: grammarly-phish + +info: + name: Grammarly phishing Detection + author: rxerium + severity: info + description: | + A Grammarly phishing website was detected + reference: + - https://grammarly.com + metadata: + max-request: 1 + tags: phishing,grammarly,writing,osint,discovery +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + words: + - '<title>Grammarly: Free AI Writing Assistant' + + - type: status + status: + - 200 + + - type: dsl + dsl: + - '!contains(host,"grammarly.com")' diff --git a/http/osint/phishing/jetbrains-phish.yaml b/http/osint/phishing/jetbrains-phish.yaml new file mode 100644 index 00000000000..64d6c8cd6be --- /dev/null +++ b/http/osint/phishing/jetbrains-phish.yaml 
@@ -0,0 +1,34 @@
+id: jetbrains-phish
+
+info:
+ name: JetBrains phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A JetBrains phishing website was detected
+ reference:
+ - https://jetbrains.com
+ metadata:
+ max-request: 1
+ tags: phishing,jetbrains,developer,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - '<title>JetBrains: Essential tools for software developers and teams'
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"jetbrains.com")'
diff --git a/http/osint/phishing/roku-phish.yaml b/http/osint/phishing/roku-phish.yaml
new file mode 100644
index 00000000000..21290fa5426
--- /dev/null
+++ b/http/osint/phishing/roku-phish.yaml
@@ -0,0 +1,34 @@
+id: roku-phish
+
+info:
+ name: Roku phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Roku phishing website was detected
+ reference:
+ - https://roku.com
+ metadata:
+ max-request: 1
+ tags: phishing,roku,streaming,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - '<title>Roku: Streaming TV Players, Streaming Media Players & Smart TVs'
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"roku.com")'
diff --git a/http/osint/phishing/webex-phish.yaml b/http/osint/phishing/webex-phish.yaml
new file mode 100644
index 00000000000..b047a841886
--- /dev/null
+++ b/http/osint/phishing/webex-phish.yaml
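Review bot: The word matcher in roku-phish is compared against the raw response body, but its title string contains a literal `&`, which HTML sources commonly serialise as `&amp;`; if the page does so, the matcher never fires and the template is silently dead. Verify the string against the raw body rather than the browser tab title, and either list both forms or match a fragment that avoids the character, e.g. `- '<title>Roku: Streaming TV Players'`. The same applies to the titles in the autodesk, brevo, cyberghost, dribbble, hetzner, hotjar, jitsi and mixpanel templates elsewhere in this series.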
@@ -0,0 +1,35 @@
+id: webex-phish
+
+info:
+ name: Webex phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Webex phishing website was detected
+ reference:
+ - https://webex.com
+ metadata:
+ max-request: 1
+ tags: phishing,webex,cisco,video,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - '<title>Webex: Video Conferencing, Online Meetings, Screen Share | Cisco Webex'
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"webex.com")'
+ - '!contains(host,"cisco.com")'
diff --git a/http/osint/phishing/zoho-phish.yaml b/http/osint/phishing/zoho-phish.yaml
new file mode 100644
index 00000000000..29933e4a45f
--- /dev/null
+++ b/http/osint/phishing/zoho-phish.yaml
@@ -0,0 +1,34 @@
+id: zoho-phish
+
+info:
+ name: Zoho phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Zoho phishing website was detected
+ reference:
+ - https://zoho.com
+ metadata:
+ max-request: 1
+ tags: phishing,zoho,business,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - '<title>Zoho - Cloud Software Suite and SaaS Applications for Businesses'
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"zoho.com")'
From 24647c587de533c88d23d8e4ba236ce481b1ae34 Mon Sep 17 00:00:00 2001
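Review bot: In webex-phish the `dsl` matcher lists two expressions without a `condition`, and expressions inside one matcher are OR-ed by default, so on webex.com itself `!contains(host,"cisco.com")` is true and the legitimate site is reported as phishing. Add `condition: and` to that matcher, as a sibling of the `dsl:` list, so that both exclusions have to hold. The same omission appears in brevo-phish, jitsi-phish and magento-phish later in the series; intercom-phish shows the intended form on its word matcher.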
From: rxerium <rishi@rxerium.com> Date: Mon, 5 Jan 2026 17:05:38 +0000 Subject: [PATCH 09/16] fixes --- http/osint/phishing/autodesk-phish.yaml | 34 ++++++++++++++++++++ http/osint/phishing/brevo-phish.yaml | 35 ++++++++++++++++++++ http/osint/phishing/docusign-phish.yaml | 34 ++++++++++++++++++++ http/osint/phishing/freshworks-phish.yaml | 34 ++++++++++++++++++++ http/osint/phishing/intercom-phish.yaml | 36 +++++++++++++++++++++ http/osint/phishing/pintrest-phish.yaml | 39 ----------------------- http/osint/phishing/twilio-phish.yaml | 34 ++++++++++++++++++++ 7 files changed, 207 insertions(+), 39 deletions(-) create mode 100644 http/osint/phishing/autodesk-phish.yaml create mode 100644 http/osint/phishing/brevo-phish.yaml create mode 100644 http/osint/phishing/docusign-phish.yaml create mode 100644 http/osint/phishing/freshworks-phish.yaml create mode 100644 http/osint/phishing/intercom-phish.yaml delete mode 100644 http/osint/phishing/pintrest-phish.yaml create mode 100644 http/osint/phishing/twilio-phish.yaml diff --git a/http/osint/phishing/autodesk-phish.yaml b/http/osint/phishing/autodesk-phish.yaml new file mode 100644 index 00000000000..8f275f554ea --- /dev/null +++ b/http/osint/phishing/autodesk-phish.yaml @@ -0,0 +1,34 @@ +id: autodesk-phish + +info: + name: Autodesk phishing Detection + author: rxerium + severity: info + description: | + A Autodesk phishing website was detected + reference: + - https://autodesk.com + metadata: + max-request: 1 + tags: phishing,autodesk,design,osint,discovery +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + words: + - '<title>Autodesk | 3D Design, Engineering & Construction Software' + + - type: status + status: + - 200 + + - type: dsl + dsl: + - '!contains(host,"autodesk.com")' diff --git a/http/osint/phishing/brevo-phish.yaml b/http/osint/phishing/brevo-phish.yaml new file mode 100644 index 00000000000..e42c9674dd8 
--- /dev/null
+++ b/http/osint/phishing/brevo-phish.yaml
@@ -0,0 +1,35 @@
+id: brevo-phish
+
+info:
+ name: Brevo phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Brevo phishing website was detected
+ reference:
+ - https://brevo.com
+ metadata:
+ max-request: 1
+ tags: phishing,brevo,sendinblue,email,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - '<title>Brevo | All-in-one Marketing & Sales Platform'
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"brevo.com")'
+ - '!contains(host,"sendinblue.com")'
diff --git a/http/osint/phishing/docusign-phish.yaml b/http/osint/phishing/docusign-phish.yaml
new file mode 100644
index 00000000000..cca18f2fc74
--- /dev/null
+++ b/http/osint/phishing/docusign-phish.yaml
@@ -0,0 +1,34 @@
+id: docusign-phish
+
+info:
+ name: DocuSign phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A DocuSign phishing website was detected
+ reference:
+ - https://docusign.com
+ metadata:
+ max-request: 1
+ tags: phishing,docusign,esignature,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'title>Docusign | #1 in Electronic Signature and Intelligent Agreement Management'
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"docusign.com")'
diff --git a/http/osint/phishing/freshworks-phish.yaml b/http/osint/phishing/freshworks-phish.yaml
new file mode 100644
index 00000000000..bc669ffe155
--- /dev/null
+++ b/http/osint/phishing/freshworks-phish.yaml
@@ -0,0 +1,34 @@
+id: freshworks-phish
+
+info:
+ name: Freshworks phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Freshworks phishing website was detected
+ reference:
+ - https://freshworks.com
+ metadata:
+ max-request: 1
+ tags: phishing,freshworks,business,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'title>Freshworks: Uncomplicated Software | IT Service, Customer Service'
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"freshworks.com")'
diff --git a/http/osint/phishing/intercom-phish.yaml b/http/osint/phishing/intercom-phish.yaml
new file mode 100644
index 00000000000..fbf404eeaa6
--- /dev/null
+++ b/http/osint/phishing/intercom-phish.yaml
@@ -0,0 +1,36 @@
+id: intercom-phish
+
+info:
+ name: Intercom phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Intercom phishing website was detected
+ reference:
+ - https://intercom.com
+ metadata:
+ max-request: 1
+ tags: phishing,intercom,customer-support,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - '<title>The AI customer service company'
+ - 'Intercom'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"intercom.com")'
diff --git a/http/osint/phishing/pintrest-phish.yaml b/http/osint/phishing/pintrest-phish.yaml
deleted file mode 100644
index 88cd69456ef..00000000000
--- a/http/osint/phishing/pintrest-phish.yaml
+++ /dev/null
@@ -1,39 +0,0 @@ -id: pinterest-phish - -info: - name: pinterest phishing Detection - author: rxerium - severity: info - description: | - A pinterest phishing website was detected - reference: - - https://pinterest.com - metadata: - max-request: 1 - tags: phishing,pinterest,osint,discovery -http: - - method: GET - path: - - "{{BaseURL}}" - - host-redirects: true - max-redirects: 2 - - matchers-condition: and - matchers: - - type: word - words: - - 'Discover recipes, home ideas, style inspiration and other ideas to try' - - - type: word - words: - - 'Pinterest' - - - type: status - status: - - 200 - - - type: dsl - dsl: - - '!contains(host,"pinterest.com")' -# digest: 490a00463044022048a280237451320bc61cdd1a9c84424d04a509e0564ec9903f2c895650038af702202686ebafa062727f0d08ac731f491ab037ffa1e4ed00a4c0697bec48f1acd697:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/http/osint/phishing/twilio-phish.yaml b/http/osint/phishing/twilio-phish.yaml new file mode 100644 index 00000000000..77e9a2b45e0 --- /dev/null +++ b/http/osint/phishing/twilio-phish.yaml @@ -0,0 +1,34 @@ +id: twilio-phish + +info: + name: Twilio phishing Detection + author: rxerium + severity: info + description: | + A Twilio phishing website was detected + reference: + - https://twilio.com + metadata: + max-request: 1 + tags: phishing,twilio,communication,osint,discovery +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + words: + - '<title>Communications APIs with AI and data for SMS, Voice, Email | Twilio' + + - type: status + status: + - 200 + + - type: dsl + dsl: + - '!contains(host,"twilio.com")' From 23308642b4284229efe21bf0489e3286ca114fd6 Mon Sep 17 00:00:00 2001 
From: rxerium <rishi@rxerium.com> Date: Mon, 5 Jan 2026 17:38:14 +0000 Subject: [PATCH 10/16] final templates --- .../oauth-authorization-server-exposure.yaml | 2 +- http/osint/phishing/affirm-phish.yaml | 34 ++++++++++++++++++ http/osint/phishing/afterpay-phish.yaml | 34 ++++++++++++++++++ http/osint/phishing/amplitude-phish.yaml | 34 ++++++++++++++++++ http/osint/phishing/anydo-phish.yaml | 34 ++++++++++++++++++ http/osint/phishing/bigcommerce-phish.yaml | 34 ++++++++++++++++++ http/osint/phishing/codesandbox-phish.yaml | 34 ++++++++++++++++++ http/osint/phishing/cyberghost-phish.yaml | 34 ++++++++++++++++++ http/osint/phishing/dribbble-phish.yaml | 34 ++++++++++++++++++ http/osint/phishing/fastmail-phish.yaml | 34 ++++++++++++++++++ http/osint/phishing/framer-phish.yaml | 34 ++++++++++++++++++ http/osint/phishing/fullstory-phish.yaml | 34 ++++++++++++++++++ http/osint/phishing/gitlab-phish.yaml | 34 ++++++++++++++++++ http/osint/phishing/gitpod-phish.yaml | 34 ++++++++++++++++++ http/osint/phishing/hetzner-phish.yaml | 34 ++++++++++++++++++ http/osint/phishing/hotjar-phish.yaml | 34 ++++++++++++++++++ http/osint/phishing/jitsi-phish.yaml | 35 +++++++++++++++++++ http/osint/phishing/klarna-phish.yaml | 34 ++++++++++++++++++ http/osint/phishing/magento-phish.yaml | 35 +++++++++++++++++++ http/osint/phishing/mattermost-phish.yaml | 34 ++++++++++++++++++ http/osint/phishing/mixpanel-phish.yaml | 34 ++++++++++++++++++ http/osint/phishing/mullvad-phish.yaml | 34 ++++++++++++++++++ http/osint/phishing/ovh-phish.yaml | 35 +++++++++++++++++++ http/osint/phishing/pia-phish.yaml | 34 ++++++++++++++++++ http/osint/phishing/protonvpn-phish.yaml | 35 +++++++++++++++++++ http/osint/phishing/roam-research-phish.yaml | 34 ++++++++++++++++++ http/osint/phishing/rocketchat-phish.yaml | 34 ++++++++++++++++++ http/osint/phishing/scaleway-phish.yaml | 34 ++++++++++++++++++ http/osint/phishing/segment-phish.yaml | 34 ++++++++++++++++++ http/osint/phishing/sketch-phish.yaml | 34 
++++++++++++++++++ http/osint/phishing/todoist-phish.yaml | 34 ++++++++++++++++++ http/osint/phishing/tutanota-phish.yaml | 34 ++++++++++++++++++ http/osint/phishing/whereby-phish.yaml | 34 ++++++++++++++++++ 33 files changed, 1093 insertions(+), 1 deletion(-) create mode 100644 http/osint/phishing/affirm-phish.yaml create mode 100644 http/osint/phishing/afterpay-phish.yaml create mode 100644 http/osint/phishing/amplitude-phish.yaml create mode 100644 http/osint/phishing/anydo-phish.yaml create mode 100644 http/osint/phishing/bigcommerce-phish.yaml create mode 100644 http/osint/phishing/codesandbox-phish.yaml create mode 100644 http/osint/phishing/cyberghost-phish.yaml create mode 100644 http/osint/phishing/dribbble-phish.yaml create mode 100644 http/osint/phishing/fastmail-phish.yaml create mode 100644 http/osint/phishing/framer-phish.yaml create mode 100644 http/osint/phishing/fullstory-phish.yaml create mode 100644 http/osint/phishing/gitlab-phish.yaml create mode 100644 http/osint/phishing/gitpod-phish.yaml create mode 100644 http/osint/phishing/hetzner-phish.yaml create mode 100644 http/osint/phishing/hotjar-phish.yaml create mode 100644 http/osint/phishing/jitsi-phish.yaml create mode 100644 http/osint/phishing/klarna-phish.yaml create mode 100644 http/osint/phishing/magento-phish.yaml create mode 100644 http/osint/phishing/mattermost-phish.yaml create mode 100644 http/osint/phishing/mixpanel-phish.yaml create mode 100644 http/osint/phishing/mullvad-phish.yaml create mode 100644 http/osint/phishing/ovh-phish.yaml create mode 100644 http/osint/phishing/pia-phish.yaml create mode 100644 http/osint/phishing/protonvpn-phish.yaml create mode 100644 http/osint/phishing/roam-research-phish.yaml create mode 100644 http/osint/phishing/rocketchat-phish.yaml create mode 100644 http/osint/phishing/scaleway-phish.yaml create mode 100644 http/osint/phishing/segment-phish.yaml create mode 100644 http/osint/phishing/sketch-phish.yaml create mode 100644 
http/osint/phishing/todoist-phish.yaml create mode 100644 http/osint/phishing/tutanota-phish.yaml create mode 100644 http/osint/phishing/whereby-phish.yaml diff --git a/http/miscellaneous/oauth-authorization-server-exposure.yaml b/http/miscellaneous/oauth-authorization-server-exposure.yaml index 0b95f26b8bb..97f35b74672 100644 --- a/http/miscellaneous/oauth-authorization-server-exposure.yaml +++ b/http/miscellaneous/oauth-authorization-server-exposure.yaml @@ -2,7 +2,7 @@ id: oauth-authorization-server-exposure info: name: Well-Known OAuth Authorization Server Metadata - author: rxeriums + author: rxerium severity: info description: | Detects OAuth 2.0 Authorization Server metadata (RFC 8414). diff --git a/http/osint/phishing/affirm-phish.yaml b/http/osint/phishing/affirm-phish.yaml new file mode 100644 index 00000000000..e6e54541ecc --- /dev/null +++ b/http/osint/phishing/affirm-phish.yaml @@ -0,0 +1,34 @@ +id: affirm-phish + +info: + name: Affirm phishing Detection + author: rxerium + severity: info + description: | + A Affirm phishing website was detected + reference: + - https://affirm.com + metadata: + max-request: 1 + tags: phishing,affirm,payment,osint,discovery +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + words: + - '<title>Affirm | Pay over time with flexible payment plans and no fees' + + - type: status + status: + - 200 + + - type: dsl + dsl: + - '!contains(host,"affirm.com")' diff --git a/http/osint/phishing/afterpay-phish.yaml b/http/osint/phishing/afterpay-phish.yaml new file mode 100644 index 00000000000..7624b6b7085 --- /dev/null +++ b/http/osint/phishing/afterpay-phish.yaml 
@@ -0,0 +1,34 @@
+id: afterpay-phish
+
+info:
+ name: Afterpay phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Afterpay phishing website was detected
+ reference:
+ - https://afterpay.com
+ metadata:
+ max-request: 1
+ tags: phishing,afterpay,payment,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - '<title>Buy Now Pay Later with Afterpay'
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"afterpay.com")'
diff --git a/http/osint/phishing/amplitude-phish.yaml b/http/osint/phishing/amplitude-phish.yaml
new file mode 100644
index 00000000000..7c52046f4be
--- /dev/null
+++ b/http/osint/phishing/amplitude-phish.yaml
@@ -0,0 +1,34 @@
+id: amplitude-phish
+
+info:
+ name: Amplitude phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Amplitude phishing website was detected
+ reference:
+ - https://amplitude.com
+ metadata:
+ max-request: 1
+ tags: phishing,amplitude,analytics,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - '<title>AI Analytics Platform for Modern Digital Analytics | Amplitude'
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"amplitude.com")'
diff --git a/http/osint/phishing/anydo-phish.yaml b/http/osint/phishing/anydo-phish.yaml
new file mode 100644
index 00000000000..47f947a96fa
--- /dev/null
+++ b/http/osint/phishing/anydo-phish.yaml
@@ -0,0 +1,34 @@
+id: anydo-phish
+
+info:
+ name: Any.do phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Any.do phishing website was detected
+ reference:
+ - https://any.do
+ metadata:
+ max-request: 1
+ tags: phishing,anydo,productivity,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - '<title>A simple to do list for you and your team'
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"any.do")'
diff --git a/http/osint/phishing/bigcommerce-phish.yaml b/http/osint/phishing/bigcommerce-phish.yaml
new file mode 100644
index 00000000000..b4483a6e001
--- /dev/null
+++ b/http/osint/phishing/bigcommerce-phish.yaml
@@ -0,0 +1,34 @@
+id: bigcommerce-phish
+
+info:
+ name: BigCommerce phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A BigCommerce phishing website was detected
+ reference:
+ - https://bigcommerce.com
+ metadata:
+ max-request: 1
+ tags: phishing,bigcommerce,ecommerce,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - '<title>Shape Your Future On Your Terms | BigCommerce'
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"bigcommerce.com")'
diff --git a/http/osint/phishing/codesandbox-phish.yaml b/http/osint/phishing/codesandbox-phish.yaml
new file mode 100644
index 00000000000..20bc100b1c7
--- /dev/null
+++ b/http/osint/phishing/codesandbox-phish.yaml
@@ -0,0 +1,34 @@
+id: codesandbox-phish
+
+info:
+ name: CodeSandbox phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A CodeSandbox phishing website was detected
+ reference:
+ - https://codesandbox.io
+ metadata:
+ max-request: 1
+ tags: phishing,codesandbox,developer,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - '<title>CodeSandbox: Instant Cloud Development Environments'
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"codesandbox.io")'
diff --git a/http/osint/phishing/cyberghost-phish.yaml b/http/osint/phishing/cyberghost-phish.yaml
new file mode 100644
index 00000000000..78c9f6a1d20
--- /dev/null
+++ b/http/osint/phishing/cyberghost-phish.yaml
@@ -0,0 +1,34 @@
+id: cyberghost-phish
+
+info:
+ name: CyberGhost phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A CyberGhost phishing website was detected
+ reference:
+ - https://cyberghostvpn.com
+ metadata:
+ max-request: 1
+ tags: phishing,cyberghost,vpn,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - '<title>Fast, Secure, & Private VPN Service | CyberGhost VPN'
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"cyberghostvpn.com")'
diff --git a/http/osint/phishing/dribbble-phish.yaml b/http/osint/phishing/dribbble-phish.yaml
new file mode 100644
index 00000000000..2c2a7a2d94d
--- /dev/null
+++ b/http/osint/phishing/dribbble-phish.yaml
@@ -0,0 +1,34 @@
+id: dribbble-phish
+
+info:
+ name: Dribbble phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Dribbble phishing website was detected
+ reference:
+ - https://dribbble.com
+ metadata:
+ max-request: 1
+ tags: phishing,dribbble,design,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - '<title>Dribbble - Discover the World's Top Designers & Creative Professionals'
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"dribbble.com")'
diff --git a/http/osint/phishing/fastmail-phish.yaml b/http/osint/phishing/fastmail-phish.yaml
new file mode 100644
index 00000000000..f37c6c745b3
--- /dev/null
+++ b/http/osint/phishing/fastmail-phish.yaml
@@ -0,0 +1,34 @@
+id: fastmail-phish
+
+info:
+ name: Fastmail phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Fastmail phishing website was detected
+ reference:
+ - https://fastmail.com
+ metadata:
+ max-request: 1
+ tags: phishing,fastmail,email,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - '<title>Email and calendar made better | Fastmail'
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"fastmail.com")'
diff --git a/http/osint/phishing/framer-phish.yaml b/http/osint/phishing/framer-phish.yaml
new file mode 100644
index 00000000000..111263f1647
--- /dev/null
+++ b/http/osint/phishing/framer-phish.yaml
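Review bot: dribbble-phish will not parse as written, because the word is a single-quoted YAML scalar and the apostrophe in `World's` ends it, leaving the rest of the line as a syntax error. Double the quote or switch to double quotes, e.g. `- "<title>Dribbble - Discover the World's Top Designers & Creative Professionals"`. The apostrophe and the `&` may also be served as character entities in the raw HTML, so the final string should be checked against the actual response body.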
@@ -0,0 +1,34 @@
+id: framer-phish
+
+info:
+ name: Framer phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Framer phishing website was detected
+ reference:
+ - https://framer.com
+ metadata:
+ max-request: 1
+ tags: phishing,framer,design,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - '<title>Framer: Create a professional website, free. No code website builder loved by designers.'
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"framer.com")'
diff --git a/http/osint/phishing/fullstory-phish.yaml b/http/osint/phishing/fullstory-phish.yaml
new file mode 100644
index 00000000000..181916fa535
--- /dev/null
+++ b/http/osint/phishing/fullstory-phish.yaml
@@ -0,0 +1,34 @@
+id: fullstory-phish
+
+info:
+ name: FullStory phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A FullStory phishing website was detected
+ reference:
+ - https://fullstory.com
+ metadata:
+ max-request: 1
+ tags: phishing,fullstory,analytics,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - '<title>FullStory | Digital Experience Intelligence Platform'
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"fullstory.com")'
diff --git a/http/osint/phishing/gitlab-phish.yaml b/http/osint/phishing/gitlab-phish.yaml
new file mode 100644
index 00000000000..ddf38b8d66d
--- /dev/null
+++ b/http/osint/phishing/gitlab-phish.yaml
@@ -0,0 +1,34 @@
+id: gitlab-phish
+
+info:
+ name: GitLab phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A GitLab phishing website was detected
+ reference:
+ - https://gitlab.com
+ metadata:
+ max-request: 1
+ tags: phishing,gitlab,developer,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - '<title>The most-comprehensive AI-powered DevSecOps platform'
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"gitlab.com")'
diff --git a/http/osint/phishing/gitpod-phish.yaml b/http/osint/phishing/gitpod-phish.yaml
new file mode 100644
index 00000000000..550f1627b21
--- /dev/null
+++ b/http/osint/phishing/gitpod-phish.yaml
@@ -0,0 +1,34 @@
+id: gitpod-phish
+
+info:
+ name: Gitpod phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Gitpod phishing website was detected
+ reference:
+ - https://gitpod.io
+ metadata:
+ max-request: 1
+ tags: phishing,gitpod,developer,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - '<title>Gitpod - Always Ready to Code'
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"gitpod.io")'
diff --git a/http/osint/phishing/hetzner-phish.yaml b/http/osint/phishing/hetzner-phish.yaml
new file mode 100644
index 00000000000..6a9696f4da1
--- /dev/null
+++ b/http/osint/phishing/hetzner-phish.yaml
@@ -0,0 +1,34 @@
+id: hetzner-phish
+
+info:
+ name: Hetzner phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Hetzner phishing website was detected
+ reference:
+ - https://hetzner.com
+ metadata:
+ max-request: 1
+ tags: phishing,hetzner,cloud,hosting,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - '<title>Affordable dedicated servers, cloud & hosting from Germany'
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"hetzner.com")'
diff --git a/http/osint/phishing/hotjar-phish.yaml b/http/osint/phishing/hotjar-phish.yaml
new file mode 100644
index 00000000000..1a6e230f9c0
--- /dev/null
+++ b/http/osint/phishing/hotjar-phish.yaml
@@ -0,0 +1,34 @@
+id: hotjar-phish
+
+info:
+ name: Hotjar phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Hotjar phishing website was detected
+ reference:
+ - https://hotjar.com
+ metadata:
+ max-request: 1
+ tags: phishing,hotjar,analytics,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - '<title>Hotjar: Website Heatmaps & Behavior Analytics Tools'
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"hotjar.com")'
diff --git a/http/osint/phishing/jitsi-phish.yaml b/http/osint/phishing/jitsi-phish.yaml
new file mode 100644
index 00000000000..ffb3891cf8a
--- /dev/null
+++ b/http/osint/phishing/jitsi-phish.yaml
@@ -0,0 +1,35 @@
+id: jitsi-phish
+
+info:
+ name: Jitsi phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Jitsi phishing website was detected
+ reference:
+ - https://jitsi.org
+ metadata:
+ max-request: 1
+ tags: phishing,jitsi,video,communication,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - '<title>Free Video Conferencing Software for Web & Mobile | Jitsi'
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"jitsi.org")'
+ - '!contains(host,"meet.jit.si")'
diff --git a/http/osint/phishing/klarna-phish.yaml b/http/osint/phishing/klarna-phish.yaml
new file mode 100644
index 00000000000..18b0af59a42
--- /dev/null
+++ b/http/osint/phishing/klarna-phish.yaml
@@ -0,0 +1,34 @@
+id: klarna-phish
+
+info:
+ name: Klarna phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Klarna phishing website was detected
+ reference:
+ - https://klarna.com
+ metadata:
+ max-request: 1
+ tags: phishing,klarna,payment,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - '<title>Klarna | Buy now, pay later | Online shopping made simple'
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"klarna.com")'
diff --git a/http/osint/phishing/magento-phish.yaml b/http/osint/phishing/magento-phish.yaml
new file mode 100644
index 00000000000..4ef87a66e23
--- /dev/null
+++ b/http/osint/phishing/magento-phish.yaml
@@ -0,0 +1,35 @@
+id: magento-phish
+
+info:
+ name: Magento phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Magento phishing website was detected
+ reference:
+ - https://magento.com
+ metadata:
+ max-request: 1
+ tags: phishing,magento,ecommerce,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - '<title>Adobe Commerce (Magento) | Ecommerce Platform'
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"magento.com")'
+ - '!contains(host,"adobe.com")'
diff --git a/http/osint/phishing/mattermost-phish.yaml b/http/osint/phishing/mattermost-phish.yaml
new file mode 100644
index 00000000000..67c496a1648
--- /dev/null
+++ b/http/osint/phishing/mattermost-phish.yaml
@@ -0,0 +1,34 @@
+id: mattermost-phish
+
+info:
+ name: Mattermost phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Mattermost phishing website was detected
+ reference:
+ - https://mattermost.com
+ metadata:
+ max-request: 1
+ tags: phishing,mattermost,communication,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - '<title>Mattermost | Collaboration Platform for Mission Critical Work'
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"mattermost.com")'
diff --git a/http/osint/phishing/mixpanel-phish.yaml b/http/osint/phishing/mixpanel-phish.yaml
new file mode 100644
index 00000000000..a6b142c7d50
--- /dev/null
+++ b/http/osint/phishing/mixpanel-phish.yaml
@@ -0,0 +1,34 @@
+id: mixpanel-phish
+
+info:
+ name: Mixpanel phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Mixpanel phishing website was detected
+ reference:
+ - https://mixpanel.com
+ metadata:
+ max-request: 1
+ tags: phishing,mixpanel,analytics,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - '<title>Product Analytics & Robust Event Tracking | Mixpanel'
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"mixpanel.com")'
diff --git a/http/osint/phishing/mullvad-phish.yaml b/http/osint/phishing/mullvad-phish.yaml
new file mode 100644
index 00000000000..6bdd695f5dc
--- /dev/null
+++ b/http/osint/phishing/mullvad-phish.yaml
@@ -0,0 +1,34 @@
+id: mullvad-phish
+
+info:
+ name: Mullvad VPN phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Mullvad VPN phishing website was detected
+ reference:
+ - https://mullvad.net
+ metadata:
+ max-request: 1
+ tags: phishing,mullvad,vpn,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - '<title>Mullvad VPN - Privacy is for the people'
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"mullvad.net")'
diff --git a/http/osint/phishing/ovh-phish.yaml b/http/osint/phishing/ovh-phish.yaml
new file mode 100644
index 00000000000..479add1f246
--- /dev/null
+++ b/http/osint/phishing/ovh-phish.yaml
@@ -0,0 +1,35 @@
+id: ovh-phish
+
+info:
+ name: OVHcloud phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A OVHcloud phishing website was detected
+ reference:
+ - https://ovhcloud.com
+ metadata:
+ max-request: 1
+ tags: phishing,ovh,cloud,hosting,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - '<title>Global Cloud Service Provider'
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"ovhcloud.com")'
+ - '!contains(host,"ovh.com")'
diff --git a/http/osint/phishing/pia-phish.yaml b/http/osint/phishing/pia-phish.yaml
new file mode 100644
index 00000000000..e340c075753
--- /dev/null
+++ b/http/osint/phishing/pia-phish.yaml
@@ -0,0 +1,34 @@
+id: pia-phish
+
+info:
+ name: Private Internet Access phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Private Internet Access phishing website was detected
+ reference:
+ - https://privateinternetaccess.com
+ metadata:
+ max-request: 1
+ tags: phishing,pia,vpn,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - '<title>Private Internet Access: The Best VPN Service For 10+ Years'
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"privateinternetaccess.com")'
diff --git a/http/osint/phishing/protonvpn-phish.yaml b/http/osint/phishing/protonvpn-phish.yaml
new file mode 100644
index 00000000000..14272cb5815
--- /dev/null
+++ b/http/osint/phishing/protonvpn-phish.yaml
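Review bot: The word matcher in `ovh-phish` keys on `'<title>Global Cloud Service Provider'`, which carries no brand name, so an unrelated site that uses the same title prefix and returns 200 would be reported as an OVHcloud phishing page. Add a second, brand-specific string taken from the genuine page and set `condition: and` on the word matcher so both must be present. `protonvpn-phish` in the next hunk has the same weakness with `'<title>The best VPN for speed and security'`.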
@@ -0,0 +1,35 @@
+id: protonvpn-phish
+
+info:
+ name: ProtonVPN phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A ProtonVPN phishing website was detected
+ reference:
+ - https://protonvpn.com
+ metadata:
+ max-request: 1
+ tags: phishing,protonvpn,vpn,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - '<title>The best VPN for speed and security'
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"protonvpn.com")'
+ - '!contains(host,"proton.me")'
diff --git a/http/osint/phishing/roam-research-phish.yaml b/http/osint/phishing/roam-research-phish.yaml
new file mode 100644
index 00000000000..88823078dea
--- /dev/null
+++ b/http/osint/phishing/roam-research-phish.yaml
@@ -0,0 +1,34 @@
+id: roam-research-phish
+
+info:
+ name: Roam Research phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Roam Research phishing website was detected
+ reference:
+ - https://roamresearch.com
+ metadata:
+ max-request: 1
+ tags: phishing,roam-research,notes,productivity,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - '<title>Roam Research – A note taking tool for networked thought.'
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"roamresearch.com")'
diff --git a/http/osint/phishing/rocketchat-phish.yaml b/http/osint/phishing/rocketchat-phish.yaml
new file mode 100644
index 00000000000..05de63af724
--- /dev/null
+++ b/http/osint/phishing/rocketchat-phish.yaml
@@ -0,0 +1,34 @@
+id: rocketchat-phish
+
+info:
+ name: Rocket.Chat phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Rocket.Chat phishing website was detected
+ reference:
+ - https://rocket.chat
+ metadata:
+ max-request: 1
+ tags: phishing,rocketchat,communication,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - '<title>Rocket.Chat | Secure CommsOS™ for Mission-Critical Operations'
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"rocket.chat")'
diff --git a/http/osint/phishing/scaleway-phish.yaml b/http/osint/phishing/scaleway-phish.yaml
new file mode 100644
index 00000000000..526ecb5ccbe
--- /dev/null
+++ b/http/osint/phishing/scaleway-phish.yaml
@@ -0,0 +1,34 @@
+id: scaleway-phish
+
+info:
+ name: Scaleway phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Scaleway phishing website was detected
+ reference:
+ - https://scaleway.com
+ metadata:
+ max-request: 1
+ tags: phishing,scaleway,cloud,hosting,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - '<title>European. Cloud. AI. | Scaleway'
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"scaleway.com")'
diff --git a/http/osint/phishing/segment-phish.yaml b/http/osint/phishing/segment-phish.yaml
new file mode 100644
index 00000000000..b17f1c43108
--- /dev/null
+++ b/http/osint/phishing/segment-phish.yaml
@@ -0,0 +1,34 @@
+id: segment-phish
+
+info:
+ name: Segment phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Segment phishing website was detected
+ reference:
+ - https://segment.com
+ metadata:
+ max-request: 1
+ tags: phishing,segment,analytics,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - '<title>Twilio Segment - Customer Data Platform | Twilio Segment'
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"segment.com")'
diff --git a/http/osint/phishing/sketch-phish.yaml b/http/osint/phishing/sketch-phish.yaml
new file mode 100644
index 00000000000..429f7823a0b
--- /dev/null
+++ b/http/osint/phishing/sketch-phish.yaml
@@ -0,0 +1,34 @@
+id: sketch-phish
+
+info:
+ name: Sketch phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Sketch phishing website was detected
+ reference:
+ - https://sketch.com
+ metadata:
+ max-request: 1
+ tags: phishing,sketch,design,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - '<title>Sketch · Design, prototype, collaborate and handoff'
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"sketch.com")'
diff --git a/http/osint/phishing/todoist-phish.yaml b/http/osint/phishing/todoist-phish.yaml
new file mode 100644
index 00000000000..0100471c296
--- /dev/null
+++ b/http/osint/phishing/todoist-phish.yaml
@@ -0,0 +1,34 @@
+id: todoist-phish
+
+info:
+ name: Todoist phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Todoist phishing website was detected
+ reference:
+ - https://todoist.com
+ metadata:
+ max-request: 1
+ tags: phishing,todoist,productivity,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - '<title>Todoist | A To-Do List to Organize Your Work & Life'
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"todoist.com")'
diff --git a/http/osint/phishing/tutanota-phish.yaml b/http/osint/phishing/tutanota-phish.yaml
new file mode 100644
index 00000000000..343c8601d45
--- /dev/null
+++ b/http/osint/phishing/tutanota-phish.yaml
@@ -0,0 +1,34 @@
+id: tutanota-phish
+
+info:
+ name: Tutanota phishing Detection
+ author: rxerium
+ severity: info
+ description: |
+ A Tutanota phishing website was detected
+ reference:
+ - https://tutanota.com
+ metadata:
+ max-request: 1
+ tags: phishing,tutanota,email,osint,discovery
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - '<title>Tuta: Turn ON privacy for free with secure emails, calendars & contacts | Tuta'
+
+ - type: status
+ status:
+ - 200
+
+ - type: dsl
+ dsl:
+ - '!contains(host,"tutanota.com")'
diff --git a/http/osint/phishing/whereby-phish.yaml b/http/osint/phishing/whereby-phish.yaml
new file mode 100644
index 00000000000..a97de474d03
--- /dev/null
+++ b/http/osint/phishing/whereby-phish.yaml
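Review bot: `tutanota-phish` matches a title that begins `Tuta:` but its `dsl` matcher only excludes hosts containing `tutanota.com`, so if the service is now served from a `tuta.com` domain, as the rebranded title suggests, the legitimate site would be reported as phishing. Confirm the current production domains and exclude each of them, for example by adding a `tuta.com` test alongside the existing one with `condition: and` on the `dsl` matcher. The `reference` entry should then point at the same domain.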
@@ -0,0 +1,34 @@ +id: whereby-phish + +info: + name: Whereby phishing Detection + author: rxerium + severity: info + description: | + A Whereby phishing website was detected + reference: + - https://whereby.com + metadata: + max-request: 1 + tags: phishing,whereby,video,communication,osint,discovery +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + words: + - '<title>Secure, customizable & reliable WebRTC Video Calls| Whereby' + + - type: status + status: + - 200 + + - type: dsl + dsl: + - '!contains(host,"whereby.com")' From 634c601b89758b1af070248edd25b19a7c538c84 Mon Sep 17 00:00:00 2001 From: rxerium <rishi@rxerium.com> Date: Mon, 5 Jan 2026 17:39:57 +0000 Subject: [PATCH 11/16] revert --- http/osint/phishing/google-phish.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/http/osint/phishing/google-phish.yaml b/http/osint/phishing/google-phish.yaml index 59034ddbfb0..d967caeb5bf 100644 --- a/http/osint/phishing/google-phish.yaml +++ b/http/osint/phishing/google-phish.yaml @@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "Google" + - 'Sign in - Google Accounts' - type: status status: From bc79aabf45103a0dbc80f6557372d6c663a809ff Mon Sep 17 00:00:00 2001 From: rxerium <rishi@rxerium.com> Date: Mon, 5 Jan 2026 17:41:07 +0000 Subject: [PATCH 12/16] final fixes --- http/osint/phishing/steam-phish.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/http/osint/phishing/steam-phish.yaml b/http/osint/phishing/steam-phish.yaml index 42639b7d48e..64cd25b16af 100644 --- a/http/osint/phishing/steam-phish.yaml +++ b/http/osint/phishing/steam-phish.yaml 
@@ -23,7 +23,8 @@ http: matchers: - type: word words: - - "The Steam Winter Sale is on now — find great deals on thousands of games! Plus cast your votes in the 2025 Steam Awards." + - 'Welcome to Steam' + - 'Steam is the ultimate destination for playing, discussing, and creating games.' - type: status From 3f770270be4584e3df722d2e3cbb34e6c72d3d4b Mon Sep 17 00:00:00 2001 From: rxerium <rishi@rxerium.com> Date: Mon, 5 Jan 2026 17:43:42 +0000 Subject: [PATCH 13/16] lint fixing --- http/osint/phishing/dribbble-phish.yaml | 2 +- http/osint/phishing/shopify-phish.yaml | 2 +- http/osint/phishing/snapchat-phish.yaml | 2 +- http/osint/phishing/square-phish.yaml | 2 +- http/osint/phishing/stripe-phish.yaml | 2 +- http/osint/phishing/zelle-phish.yaml | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/http/osint/phishing/dribbble-phish.yaml b/http/osint/phishing/dribbble-phish.yaml index 2c2a7a2d94d..0294e90201e 100644 --- a/http/osint/phishing/dribbble-phish.yaml +++ b/http/osint/phishing/dribbble-phish.yaml @@ -23,7 +23,7 @@ http: matchers: - type: word words: - - '<title>Dribbble - Discover the World's Top Designers & Creative Professionals' + - "<title>Dribbble - Discover the World's Top Designers & Creative Professionals" - type: status status: diff --git a/http/osint/phishing/shopify-phish.yaml b/http/osint/phishing/shopify-phish.yaml index 6ae9edf1a35..a2ca15e5192 100644 --- a/http/osint/phishing/shopify-phish.yaml +++ b/http/osint/phishing/shopify-phish.yaml @@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "Try Shopify free and start a business or grow an existing one. Get more than ecommerce software with tools to manage every part of your business." + - "Try Shopify free and start a business or grow an existing one. Get more than ecommerce software with tools to manage every part of your business." - 'Start your free trial' condition: or 
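Review bot: The rewritten `words` list in steam-phish now has two entries and no `condition:` line follows it in the hunk, so nuclei applies its default `or` and the short phrase `'Welcome to Steam'` alone satisfies the word matcher. If either phrase is meant to be sufficient, state `condition: or` explicitly, as the shopify, snapchat, square, stripe and zelle templates touched in patch 13/16 do; if both are expected on a cloned page, `condition: and` would cut false positives. The rest of the matcher block lies outside this hunk.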
diff --git a/http/osint/phishing/snapchat-phish.yaml b/http/osint/phishing/snapchat-phish.yaml index 7dbf4a64643..4ca9a94409a 100644 --- a/http/osint/phishing/snapchat-phish.yaml +++ b/http/osint/phishing/snapchat-phish.yaml @@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "Snapchat - Say It In A Snap" + - "Snapchat - Say It In A Snap" - 'Snapchat' condition: or diff --git a/http/osint/phishing/square-phish.yaml b/http/osint/phishing/square-phish.yaml index bf50122b656..8d7287b3860 100644 --- a/http/osint/phishing/square-phish.yaml +++ b/http/osint/phishing/square-phish.yaml @@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "Sell anywhere. Diversify revenue streams. Streamline operations. Manage your staff. Get paid faster. Sign up for Square today." + - "Sell anywhere. Diversify revenue streams. Streamline operations. Manage your staff. Get paid faster. Sign up for Square today." - 'Square Dashboard' condition: or diff --git a/http/osint/phishing/stripe-phish.yaml b/http/osint/phishing/stripe-phish.yaml index eb964c4eed2..e54297cebbb 100644 --- a/http/osint/phishing/stripe-phish.yaml +++ b/http/osint/phishing/stripe-phish.yaml @@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "Stripe is a suite of APIs powering online payment processing and commerce solutions for internet businesses of all sizes. Accept payments and scale faster with AI." + - "Stripe is a suite of APIs powering online payment processing and commerce solutions for internet businesses of all sizes. Accept payments and scale faster with AI." - 'Stripe Dashboard' condition: or diff --git a/http/osint/phishing/zelle-phish.yaml b/http/osint/phishing/zelle-phish.yaml index c5b4789c002..de1aab86aa4 100644 --- a/http/osint/phishing/zelle-phish.yaml +++ b/http/osint/phishing/zelle-phish.yaml 
@@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "Zelle® is a direct and fast way to send and receive money with enrolled friends, family and others you trust. Look for Zelle® in your banking app to get started." + - "Zelle® is a direct and fast way to send and receive money with enrolled friends, family and others you trust. Look for Zelle® in your banking app to get started." - 'Send money with Zelle' condition: or From 7d6ab79ed82473f787c4e89f5b9220686e2a9e8a Mon Sep 17 00:00:00 2001 From: rxerium <rishi@rxerium.com> Date: Mon, 5 Jan 2026 17:47:51 +0000 Subject: [PATCH 14/16] final fix --- http/osint/phishing/amazon-phish.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/http/osint/phishing/amazon-phish.yaml b/http/osint/phishing/amazon-phish.yaml index 1c5083cc39b..fabb0c2cc84 100644 --- a/http/osint/phishing/amazon-phish.yaml +++ b/http/osint/phishing/amazon-phish.yaml @@ -25,7 +25,6 @@ http: words: - 'Amazon Sign In' - 'Amazon Sign-In' - - 'Amazon Login' condition: or - type: status From 63badecf4def9bb4edd9e27c2b6b61728f9ae8d1 Mon Sep 17 00:00:00 2001 
From: rxerium <rishi@rxerium.com> Date: Mon, 5 Jan 2026 21:33:34 +0000 Subject: [PATCH 15/16] lint fixes --- http/osint/phishing/dota2-phish.yaml | 2 +- http/osint/phishing/ea-phish.yaml | 2 +- http/osint/phishing/fubo-phish.yaml | 2 +- http/osint/phishing/gcp-phish.yaml | 2 +- http/osint/phishing/green-man-gaming-phish.yaml | 2 +- http/osint/phishing/grubhub-phish.yaml | 2 +- http/osint/phishing/gumroad-phish.yaml | 2 +- http/osint/phishing/hbo-max-phish.yaml | 2 +- http/osint/phishing/heroku-phish.yaml | 2 +- http/osint/phishing/hsbc-phish.yaml | 2 +- http/osint/phishing/humble-bundle-phish.yaml | 2 +- http/osint/phishing/icbc-phish.yaml | 2 +- http/osint/phishing/ing-phish.yaml | 2 +- http/osint/phishing/instacart-phish.yaml | 2 +- http/osint/phishing/irs-phish.yaml | 2 +- http/osint/phishing/itch-io-phish.yaml | 2 +- http/osint/phishing/latemodel-restoration-phish.yaml | 2 +- http/osint/phishing/league-of-legends-phish.yaml | 2 +- http/osint/phishing/line-phish.yaml | 2 +- http/osint/phishing/lloyds-phish.yaml | 2 +- http/osint/phishing/loaded-phish.yaml | 2 +- http/osint/phishing/monzo-phish.yaml | 2 +- http/osint/phishing/mt-bank-phish.yaml | 2 +- http/osint/phishing/n26-phish.yaml | 2 +- http/osint/phishing/nab-phish.yaml | 2 +- http/osint/phishing/natwest-phish.yaml | 2 +- http/osint/phishing/newegg-phish.yaml | 2 +- http/osint/phishing/nintendo-phish.yaml | 2 +- http/osint/phishing/ocbc-phish.yaml | 2 +- http/osint/phishing/okta-phish.yaml | 2 +- http/osint/phishing/oracle-cloud-phish.yaml | 2 +- http/osint/phishing/origin-phish.yaml | 2 +- http/osint/phishing/pandora-phish.yaml | 2 +- http/osint/phishing/patreon-phish.yaml | 2 +- http/osint/phishing/pepboys-phish.yaml | 2 +- http/osint/phishing/philo-phish.yaml | 2 +- http/osint/phishing/playstation-phish.yaml | 2 +- http/osint/phishing/pnc-bank-phish.yaml | 2 +- http/osint/phishing/puma-phish.yaml | 2 +- http/osint/phishing/rabobank-phish.yaml | 2 +- http/osint/phishing/riot-games-phish.yaml | 2 +- 
http/osint/phishing/rite-aid-phish.yaml | 2 +- http/osint/phishing/robinhood-phish.yaml | 2 +- http/osint/phishing/rockauto-phish.yaml | 2 +- http/osint/phishing/rockstar-phish.yaml | 2 +- http/osint/phishing/rockstar-social-club-phish.yaml | 2 +- http/osint/phishing/salesforce-phish.yaml | 2 +- http/osint/phishing/sams-club-phish.yaml | 2 +- http/osint/phishing/santander-phish.yaml | 2 +- http/osint/phishing/scotiabank-phish.yaml | 2 +- http/osint/phishing/seamless-phish.yaml | 2 +- http/osint/phishing/shutterfly-phish.yaml | 2 +- http/osint/phishing/sling-phish.yaml | 2 +- http/osint/phishing/snapfish-phish.yaml | 2 +- http/osint/phishing/societe-generale-phish.yaml | 2 +- http/osint/phishing/spreadshirt-phish.yaml | 2 +- http/osint/phishing/standard-chartered-phish.yaml | 2 +- http/osint/phishing/td-bank-phish.yaml | 2 +- http/osint/phishing/teepublic-phish.yaml | 2 +- http/osint/phishing/tidal-phish.yaml | 2 +- http/osint/phishing/trello-phish.yaml | 2 +- http/osint/phishing/tripadvisor-phish.yaml | 2 +- http/osint/phishing/truist-phish.yaml | 2 +- http/osint/phishing/ubs-phish.yaml | 2 +- http/osint/phishing/under-armour-phish.yaml | 2 +- http/osint/phishing/uob-phish.yaml | 2 +- http/osint/phishing/uplay-phish.yaml | 2 +- http/osint/phishing/us-bank-phish.yaml | 2 +- http/osint/phishing/usps-phish.yaml | 2 +- http/osint/phishing/valorant-phish.yaml | 2 +- http/osint/phishing/varo-phish.yaml | 2 +- http/osint/phishing/venmo-phish.yaml | 2 +- http/osint/phishing/viber-phish.yaml | 2 +- http/osint/phishing/visa-phish.yaml | 2 +- http/osint/phishing/walgreens-phish.yaml | 2 +- http/osint/phishing/wayfair-phish.yaml | 2 +- http/osint/phishing/wechat-phish.yaml | 2 +- http/osint/phishing/wells-fargo-phish.yaml | 2 +- http/osint/phishing/westpac-phish.yaml | 2 +- http/osint/phishing/wise-phish.yaml | 2 +- http/osint/phishing/xbox-phish.yaml | 2 +- http/osint/phishing/youtube-music-phish.yaml | 2 +- http/osint/phishing/zazzle-phish.yaml | 2 +- 83 files changed, 83 
insertions(+), 83 deletions(-) diff --git a/http/osint/phishing/dota2-phish.yaml b/http/osint/phishing/dota2-phish.yaml index 4f4ee77b957..cde49b204ec 100644 --- a/http/osint/phishing/dota2-phish.yaml +++ b/http/osint/phishing/dota2-phish.yaml @@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "Every day, millions of players worldwide enter battle as one of over a hundred Dota heroes. And no matter if it's their 10th hour of play or 1,000th, there's always something new to discover. With regular updates that ensure a constant evolution of gameplay, features, and heroes, Dota 2 has taken on a life of its own." + - "Every day, millions of players worldwide enter battle as one of over a hundred Dota heroes. And no matter if it's their 10th hour of play or 1,000th, there's always something new to discover. With regular updates that ensure a constant evolution of gameplay, features, and heroes, Dota 2 has taken on a life of its own." - type: status status: diff --git a/http/osint/phishing/ea-phish.yaml b/http/osint/phishing/ea-phish.yaml index 1be09c12689..ef983b75c9f 100644 --- a/http/osint/phishing/ea-phish.yaml +++ b/http/osint/phishing/ea-phish.yaml @@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "We exist to inspire the world through Play. Electronic Arts is a leading publisher of games on Console, PC and Mobile." + - "We exist to inspire the world through Play. Electronic Arts is a leading publisher of games on Console, PC and Mobile." - type: status status: diff --git a/http/osint/phishing/fubo-phish.yaml b/http/osint/phishing/fubo-phish.yaml index b0281df94bd..e6efd8d6cf7 100644 --- a/http/osint/phishing/fubo-phish.yaml +++ b/http/osint/phishing/fubo-phish.yaml 
@@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "Watch ABC, CBS, FOX, ESPN and other top channels live - without cable TV. On your phone, TV and more. No contract. DVR included." + - "Watch ABC, CBS, FOX, ESPN and other top channels live - without cable TV. On your phone, TV and more. No contract. DVR included." - type: status status: diff --git a/http/osint/phishing/gcp-phish.yaml b/http/osint/phishing/gcp-phish.yaml index 720beecff54..1570a4bbddd 100644 --- a/http/osint/phishing/gcp-phish.yaml +++ b/http/osint/phishing/gcp-phish.yaml @@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "Meet your business challenges head on with cloud computing services from Google, including data management, hybrid & multi-cloud, and AI & ML." + - "Meet your business challenges head on with cloud computing services from Google, including data management, hybrid & multi-cloud, and AI & ML." - type: status status: diff --git a/http/osint/phishing/green-man-gaming-phish.yaml b/http/osint/phishing/green-man-gaming-phish.yaml index b19ec724851..e4a22943c25 100644 --- a/http/osint/phishing/green-man-gaming-phish.yaml +++ b/http/osint/phishing/green-man-gaming-phish.yaml @@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "Buy games & game keys with Green Man Gaming - get the best prices, awesome bundles & exclusive game deals daily! Visit to explore Green Man Gaming now!" + - "Buy games & game keys with Green Man Gaming - get the best prices, awesome bundles & exclusive game deals daily! Visit to explore Green Man Gaming now!" - type: status status: diff --git a/http/osint/phishing/grubhub-phish.yaml b/http/osint/phishing/grubhub-phish.yaml index 2cd9af15bc4..8fd025ca9da 100644 --- a/http/osint/phishing/grubhub-phish.yaml +++ b/http/osint/phishing/grubhub-phish.yaml @@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "Prepare your taste buds..." + - "Prepare your taste buds..." - type: status status: 
diff --git a/http/osint/phishing/gumroad-phish.yaml b/http/osint/phishing/gumroad-phish.yaml index 4479ed2b9af..b75de845c02 100644 --- a/http/osint/phishing/gumroad-phish.yaml +++ b/http/osint/phishing/gumroad-phish.yaml @@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "Start selling what you know, see what sticks, and get paid. Simple and effective." + - "Start selling what you know, see what sticks, and get paid. Simple and effective." - type: status status: diff --git a/http/osint/phishing/hbo-max-phish.yaml b/http/osint/phishing/hbo-max-phish.yaml index ba213147321..77e513b1ae7 100644 --- a/http/osint/phishing/hbo-max-phish.yaml +++ b/http/osint/phishing/hbo-max-phish.yaml @@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "Stream must-see series, hit movies, exclusive originals, family favorites, and live sports." + - "Stream must-see series, hit movies, exclusive originals, family favorites, and live sports." - type: status status: diff --git a/http/osint/phishing/heroku-phish.yaml b/http/osint/phishing/heroku-phish.yaml index f28877de7c7..e87086748fe 100644 --- a/http/osint/phishing/heroku-phish.yaml +++ b/http/osint/phishing/heroku-phish.yaml @@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "Heroku is an AI platform as a service (AI PaaS) that enables developers to build, run, and scale applications entirely in the cloud." + - "Heroku is an AI platform as a service (AI PaaS) that enables developers to build, run, and scale applications entirely in the cloud." - type: status status: diff --git a/http/osint/phishing/hsbc-phish.yaml b/http/osint/phishing/hsbc-phish.yaml index 524c8a85243..fec1528ac23 100644 --- a/http/osint/phishing/hsbc-phish.yaml +++ b/http/osint/phishing/hsbc-phish.yaml 
@@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "HSBC, one of the largest banking and financial services institutions in the world, serves millions of customers through its four global businesses." + - "HSBC, one of the largest banking and financial services institutions in the world, serves millions of customers through its four global businesses." - type: status status: diff --git a/http/osint/phishing/humble-bundle-phish.yaml b/http/osint/phishing/humble-bundle-phish.yaml index 9c3e214af6b..58a17d98a8b 100644 --- a/http/osint/phishing/humble-bundle-phish.yaml +++ b/http/osint/phishing/humble-bundle-phish.yaml @@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "Humble Bundle sells games, books, software, and more. Our mission is to support charity while providing awesome content to customers at great prices. Since 2010, Humble Bundle customers have given over $275,000,000 to charity." + - "Humble Bundle sells games, books, software, and more. Our mission is to support charity while providing awesome content to customers at great prices. Since 2010, Humble Bundle customers have given over $275,000,000 to charity." - type: status status: diff --git a/http/osint/phishing/icbc-phish.yaml b/http/osint/phishing/icbc-phish.yaml index 752d64c1cea..3adc5cfe1b2 100644 --- a/http/osint/phishing/icbc-phish.yaml +++ b/http/osint/phishing/icbc-phish.yaml @@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "工商银行金融服务全面介绍,投资理财信息丰富全面,在线交易方便快捷,满足客户专业化、多元化、人性化的金融服务需求,打造集业务、信息、交易、购物、互动于一体综合性金融服务平台。" + - "工商银行金融服务全面介绍,投资理财信息丰富全面,在线交易方便快捷,满足客户专业化、多元化、人性化的金融服务需求,打造集业务、信息、交易、购物、互动于一体综合性金融服务平台。" - type: status status: diff --git a/http/osint/phishing/ing-phish.yaml b/http/osint/phishing/ing-phish.yaml index 68e32716a3c..6ac76dd5207 100644 --- a/http/osint/phishing/ing-phish.yaml +++ b/http/osint/phishing/ing-phish.yaml 
@@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "Corporate site of ING, a global financial institution of Dutch origin, providing news, investor relations and general information" + - "Corporate site of ING, a global financial institution of Dutch origin, providing news, investor relations and general information" - type: status status: diff --git a/http/osint/phishing/instacart-phish.yaml b/http/osint/phishing/instacart-phish.yaml index 58dcd95f409..2375150f860 100644 --- a/http/osint/phishing/instacart-phish.yaml +++ b/http/osint/phishing/instacart-phish.yaml @@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "Instacart | Grocery Delivery or Pickup from Local Stores Near You" + - "Instacart | Grocery Delivery or Pickup from Local Stores Near You" - type: status status: diff --git a/http/osint/phishing/irs-phish.yaml b/http/osint/phishing/irs-phish.yaml index 12fbc0d726e..7040cac9a51 100644 --- a/http/osint/phishing/irs-phish.yaml +++ b/http/osint/phishing/irs-phish.yaml @@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "Pay your taxes. Get your refund status. Find IRS forms and answers to tax questions. We help you understand and meet your federal tax responsibilities." + - "Pay your taxes. Get your refund status. Find IRS forms and answers to tax questions. We help you understand and meet your federal tax responsibilities." - type: status status: diff --git a/http/osint/phishing/itch-io-phish.yaml b/http/osint/phishing/itch-io-phish.yaml index 6dc71a7d701..f1182f57b1a 100644 --- a/http/osint/phishing/itch-io-phish.yaml +++ b/http/osint/phishing/itch-io-phish.yaml 
@@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "itch.io is a simple way to find, download and distribute indie games online. Whether you're a developer looking to upload your game or just someone looking for something new to play itch.io has you covered." + - "itch.io is a simple way to find, download and distribute indie games online. Whether you're a developer looking to upload your game or just someone looking for something new to play itch.io has you covered." - type: status status: diff --git a/http/osint/phishing/latemodel-restoration-phish.yaml b/http/osint/phishing/latemodel-restoration-phish.yaml index 8f23afefc4c..74d67d5a87d 100644 --- a/http/osint/phishing/latemodel-restoration-phish.yaml +++ b/http/osint/phishing/latemodel-restoration-phish.yaml @@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "lmr.com" + - "lmr.com" - '<title>Ford Mustang Parts & Accessories | Late Model Restoration' condition: and diff --git a/http/osint/phishing/league-of-legends-phish.yaml b/http/osint/phishing/league-of-legends-phish.yaml index e051361d83b..5e573005c19 100644 --- a/http/osint/phishing/league-of-legends-phish.yaml +++ b/http/osint/phishing/league-of-legends-phish.yaml @@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "League of Legends is a team-based game with over 140 champions to make epic plays with. Play now for free." + - "League of Legends is a team-based game with over 140 champions to make epic plays with. Play now for free." - type: status status: diff --git a/http/osint/phishing/line-phish.yaml b/http/osint/phishing/line-phish.yaml index fda462c3eff..29b6bc068b2 100644 --- a/http/osint/phishing/line-phish.yaml +++ b/http/osint/phishing/line-phish.yaml @@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "メッセンジャーアプリを超え、新しいコミュニケーションの形を目指して、新時代のインフラ体験をLINEはひとりひとりに届けていきます。" + - "メッセンジャーアプリを超え、新しいコミュニケーションの形を目指して、新時代のインフラ体験をLINEはひとりひとりに届けていきます。" - type: status status: 
diff --git a/http/osint/phishing/lloyds-phish.yaml b/http/osint/phishing/lloyds-phish.yaml index 9e23b954f54..c679114184f 100644 --- a/http/osint/phishing/lloyds-phish.yaml +++ b/http/osint/phishing/lloyds-phish.yaml @@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "<title>Lloyds Bank - Personal Banking, Personal Finances & Bank Accounts" + - "<title>Lloyds Bank - Personal Banking, Personal Finances & Bank Accounts" - type: status status: diff --git a/http/osint/phishing/loaded-phish.yaml b/http/osint/phishing/loaded-phish.yaml index 6b79a9ea8af..2cd9aa20f7a 100644 --- a/http/osint/phishing/loaded-phish.yaml +++ b/http/osint/phishing/loaded-phish.yaml @@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "Enjoy instant delivery, exclusive discounts, and the same unbeatable prices on PC, Xbox, PlayStation & Nintendo." + - "Enjoy instant delivery, exclusive discounts, and the same unbeatable prices on PC, Xbox, PlayStation & Nintendo." - type: status status: diff --git a/http/osint/phishing/monzo-phish.yaml b/http/osint/phishing/monzo-phish.yaml index dee284194c6..3adcf49e534 100644 --- a/http/osint/phishing/monzo-phish.yaml +++ b/http/osint/phishing/monzo-phish.yaml @@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "Organise, save & invest with a free UK current account, joint account or business account. Make your money more Monzo." + - "Organise, save & invest with a free UK current account, joint account or business account. Make your money more Monzo." - type: status status: diff --git a/http/osint/phishing/mt-bank-phish.yaml b/http/osint/phishing/mt-bank-phish.yaml index 4549c5b2b56..b95b5341319 100644 --- a/http/osint/phishing/mt-bank-phish.yaml +++ b/http/osint/phishing/mt-bank-phish.yaml 
@@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "With a community bank approach, M&T Bank helps people reach their personal and business goals with banking, mortgage, loan and investment services." + - "With a community bank approach, M&T Bank helps people reach their personal and business goals with banking, mortgage, loan and investment services." - type: status status: diff --git a/http/osint/phishing/n26-phish.yaml b/http/osint/phishing/n26-phish.yaml index 5fb461dfb45..034aa838c04 100644 --- a/http/osint/phishing/n26-phish.yaml +++ b/http/osint/phishing/n26-phish.yaml @@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "It is with sincere gratitude and appreciation of everything we built together, that we made the tough decision to sharpen our focus on our European business." + - "It is with sincere gratitude and appreciation of everything we built together, that we made the tough decision to sharpen our focus on our European business." - type: status status: diff --git a/http/osint/phishing/nab-phish.yaml b/http/osint/phishing/nab-phish.yaml index c7660745aea..dadf9ab7dff 100644 --- a/http/osint/phishing/nab-phish.yaml +++ b/http/osint/phishing/nab-phish.yaml @@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "NAB personal banking services include online banking, bank accounts, credit cards, home loans and personal loans. We’re here to help you with more than money." + - "NAB personal banking services include online banking, bank accounts, credit cards, home loans and personal loans. We’re here to help you with more than money." - type: status status: diff --git a/http/osint/phishing/natwest-phish.yaml b/http/osint/phishing/natwest-phish.yaml index bc088c9a5cd..eae4bd17e89 100644 --- a/http/osint/phishing/natwest-phish.yaml +++ b/http/osint/phishing/natwest-phish.yaml 
@@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "Welcome to NatWest. Our extensive personal banking products include bank accounts, mortgages, credit cards, loans and more. Visit today to see how we can serve you." + - "Welcome to NatWest. Our extensive personal banking products include bank accounts, mortgages, credit cards, loans and more. Visit today to see how we can serve you." - type: status status: diff --git a/http/osint/phishing/newegg-phish.yaml b/http/osint/phishing/newegg-phish.yaml index 38dd64052d1..026df58f7de 100644 --- a/http/osint/phishing/newegg-phish.yaml +++ b/http/osint/phishing/newegg-phish.yaml @@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "Shop Newegg today for all of your gaming, PC & technology needs. Don’t miss today’s best electronics deals with fast shipping & great customer service!" + - "Shop Newegg today for all of your gaming, PC & technology needs. Don’t miss today’s best electronics deals with fast shipping & great customer service!" - type: status status: diff --git a/http/osint/phishing/nintendo-phish.yaml b/http/osint/phishing/nintendo-phish.yaml index 1c00358a237..40e479cefcc 100644 --- a/http/osint/phishing/nintendo-phish.yaml +++ b/http/osint/phishing/nintendo-phish.yaml @@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "Visit the official Nintendo site to shop for Nintendo Switch™ systems and video games, read the latest news, find fun gear and gifts with a Nintendo twist, and much more." + - "Visit the official Nintendo site to shop for Nintendo Switch™ systems and video games, read the latest news, find fun gear and gifts with a Nintendo twist, and much more." - type: status status: diff --git a/http/osint/phishing/ocbc-phish.yaml b/http/osint/phishing/ocbc-phish.yaml index fa6209612d5..4d1974d8368 100644 --- a/http/osint/phishing/ocbc-phish.yaml +++ b/http/osint/phishing/ocbc-phish.yaml 
@@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "Discover a world of financial services with OCBC, the best trusted and established Singapore bank. Explore our range of banking solutions today." + - "Discover a world of financial services with OCBC, the best trusted and established Singapore bank. Explore our range of banking solutions today." - type: status status: diff --git a/http/osint/phishing/okta-phish.yaml b/http/osint/phishing/okta-phish.yaml index 61b4adea6cd..67a8dcdad0b 100644 --- a/http/osint/phishing/okta-phish.yaml +++ b/http/osint/phishing/okta-phish.yaml @@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "The Okta and Auth0 Platforms enable secure access, authentication, and automation — putting Identity at the heart of business security and growth." + - "The Okta and Auth0 Platforms enable secure access, authentication, and automation — putting Identity at the heart of business security and growth." - type: status status: diff --git a/http/osint/phishing/oracle-cloud-phish.yaml b/http/osint/phishing/oracle-cloud-phish.yaml index a5161883a22..9d8cb0cfd4d 100644 --- a/http/osint/phishing/oracle-cloud-phish.yaml +++ b/http/osint/phishing/oracle-cloud-phish.yaml @@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "fw_error_www" + - "fw_error_www" - type: status status: diff --git a/http/osint/phishing/origin-phish.yaml b/http/osint/phishing/origin-phish.yaml index 489b6d19102..1aafa7d42cc 100644 --- a/http/osint/phishing/origin-phish.yaml +++ b/http/osint/phishing/origin-phish.yaml @@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "Explore PC video games available for download right now. Electronic Arts is a leading publisher of games for the PC, consoles, and mobile." + - "Explore PC video games available for download right now. Electronic Arts is a leading publisher of games for the PC, consoles, and mobile." - type: status status: 
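Review bot: The only word in oracle-cloud-phish.yaml is `fw_error_www`, which looks like an identifier from an error or blocked-request response rather than content of the brand's landing page, so it probably reflects what the capturing client was served and not what a cloned page contains. pepboys-phish.yaml and wayfair-phish.yaml (`px-captcha`, a bot-challenge marker), rabobank-phish.yaml (`Looks like something went wrong…`) and youtube-music-phish.yaml (`Your browser is deprecated. Please upgrade.`) have the same problem. They are likely to miss real clones and can flag unrelated sites that show the same challenge or error page. Re-capture each page from a normal browser session and match on its title or meta description, as the neighbouring templates do. The matchers block continues outside the hunk.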
diff --git a/http/osint/phishing/pandora-phish.yaml b/http/osint/phishing/pandora-phish.yaml index 7c0b81d38ec..89c6c9dc11b 100644 --- a/http/osint/phishing/pandora-phish.yaml +++ b/http/osint/phishing/pandora-phish.yaml @@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "Play the songs, albums, playlists and podcasts you love on the all-new Pandora. Sign up for a subscription plan to stream ad-free and on-demand. Listen on your mobile phone, desktop, TV, smart speakers or in the car." + - "Play the songs, albums, playlists and podcasts you love on the all-new Pandora. Sign up for a subscription plan to stream ad-free and on-demand. Listen on your mobile phone, desktop, TV, smart speakers or in the car." - type: status status: diff --git a/http/osint/phishing/patreon-phish.yaml b/http/osint/phishing/patreon-phish.yaml index 7f1c7ee46d5..72831fbbc80 100644 --- a/http/osint/phishing/patreon-phish.yaml +++ b/http/osint/phishing/patreon-phish.yaml @@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "Patreon is the best place to build community with your biggest fans, share exclusive work, and turn your passion into a lasting creative business." + - "Patreon is the best place to build community with your biggest fans, share exclusive work, and turn your passion into a lasting creative business." - type: status status: diff --git a/http/osint/phishing/pepboys-phish.yaml b/http/osint/phishing/pepboys-phish.yaml index 99e94ee396f..0dbc222a050 100644 --- a/http/osint/phishing/pepboys-phish.yaml +++ b/http/osint/phishing/pepboys-phish.yaml @@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "px-captcha" + - "px-captcha" - type: status status: diff --git a/http/osint/phishing/philo-phish.yaml b/http/osint/phishing/philo-phish.yaml index 3ac451fe02d..5b0a9cc1147 100644 --- a/http/osint/phishing/philo-phish.yaml +++ b/http/osint/phishing/philo-phish.yaml 
@@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "Why pay more for TV? Philo offers live TV and on-demand content for just $33/month. Stream your favorite shows, movies, and more across all your devices." + - "Why pay more for TV? Philo offers live TV and on-demand content for just $33/month. Stream your favorite shows, movies, and more across all your devices." - type: status status: diff --git a/http/osint/phishing/playstation-phish.yaml b/http/osint/phishing/playstation-phish.yaml index 76d8f1330e8..1eca9a702fe 100644 --- a/http/osint/phishing/playstation-phish.yaml +++ b/http/osint/phishing/playstation-phish.yaml @@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "Explore the new generation PlayStation 4 and PS5 consoles - experience immersive gaming with thousands of hit games in every genre to rewrite the rules for what a PlayStation console can do." + - "Explore the new generation PlayStation 4 and PS5 consoles - experience immersive gaming with thousands of hit games in every genre to rewrite the rules for what a PlayStation console can do." - type: status status: diff --git a/http/osint/phishing/pnc-bank-phish.yaml b/http/osint/phishing/pnc-bank-phish.yaml index 31e0e4bfebc..534bd83eae0 100644 --- a/http/osint/phishing/pnc-bank-phish.yaml +++ b/http/osint/phishing/pnc-bank-phish.yaml @@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "PNC Bank offers a wide range of personal banking services including checking and savings accounts, credit cards, mortgage loans, auto loans and much more." + - "PNC Bank offers a wide range of personal banking services including checking and savings accounts, credit cards, mortgage loans, auto loans and much more." - type: status status: diff --git a/http/osint/phishing/puma-phish.yaml b/http/osint/phishing/puma-phish.yaml index d63b4193916..01e20c63003 100644 --- a/http/osint/phishing/puma-phish.yaml +++ b/http/osint/phishing/puma-phish.yaml 
@@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "Run The Streets. Do You. Research and shop all the latest gear from the world of Fashion, Sport, and everywhere in between." + - "Run The Streets. Do You. Research and shop all the latest gear from the world of Fashion, Sport, and everywhere in between." - type: status status: diff --git a/http/osint/phishing/rabobank-phish.yaml b/http/osint/phishing/rabobank-phish.yaml index 4891ca50eb7..9ac1f655ab3 100644 --- a/http/osint/phishing/rabobank-phish.yaml +++ b/http/osint/phishing/rabobank-phish.yaml @@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "Looks like something went wrong…" + - "Looks like something went wrong…" - type: status status: diff --git a/http/osint/phishing/riot-games-phish.yaml b/http/osint/phishing/riot-games-phish.yaml index 9243a956bf1..30a64501fbe 100644 --- a/http/osint/phishing/riot-games-phish.yaml +++ b/http/osint/phishing/riot-games-phish.yaml @@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "Riot Games. Developer of League of Legends, VALORANT, Teamfight Tactics, Legends of Runeterra, and Wild Rift. Creators of Arcane. Home of LOL and VALORANT Esports." + - "Riot Games. Developer of League of Legends, VALORANT, Teamfight Tactics, Legends of Runeterra, and Wild Rift. Creators of Arcane. Home of LOL and VALORANT Esports." - type: status status: diff --git a/http/osint/phishing/rite-aid-phish.yaml b/http/osint/phishing/rite-aid-phish.yaml index 0e867db6863..73aa14c720f 100644 --- a/http/osint/phishing/rite-aid-phish.yaml +++ b/http/osint/phishing/rite-aid-phish.yaml @@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "Rite Aid pharmacy offers products and services to help you lead a healthy, happy life. Visit our online pharmacy, shop now, or find a store near you." + - "Rite Aid pharmacy offers products and services to help you lead a healthy, happy life. Visit our online pharmacy, shop now, or find a store near you." - type: status status: 
diff --git a/http/osint/phishing/robinhood-phish.yaml b/http/osint/phishing/robinhood-phish.yaml index 8bcaf5e7c94..cc57e8e7106 100644 --- a/http/osint/phishing/robinhood-phish.yaml +++ b/http/osint/phishing/robinhood-phish.yaml @@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "Robinhood: 24/5 Commission-Free Stock Trading & Investing" + - "Robinhood: 24/5 Commission-Free Stock Trading & Investing" - type: status status: diff --git a/http/osint/phishing/rockauto-phish.yaml b/http/osint/phishing/rockauto-phish.yaml index b2b1e70b02c..2ff142a59f5 100644 --- a/http/osint/phishing/rockauto-phish.yaml +++ b/http/osint/phishing/rockauto-phish.yaml @@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "Auto Parts for Your Vehicle at Reliably Low Prices. Fast Online Catalog. DIY-Easy. Your Choice of Quality. Full Manufacturer Warranty." + - "Auto Parts for Your Vehicle at Reliably Low Prices. Fast Online Catalog. DIY-Easy. Your Choice of Quality. Full Manufacturer Warranty." - type: status status: diff --git a/http/osint/phishing/rockstar-phish.yaml b/http/osint/phishing/rockstar-phish.yaml index 6f10022155e..421a40c29a5 100644 --- a/http/osint/phishing/rockstar-phish.yaml +++ b/http/osint/phishing/rockstar-phish.yaml @@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "The official home of Rockstar Games" + - "The official home of Rockstar Games" - type: status status: diff --git a/http/osint/phishing/rockstar-social-club-phish.yaml b/http/osint/phishing/rockstar-social-club-phish.yaml index f1f8e8d1987..e3053b1d892 100644 --- a/http/osint/phishing/rockstar-social-club-phish.yaml +++ b/http/osint/phishing/rockstar-social-club-phish.yaml @@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "The official home of Rockstar Games" + - "The official home of Rockstar Games" - type: status status: diff --git a/http/osint/phishing/salesforce-phish.yaml b/http/osint/phishing/salesforce-phish.yaml index 7bafdfa163b..3433e0a96be 100644 
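Review bot: rockstar-phish.yaml and rockstar-social-club-phish.yaml match on the identical word `The official home of Rockstar Games`, so unless a matcher outside the hunk separates them, both templates fire on the same page and a finding cannot say which sign-in surface is being imitated. Either give the Social Club template a string specific to its own page or fold the two into one template. If the duplication is intended, say so in a comment above `words:`, e.g. `# same landing page as rockstar-phish; kept separate for tagging`.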
--- a/http/osint/phishing/salesforce-phish.yaml +++ b/http/osint/phishing/salesforce-phish.yaml @@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "Salesforce is the #1 AI CRM, helping companies become Agentic Enterprises where humans and agents drive success together through a unified AI, data, and Customer 360 platform." + - "Salesforce is the #1 AI CRM, helping companies become Agentic Enterprises where humans and agents drive success together through a unified AI, data, and Customer 360 platform." - type: status status: diff --git a/http/osint/phishing/sams-club-phish.yaml b/http/osint/phishing/sams-club-phish.yaml index 3b4d256385e..181be3d2f97 100644 --- a/http/osint/phishing/sams-club-phish.yaml +++ b/http/osint/phishing/sams-club-phish.yaml @@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "Shop Samsclub.com today for Every Day Low Prices. Join Sam's Club as a Plus Member and get free same-day or next-day delivery from your club & free shipping on eligible items totaling $50 or more." + - "Shop Samsclub.com today for Every Day Low Prices. Join Sam's Club as a Plus Member and get free same-day or next-day delivery from your club & free shipping on eligible items totaling $50 or more." - type: status status: diff --git a/http/osint/phishing/santander-phish.yaml b/http/osint/phishing/santander-phish.yaml index e3a4b737fdf..44f5f558907 100644 --- a/http/osint/phishing/santander-phish.yaml +++ b/http/osint/phishing/santander-phish.yaml @@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "Our purpose is to help people and businesses prosper. We strive to make all we do Simple, Personal and Fair." + - "Our purpose is to help people and businesses prosper. We strive to make all we do Simple, Personal and Fair." - type: status status: diff --git a/http/osint/phishing/scotiabank-phish.yaml b/http/osint/phishing/scotiabank-phish.yaml index 440be203b86..9877941ed62 100644 --- a/http/osint/phishing/scotiabank-phish.yaml 
+++ b/http/osint/phishing/scotiabank-phish.yaml @@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "Scotiabank Global Site" + - "Scotiabank Global Site" - type: status status: diff --git a/http/osint/phishing/seamless-phish.yaml b/http/osint/phishing/seamless-phish.yaml index d5112d415c1..5d8e1354be4 100644 --- a/http/osint/phishing/seamless-phish.yaml +++ b/http/osint/phishing/seamless-phish.yaml @@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "Prepare your taste buds..." + - "Prepare your taste buds..." - type: status status: diff --git a/http/osint/phishing/shutterfly-phish.yaml b/http/osint/phishing/shutterfly-phish.yaml index 9148e8beb4c..5d22ccb76c4 100644 --- a/http/osint/phishing/shutterfly-phish.yaml +++ b/http/osint/phishing/shutterfly-phish.yaml @@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "Create photo books, personalize photo cards & stationery, and share photos with family and friends at Shutterfly.com." + - "Create photo books, personalize photo cards & stationery, and share photos with family and friends at Shutterfly.com." - type: status status: diff --git a/http/osint/phishing/sling-phish.yaml b/http/osint/phishing/sling-phish.yaml index b85ce7e334d..1a33dc80544 100644 --- a/http/osint/phishing/sling-phish.yaml +++ b/http/osint/phishing/sling-phish.yaml @@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "Ditch cable & stream live TV for the best price with Sling. Watch live news, sports, movies, and entertainment + top channels like ESPN, TNT, TBS and more." + - "Ditch cable & stream live TV for the best price with Sling. Watch live news, sports, movies, and entertainment + top channels like ESPN, TNT, TBS and more." - type: status status: diff --git a/http/osint/phishing/snapfish-phish.yaml b/http/osint/phishing/snapfish-phish.yaml index f2a53edc3b7..0ba484af578 100644 --- a/http/osint/phishing/snapfish-phish.yaml +++ b/http/osint/phishing/snapfish-phish.yaml 
@@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "Design and send the best personalized gifts, cards, home decor, photo books, and prints with Snapfish." + - "Design and send the best personalized gifts, cards, home decor, photo books, and prints with Snapfish." - type: status status: diff --git a/http/osint/phishing/societe-generale-phish.yaml b/http/osint/phishing/societe-generale-phish.yaml index 14808a1a8cd..222df11772c 100644 --- a/http/osint/phishing/societe-generale-phish.yaml +++ b/http/osint/phishing/societe-generale-phish.yaml @@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "Un leader européen des services financiers depuis plus de 150 ans, Société Générale s’appuie sur trois métiers complémentaires, la Banque de détail en France, la Banque de détail et Services Financiers Internationaux et la Banque de Grande Clientèle et Solutions Investisseurs." + - "Un leader européen des services financiers depuis plus de 150 ans, Société Générale s’appuie sur trois métiers complémentaires, la Banque de détail en France, la Banque de détail et Services Financiers Internationaux et la Banque de Grande Clientèle et Solutions Investisseurs." - type: status status: diff --git a/http/osint/phishing/spreadshirt-phish.yaml b/http/osint/phishing/spreadshirt-phish.yaml index 5b701459d26..6313dfd9fd9 100644 --- a/http/osint/phishing/spreadshirt-phish.yaml +++ b/http/osint/phishing/spreadshirt-phish.yaml @@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "Spreadshirt Print on Demand Platform | Spreadshirt" + - "Spreadshirt Print on Demand Platform | Spreadshirt" - type: status status: diff --git a/http/osint/phishing/standard-chartered-phish.yaml b/http/osint/phishing/standard-chartered-phish.yaml index b9874391353..33620786885 100644 --- a/http/osint/phishing/standard-chartered-phish.yaml +++ b/http/osint/phishing/standard-chartered-phish.yaml 
@@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "Standard Chartered Bank" + - "Standard Chartered Bank" - type: status status: diff --git a/http/osint/phishing/td-bank-phish.yaml b/http/osint/phishing/td-bank-phish.yaml index c192a1e7f42..dffa32b3c40 100644 --- a/http/osint/phishing/td-bank-phish.yaml +++ b/http/osint/phishing/td-bank-phish.yaml @@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "Explore TD's online banking services, credit cards, checking accounts, savings accounts, loans and more financial products for you and your business." + - "Explore TD's online banking services, credit cards, checking accounts, savings accounts, loans and more financial products for you and your business." - type: status status: diff --git a/http/osint/phishing/teepublic-phish.yaml b/http/osint/phishing/teepublic-phish.yaml index 04840066733..c7b5ff15bc2 100644 --- a/http/osint/phishing/teepublic-phish.yaml +++ b/http/osint/phishing/teepublic-phish.yaml @@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "Artist-Made Apparel and Other Gift Ideas. BFCM Deals Up to 40% Off! | TeePublic" + - "Artist-Made Apparel and Other Gift Ideas. BFCM Deals Up to 40% Off! | TeePublic" - type: status status: diff --git a/http/osint/phishing/tidal-phish.yaml b/http/osint/phishing/tidal-phish.yaml index ef33daff0a2..6883b10bcd5 100644 --- a/http/osint/phishing/tidal-phish.yaml +++ b/http/osint/phishing/tidal-phish.yaml @@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "tidal.com" + - "tidal.com" - type: status status: diff --git a/http/osint/phishing/trello-phish.yaml b/http/osint/phishing/trello-phish.yaml index c2d778725c5..be514448932 100644 --- a/http/osint/phishing/trello-phish.yaml +++ b/http/osint/phishing/trello-phish.yaml 
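Review bot: In tidal-phish.yaml the single word `tidal.com` is a bare domain string that any page linking to or mentioning the service will contain, so on its own it is a weak signal of brand impersonation; tripadvisor-phish.yaml (`tripadvisor.com`) has the same shape. latemodel-restoration-phish.yaml in this patch pairs `lmr.com` with the page title under `condition: and`. Do the same here by adding the site's title string as a second word with `condition: and`. The rest of the matchers block is outside the hunk, so the status matcher's values and any host check are not visible.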
@@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "Make the impossible, possible with Trello. The ultimate tool to boost your productivity. Escape the clutter and chaos—stay efficient with Inbox, Boards, and Planner from anywhere, even on mobile." + - "Make the impossible, possible with Trello. The ultimate tool to boost your productivity. Escape the clutter and chaos—stay efficient with Inbox, Boards, and Planner from anywhere, even on mobile." - type: status status: diff --git a/http/osint/phishing/tripadvisor-phish.yaml b/http/osint/phishing/tripadvisor-phish.yaml index 5c188256647..2ad4bcb0765 100644 --- a/http/osint/phishing/tripadvisor-phish.yaml +++ b/http/osint/phishing/tripadvisor-phish.yaml @@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "tripadvisor.com" + - "tripadvisor.com" - type: status status: diff --git a/http/osint/phishing/truist-phish.yaml b/http/osint/phishing/truist-phish.yaml index d6c229c3c9b..2e4df6e9e49 100644 --- a/http/osint/phishing/truist-phish.yaml +++ b/http/osint/phishing/truist-phish.yaml @@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "Your journey to better banking starts with Truist. Checking and savings accounts, credit cards, mortgages, small business, commercial banking, and more." + - "Your journey to better banking starts with Truist. Checking and savings accounts, credit cards, mortgages, small business, commercial banking, and more." - type: status status: diff --git a/http/osint/phishing/ubs-phish.yaml b/http/osint/phishing/ubs-phish.yaml index 755cc49e314..7b1ca134324 100644 --- a/http/osint/phishing/ubs-phish.yaml +++ b/http/osint/phishing/ubs-phish.yaml @@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "UBS is a global firm providing financial services in over 50 countries. Visit our site to find out what we offer." + - "UBS is a global firm providing financial services in over 50 countries. Visit our site to find out what we offer." - type: status status: 
diff --git a/http/osint/phishing/under-armour-phish.yaml b/http/osint/phishing/under-armour-phish.yaml index 6d4d3f5e5fc..e4d3fae97e6 100644 --- a/http/osint/phishing/under-armour-phish.yaml +++ b/http/osint/phishing/under-armour-phish.yaml @@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "Under Armour builds game-changing sportswear, athletic shirts, shoes and more. FREE SHIPPING available and FREE returns on workout clothes, shoes, and gear." + - "Under Armour builds game-changing sportswear, athletic shirts, shoes and more. FREE SHIPPING available and FREE returns on workout clothes, shoes, and gear." - type: status status: diff --git a/http/osint/phishing/uob-phish.yaml b/http/osint/phishing/uob-phish.yaml index 00b3ee4fff0..578b4ccb419 100644 --- a/http/osint/phishing/uob-phish.yaml +++ b/http/osint/phishing/uob-phish.yaml @@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "United Overseas Bank" + - "United Overseas Bank" - type: status status: diff --git a/http/osint/phishing/uplay-phish.yaml b/http/osint/phishing/uplay-phish.yaml index 9eb296d35b1..d2a9b61c2fe 100644 --- a/http/osint/phishing/uplay-phish.yaml +++ b/http/osint/phishing/uplay-phish.yaml @@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "Welcome to the official website for Ubisoft, creator of Assassin's Creed, Just Dance, Tom Clancy's video game series, Rayman, Far Cry, Watch Dogs and many others. Learn more about our breathtaking games here!" + - "Welcome to the official website for Ubisoft, creator of Assassin's Creed, Just Dance, Tom Clancy's video game series, Rayman, Far Cry, Watch Dogs and many others. Learn more about our breathtaking games here!" - type: status status: diff --git a/http/osint/phishing/us-bank-phish.yaml b/http/osint/phishing/us-bank-phish.yaml index 1007f2365d8..6066b2760b9 100644 --- a/http/osint/phishing/us-bank-phish.yaml +++ b/http/osint/phishing/us-bank-phish.yaml 
@@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "Experience personalized banking services for your unique needs with U.S. Bank - Checking, credit cards, home loans & convenient online banking. Member FDIC." + - "Experience personalized banking services for your unique needs with U.S. Bank - Checking, credit cards, home loans & convenient online banking. Member FDIC." - type: status status: diff --git a/http/osint/phishing/usps-phish.yaml b/http/osint/phishing/usps-phish.yaml index c5c191d50c0..a082955da34 100644 --- a/http/osint/phishing/usps-phish.yaml +++ b/http/osint/phishing/usps-phish.yaml @@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "Welcome to USPS.com. Track packages, pay and print postage with Click-N-Ship, schedule free package pickups, look up ZIP Codes, calculate postage prices, and find everything you need for sending mail and shipping packages." + - "Welcome to USPS.com. Track packages, pay and print postage with Click-N-Ship, schedule free package pickups, look up ZIP Codes, calculate postage prices, and find everything you need for sending mail and shipping packages." - type: status status: diff --git a/http/osint/phishing/valorant-phish.yaml b/http/osint/phishing/valorant-phish.yaml index 6d096ded6ce..6b1a135ff91 100644 --- a/http/osint/phishing/valorant-phish.yaml +++ b/http/osint/phishing/valorant-phish.yaml @@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "Riot Games presents VALORANT: a 5v5 character-based tactical FPS where precise gunplay meets unique agent abilities. Learn about VALORANT and its stylish cast" + - "Riot Games presents VALORANT: a 5v5 character-based tactical FPS where precise gunplay meets unique agent abilities. Learn about VALORANT and its stylish cast" - type: status status: diff --git a/http/osint/phishing/varo-phish.yaml b/http/osint/phishing/varo-phish.yaml index 3cab7b7154a..7271a513a81 100644 --- a/http/osint/phishing/varo-phish.yaml +++ b/http/osint/phishing/varo-phish.yaml 
@@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "Home - Varo" + - "Home - Varo" - type: status status: diff --git a/http/osint/phishing/venmo-phish.yaml b/http/osint/phishing/venmo-phish.yaml index e72724040fb..acc2b00c639 100644 --- a/http/osint/phishing/venmo-phish.yaml +++ b/http/osint/phishing/venmo-phish.yaml @@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "Pay Friends | Payments App | Venmo" + - "Pay Friends | Payments App | Venmo" - 'Pay. Get paid. Shop. Share.' condition: and diff --git a/http/osint/phishing/viber-phish.yaml b/http/osint/phishing/viber-phish.yaml index 47852028958..191a69528d8 100644 --- a/http/osint/phishing/viber-phish.yaml +++ b/http/osint/phishing/viber-phish.yaml @@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "Home | Viber" + - "Home | Viber" - type: status status: diff --git a/http/osint/phishing/visa-phish.yaml b/http/osint/phishing/visa-phish.yaml index 889b438af36..bb3078a459d 100644 --- a/http/osint/phishing/visa-phish.yaml +++ b/http/osint/phishing/visa-phish.yaml @@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "Discover Visa personal payment solutions, secure transactions, travel support, cards and rewards designed to bring more value to your everyday experiences." + - "Discover Visa personal payment solutions, secure transactions, travel support, cards and rewards designed to bring more value to your everyday experiences." - type: status status: diff --git a/http/osint/phishing/walgreens-phish.yaml b/http/osint/phishing/walgreens-phish.yaml index 509ce484d0f..285e78e33ae 100644 --- a/http/osint/phishing/walgreens-phish.yaml +++ b/http/osint/phishing/walgreens-phish.yaml 
@@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "Your go-to for Pharmacy, Health & Wellness and Photo products. Refill prescriptions online, order items for delivery or store pickup, and create Photo Gifts." + - "Your go-to for Pharmacy, Health & Wellness and Photo products. Refill prescriptions online, order items for delivery or store pickup, and create Photo Gifts." - type: status status: diff --git a/http/osint/phishing/wayfair-phish.yaml b/http/osint/phishing/wayfair-phish.yaml index c4afb7a3c86..d5958135904 100644 --- a/http/osint/phishing/wayfair-phish.yaml +++ b/http/osint/phishing/wayfair-phish.yaml @@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "px-captcha" + - "px-captcha" - type: status status: diff --git a/http/osint/phishing/wechat-phish.yaml b/http/osint/phishing/wechat-phish.yaml index eca73707a1b..19a1bf3b7ee 100644 --- a/http/osint/phishing/wechat-phish.yaml +++ b/http/osint/phishing/wechat-phish.yaml @@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "WeChat - Free messaging and calling app" + - "WeChat - Free messaging and calling app" - type: status status: diff --git a/http/osint/phishing/wells-fargo-phish.yaml b/http/osint/phishing/wells-fargo-phish.yaml index 4bb43fe0d5a..cdff481bfd7 100644 --- a/http/osint/phishing/wells-fargo-phish.yaml +++ b/http/osint/phishing/wells-fargo-phish.yaml @@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "Committed to the financial health of our customers and communities. Explore bank accounts, loans, mortgages, investing, credit cards & banking services»" + - "Committed to the financial health of our customers and communities. Explore bank accounts, loans, mortgages, investing, credit cards & banking services»" - type: status status: diff --git a/http/osint/phishing/westpac-phish.yaml b/http/osint/phishing/westpac-phish.yaml index d44ca474c9a..cc6a7d5ca5e 100644 --- a/http/osint/phishing/westpac-phish.yaml +++ b/http/osint/phishing/westpac-phish.yaml 
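Review bot: In the wayfair-phish.yaml hunk the only entry under `words:` is `"px-captcha"`, which looks like the element id of a third-party bot-challenge page rather than anything specific to the Wayfair brand. The signature was presumably captured from a request the site had challenged, so it would flag unrelated hosts that serve the same challenge and would not recognise a lookalike of the actual storefront. I would replace it with brand text taken from a browser-rendered page, for example `- "<Wayfair storefront title text>"` (placeholder, to be filled from a real capture), and pair it with a second brand string under `condition: and` as venmo-phish.yaml does. The matchers block continues outside the hunk, so any host-exclusion check it may carry is not visible here.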
@@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "From to-do to done, it takes a little Westpac. Westpac offers a range of smart solutions to support your personal, business and corporate banking needs." + - "From to-do to done, it takes a little Westpac. Westpac offers a range of smart solutions to support your personal, business and corporate banking needs." - type: status status: diff --git a/http/osint/phishing/wise-phish.yaml b/http/osint/phishing/wise-phish.yaml index 6be9ac9dc23..573142d3988 100644 --- a/http/osint/phishing/wise-phish.yaml +++ b/http/osint/phishing/wise-phish.yaml @@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "160+ countries, 40 currencies, one account. Save when you send, spend and manage your money internationally." + - "160+ countries, 40 currencies, one account. Save when you send, spend and manage your money internationally." - type: status status: diff --git a/http/osint/phishing/xbox-phish.yaml b/http/osint/phishing/xbox-phish.yaml index d08ebe92e26..56056e951bc 100644 --- a/http/osint/phishing/xbox-phish.yaml +++ b/http/osint/phishing/xbox-phish.yaml @@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "Xbox Official Site: Play Games Anywhere | Xbox" + - "Xbox Official Site: Play Games Anywhere | Xbox" - type: status status: diff --git a/http/osint/phishing/youtube-music-phish.yaml b/http/osint/phishing/youtube-music-phish.yaml index a888254b270..44fc7843cbe 100644 --- a/http/osint/phishing/youtube-music-phish.yaml +++ b/http/osint/phishing/youtube-music-phish.yaml @@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "Your browser is deprecated. Please upgrade." + - "Your browser is deprecated. Please upgrade." - type: status status: diff --git a/http/osint/phishing/zazzle-phish.yaml b/http/osint/phishing/zazzle-phish.yaml index 449f93bc910..3ee85a082af 100644 --- a/http/osint/phishing/zazzle-phish.yaml +++ b/http/osint/phishing/zazzle-phish.yaml 
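Review bot: The youtube-music-phish.yaml hunk keys the template on `"Your browser is deprecated. Please upgrade."`, which reads like the fallback page served to an unsupported client, not YouTube Music branding. A lookalike built from what a normal browser renders would presumably not contain that sentence, while any unrelated site using the same wording would match, so the template is likely to produce both misses and false positives. A brand-specific string captured from a browser-rendered page, e.g. `- "<YouTube Music page title>"` (placeholder), would be a more reliable signature. The matcher list starts and ends outside the hunk, so the remaining conditions could not be checked.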
@@ -23,7 +23,7 @@ http: matchers: - type: word words: - - "Celebrate life’s moments with custom invitations, announcements, photo cards, and more. Discover unique gifts crafted by our community of Independent Creators." + - "Celebrate life’s moments with custom invitations, announcements, photo cards, and more. Discover unique gifts crafted by our community of Independent Creators." - type: status status: From 578b9ddb08f3117d647e4e908600c595c62eb2f9 Mon Sep 17 00:00:00 2001 From: rxerium <rishi@rxerium.com> Date: Mon, 5 Jan 2026 21:51:24 +0000 Subject: [PATCH 16/16] lint fixes x2 --- http/osint/phishing/latemodel-restoration-phish.yaml | 2 +- http/osint/phishing/venmo-phish.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/http/osint/phishing/latemodel-restoration-phish.yaml b/http/osint/phishing/latemodel-restoration-phish.yaml index 74d67d5a87d..c4a3634bc27 100644 --- a/http/osint/phishing/latemodel-restoration-phish.yaml +++ b/http/osint/phishing/latemodel-restoration-phish.yaml @@ -24,7 +24,7 @@ http: - type: word words: - "lmr.com" - - '<title>Ford Mustang Parts & Accessories | Late Model Restoration' + - '<title>Ford Mustang Parts & Accessories | Late Model Restoration' condition: and - type: status diff --git a/http/osint/phishing/venmo-phish.yaml b/http/osint/phishing/venmo-phish.yaml index acc2b00c639..82b828cfe1b 100644 --- a/http/osint/phishing/venmo-phish.yaml +++ b/http/osint/phishing/venmo-phish.yaml @@ -24,7 +24,7 @@ http: - type: word words: - "Pay Friends | Payments App | Venmo" - - 'Pay. Get paid. Shop. Share.' + - 'Pay. Get paid. Shop. Share.' condition: and - type: status