Service Abuse: Payoneer Callback Scam

This rule flags a fraudulent invoice or receipt in the body of a message sent by abusing Payoneer's invoicing service. Callback phishing is an attempt by an attacker to get the victim (the recipient) to call a phone number; the resulting interaction can lead to a range of attacks, from financial theft to Remote Access Trojan (RAT) installation or ransomware deployment.

Sublime rule

name: "Service Abuse: Payoneer Callback Scam"
description: "A fraudulent invoice/receipt found in the body of the message sent by leveraging Payoneer's invoicing service. Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and length(attachments) == 0
  and sender.email.domain.root_domain in ("payoneer.com")

  and (
    (
      // icontains a phone number
      (
        regex.icontains(strings.replace_confusables(body.current_thread.text),
                        '.*\+?([lo0-9]{1}.)?\(?[lo0-9]{3}?\)?.[lo0-9]{3}.?[lo0-9]{4}.*\n'
        )
        or // +12028001238
        regex.icontains(strings.replace_confusables(body.current_thread.text),
                        '.*\+[lo0-9]{1,3}[lo0-9]{10}.*\n'
        )
        or // 202.800.1238
        regex.icontains(strings.replace_confusables(body.current_thread.text),
                        '.*[lo0-9]{3}\.[lo0-9]{3}\.[lo0-9]{4}.*\n'
        )
        or // 202-800-1238
        regex.icontains(strings.replace_confusables(body.current_thread.text),
                        '.*[lo0-9]{3}-[lo0-9]{3}-[lo0-9]{4}.*\n'
        )
        or // (202) 800-1238
        regex.icontains(strings.replace_confusables(body.current_thread.text),
                        '.*\([lo0-9]{3}\)\s[lo0-9]{3}-[lo0-9]{4}.*\n'
        )
        or // (202)-800-1238
        regex.icontains(strings.replace_confusables(body.current_thread.text),
                        '.*\([lo0-9]{3}\)-[lo0-9]{3}-[lo0-9]{4}.*\n'
        )
        or ( // 8123456789, only when a +1 country code also appears
          regex.icontains(strings.replace_confusables(body.current_thread.text),
                          '.*8[lo0-9]{9}.*\n'
          )
          and regex.icontains(strings.replace_confusables(body.current_thread.text),
                              '\+[1l]'
          )
        )
      )
      and (
        (
          // list of keywords taken from
          // https://github.com/sublime-security/sublime-rules/blob/main/detection-rules/paypal_invoice_abuse.yml
          4 of (
            strings.ilike(body.html.inner_text, '*you did not*'),
            strings.ilike(body.html.inner_text, '*is not for*'),
            strings.ilike(body.html.inner_text, '*done by you*'),
            regex.icontains(body.html.inner_text, "didn\'t ma[kd]e this"),
            strings.ilike(body.html.inner_text, "*Fruad Alert*"),
            strings.ilike(body.html.inner_text, "*Fraud Alert*"),
            strings.ilike(body.html.inner_text, '*using your PayPal*'),
            strings.ilike(body.html.inner_text, '*subscription*'),
            strings.ilike(body.html.inner_text, '*antivirus*'),
            strings.ilike(body.html.inner_text, '*order*'),
            strings.ilike(body.html.inner_text, '*support*'),
            strings.ilike(body.html.inner_text, '*receipt*'),
            strings.ilike(body.html.inner_text, '*invoice*'),
            strings.ilike(body.html.inner_text, '*Purchase*'),
            strings.ilike(body.html.inner_text, '*transaction*'),
            strings.ilike(body.html.inner_text, '*Market*Value*'),
            strings.ilike(body.html.inner_text, '*BTC*'),
            strings.ilike(body.html.inner_text, '*call*'),
            strings.ilike(body.html.inner_text, '*get in touch with our*'),
            strings.ilike(body.html.inner_text, '*quickly inform*'),
            strings.ilike(body.html.inner_text, '*quickly reach *'),
            strings.ilike(body.html.inner_text, '*detected unusual transactions*'),
            strings.ilike(body.html.inner_text, '*cancel*'),
            strings.ilike(body.html.inner_text, '*renew*'),
            strings.ilike(body.html.inner_text, '*refund*'),
            strings.ilike(body.html.inner_text, '*+1*'),
            regex.icontains(body.html.inner_text, 'help.{0,3}desk'),
          )
        )
      )
    )
    or (
      // Unicode confusables words obfuscated in note
      regex.icontains(body.html.inner_text,
                      '\+𝟭|𝗽𝗮𝘆𝗺𝗲𝗻𝘁|𝗛𝗲𝗹𝗽 𝗗𝗲𝘀𝗸|𝗿𝗲𝗳𝘂𝗻𝗱|𝗮𝗻𝘁𝗶𝘃𝗶𝗿𝘂𝘀|𝗰𝗮𝗹𝗹|𝗰𝗮𝗻𝗰𝗲𝗹'
      )
    )
    or strings.ilike(body.html.inner_text, '*kindly*')
  )

attack_types:
  - "Callback Phishing"
  - "BEC/Fraud"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "Sender analysis"
  - "Header analysis"
  - "Content analysis"
id: "b7fb174c-c5a0-567a-8090-6ca142d94562"
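The rule's content logic, re-implemented in plain Python so it can be exercised against sample message bodies outside the Sublime engine. This is an added example, not code from the rule or the sublime-rules project. It assumes that Sublime's strings.replace_confusables can be approximated by NFKC normalisation, that body.current_thread.text and body.html.inner_text can be modelled as a single "body" string, and that the bold glyphs the rule lists are Mathematical Sans-Serif Bold (the sans_bold helper and all sample bodies are constructed for this example).

```python
# Added example, not code from the Sublime rule or the sublime-rules project: a stand-alone
# Python re-implementation of the rule's content checks, run against constructed bodies.
# Assumptions: strings.replace_confusables is approximated with NFKC normalisation, and the
# rule's body.current_thread.text and body.html.inner_text are modelled as one "body" string.
import re
import unicodedata


def replace_confusables(text: str) -> str:
    """NFKC folds mathematical bold/sans-serif letters and digits back to ASCII (assumption)."""
    return unicodedata.normalize("NFKC", text)


def sans_bold(word: str) -> str:
    """ASCII -> Mathematical Sans-Serif Bold, the alphabet the rule's Unicode branch lists."""
    out = []
    for ch in word:
        if "a" <= ch <= "z":
            out.append(chr(0x1D5EE + ord(ch) - ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr(0x1D5D4 + ord(ch) - ord("A")))
        elif "0" <= ch <= "9":
            out.append(chr(0x1D7EC + ord(ch) - ord("0")))
        else:
            out.append(ch)
    return "".join(out)


# Branch 1a: phone-number shapes. [lo0-9] accepts l/o (and L/O, case-insensitively) as 1/0.
PHONE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"\+?([lo0-9]{1}.)?\(?[lo0-9]{3}?\)?.[lo0-9]{3}.?[lo0-9]{4}",  # loose catch-all
    r"\+[lo0-9]{1,3}[lo0-9]{10}",              # +12028001238
    r"[lo0-9]{3}\.[lo0-9]{3}\.[lo0-9]{4}",     # 202.800.1238
    r"[lo0-9]{3}-[lo0-9]{3}-[lo0-9]{4}",       # 202-800-1238
    r"\([lo0-9]{3}\)\s[lo0-9]{3}-[lo0-9]{4}",  # (202) 800-1238
    r"\([lo0-9]{3}\)-[lo0-9]{3}-[lo0-9]{4}",   # (202)-800-1238
)]
TEN_DIGITS_8 = re.compile(r"8[lo0-9]{9}", re.IGNORECASE)  # 8123456789, needs a +1 as well
PLUS_ONE = re.compile(r"\+[1l]", re.IGNORECASE)


def has_phone_number(thread_text: str) -> bool:
    text = replace_confusables(thread_text)  # the rule folds confusables before matching
    if any(p.search(text) for p in PHONE_PATTERNS):
        return True
    return bool(TEN_DIGITS_8.search(text) and PLUS_ONE.search(text))


# Branch 1b: the keyword list. strings.ilike('*x*') is a case-insensitive substring test.
KEYWORDS = [re.compile(re.escape(k), re.IGNORECASE) for k in (
    "you did not", "is not for", "done by you", "Fruad Alert", "Fraud Alert",
    "using your PayPal", "subscription", "antivirus", "order", "support", "receipt",
    "invoice", "Purchase", "transaction", "BTC", "call", "get in touch with our",
    "quickly inform", "quickly reach ", "detected unusual transactions", "cancel",
    "renew", "refund", "+1",
)] + [
    re.compile(r"didn't ma[kd]e this", re.IGNORECASE),
    re.compile(r"Market.*Value", re.IGNORECASE | re.DOTALL),  # '*Market*Value*'
    re.compile(r"help.{0,3}desk", re.IGNORECASE),
]


def keyword_hits(inner_text: str) -> int:
    return sum(1 for k in KEYWORDS if k.search(inner_text))


# Branch 2: the bold-glyph words, matched literally on the unfolded text.
CONFUSABLE_WORDS = re.compile("|".join(re.escape(sans_bold(w)) for w in (
    "+1", "payment", "Help Desk", "refund", "antivirus", "call", "cancel")))


def evaluate(message: dict) -> tuple:
    """Return (matched, reason) for a message dict carrying the fields the rule reads."""
    if (not message["inbound"] or message["attachments"] != 0
            or message["sender_root_domain"] != "payoneer.com"):
        return False, "prefilter (direction / attachments / sender domain)"
    body = message["body"]
    hits = keyword_hits(body)
    if has_phone_number(body) and hits >= 4:
        return True, f"phone number + {hits} keywords"
    if CONFUSABLE_WORDS.search(body):
        return True, "unicode-confusable keyword"
    if "kindly" in body.lower():
        return True, "'kindly'"
    return False, "no content branch matched"


# Constructed sample bodies (not real mail). Note the letter O standing in for 0 below.
SCAM_BODY = ("Invoice #INV-2291 from Secure Shield Antivirus\n"
             "A transaction of 389.99 USD was charged for your annual subscription renewal.\n"
             "If you did not authorize this purchase, call support at (555) O1O-1234\n"
             "within 24 hours to cancel and request a refund.\n")
BOLD_BODY = ("Your " + sans_bold("payment") + " of 249.00 USD was processed. To dispute it "
             + sans_bold("call") + " our " + sans_bold("Help Desk") + " at "
             + sans_bold("+1 555 010 1234") + ".\n")
BENIGN_BODY = ("Your payout of 1,250.00 USD has been sent to your bank account.\n"
               "Transaction reference: TXN-48213. Funds typically arrive within 2 business days.\n")

SAMPLES = {name: dict(inbound=True, attachments=0, sender_root_domain=dom, body=body)
           for name, dom, body in (("callback_scam", "payoneer.com", SCAM_BODY),
                                   ("unicode_bold", "payoneer.com", BOLD_BODY),
                                   ("benign_payout", "payoneer.com", BENIGN_BODY),
                                   ("wrong_sender", "example.com", SCAM_BODY))}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:14s} -> {evaluate(msg)}")
```

Running the file prints one verdict per sample. The bold-glyph sample shows why the rule needs both branches: after confusable folding the phone number is visible to the regexes, but the ASCII keyword list still scores zero against the unfolded text, so only the literal bold-word alternation catches it. The `O1O` in the first sample shows the other direction, a letter standing in for a digit that `[lo0-9]` still accepts.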