Extortion / Sextortion - PDF attachment leveraging breach data from freemail sender
Detects sextortion attempts leveraging breach data, including names, addresses, phone numbers and frequently using Google Maps/Bing Maps streetview images to bolster confidence and fear.
Sublime rule (View on GitHub)
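name: "Extortion / Sextortion - PDF attachment leveraging breach data from freemail sender"
description: "Detects sextortion attempts leveraging breach data, including names, addresses, phone numbers and frequently using Google Maps/Bing Maps streetview images to bolster confidence and fear."
type: "rule"
severity: "high"
source: |
  type.inbound

  // sender is a freemail domain
  and sender.email.domain.root_domain in $free_email_providers

  // attachment filename is the same as the subject (allow one character of
  // difference to absorb a stray space / punctuation change)
  and any(attachments,
          strings.ilevenshtein(strings.concat(subject.subject,
                                              ".",
                                              .file_extension
                               ),
                               .file_name
          ) <= 1
  )

  // body contains a US address, or the body is the subject
  // NOTE: icontains makes the whole pattern case-insensitive, so the
  // two-letter state token also matches lowercase words; the postal-code
  // tail and the attachment/QR conditions below are what keep this tight.
  and (
    regex.icontains(body.current_thread.text,
                    '\d+\s[\w\s.]+(?:\n)?[\w\s]+\s[A-Z]{2}\s\d{5}(?:-\d{4})?(?:\n)?',
                    // a Canadian address
                    '\d+\s[\w\s.]+(?:\n)?[\w\s]+\s((?:Ontario|ON)|(?:Quebec|QC)|(?:Nova Scotia|NS)|(?:New Brunswick|NB)|(?:Manitoba|MB)|(?:British Columbia|BC)|(?:Prince Edward Island|PEI?)|(?:Saskatchewan|SK)|(?:Alberta|AB)|(?:Newfoundland and Labrador|NL)|(?:Yukon|YT)|(?:Northwest Territories|NT)|(?:Nunavut|NU))\s*[ABCEGHJ-NPRSTVXY]\d[ABCEGHJ-NPRSTV-Z][ -]?\d[ABCEGHJ-NPRSTV-Z]\d'
    )
    or subject.subject == body.current_thread.text
  )

  // there's a PDF attachment with an image at a depth of one, measuring 148x148
  // and containing a QR code that is a BTC address, OR the PDF text carries an
  // "Amount ... $NNN" line next to a BITCOIN/BTC/LTC/Wallet keyword
  and any(attachments,
          .file_type == "pdf"
          and any(file.explode(.),
                  (
                    (.depth == 1 and .flavors.mime == "image/jpeg")
                    and (
                      .scan.exiftool.image_height == 148
                      and .scan.exiftool.image_width == 148
                      // regex.match is a whole-string match, so the optional
                      // BIP-21 "bitcoin:" URI prefix is tolerated explicitly.
                      // Legacy (1...) and P2SH (3...) addresses are Base58 and
                      // case-sensitive; bech32 (bc1...) uses the charset
                      // qpzry9x8gf2tvdw0s3jn54khce6mua7l (no 1, b, i, o) and is
                      // often encoded all-uppercase inside QR codes, so both
                      // cases are accepted for that form.
                      and regex.match(.scan.qr.data,
                                      '(?:bitcoin:)?(1[a-km-zA-HJ-NP-Z1-9]{25,34}|3[a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{39,59}|BC1[AC-HJ-NP-Z02-9]{39,59})'
                      )
                    )
                  )
                  or (
                    // text-only fallback: no depth/mime constraint, so this
                    // branch is noisier and relies on the freemail + address
                    // + subject-as-filename conditions above for precision
                    any(.scan.strings.strings,
                        regex.icontains(., 'Amount(?:\s*\w+){0,3}\s*:?\s*(?:USD\s*)?(?:\$\s?\d+|\d+\s?\$?)')
                    )
                    and any(.scan.strings.strings,
                            regex.icontains(., '(\bBITCOIN\b|\bBTC\b|\bLTC\b|Wallet)')
                    )
                  )
          )
  )
attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Free email provider"
  - "PDF"
  - "Social engineering"
  - "QR code"
detection_methods:
  - "Content analysis"
  - "File analysis"
  - "QR code analysis"
id: "efb5a213-df55-5ddc-a300-ad3a6da8e74e"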