Callback scam: Impersonation via TimeTrade infrastructure
Detects callback scam messages that abuse legitimate TimeTrade sending infrastructure to impersonate well-known brands like McAfee, Norton, Geek Squad, PayPal, eBay, Symantec, Best Buy, or LifeLock. The message contains purchase, payment, or subscription-related terms along with a phone number, soliciting victims to call for fraudulent support.
Sublime rule (View on GitHub)
1name: "Callback scam: Impersonation via TimeTrade infrastructure"
2description: "Detects callback scam messages that abuse legitimate TimeTrade sending infrastructure to impersonate well-known brands like McAfee, Norton, Geek Squad, PayPal, eBay, Symantec, Best Buy, or LifeLock. The message contains purchase, payment, or subscription-related terms along with a phone number, soliciting victims to call for fraudulent support."
3type: "rule"
4severity: "medium"
5source: |
6 type.inbound
7
8 // Legitimate TimeTrade sending infratructure
9 and sender.email.domain.root_domain == 'timetrade.com'
10
11 // Callback Phishing
12 and regex.icontains(body.current_thread.text,
13 (
14 "mcafee|n[o0]rt[o0]n|geek.{0,5}squad|paypal|ebay|symantec|best buy|lifel[o0]ck"
15 )
16 )
17 and 3 of (
18 strings.ilike(body.current_thread.text, '*purchase*'),
19 strings.ilike(body.current_thread.text, '*payment*'),
20 strings.ilike(body.current_thread.text, '*transaction*'),
21 strings.ilike(body.current_thread.text, '*subscription*'),
22 strings.ilike(body.current_thread.text, '*antivirus*'),
23 strings.ilike(body.current_thread.text, '*order*'),
24 strings.ilike(body.current_thread.text, '*support*'),
25 strings.ilike(body.current_thread.text, '*help line*'),
26 strings.ilike(body.current_thread.text, '*receipt*'),
27 strings.ilike(body.current_thread.text, '*invoice*'),
28 strings.ilike(body.current_thread.text, '*call*'),
29 strings.ilike(body.current_thread.text, '*cancel*'),
30 strings.ilike(body.current_thread.text, '*renew*'),
31 strings.ilike(body.current_thread.text, '*refund*')
32 )
33 // phone number regex
34 and any([body.current_thread.text, subject.subject],
35 regex.icontains(.,
36 '\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}',
37 '\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}'
38 )
39 )
40
41
42attack_types:
43 - "Callback Phishing"
44tactics_and_techniques:
45 - "Impersonation: Brand"
46 - "Out of band pivot"
47 - "Social engineering"
48detection_methods:
49 - "Content analysis"
50 - "Sender analysis"
51 - "Header analysis"
52id: "0c0b3664-fbad-5d29-82f4-40c702549857"