PayPal Invoice Abuse

A fraudulent invoice or receipt delivered in the body of a message sent through PayPal's own invoicing service. Callback phishing is an attempt by an attacker to get the victim (recipient) to call a phone number. The resulting interaction can lead to a range of attacks, from financial theft to Remote Access Trojan (RAT) installation or ransomware deployment.

Sublime rule (View on GitHub)

  # Sublime detection rule. The `source` block is the MQL expression evaluated
  # against each message; the remaining keys are rule metadata.
  name: "PayPal Invoice Abuse"
  description: |
    A fraudulent invoice/receipt found in the body of the message sent by exploiting Paypal's invoicing service.
    Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. 
    The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment.  
  type: "rule"
  references:
    - "https://anderegg.ca/2023/02/01/a-novel-paypal-scam"
  severity: "medium"
  source: |
    // Scope: inbound mail with no attachments whose sender root domain is one of
    // the listed PayPal domains. Per the description the lure is sent through
    // PayPal's own invoicing service, so the sender check narrows the rule to
    // that delivery path; it is not evidence of legitimacy on its own.
    type.inbound
    and length(attachments) == 0
    and sender.email.domain.root_domain in (
      "paypal.com",
      "paypal.com.mx",
      "paypal.com.br",
      "paypal.com.ar",
      "paypal.co.uk"
    )
    // Gate 1: the rendered body carries a seller note, or the subject itself
    // contains a phone number in one of the formats below.
    // replace_confusables() normalises look-alike characters before matching,
    // and the digit classes additionally accept 'l' and 'o' so that letters
    // standing in for 1 and 0 still count as digits.
    and (
      strings.ilike(body.html.display_text, "*seller note*")
      or strings.ilike(body.html.display_text, "*Note from *")
      // phone number in subject
      // the subject contains the seller's "name", attacks have been seen with the entire callback text in the seller's name
      or     (
          // Loose shape: optional '+', optional country digit, 3 digits in
          // optional parentheses, a separator, 3 digits, optional separator,
          // 4 digits. `{3}?` is a lazy exact count and behaves the same as `{3}`.
          regex.icontains(strings.replace_confusables(subject.subject),
                          '.*\+?([lo0-9]{1}.)?\(?[lo0-9]{3}?\)?.[lo0-9]{3}.?[lo0-9]{4}.*'
          )
          or regex.icontains(strings.replace_confusables(subject.subject),
                             '.*\+[lo0-9]{1,3}[lo0-9]{10}.*'
          )
          or // +12028001238
     regex.icontains(strings.replace_confusables(subject.subject),
                     '.*[lo0-9]{3}\.[lo0-9]{3}\.[lo0-9]{4}.*'
          )
          or // 202-800-1238
     regex.icontains(strings.replace_confusables(subject.subject),
                     '.*[lo0-9]{3}-[lo0-9]{3}-[lo0-9]{4}.*'
          )
          or // (202) 800-1238
     regex.icontains(strings.replace_confusables(subject.subject),
                     '.*\([lo0-9]{3}\)\s[lo0-9]{3}-[lo0-9]{4}.*'
          )
          or // (202)-800-1238
     regex.icontains(strings.replace_confusables(subject.subject),
                     '.*\([lo0-9]{3}\)-[lo0-9]{3}-[lo0-9]{4}.*'
          )
          // A bare 10-digit run starting with 8 only counts when a '+1'
          // (or confusable '+l') also appears somewhere in the subject.
          or ( // 8123456789
            regex.icontains(strings.replace_confusables(subject.subject),
                            '.*8[lo0-9]{9}.*'
            )
            and regex.icontains(strings.replace_confusables(subject.subject
                                ),
                                '\+[1l]'
            )
          )
        )
    )
    // Gate 2: a phone number in the current thread text AND callback-scam
    // language in the body. The number patterns mirror Gate 1 but each ends in
    // `.*\n`, so the number must sit on a newline-terminated line; with a
    // dot-does-not-match-newline engine a number on a final unterminated line
    // would not match. NOTE(review): confirm that is intended.
    and (
      (
        // icontains a phone number
        (
          regex.icontains(strings.replace_confusables(body.current_thread.text),
                          '.*\+?([lo0-9]{1}.)?\(?[lo0-9]{3}?\)?.[lo0-9]{3}.?[lo0-9]{4}.*\n'
          )
          or regex.icontains(strings.replace_confusables(body.current_thread.text),
                             '.*\+[lo0-9]{1,3}[lo0-9]{10}.*\n'
          )
          or // +12028001238
     regex.icontains(strings.replace_confusables(body.current_thread.text),
                     '.*[lo0-9]{3}\.[lo0-9]{3}\.[lo0-9]{4}.*\n'
          )
          or // 202-800-1238
     regex.icontains(strings.replace_confusables(body.current_thread.text),
                     '.*[lo0-9]{3}-[lo0-9]{3}-[lo0-9]{4}.*\n'
          )
          or // (202) 800-1238
     regex.icontains(strings.replace_confusables(body.current_thread.text),
                     '.*\([lo0-9]{3}\)\s[lo0-9]{3}-[lo0-9]{4}.*\n'
          )
          or // (202)-800-1238
     regex.icontains(strings.replace_confusables(body.current_thread.text),
                     '.*\([lo0-9]{3}\)-[lo0-9]{3}-[lo0-9]{4}.*\n'
          )
          or ( // 8123456789
            regex.icontains(strings.replace_confusables(body.current_thread.text),
                            '.*8[lo0-9]{9}.*\n'
            )
            and regex.icontains(strings.replace_confusables(body.current_thread.text
                                ),
                                '\+[1l]'
            )
          )
        )
        // Scam-language branch: any ONE of the following alternatives is enough.
        and (
          (
            // Keyword threshold. Several of these terms (order, support,
            // receipt, invoice, Purchase, transaction, cancel, refund) also
            // occur in ordinary PayPal invoices, so the phone-number
            // requirement above carries most of the signal.
            // NOTE(review): a threshold of 4 looks low for false positives —
            // confirm against benign invoice samples.
            4 of (
              strings.ilike(body.html.inner_text, '*you did not*'),
              strings.ilike(body.html.inner_text, '*is not for*'),
              strings.ilike(body.html.inner_text, '*done by you*'),
              regex.icontains(body.html.inner_text, "didn\'t ma[kd]e this"),
              // 'Fruad' sits next to the correct spelling — presumably kept
              // deliberately to catch attacker typos; confirm before changing.
              strings.ilike(body.html.inner_text, '*Fruad Alert*'),
              strings.ilike(body.html.inner_text, '*Fraud Alert*'),
              strings.ilike(body.html.inner_text, '*fraudulent*'),
              strings.ilike(body.html.inner_text, '*using your PayPal*'),
              strings.ilike(body.html.inner_text, '*subscription*'),
              strings.ilike(body.html.inner_text, '*antivirus*'),
              strings.ilike(body.html.inner_text, '*order*'),
              strings.ilike(body.html.inner_text, '*support*'),
              strings.ilike(body.html.inner_text, '*sincerely apologize*'),
              strings.ilike(body.html.inner_text, '*receipt*'),
              strings.ilike(body.html.inner_text, '*invoice*'),
              strings.ilike(body.html.inner_text, '*Purchase*'),
              strings.ilike(body.html.inner_text, '*transaction*'),
              strings.ilike(body.html.inner_text, '*Market*Value*'),
              strings.ilike(body.html.inner_text, '*BTC*'),
              strings.ilike(body.html.inner_text, '*call*'),
              strings.ilike(body.html.inner_text, '*get in touch with our*'),
              strings.ilike(body.html.inner_text, '*quickly inform*'),
              strings.ilike(body.html.inner_text, '*quickly reach *'),
              strings.ilike(body.html.inner_text, '*detected unusual transactions*'),
              strings.ilike(body.html.inner_text, '*without your authorization*'),
              strings.ilike(body.html.inner_text, '*cancel*'),
              strings.ilike(body.html.inner_text, '*renew*'),
              strings.ilike(body.html.inner_text, '*refund*'),
              strings.ilike(body.html.inner_text, '*+1*'),
              regex.icontains(body.html.inner_text, 'help.{0,3}desk'),
            )
          )
          // Seller note that asks the reader to call/reach/contact (or names
          // PayPal) within 50 characters of "note from".
          or regex.icontains(body.current_thread.text,
                             'note from.{0,50}(?:call|reach|contact|paypal)'
          )
          // NLU intent label on the current thread text.
          or any(ml.nlu_classifier(body.current_thread.text).intents,
                 .name == "callback_scam"
          )
          or (
            // Unicode confusables words obfuscated in note
            // NOTE(review): this pattern renders as mojibake on this page. Decoding
            // the bytes as UTF-8 gives mathematical sans-serif bold text for
            // "+1", "payment", "Help Desk", "refund", "antivirus", "call" and
            // "cancel" — confirm the rule file itself is stored as UTF-8.
            regex.icontains(body.html.inner_text,
                            '\+๐Ÿญ|๐—ฝ๐—ฎ๐˜†๐—บ๐—ฒ๐—ป๐˜|๐—›๐—ฒ๐—น๐—ฝ ๐——๐—ฒ๐˜€๐—ธ|๐—ฟ๐—ฒ๐—ณ๐˜‚๐—ป๐—ฑ|๐—ฎ๐—ป๐˜๐—ถ๐˜ƒ๐—ถ๐—ฟ๐˜‚๐˜€|๐—ฐ๐—ฎ๐—น๐—น|๐—ฐ๐—ฎ๐—ป๐—ฐ๐—ฒ๐—น'
            )
          )
          // "kindly" alone satisfies this branch when a phone number is present.
          or strings.ilike(body.html.inner_text, '*kindly*')
        )
      )
    )  
  attack_types:
    - "BEC/Fraud"
    - "Callback Phishing"
  tactics_and_techniques:
    - "Evasion"
    - "Social engineering"
  detection_methods:
    - "Content analysis"
    - "Header analysis"
    - "Sender analysis"
  id: "0ff7a0d4-164d-5ff1-8765-783fa2008b0f"