PayPal Invoice Abuse

A fraudulent invoice/receipt found in the body of a message sent by exploiting PayPal's invoicing service. Callback Phishing is an attempt by an attacker to solicit the victim (recipient) into calling a phone number. The resulting interaction could lead to a range of attacks, from financial theft to Remote Access Trojan (RAT) installation or ransomware deployment.

Sublime rule (View on GitHub)

# Sublime Security detection rule; the `source` key holds the MQL query.
# The lure arrives through PayPal's own invoicing service (see description),
# so the paypal.* sender-domain check below is a precondition for the rule,
# not a trust signal: passing sender authentication does not exonerate the
# message.
name: "PayPal Invoice Abuse"
description: |
  A fraudulent invoice/receipt found in the body of the message sent by exploiting Paypal's invoicing service.
  Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. 
  The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment.  
type: "rule"
references:
  - "https://anderegg.ca/2023/02/01/a-novel-paypal-scam"
severity: "medium"
source: |
  // Inbound mail with no attachments: the lure text lives in the HTML body.
  type.inbound
  and length(attachments) == 0
  // Genuine PayPal sending domains only; the invoice is generated by PayPal
  // on the attacker's behalf, so the sender itself is legitimate.
  and sender.email.domain.root_domain in ("paypal.com", "paypal.com.mx", "paypal.com.br", "paypal.com.ar", "paypal.co.uk")
  // The attacker-controlled text is the invoice's seller note.
  and (
    strings.ilike(body.html.display_text, "*seller note*")
    or strings.ilike(body.html.display_text, "*Note from *")
  )
  and (
    (
      // icontains a phone number
      // Branch 1: a phone number is present AND the note carries scam language.
      // replace_confusables normalises look-alike glyphs before matching; the
      // [lo0-9] classes additionally accept the letters l/o standing in for the
      // digits 1/0.
      (
        // NOTE(review): `{3}?` is a lazy quantifier on an exact count and
        // behaves the same as `{3}`; harmless, but misleading to read.
        regex.icontains(strings.replace_confusables(body.current_thread.text),
                        '.*\+?([lo0-9]{1}.)?\(?[lo0-9]{3}?\)?.[lo0-9]{3}.?[lo0-9]{4}.*\n'
        )
        // Country code immediately followed by a 10-digit number, no separators.
        or regex.icontains(strings.replace_confusables(body.current_thread.text),
                           '.*\+[lo0-9]{1,3}[lo0-9]{10}.*\n'
        )
        or // +12028001238
       regex.icontains(strings.replace_confusables(body.current_thread.text),
                   '.*[lo0-9]{3}\.[lo0-9]{3}\.[lo0-9]{4}.*\n'
        )
        or // 202-800-1238
       regex.icontains(strings.replace_confusables(body.current_thread.text),
                   '.*[lo0-9]{3}-[lo0-9]{3}-[lo0-9]{4}.*\n'
        )
        or // (202) 800-1238
       regex.icontains(strings.replace_confusables(body.current_thread.text),
                   '.*\([lo0-9]{3}\)\s[lo0-9]{3}-[lo0-9]{4}.*\n'
        )
        or // (202)-800-1238
       regex.icontains(strings.replace_confusables(body.current_thread.text),
                   '.*\([lo0-9]{3}\)-[lo0-9]{3}-[lo0-9]{4}.*\n'
        )
        or ( // 8123456789
          // A bare 10-digit run starting with 8 is only counted when a
          // "+1" (or confusable "+l") also appears somewhere in the thread.
          regex.icontains(strings.replace_confusables(body.current_thread.text),
                          '.*8[lo0-9]{9}.*\n'
          )
          and regex.icontains(strings.replace_confusables(body.current_thread.text
                              ),
                              '\+[1l]'
          )
        )
      )
      and (
        (
          // At least 4 of these terms must co-occur. Many are individually
          // common in legitimate receipts (order, support, invoice, call), so
          // the threshold, not any single term, carries the signal. "Fruad" is
          // a deliberate misspelling seen in the lures.
          4 of (
            strings.ilike(body.html.inner_text, '*you did not*'),
            strings.ilike(body.html.inner_text, '*is not for*'),
            strings.ilike(body.html.inner_text, '*done by you*'),
            regex.icontains(body.html.inner_text, "didn\'t ma[kd]e this"),
            strings.ilike(body.html.inner_text, "*Fruad Alert*"),
            strings.ilike(body.html.inner_text, "*Fraud Alert*"),
            strings.ilike(body.html.inner_text, '*using your PayPal*'),
            strings.ilike(body.html.inner_text, '*subscription*'),
            strings.ilike(body.html.inner_text, '*antivirus*'),
            strings.ilike(body.html.inner_text, '*order*'),
            strings.ilike(body.html.inner_text, '*support*'),
            strings.ilike(body.html.inner_text, '*receipt*'),
            strings.ilike(body.html.inner_text, '*invoice*'),
            strings.ilike(body.html.inner_text, '*Purchase*'),
            strings.ilike(body.html.inner_text, '*transaction*'),
            strings.ilike(body.html.inner_text, '*Market*Value*'),
            strings.ilike(body.html.inner_text, '*BTC*'),
            strings.ilike(body.html.inner_text, '*call*'),
            strings.ilike(body.html.inner_text, '*get in touch with our*'),
            strings.ilike(body.html.inner_text, '*quickly inform*'),
            strings.ilike(body.html.inner_text, '*quickly reach *'),
            strings.ilike(body.html.inner_text, '*detected unusual transactions*'),
            strings.ilike(body.html.inner_text, '*cancel*'),
            strings.ilike(body.html.inner_text, '*renew*'),
            strings.ilike(body.html.inner_text, '*refund*'),
            strings.ilike(body.html.inner_text, '*+1*'),
            regex.icontains(body.html.inner_text, 'help.{0,3}desk'),
          )
        )
        // Alternative to the keyword threshold: a "note from" phrase followed
        // within 50 characters by a call-to-action verb or "paypal".
        or regex.icontains(body.current_thread.text,
                           'note from.{0,50}(?:call|reach|contact|paypal)'
        )
      )
    )
    or (
      // Unicode confusables words obfuscated in note
      // Branch 2: matched without replace_confusables, against the raw
      // inner_text, so the stylised glyphs themselves are the signal.
      // NOTE(review): the alternation below is rendered mis-encoded on this
      // page; it appears to be mathematical sans-serif bold spellings of
      // "+1", "payment", "Help Desk", "refund", "antivirus", "call" and
      // "cancel". Confirm against the upstream rule file before relying on it.
      regex.icontains(body.html.inner_text,
                      '\+๐Ÿญ|๐—ฝ๐—ฎ๐˜†๐—บ๐—ฒ๐—ป๐˜|๐—›๐—ฒ๐—น๐—ฝ ๐——๐—ฒ๐˜€๐—ธ|๐—ฟ๐—ฒ๐—ณ๐˜‚๐—ป๐—ฑ|๐—ฎ๐—ป๐˜๐—ถ๐˜ƒ๐—ถ๐—ฟ๐˜‚๐˜€|๐—ฐ๐—ฎ๐—น๐—น|๐—ฐ๐—ฎ๐—ป๐—ฐ๐—ฒ๐—น'
      )
    )
    // Branch 3 (broadest): "kindly" alone, with no phone number or keyword
    // threshold required; it relies entirely on the sender and seller-note
    // preconditions above to keep false positives down.
    or strings.ilike(body.html.inner_text, '*kindly*')
  )  
attack_types:
  - "BEC/Fraud"
  - "Callback Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
id: "0ff7a0d4-164d-5ff1-8765-783fa2008b0f"