PayPal invoice abuse
A fraudulent invoice/receipt found in the body of the message sent by exploiting Paypal's invoicing service. Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment.
Sublime rule (View on GitHub)
1name: "PayPal invoice abuse"
2description: |
3 A fraudulent invoice/receipt found in the body of the message sent by exploiting Paypal's invoicing service.
4 Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number.
5 The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment.
6type: "rule"
7references:
8 - "https://anderegg.ca/2023/02/01/a-novel-paypal-scam"
9severity: "medium"
10source: |
11 type.inbound
12 and length(attachments) == 0
13 and sender.email.domain.root_domain in (
14 "paypal.com",
15 "paypal.com.mx",
16 "paypal.com.br",
17 "paypal.com.ar",
18 "paypal.co.uk"
19 )
20 and any(filter(html.xpath(body.html,
21 // all the tables, which don't have descendant tables, after the first image and before a hr with a footerDivider class that appears after the current table.
22 // using //text()[normalize-space()] allows us to split each table up by line breaks, so each line can be inspected uniquely
23 '//img[@alt="PayPal"]/following::table[not(descendant::table) and count(following::hr[@class="footerDivider"]) > 0]//text()[normalize-space()]'
24 ).nodes,
25 (
26 // icontains a phone number
27 (
28 regex.icontains(strings.replace_confusables(.display_text),
29 '\b\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}\b'
30 )
31 or regex.icontains(strings.replace_confusables(.display_text),
32 '\+[ilo0-9]{1,3}[ilo0-9]{10}'
33 )
34 or // +12028001238
35 regex.icontains(strings.replace_confusables(.display_text),
36 '[ilo0-9]{3}\.[ilo0-9]{3}\.[ilo0-9]{4}'
37 )
38 or // 202-800-1238
39 regex.icontains(strings.replace_confusables(.display_text),
40 '[ilo0-9]{3}-[ilo0-9]{3}-[ilo0-9]{4}'
41 )
42 // (202) 800-1238
43 // (202) -800 -1238
44 // (202) 800 1238
45 // (202)-800-1238
46 or regex.icontains(strings.replace_confusables(.display_text),
47 '\([ilo0-9]{3}\)[\s-]+[ilo0-9]{3}[\s-]+[ilo0-9]{4}'
48 )
49 or // (202)-800-1238
50 regex.icontains(strings.replace_confusables(.display_text),
51 '\([ilo0-9]{3}\)-[ilo0-9]{3}-[ilo0-9]{4}'
52 )
53 or ( // 8123456789
54 regex.icontains(strings.replace_confusables(.display_text),
55 '8[ilo0-9]{9}'
56 )
57 and regex.icontains(strings.replace_confusables(.display_text
58 ),
59 '\+[1l]'
60 )
61 )
62 )
63 )
64 // filter out elements which contain non actor controlled details
65 // this often wording from paypal templates that might contain phone numbers
66 // but are not elements that are actor controlled.
67
68 // main customer service number
69 and not strings.icontains(.display_text, '888-221-1161')
70 // credit services number
71 and not strings.icontains(.display_text, '844-896-4937')
72 // pay in 4 number
73 and not strings.icontains(.display_text, '(800) 504-7534')
74 // debt collection for pay later
75 and not strings.icontains(.display_text, '877-589-5171')
76 // debt collections for PayPal
77 and not strings.icontains(.display_text, '866-380-1798')
78 // card activation
79 and not strings.icontains(.display_text, '800-314-8298')
80 // often the transcation id looks like a phone number and matches the regex
81 and not regex.icontains(.display_text, "Transaction (date|ID)\n")
82 // this segment can include phone numbers, but the wording is not actor controlled and shows up "under the fold" in the templates
83 and not strings.istarts_with(.display_text,
84 "If you have any questions about this payment, you can"
85 )
86 ),
87 strings.icontains(.display_text, "you did not")
88 or strings.icontains(.display_text, "Critical Alert")
89 or strings.icontains(.display_text, "is not for")
90 or strings.icontains(.display_text, "done by you")
91 or regex.icontains(.display_text, "don['’]t recognize")
92 or regex.icontains(.display_text, "didn['’]t (?:ma[kd]e|place) this")
93 or regex.icontains(.display_text, "[wh]as.*placed by you")
94 or strings.icontains(.display_text, "issue with")
95 or regex.icontains(.display_text, "was.*made by you")
96 or (
97 strings.icontains(.display_text, "Fraud")
98 and strings.icontains(.display_text, "Alert")
99 )
100 or strings.icontains(.display_text, "fraudulent")
101 or strings.icontains(.display_text, "using your PayPal")
102 or strings.icontains(.display_text, "subscription")
103 or strings.icontains(.display_text, "antivirus")
104 or strings.icontains(.display_text, "support")
105 or strings.icontains(.display_text, "sincerely apologize")
106 or strings.icontains(.display_text, "receipt")
107 // pull in common wording from transaction types from paypal
108 // this wording should be part of the template and not actor controlled
109 // but is generally prepended or appended with actor controlled elements
110 // such as using the business name to deliver callback details
111 // when a phone number is present
112 or strings.icontains(.display_text, "sent you an invoice")
113 or strings.icontains(.display_text, "a money request")
114 or strings.icontains(.display_text, "invited you as a developer")
115
116 //
117 or strings.icontains(.display_text, "Purchase")
118 or strings.icontains(.display_text, "Market*Value")
119 or strings.icontains(.display_text, "BTC")
120 or strings.icontains(.display_text, "Etherium (ETH)")
121 or strings.icontains(.display_text, "get in touch with our")
122 or strings.icontains(.display_text, "quickly inform")
123 or strings.icontains(.display_text, "quickly reach ")
124 or strings.icontains(.display_text, "detected unusual transactions")
125 or strings.icontains(.display_text, "without your authorization")
126 or strings.icontains(.display_text, "unauthorized activitiy")
127 or strings.icontains(.display_text, "unauthorized transaction")
128 or strings.icontains(.display_text, "cancel")
129 or strings.icontains(.display_text, "renew")
130 or strings.icontains(.display_text, "refund")
131 or regex.icontains(.display_text, 'help.{0,3}desk')
132 or strings.icontains(.display_text, " your funds")
133 or strings.icontains(.display_text, " your checking")
134 or strings.icontains(.display_text, " your saving")
135 or strings.icontains(.display_text, "secure your account")
136 or strings.icontains(.display_text, "recover your")
137 or strings.icontains(.display_text, "unusual activity")
138 or strings.icontains(.display_text, "suspicious transaction")
139 or strings.icontains(.display_text, "transaction history")
140 or strings.icontains(.display_text, "please ignore this")
141 or strings.icontains(.display_text, "will be approved")
142 or strings.icontains(.display_text, "report activity")
143
144 // Unicode confusables words obfuscated in note
145 or regex.icontains(.display_text,
146 '\+𝟭|𝗽𝗮𝘆𝗺𝗲𝗻𝘁|𝗛𝗲𝗹𝗽 𝗗𝗲𝘀𝗸|𝗿𝗲𝗳𝘂𝗻𝗱|𝗮𝗻𝘁𝗶𝘃𝗶𝗿𝘂𝘀|𝗰𝗮𝗹𝗹|𝗰𝗮𝗻𝗰𝗲𝗹|𝗰𝗼𝗻𝘁𝗮𝗰𝘁|cᴀʟʟ'
147 )
148 or strings.icontains(.display_text, "kindly")
149 or regex.icontains(strings.replace_confusables(.display_text),
150 '(?:call|cᴀʟʟ|reach|contact|get in touch|\binform\b|let us know)'
151 )
152
153 )
154 // Handle emails for class action settlement refunds. Not official PayPal communications but a common-enough thing where a small refund is sent from a court-appointed settlement administrator
155 and not (
156 strings.icontains(body.html.display_text, "settlement")
157 and (
158 strings.icontains(body.html.display_text, "court")
159 or strings.icontains(body.html.display_text, "FTC")
160 or strings.icontains(body.html.display_text, "administrator")
161 )
162 )
163attack_types:
164 - "BEC/Fraud"
165 - "Callback Phishing"
166tactics_and_techniques:
167 - "Evasion"
168 - "Social engineering"
169detection_methods:
170 - "Content analysis"
171 - "Header analysis"
172 - "Sender analysis"
173id: "0ff7a0d4-164d-5ff1-8765-783fa2008b0f"