PayPal Invoice Abuse
A fraudulent invoice/receipt found in the body of a message sent by exploiting PayPal's invoicing service. Callback phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. The resulting interaction could lead to a range of attacks, from financial theft to Remote Access Trojan (RAT) installation or ransomware deployment.
Sublime rule
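# Sublime Security detection rule. The top-level keys are rule metadata; `source`
# holds the MQL query that is evaluated against each inbound message.
name: "PayPal Invoice Abuse"
description: |
  A fraudulent invoice/receipt found in the body of the message sent by exploiting Paypal's invoicing service.
  Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number.
  The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment.
type: "rule"
references:
  - "https://anderegg.ca/2023/02/01/a-novel-paypal-scam"
severity: "medium"
# MQL query. Every top-level `and` clause must hold for the rule to fire.
source: |
  type.inbound
  and length(attachments) == 0
  // The sender root domain is a genuine PayPal domain: the invoice is produced by
  // PayPal's own service, so sender authentication does not separate abuse from
  // legitimate invoices here; the body content has to do that.
  and sender.email.domain.root_domain in (
    "paypal.com",
    "paypal.com.mx",
    "paypal.com.br",
    "paypal.com.ar",
    "paypal.co.uk"
  )
  // The attacker-controlled text is carried in the invoice's seller note.
  and (
    strings.ilike(body.html.display_text, "*seller note*")
    or strings.ilike(body.html.display_text, "*Note from *")
  )
  and (
    (
      // icontains a phone number
      // The class [lo0-9] accepts the letters l and o alongside digits, presumably
      // as digit lookalikes that survive replace_confusables. Every phone pattern
      // ends in `.*\n`, so a number on a final line with no trailing newline does
      // not match — TODO confirm that is intended.
      (
        // `{3}?` is a lazy quantifier on a fixed count; it still matches exactly three.
        regex.icontains(strings.replace_confusables(body.current_thread.text),
                        '.*\+?([lo0-9]{1}.)?\(?[lo0-9]{3}?\)?.[lo0-9]{3}.?[lo0-9]{4}.*\n'
        )
        or regex.icontains(strings.replace_confusables(body.current_thread.text),
                           '.*\+[lo0-9]{1,3}[lo0-9]{10}.*\n'
        )
        or // +12028001238
        regex.icontains(strings.replace_confusables(body.current_thread.text),
                        '.*[lo0-9]{3}\.[lo0-9]{3}\.[lo0-9]{4}.*\n'
        )
        or // 202-800-1238
        regex.icontains(strings.replace_confusables(body.current_thread.text),
                        '.*[lo0-9]{3}-[lo0-9]{3}-[lo0-9]{4}.*\n'
        )
        or // (202) 800-1238
        regex.icontains(strings.replace_confusables(body.current_thread.text),
                        '.*\([lo0-9]{3}\)\s[lo0-9]{3}-[lo0-9]{4}.*\n'
        )
        or // (202)-800-1238
        regex.icontains(strings.replace_confusables(body.current_thread.text),
                        '.*\([lo0-9]{3}\)-[lo0-9]{3}-[lo0-9]{4}.*\n'
        )
        or ( // 8123456789
          regex.icontains(strings.replace_confusables(body.current_thread.text),
                          '.*8[lo0-9]{9}.*\n'
          )
          // A bare run of ten digits starting with 8 only counts when a "+1"
          // (or "+l") also appears somewhere in the current thread text.
          and regex.icontains(strings.replace_confusables(body.current_thread.text),
                              '\+[1l]'
          )
        )
      )
      and (
        (
          // At least four of these indicator phrases must appear in the rendered
          // body text. "Fruad Alert" is kept alongside "Fraud Alert" on purpose —
          // presumably a misspelling seen in samples; do not "correct" it.
          4 of (
            strings.ilike(body.html.inner_text, '*you did not*'),
            strings.ilike(body.html.inner_text, '*is not for*'),
            strings.ilike(body.html.inner_text, '*done by you*'),
            regex.icontains(body.html.inner_text, "didn\'t ma[kd]e this"),
            strings.ilike(body.html.inner_text, '*Fruad Alert*'),
            strings.ilike(body.html.inner_text, '*Fraud Alert*'),
            strings.ilike(body.html.inner_text, '*fraudulent*'),
            strings.ilike(body.html.inner_text, '*using your PayPal*'),
            strings.ilike(body.html.inner_text, '*subscription*'),
            strings.ilike(body.html.inner_text, '*antivirus*'),
            strings.ilike(body.html.inner_text, '*order*'),
            strings.ilike(body.html.inner_text, '*support*'),
            strings.ilike(body.html.inner_text, '*sincerely apologize*'),
            strings.ilike(body.html.inner_text, '*receipt*'),
            strings.ilike(body.html.inner_text, '*invoice*'),
            strings.ilike(body.html.inner_text, '*Purchase*'),
            strings.ilike(body.html.inner_text, '*transaction*'),
            strings.ilike(body.html.inner_text, '*Market*Value*'),
            strings.ilike(body.html.inner_text, '*BTC*'),
            strings.ilike(body.html.inner_text, '*call*'),
            strings.ilike(body.html.inner_text, '*get in touch with our*'),
            strings.ilike(body.html.inner_text, '*quickly inform*'),
            strings.ilike(body.html.inner_text, '*quickly reach *'),
            strings.ilike(body.html.inner_text, '*detected unusual transactions*'),
            strings.ilike(body.html.inner_text, '*without your authorization*'),
            strings.ilike(body.html.inner_text, '*cancel*'),
            strings.ilike(body.html.inner_text, '*renew*'),
            strings.ilike(body.html.inner_text, '*refund*'),
            strings.ilike(body.html.inner_text, '*+1*'),
            regex.icontains(body.html.inner_text, 'help.{0,3}desk'),
          )
        )
        // A "note from ..." sentence that asks the reader to call or contact someone.
        or regex.icontains(body.current_thread.text,
                           'note from.{0,50}(?:call|reach|contact|paypal)'
        )
        // Classifier intent on the current thread text.
        or any(ml.nlu_classifier(body.current_thread.text).intents,
               .name == "callback_scam"
        )
        or (
          // Unicode confusables words obfuscated in note
          // NOTE(review): the glyphs in this pattern look mis-encoded in this copy
          // of the rule and are reproduced as-is — verify against the upstream file.
          regex.icontains(body.html.inner_text,
                          '\+๐ญ|๐ฝ๐ฎ๐๐บ๐ฒ๐ป๐|๐๐ฒ๐น๐ฝ ๐๐ฒ๐๐ธ|๐ฟ๐ฒ๐ณ๐๐ป๐ฑ|๐ฎ๐ป๐๐ถ๐๐ถ๐ฟ๐๐|๐ฐ๐ฎ๐น๐น|๐ฐ๐ฎ๐ป๐ฐ๐ฒ๐น'
          )
        )
        or strings.ilike(body.html.inner_text, '*kindly*')
      )
    )
  )
attack_types:
  - "BEC/Fraud"
  - "Callback Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
id: "0ff7a0d4-164d-5ff1-8765-783fa2008b0f"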