Venmo Payment Request Abuse
A fraudulent payment request found in the body of a message that was generated by abusing Venmo's own payment-request feature (so the mail itself comes via Venmo's platform rather than a forged sender). Callback phishing is an attempt by an attacker to get the victim (recipient) to call a phone number; the resulting phone interaction can lead to a range of attacks, from financial theft to Remote Access Trojan (RAT) installation or ransomware deployment.
Sublime rule (View on GitHub)
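name: "Venmo Payment Request Abuse"
description: "A fraudulent payment request found in the body of the message sent by exploiting Venmo's platform. Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment."
type: "rule"
severity: "medium"
# Detection logic (Sublime MQL). Three conjuncts must all hold:
#   1. scoping    - inbound, no attachments, sender root domain venmo.com,
#                   rendered body contains a "requests $" line
#   2. phone      - a phone number in one of several formats appears in the
#                   current thread text (after Unicode confusable normalisation)
#   3. pretext    - callback-scam language: a keyword threshold, a
#                   "note from ... call/reach/contact/paypal" pattern, an NLU
#                   intent, bold-Unicode confusable words, or the word "kindly"
source: |
  // --- 1. scoping ---
  // NOTE(review): sender.email.domain.root_domain is the *claimed* From: domain;
  // no SPF/DKIM/DMARC result is consulted here, so a plain spoof of venmo.com
  // satisfies this rule exactly like genuine platform abuse. Fine for blocking,
  // but triage should check authentication headers before concluding the
  // request was really created inside Venmo.
  // NOTE(review): length(attachments) == 0 is an evasion surface — any attached
  // file (even an inert image) takes the message out of scope of this rule.
  type.inbound
  and length(attachments) == 0
  and sender.email.domain.root_domain in ("venmo.com")
  // Venmo's request template renders "<name> requests $<amount>"; the literal
  // "$" means only USD-formatted requests are considered.
  and strings.ilike(body.html.display_text, "*requests $*")
  and (
    (
      // --- 2. a phone number in the current thread ---
      // strings.replace_confusables() normalises Unicode look-alikes before the
      // regex runs; the digit class [lo0-9] additionally accepts the ASCII
      // letters "l" and "o" in digit positions (presumably to catch l-for-1 and
      // o-for-0 substitution).
      // NOTE(review): every pattern is wrapped in ".*" and terminated by "\n".
      // Under regex.icontains the ".*" wrappers are redundant, and the trailing
      // "\n" means a number on the final line of the thread text (no newline
      // after it) is NOT matched. Left as-is to preserve the tested behaviour;
      // dropping the "\n" would widen detection slightly.
      (
        // generic: optional "+", optional country digit + separator, optional
        // parentheses, one arbitrary separator character between groups.
        // ("{3}?" is a lazy exact-count quantifier and behaves the same as "{3}".)
        regex.icontains(strings.replace_confusables(body.current_thread.text),
                        '.*\+?([lo0-9]{1}.)?\(?[lo0-9]{3}?\)?.[lo0-9]{3}.?[lo0-9]{4}.*\n'
        )
        // +12028001238 (E.164-style: "+", 1-3 country digits, 10 digits, no separators)
        or regex.icontains(strings.replace_confusables(body.current_thread.text),
                           '.*\+[lo0-9]{1,3}[lo0-9]{10}.*\n'
        )
        // 202.800.1238
        or regex.icontains(strings.replace_confusables(body.current_thread.text),
                           '.*[lo0-9]{3}\.[lo0-9]{3}\.[lo0-9]{4}.*\n'
        )
        // 202-800-1238
        or regex.icontains(strings.replace_confusables(body.current_thread.text),
                           '.*[lo0-9]{3}-[lo0-9]{3}-[lo0-9]{4}.*\n'
        )
        // (202) 800-1238
        or regex.icontains(strings.replace_confusables(body.current_thread.text),
                           '.*\([lo0-9]{3}\)\s[lo0-9]{3}-[lo0-9]{4}.*\n'
        )
        // (202)-800-1238
        or regex.icontains(strings.replace_confusables(body.current_thread.text),
                           '.*\([lo0-9]{3}\)-[lo0-9]{3}-[lo0-9]{4}.*\n'
        )
        // 8123456789 — a bare 10-digit number starting with 8 (toll-free style),
        // accepted only when a "+1" (or confusable "+l") also appears somewhere
        // in the thread text.
        or (
          regex.icontains(strings.replace_confusables(body.current_thread.text),
                          '.*8[lo0-9]{9}.*\n'
          )
          and regex.icontains(strings.replace_confusables(body.current_thread.text),
                              '\+[1l]'
          )
        )
      )
    )
    and (
      // --- 3. callback-scam pretext ---
      (
        // Keyword threshold: at least 4 of the entries below must appear in the
        // rendered text. Several are individually very broad ("*call*" also hits
        // "locally"/"recall", "*order*" hits "border", "*+1*" hits any "+1"), so the
        // 4-of count — not any single term — is what controls precision.
        // "Fruad Alert" (sic) sits next to the correct spelling deliberately: it is a
        // misspelling seen in real lures, so do not "fix" it.
        4 of (
          strings.ilike(body.html.inner_text, '*you did not*'),
          strings.ilike(body.html.inner_text, '*is not for*'),
          strings.ilike(body.html.inner_text, '*done by you*'),
          regex.icontains(body.html.inner_text, "didn\'t ma[kd]e this"),
          strings.ilike(body.html.inner_text, '*Fruad Alert*'),
          strings.ilike(body.html.inner_text, '*Fraud Alert*'),
          strings.ilike(body.html.inner_text, '*fraudulent*'),
          strings.ilike(body.html.inner_text, '*using your PayPal*'),
          strings.ilike(body.html.inner_text, '*subscription*'),
          strings.ilike(body.html.inner_text, '*antivirus*'),
          strings.ilike(body.html.inner_text, '*order*'),
          strings.ilike(body.html.inner_text, '*support*'),
          strings.ilike(body.html.inner_text, '*sincerely apologize*'),
          strings.ilike(body.html.inner_text, '*receipt*'),
          strings.ilike(body.html.inner_text, '*invoice*'),
          strings.ilike(body.html.inner_text, '*Purchase*'),
          strings.ilike(body.html.inner_text, '*transaction*'),
          strings.ilike(body.html.inner_text, '*Market*Value*'),
          strings.ilike(body.html.inner_text, '*BTC*'),
          strings.ilike(body.html.inner_text, '*call*'),
          strings.ilike(body.html.inner_text, '*get in touch with our*'),
          strings.ilike(body.html.inner_text, '*quickly inform*'),
          strings.ilike(body.html.inner_text, '*quickly reach *'),
          strings.ilike(body.html.inner_text, '*detected unusual transactions*'),
          strings.ilike(body.html.inner_text, '*without your authorization*'),
          strings.ilike(body.html.inner_text, '*cancel*'),
          strings.ilike(body.html.inner_text, '*renew*'),
          strings.ilike(body.html.inner_text, '*refund*'),
          strings.ilike(body.html.inner_text, '*+1*'),
          regex.icontains(body.html.inner_text, 'help.{0,3}desk'),
        )
      )
      // The Venmo "note" field followed within 50 characters by a call-to-action
      // (or a PayPal mention, which has no business in a Venmo request).
      or regex.icontains(body.current_thread.text,
                         'note from.{0,50}(?:call|reach|contact|paypal)'
      )
      // NLU intent classifier on the current thread text.
      or any(ml.nlu_classifier(body.current_thread.text).intents,
             .name == "callback_scam"
      )
      or (
        // Unicode confusables: pretext words written in bold maths-alphabet
        // letters so that the plain-ASCII keyword list above is bypassed.
        // NOTE(review): this page renders the alternatives below as mojibake;
        // take the literal from the upstream rule file, not from this listing.
        regex.icontains(body.html.inner_text,
                        '\+๐ญ|๐ฝ๐ฎ๐๐บ๐ฒ๐ป๐|๐๐ฒ๐น๐ฝ ๐๐ฒ๐๐ธ|๐ฟ๐ฒ๐ณ๐๐ป๐ฑ|๐ฎ๐ป๐๐ถ๐๐ถ๐ฟ๐๐|๐ฐ๐ฎ๐น๐น|๐ฐ๐ฎ๐ป๐ฐ๐ฒ๐น'
        )
      )
      // NOTE(review): a single occurrence of "kindly" satisfies this whole
      // conjunct on its own, so "phone number + kindly" is enough for a hit.
      or strings.ilike(body.html.inner_text, '*kindly*')
    )
  )

attack_types:
  - "Callback Phishing"
  - "BEC/Fraud"
tactics_and_techniques:
  - "Social engineering"
  - "Impersonation: Brand"
  - "Evasion"
detection_methods:
  - "Natural Language Understanding"
  - "Content analysis"
  - "Sender analysis"
  - "HTML analysis"
id: "4450639a-04ec-5348-9697-feb7664ca2dd"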