Venmo Payment Request Abuse

A fraudulent payment request found in the body of a message sent by exploiting Venmo's platform. Callback Phishing is an attempt by an attacker to solicit the victim (recipient) into calling a phone number. The resulting interaction could lead to a range of attacks, from financial theft to Remote Access Trojan (RAT) installation or ransomware deployment.

Sublime rule (View on GitHub)

  1name: "Venmo Payment Request Abuse"
  2description: "A fraudulent payment request found in the body of the message sent by exploiting Venmo's platform. Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment."
  3type: "rule"
  4severity: "medium"
  5source: |
  6  type.inbound
  7  and length(attachments) == 0
  8  and sender.email.domain.root_domain in ("venmo.com")
  9  and strings.ilike(body.html.display_text, "*requests $*")
 10  and (
 11    (
 12      // icontains a phone number
 13      (
 14        regex.icontains(strings.replace_confusables(body.current_thread.text),
 15                        '.*\+?([lo0-9]{1}.)?\(?[lo0-9]{3}?\)?.[lo0-9]{3}.?[lo0-9]{4}.*\n'
 16        )
 17        or regex.icontains(strings.replace_confusables(body.current_thread.text),
 18                           '.*\+[lo0-9]{1,3}[lo0-9]{10}.*\n'
 19        )
 20        or // +12028001238
 21   regex.icontains(strings.replace_confusables(body.current_thread.text),
 22                   '.*[lo0-9]{3}\.[lo0-9]{3}\.[lo0-9]{4}.*\n'
 23        )
 24        or // 202-800-1238
 25   regex.icontains(strings.replace_confusables(body.current_thread.text),
 26                   '.*[lo0-9]{3}-[lo0-9]{3}-[lo0-9]{4}.*\n'
 27        )
 28        or // (202) 800-1238
 29   regex.icontains(strings.replace_confusables(body.current_thread.text),
 30                   '.*\([lo0-9]{3}\)\s[lo0-9]{3}-[lo0-9]{4}.*\n'
 31        )
 32        or // (202)-800-1238
 33   regex.icontains(strings.replace_confusables(body.current_thread.text),
 34                   '.*\([lo0-9]{3}\)-[lo0-9]{3}-[lo0-9]{4}.*\n'
 35        )
 36        or ( // 8123456789
 37          regex.icontains(strings.replace_confusables(body.current_thread.text),
 38                          '.*8[lo0-9]{9}.*\n'
 39          )
 40          and regex.icontains(strings.replace_confusables(body.current_thread.text
 41                              ),
 42                              '\+[1l]'
 43          )
 44        )
 45      )
 46      and (
 47        (
 48          4 of (
 49            strings.ilike(body.html.inner_text, '*you did not*'),
 50            strings.ilike(body.html.inner_text, '*is not for*'),
 51            strings.ilike(body.html.inner_text, '*done by you*'),
 52            regex.icontains(body.html.inner_text, "didn\'t ma[kd]e this"),
 53            strings.ilike(body.html.inner_text, '*Fruad Alert*'),
 54            strings.ilike(body.html.inner_text, '*Fraud Alert*'),
 55            strings.ilike(body.html.inner_text, '*fraudulent*'),
 56            strings.ilike(body.html.inner_text, '*using your PayPal*'),
 57            strings.ilike(body.html.inner_text, '*subscription*'),
 58            strings.ilike(body.html.inner_text, '*antivirus*'),
 59            strings.ilike(body.html.inner_text, '*order*'),
 60            strings.ilike(body.html.inner_text, '*support*'),
 61            strings.ilike(body.html.inner_text, '*sincerely apologize*'),
 62            strings.ilike(body.html.inner_text, '*receipt*'),
 63            strings.ilike(body.html.inner_text, '*invoice*'),
 64            strings.ilike(body.html.inner_text, '*Purchase*'),
 65            strings.ilike(body.html.inner_text, '*transaction*'),
 66            strings.ilike(body.html.inner_text, '*Market*Value*'),
 67            strings.ilike(body.html.inner_text, '*BTC*'),
 68            strings.ilike(body.html.inner_text, '*call*'),
 69            strings.ilike(body.html.inner_text, '*get in touch with our*'),
 70            strings.ilike(body.html.inner_text, '*quickly inform*'),
 71            strings.ilike(body.html.inner_text, '*quickly reach *'),
 72            strings.ilike(body.html.inner_text, '*detected unusual transactions*'),
 73            strings.ilike(body.html.inner_text, '*without your authorization*'),
 74            strings.ilike(body.html.inner_text, '*cancel*'),
 75            strings.ilike(body.html.inner_text, '*renew*'),
 76            strings.ilike(body.html.inner_text, '*refund*'),
 77            strings.ilike(body.html.inner_text, '*+1*'),
 78            regex.icontains(body.html.inner_text, 'help.{0,3}desk'),
 79          )
 80        )
 81        or regex.icontains(body.current_thread.text,
 82                           'note from.{0,50}(?:call|reach|contact|paypal)'
 83        )
 84        or any(ml.nlu_classifier(body.current_thread.text).intents,
 85               .name == "callback_scam"
 86        )
 87        or (
 88          // Unicode confusables words obfuscated in note
 89          regex.icontains(body.html.inner_text,
 90                          '\+๐Ÿญ|๐—ฝ๐—ฎ๐˜†๐—บ๐—ฒ๐—ป๐˜|๐—›๐—ฒ๐—น๐—ฝ ๐——๐—ฒ๐˜€๐—ธ|๐—ฟ๐—ฒ๐—ณ๐˜‚๐—ป๐—ฑ|๐—ฎ๐—ป๐˜๐—ถ๐˜ƒ๐—ถ๐—ฟ๐˜‚๐˜€|๐—ฐ๐—ฎ๐—น๐—น|๐—ฐ๐—ฎ๐—ป๐—ฐ๐—ฒ๐—น'
 91          )
 92        )
 93        or strings.ilike(body.html.inner_text, '*kindly*')
 94      )
 95    )
 96  )  
 97
 98attack_types:
 99  - "Callback Phishing"
100  - "BEC/Fraud"
101tactics_and_techniques:
102  - "Social engineering"
103  - "Impersonation: Brand"
104  - "Evasion"
105detection_methods:
106  - "Natural Language Understanding"
107  - "Content analysis"
108  - "Sender analysis"
109  - "HTML analysis"
110id: "4450639a-04ec-5348-9697-feb7664ca2dd"