From c244b761468e68e6638b0676efe9310d18d1caf9 Mon Sep 17 00:00:00 2001
From: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com>
Date: Fri, 25 Oct 2024 19:01:02 -0500
Subject: [PATCH 1/4] Create abused_payoneer_callback.yml
---
 detection-rules/abused_payoneer_callback.yml | 98 ++++++++++++++++++++
 1 file changed, 98 insertions(+)
 create mode 100644 detection-rules/abused_payoneer_callback.yml
diff --git a/detection-rules/abused_payoneer_callback.yml b/detection-rules/abused_payoneer_callback.yml
new file mode 100644
index 00000000000..713b15325dd
--- /dev/null
+++ b/detection-rules/abused_payoneer_callback.yml
@@ -0,0 +1,98 @@
+name: "Service Abuse: Payoneer Callback Scam"
+description: "A fraudulent invoice/receipt found in the body of the message sent by leveraging Payoneer's invoicing service. Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment."
+type: "rule"
+severity: "medium"
+source: |
+ type.inbound
+ and length(attachments) == 0
+ and sender.email.domain.root_domain in ("payoneer.com")
+
+ and (
+ (
+ // icontains a phone number
+ (
+ regex.icontains(strings.replace_confusables(body.current_thread.text),
+ '.*\+?([lo0-9]{1}.)?\(?[lo0-9]{3}?\)?.[lo0-9]{3}.?[lo0-9]{4}.*\n'
+ )
+ or regex.icontains(strings.replace_confusables(body.current_thread.text),
+ '.*\+[lo0-9]{1,3}[lo0-9]{10}.*\n'
+ )
+ or // +12028001238
+ regex.icontains(strings.replace_confusables(body.current_thread.text),
+ '.*[lo0-9]{3}\.[lo0-9]{3}\.[lo0-9]{4}.*\n'
+ )
+ or // 202-800-1238
+ regex.icontains(strings.replace_confusables(body.current_thread.text),
+ '.*[lo0-9]{3}-[lo0-9]{3}-[lo0-9]{4}.*\n'
+ )
+ or // (202) 800-1238
+ regex.icontains(strings.replace_confusables(body.current_thread.text),
+ '.*\([lo0-9]{3}\)\s[lo0-9]{3}-[lo0-9]{4}.*\n'
+ )
+ or // (202)-800-1238
+ regex.icontains(strings.replace_confusables(body.current_thread.text),
+ '.*\([lo0-9]{3}\)-[lo0-9]{3}-[lo0-9]{4}.*\n'
+ )
+ or ( // 8123456789
+ regex.icontains(strings.replace_confusables(body.current_thread.text),
+ '.*8[lo0-9]{9}.*\n'
+ )
+ and regex.icontains(strings.replace_confusables(body.current_thread.text
+ ),
+ '\+[1l]'
+ )
+ )
+ )
+ and (
+ (
+ 4 of (
+ strings.ilike(body.html.inner_text, '*you did not*'),
+ strings.ilike(body.html.inner_text, '*is not for*'),
+ strings.ilike(body.html.inner_text, '*done by you*'),
+ regex.icontains(body.html.inner_text, "didn\'t ma[kd]e this"),
+ strings.ilike(body.html.inner_text, "*Fruad Alert*"),
+ strings.ilike(body.html.inner_text, '*using your PayPal*'),
+ strings.ilike(body.html.inner_text, '*subscription*'),
+ strings.ilike(body.html.inner_text, '*antivirus*'),
+ strings.ilike(body.html.inner_text, '*order*'),
+ strings.ilike(body.html.inner_text, '*support*'),
+ strings.ilike(body.html.inner_text, '*receipt*'),
+ strings.ilike(body.html.inner_text, '*invoice*'),
+ strings.ilike(body.html.inner_text, '*Purchase*'),
+ strings.ilike(body.html.inner_text, '*transaction*'),
+ strings.ilike(body.html.inner_text, '*Market*Value*'),
+ strings.ilike(body.html.inner_text, '*BTC*'),
+ strings.ilike(body.html.inner_text, '*call*'),
+ strings.ilike(body.html.inner_text, '*get in touch with our*'),
+ strings.ilike(body.html.inner_text, '*quickly inform*'),
+ strings.ilike(body.html.inner_text, '*quickly reach *'),
+ strings.ilike(body.html.inner_text, '*detected unusual transactions*'),
+ strings.ilike(body.html.inner_text, '*cancel*'),
+ strings.ilike(body.html.inner_text, '*renew*'),
+ strings.ilike(body.html.inner_text, '*refund*'),
+ strings.ilike(body.html.inner_text, '*+1*'),
+ strings.ilike(body.html.inner_text, '*help*desk*'),
+ )
+ )
+ )
+ )
+ or (
+ // Unicode confusables words obfuscated in note
+ regex.icontains(body.html.inner_text,
+ '\+𝟭|𝗽𝗮𝘆𝗺𝗲𝗻𝘁|𝗛𝗲𝗹𝗽 𝗗𝗲𝘀𝗸|𝗿𝗲𝗳𝘂𝗻𝗱|𝗮𝗻𝘁𝗶𝘃𝗶𝗿𝘂𝘀|𝗰𝗮𝗹𝗹|𝗰𝗮𝗻𝗰𝗲𝗹'
+ )
+ )
+ or strings.ilike(body.html.inner_text, '*kindly*')
+ )
+
+
+attack_types:
+ - "Callback Phishing"
+ - "BEC/Fraud"
+tactics_and_techniques:
+ - "Evasion"
+ - "Social engineering"
+detection_methods:
+ - "Sender analysis"
+ - "Header analysis"
+ - "Content analysis"
From 5fd7bd134123561c6eff61b29cf46f38512be7bf Mon Sep 17 00:00:00 2001
From: ID Generator
Date: Sat, 26 Oct 2024 00:06:23 +0000
Subject: [PATCH 2/4] Auto add rule ID
---
 detection-rules/abused_payoneer_callback.yml | 1 +
 1 file changed, 1 insertion(+)
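Review bot: The phone-number gate inside the first `and (` block is looser than its per-format comments suggest: the first alternative, `'.*\+?([lo0-9]{1}.)?\(?[lo0-9]{3}?\)?.[lo0-9]{3}.?[lo0-9]{4}.*\n'`, uses bare `.` separators and optional groups, so it already matches the `+`-prefixed, dotted, dashed and parenthesised forms that the following alternatives spell out (only the `8[lo0-9]{9}` branch adds coverage), and it equally matches ten digits split by any single character — that character may itself be a digit, so an eleven-digit reference or invoice number qualifies — which leaves the `4 of (` keyword count as the real filter. Every alternative also ends in `.*\n`, so a number on the last line of `body.current_thread.text` is missed if that field has no trailing newline; since `regex.icontains` is already a contains-match, dropping the `.*\n` suffix (and the leading `.*`) removes that gap without changing what is matched. Separately, the final branch `or strings.ilike(body.html.inner_text, '*kindly*')` sits at the same depth as the two parenthesised branches, so any inbound, attachment-less payoneer.com message containing "kindly" fires on its own regardless of phone number or keywords; moving it into the keyword list as `strings.ilike(body.html.inner_text, '*kindly*'),` or pairing it with the phone-number condition would keep the rule's stated callback focus. The only sender check is `sender.email.domain.root_domain in ("payoneer.com")`, so a spoofed From domain matches as well; if the intent is specifically abuse of the genuine service, adding `and headers.auth_summary.dmarc.pass` would pin the rule to authenticated Payoneer mail, at the cost of leaving spoofs to other rules.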
diff --git a/detection-rules/abused_payoneer_callback.yml b/detection-rules/abused_payoneer_callback.yml
index 713b15325dd..7df786a885f 100644
--- a/detection-rules/abused_payoneer_callback.yml
+++ b/detection-rules/abused_payoneer_callback.yml
@@ -96,3 +96,4 @@ detection_methods:
 - "Sender analysis"
 - "Header analysis"
 - "Content analysis"
+id: "b7fb174c-c5a0-567a-8090-6ca142d94562"
From 10380fcaf4d2b245fc0267fc8da87977339afdeb Mon Sep 17 00:00:00 2001
From: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com>
Date: Sat, 26 Oct 2024 08:21:21 -0500
Subject: [PATCH 3/4] match keywords with paypal_invoice_abuse
---
 detection-rules/abused_payoneer_callback.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/detection-rules/abused_payoneer_callback.yml b/detection-rules/abused_payoneer_callback.yml
index 7df786a885f..9bdd58e90d1 100644
--- a/detection-rules/abused_payoneer_callback.yml
+++ b/detection-rules/abused_payoneer_callback.yml
@@ -51,6 +51,7 @@ source: |
 strings.ilike(body.html.inner_text, '*done by you*'),
 regex.icontains(body.html.inner_text, "didn\'t ma[kd]e this"),
 strings.ilike(body.html.inner_text, "*Fruad Alert*"),
+ strings.ilike(body.html.inner_text, "*Fraud Alert*"),
 strings.ilike(body.html.inner_text, '*using your PayPal*'),
 strings.ilike(body.html.inner_text, '*subscription*'),
 strings.ilike(body.html.inner_text, '*antivirus*'),
@@ -71,7 +72,7 @@ source: |
 strings.ilike(body.html.inner_text, '*renew*'),
 strings.ilike(body.html.inner_text, '*refund*'),
 strings.ilike(body.html.inner_text, '*+1*'),
- strings.ilike(body.html.inner_text, '*help*desk*'),
+ regex.icontains(body.html.inner_text, 'help.{0,3}desk'),
 )
 )
 )
From d0b7faee2b910a2fbce04df9fb349e17afc43e4f Mon Sep 17 00:00:00 2001
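Review bot: The corrected `"*Fraud Alert*"` in the first hunk of PATCH 3 is added beside the existing `"*Fruad Alert*"` rather than replacing it, and nothing in the file says the misspelling is kept on purpose, so the next reader will treat it as a typo and delete it; a comment on the `"*Fruad Alert*"` line such as `// misspelling kept deliberately — seen in scam templates` would record the intent, assuming that is the reason (the commit message does not say). Both changed lines sit inside the `4 of (` list, whose opening and enclosing `and (` are outside these hunks. As a point of style, the new entry uses double quotes while its neighbours use single quotes, so `'*Fraud Alert*'` would match the list's convention. In the second hunk `regex.icontains(body.html.inner_text, 'help.{0,3}desk')` is a sensible tightening of `'*help*desk*'`, which matched any text with `help` anywhere before `desk`.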
From: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com>
Date: Wed, 30 Oct 2024 14:42:26 -0500
Subject: [PATCH 4/4] Update abused_payoneer_callback.yml
---
 detection-rules/abused_payoneer_callback.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/detection-rules/abused_payoneer_callback.yml b/detection-rules/abused_payoneer_callback.yml
index 9bdd58e90d1..a65ec818b53 100644
--- a/detection-rules/abused_payoneer_callback.yml
+++ b/detection-rules/abused_payoneer_callback.yml
@@ -45,6 +45,8 @@ source: |
 )
 and (
 (
+ // list of keywords taken from
+ // https://github.com/sublime-security/sublime-rules/blob/main/detection-rules/paypal_invoice_abuse.yml
 4 of (
 strings.ilike(body.html.inner_text, '*you did not*'),
 strings.ilike(body.html.inner_text, '*is not for*'),