These look useful, and I'll likely put them on my server, but the one I just received is an "Invoice Request".  It doesn't have the traditional, "we've detected unusual activity" kind of language.

I started scanning through the plain text (not wanting to trigger any of the http links), and the requestor is from a "store" that just registered their domain last month via cheapdomains, and the country code for the registration (which is "private") is Iceland.

Most of the relays are through outlook.com.  Here's some of the somewhat-relevant header info:

Authentication-Results: spf=pass (sender IP is 66.211.170.93)
 smtp.mailfrom=paypal.com; dkim=pass (signature was verified)
 header.d=paypal.com;dmarc=pass action=none header.from=paypal.com;
Received-SPF: Pass (protection.outlook.com: domain of paypal.com designates
 66.211.170.93 as permitted sender) receiver=protection.outlook.com;
 client-ip=66.211.170.93; helo=mx9.phx.paypal.com; pr=C
Received: from mx9.phx.paypal.com (66.211.170.93) by
 SN1PEPF0002636A.mail.protection.outlook.com (10.167.241.135) with Microsoft  SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.8182.16 via Frontend Transport; Wed, 20 Nov 2024 16:46:55 +0000
DKIM-Signature: v=1; a=rsa-sha256; d=paypal.com; s=pp-dkim1;
 c=relaxed/relaxed;
    q=dns/txt; i=@paypal.com; t=1732121214;
    h=From:From:Subject:Date:To:MIME-Version:Content-Type;
    bh=sjZqBd/pJ48V/boeNBoBSYq6r8uaGQRwW9DNRqL+x8w=;
I also double-checked my PP account and there are no actual invoices in there waiting for me.

Nuts.
On 11/21/2024 10:30 AM, Jared Hall wrote:

#
##############
### PAYPAL ###
##############
header  __JR_PHISH_PPAL1A               From:name =~ /(^(PayPal\s?|.*\@paypal\.com)|Via\sPayPal)/i
header  __JR_PHISH_PPAL1B               From:addr !~ /.*\@(.*\.)?(paypal|paypal\-communication)\.com$/i
header  __JR_PHISH_PPAL1C               Reply-To:addr !~ /.*\@(.*\.)?(paypal)\.com$/i
header  __JR_PHISH_PPAL1G               From:addr =~ /.*\@(.*\.)?(paypal|paypal\-communication)\.com$/i
meta    JR_PHISH_PPAL1                  (__JR_PHISH_PPAL1A && __JR_PHISH_PPAL1B)
describe        JR_PHISH_PPAL1  Name Spoof/Phish Detected
score   JR_PHISH_PPAL1                  15.0

meta    JR_PHISH_PPAL2                  (__JR_HDR_SUBJ__PPAL1 && (__JR_PHISH_PPAL1B || (__JR_PHISH_REPLY && __JR_PHISH_PPAL1C)))
describe        JR_PHISH_PPAL2  Name Spoof/Phish Detected
score   JR_PHISH_PPAL2                  15.0

body    __JR_PHISH_PPAL3A               /(go\sto\sthe\sPayPal\swebsite|We\snoticed\sunusual\sactivity\sin\syour\sPayPal\saccount\.|you\'ve\sto\scheck\syour\sinformation|PayPal\.\sAll\srights\sreserved\.|You\sreceived\sthis\se\-mail\sas\sa\smember\sof\spaypal\.|PayPal\sSupport\sAll\srights\sare\sreserved|Copyright\s1999\-2019\sPayPal|This\sis\sthe\sLast\sreminder\sto\slog\sin\sto\sPayPal|PayPal\ssecure|We\'ve\salso\simposed\stemporary\slimits\son\scertain\sfeatures\son\syour\sPayPal\saccount|Copyright\s\xC2\xA9\s1999\-2021\sPayPal\.\sCopyright\sis\sprotected\sby\slaw\.)/m
tflags  __JR_PHISH_PPAL3A               nosubject
header  __JR_PHISH_PPAL3B               Subject =~ /(Your\saccount\sPayPal\swill\sbe\slimited|Unusual\sActivity\sOn\sYour\sPaypal\sAccount|K\xC3\xBCrzlich\shaben\swir\sIhr\sKonto\svor\xC3\xBCbergehend\seingeschr\xC3\xA4nkt)/i

# meta  JR_PHISH_PPAL3                  ((__JR_PHISH_PPAL3A || __JR_PHISH_PPAL3B) && (JR_PUBLIC_SHORTURL || JR_BODY_GREETINGS || JR_BODY_ADV_SCAM_META))
# describe      JR_PHISH_PPAL3  Name Spoof/Phish Detected
# score   JR_PHISH_PPAL3          15.0

# meta    JR_PHISH_PPAL4                        ((__JR_PHISH_PPAL1A || __JR_PHISH_PPAL1G) && (JR_PUBLIC_SHORTURL || JR_PHISH_DOC))
# describe      JR_PHISH_PPAL4  Name Spoof/Phish Detected
# score JR_PHISH_PPAL4              15.0

header  __JR_PHISH_PPAL5A       ALL:raw !~ /Received:\sfrom\s(.*\.)?(paypal\.com|epsl1\.com)\s/m
meta    JR_PHISH_PPAL5          ((__JR_PHISH_PPAL1A || __JR_PHISH_PPAL1G) && __JR_PHISH_PPAL5A)
describe        JR_PHISH_PPAL5  Name Spoof/Phish Detected
score   JR_PHISH_PPAL5          15.0

# PPAL6 is the low-score fallback; its describe/score lines were mislabelled PPAL5 (which would have
# overridden the 15.0 score above), corrected here to PPAL6.
meta    JR_PHISH_PPAL6                  ((__JR_PHISH_PPAL3A || __JR_PHISH_PPAL3B) && __JR_PHISH_PPAL1B)
describe        JR_PHISH_PPAL6  Name Spoof/Phish Detected
score   JR_PHISH_PPAL6                  2.5

Let me know how this works for you.

-- Jared Hall
ja...@jaredsec.com
Available for hire.
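An added example, not part of Jared's ruleset or of SpamAssassin itself: the JR_PHISH_PPAL1 and JR_PHISH_PPAL5 logic from the post above re-implemented in Python over two constructed messages. The second sample mimics AJ's case, a PayPal-branded mail that really did transit PayPal's MX, which is exactly why these name/relay rules stay silent on it.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Python equivalents of the SpamAssassin sub-rules in the post above.
RE_PPAL1A = re.compile(r'(^(PayPal\s?|.*@paypal\.com)|Via\sPayPal)', re.I)        # From:name claims PayPal
RE_PPAL_ADDR = re.compile(r'.*@(.*\.)?(paypal|paypal-communication)\.com$', re.I)   # 1G; 1B is "not 1G"
RE_PPAL5A = re.compile(r'from\s(.*\.)?(paypal\.com|epsl1\.com)\s', re.I)           # 5A is "no Received matches"

def check_paypal_spoof(raw_message: str) -> dict:
    """Evaluate JR_PHISH_PPAL1 and JR_PHISH_PPAL5 for one RFC 5322 message string."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get('From', ''))
    name_claims_paypal = bool(RE_PPAL1A.search(name))          # __JR_PHISH_PPAL1A
    addr_is_paypal = bool(RE_PPAL_ADDR.match(addr))             # __JR_PHISH_PPAL1G
    received = msg.get_all('Received') or []
    via_paypal_mx = any(RE_PPAL5A.search(r) for r in received)  # negation is __JR_PHISH_PPAL5A
    return {
        'JR_PHISH_PPAL1': name_claims_paypal and not addr_is_paypal,
        'JR_PHISH_PPAL5': (name_claims_paypal or addr_is_paypal) and not via_paypal_mx,
    }

# Constructed samples (not real messages). The first is a classic display-name spoof;
# the second mimics AJ's invoice, which actually transited PayPal's mail exchanger.
SPOOFED = """\
Received: from mail.example.invalid (192.0.2.10) by mx.example.net
From: "PayPal" <billing@example.invalid>
Subject: Unusual Activity On Your Paypal Account

Log in now.
"""

GENUINE_TRANSPORT = """\
Received: from mx9.phx.paypal.com (66.211.170.93) by
 SN1PEPF0002636A.mail.protection.outlook.com (10.167.241.135)
From: "PayPal" <service@paypal.com>
Subject: Invoice Request

You have an invoice.
"""

if __name__ == '__main__':
    print('spoofed:', check_paypal_spoof(SPOOFED))                    # both rules fire
    print('genuine transport:', check_paypal_spoof(GENUINE_TRANSPORT))  # neither fires
```

Catching the invoice-abuse case needs content or sender-history signals (new invoicer domain, invoice text) rather than header-spoof checks, since SPF, DKIM and DMARC all legitimately pass.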
On 11/21/2024 7:57 AM, AJ Weber wrote:
I saw a "conversation" a few weeks ago regarding paypal phishing emails that were not being caught.

I can't recall if anyone found a reasonable solution (or new rules).

I just received one and it seems very well crafted.  Is anyone still collecting samples and wants this one too?

Thanks for any recap anyone can provide.

-AJ