For months now, scammers have been able to exploit the PayPal invoice system to "request money" or invoice potential victims via email.
These emails come from service@paypal.com and therefore look legitimate at first glance. If the particular email user has a PayPal account, they will also see the money deducted in their account and a button to view said request or invoice.
For more information regarding these types of scams follow kitboga on youtube or twitter.
An example invoice email looks like this:
- Context links
- The "easy" way
- The regular expressions way
- The "how suspicious is this text" way
- The obfuscated way
- The Java Way
- The RUSTy way
- Want to help?
Don't allow your users to include phone numbers in the "message" of an invoice.
But if that somehow causes irreputable harm to your business, explore the other options below:
Credit: @codecat
([0-9]{3,}|call|contact|\+1)Run test: $ python3 python/the_regex_way.py
Credit @kitbogashow
# various phrases to match against, and their "weight" of how bad they are.
sus_words = {
'cancel': 1,
'refund': 1,
'help desk': 0.5,
'authorized': 0.5,
'24 hours': 0.25,
'USD': 0.1
}
for index, line in enumerate(lines):
line_total_score = 0
for word, score in sus_words.items():
if word.lower() in line.lower():
line_total_score += score
# decide what to do if the score is too high
Run test: $ python python/score_text.py
Credit: @codecat
char l[512];int c(char f[]){int i=0,m=0,c;while(c=tolower(l[i++])){char
e=tolower(f[m]);if(!e)return 1;else if(c==e){if(f[m+++1]=='\0')return 1
;}else m=0;}return 0;}int main(){int s=0,t=0;FILE*fh=fopen("../invoice"
"s.txt","rb");while(fgets(l,512,fh))++t&&(c("suspicious")||c("unauthor"
"ized")||c("+1")||c("geek squad")||c(" call"))&&s++;printf("%d / %d\n",
s,t);}Credit: @Nomnivore
import("fs").then((fs) => fs.readFileSync("./invoices.txt").toString().trim().split("\n").forEach((l, n) => l.search(/([0-9]{3,}|call|contact|\\+1)/) >= 0 ? console.log(`line ${n} is likely a scam`) : console.log(`line ${n} is likely not a scam`)))
see javascript/scamGoBye.js
Credit: @Gamer1120 / @datatags
private static final Pattern PATTERN = Pattern.compile("[0-9]{3,}|call|contact|\\\\+1");
public static void main(String[] args) {
try (BufferedReader reader = new BufferedReader(new FileReader("invoices.txt"))) {
reader.lines().forEach(line -> {
if (PATTERN.matcher(line).find()){
System.out.println("ඞ sus thing found: " + line);
}
});
} catch (IOException e) {
e.printStackTrace();
}
}
see java/src/main/java/FixPaypalRegex.java
Credit: @jasonverbeek
fn rate_lines() -> Result<()> {
let file = File::open("../../invoices.txt")
.or_else(|_| ErrorType::IOError.as_error("Could not open invoices.txt"))?;
let lines = std::io::BufReader::new(file).lines();
for (i, line) in lines.enumerate() {
let mut score = 0;
if let Ok(line_str) = line {
for sussy in SUSSY_WUSSY {
if line_str.to_lowercase().contains(sussy) {
score += 1;
}
}
}
println!("line {} has a sussy wussy score of {}", i, score);
}
Ok(())
}
see rust/sussy-wussy-meter
Credit: @McChronicle
regex := regexp.MustCompile(`([0-9]{3,}|call|contact|\+1)`)
for _, message := range messages {
if regex.MatchString(message) {
matches++
}
}
see go/the_regex_way.go
Credit: @not-optikk
for word in text:gmatch('%w+') do
if flagged_words[word] then
sus_score = sus_score + flagged_words[word]
elseif word:match('%d+') == word and not whitelisted_numbers[word] then
table.insert(numbers, word)
end
end
see lua/main.lua
Credit: @emp500
#!/bin/bash
count=0
while IFS= read -r line
do
if echo $line | grep -Piq "([0-9]{3,}|call|contact|\+1)"; then
echo "sus line found"
let count++
fi
done < "../invoices.txt"
echo "sus lines: $count"
see bash/run.sh
There are currently (12/22/22) 12 sample invoices in text form in invoices.txt.
If you have some code that could solve this task, please let me know and I will try to keep this up to date.