All you can do is add filters on the embedded text that can be
modified by a legitimate PayPal user.. Still haven't got feedback from
PayPal on whether these are scam signups, or compromised legitimate
PayPal accounts yet..
A bit of a whack-a-mole, but a telephone scam needs a telephone number, so
our targeted rules use those, and some phraseology, but that only helps
for known samples, and cannot predict future ones..
Trying to add a high scoring rule safely on only a single short bit of
text is pretty difficult, especially when the legitimate notices are so
close in context..
Not sure this should be something that SA tackles, it is a source
problem at PayPal.. Sure people appreciate your efforts though.
On 2024-12-06 11:06, John Hardin wrote:
Folks:
Re the recent surge of PayPal frauds apparently sent via the legit
PayPal infrastructure...
I've started getting these too, so I have some samples to work with, and
I'm adding some rules to try to detect them based on those, but I don't
regularly use PayPal so my ham corpus for PayPal messaging is somewhat
thin.
As they are abusing the legit PayPal infrastructure the distinction
between legit and fraud as far as analysis goes will potentially be
difficult.
If possible, we should be ensuring that there is a good amount of
*legit* PayPal messaging in our ham corpora so that the rule evaluations
are less FP-prone.
If you can do anything to increase the number of legit PayPal messages
in your ham corpus, please do so...
Thanks!
--
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Reg. TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada
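An added example, not taken from the thread or from the SpamAssassin project, of how the approach Michael describes (a telephone-number subrule and a phraseology subrule, combined in a meta rule that only fires on mail that actually came through PayPal's infrastructure) can be written as local SpamAssassin rules. The rule names, the regexes, the From: restriction and the score are all my assumptions; the phrase list in particular encodes only the kind of wording seen in known samples, which is exactly the limitation the thread points out.

```conf
# Local SpamAssassin rules (assumed names, prefixed LOCAL_/__LOCAL_ so they
# never collide with stock rules). Subrules starting with "__" carry no score.

# Mail that really originated from PayPal: the scam abuses legit infrastructure,
# so the sender check narrows scope rather than proving anything by itself.
header   __LOCAL_FROM_PAYPAL     From:addr =~ /\@paypal\.com$/i

# A North American telephone number in the body text (assumed format; extend
# for other regions as samples arrive). A phone scam needs a number to call.
body     __LOCAL_PAYPAL_PHONE    /\b(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b/

# Call-back phraseology seen in constructed samples (assumed wording).
# Legit PayPal notices rarely tell the recipient to phone a number to cancel.
body     __LOCAL_PAYPAL_PHRASE   /\b(?:call\s+(?:us|now|immediately)|contact\s+(?:our\s+)?(?:support|help\s*desk)|to\s+cancel\s+(?:this\s+)?(?:order|transaction|payment))\b/i

# Only score when all three agree; a phone number alone is common in ham.
meta     LOCAL_PAYPAL_PHONE_SCAM __LOCAL_FROM_PAYPAL && __LOCAL_PAYPAL_PHONE && __LOCAL_PAYPAL_PHRASE
describe LOCAL_PAYPAL_PHONE_SCAM PayPal-originated notice with call-back number
# Assumed conservative score: nudges the verdict rather than deciding it,
# because legit notices are close in context to the scam text.
score    LOCAL_PAYPAL_PHONE_SCAM 2.5
```

Drop the fragment into a file under the site rules directory (for example `/etc/mail/spamassassin/local_paypal.cf`, an assumed path), run `spamassassin --lint` to confirm it parses, and check it against a ham corpus that contains legit PayPal notices before raising the score, since the meta rule is only as selective as the phrase subrule and that subrule will need updating as new samples appear.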