Merge pull request #376 from milannshrestha/patch-2

Create extortion_email.yar

email/extortion_email.yar

+rule extortion_email
+{
+  meta:
+    author = "milann shrestha <Twitter - @x0verhaul>"
+		description = "Detects the possible extortion scam on the basis of subjects and keywords"
+		data = "12th May 2020"
+
+	strings:
+	  $eml1="From:"
+    $eml2="To:"
+    $eml3="Subject:"
+		
+		// Common Subjects scammer keep for luring the targets 
+    $sub1 = "Hackers know password from your account."
+    $sub2 = "Security Alert. Your accounts were hacked by a criminal group."
+    $sub3 = "Your account was under attack! Change your credentials!"
+    $sub4 = "The decision to suspend your account. Waiting for payment"
+    $sub5 = "Fraudsters know your old passwords. Access data must be changed."
+    $sub6 = "Your account has been hacked! You need to unlock it."
+    $sub7 = "Be sure to read this message! Your personal data is threatened!"
+    $sub8 = "Password must be changed now."
+
+		// Keywords used for extortion
+    $key1 = "BTC" nocase
+    $key2 = "Wallet" nocase
+    $key3 = "Bitcoin" nocase
+    $key4 = "hours" nocase
+    $key5 = "payment" nocase
+    $key6 = "malware" nocase
+    $key = "bitcoin address" nocase
+    $key7 = "access" nocase
+    $key8 = "virus" nocase
+
+	condition: 
+    all of ($eml*) and
+    any of ($sub*) and
+    any of ($key*)
+}