Prevent Bitcoin scams with Email Security.cloud

Article ID: 171973

Products

Email Security.cloud

Issue/Introduction

You would like to monitor any inbound emails containing Bitcoin wallet addresses or Bitcoin related scams.

Resolution

Introduction

Bitcoin was the first decentralized cryptocurrency (see What is Bitcoin?). While Bitcoin transactions are publicly recorded, no name is attached to a wallet. This anonymity makes the currency attractive to scammers, and wallet addresses are frequently seen in ransom emails. These ransom emails can also use foreign or rarely used character sets that make detection based on wording alone difficult. Using Symantec Email Security.cloud together with Data Protection, these emails can be detected.

Before you start

It is important to note that Bitcoin on its own, just like any other currency, is not malicious and is used for many legitimate purposes. Take this into consideration when choosing the Data Protection action below.

Policy logic

Rule 1: Control Body Content
  Condition 1: Content Regular Expression List
    - Mixed Charsets
  OR
  Condition 2: Keyword List
    - Cryptocurrency Keywords
  OR
  Condition 3: Content Regular Expression List
    - Zero Length Spaces

AND

Rule 2: Wallet Detection
  Condition 1: Content Regular Expression List
    - Cryptocurrency Wallet

(Optional) AND

Rule 3: Exceptions
  Condition 1: Sender Domain List
    - Valid Cryptocurrency sources


  • Rule 1 will be true if any one of its conditions is satisfied
    • Condition 1 will be true if a mix of character sets is detected within the email
    • Condition 2 will be true if it finds a match to one (1) keyword in Cryptocurrency Keywords.
    • Condition 3 will be true if it finds a match to 10 or more (10+) zero length spaces in Zero Length Spaces.
  • Rule 2 will be true if its condition is satisfied
    • Condition 1 will be true if it finds a match to a Bitcoin or Ethereum wallet ID.
  • Rule 3 will be true if its condition is satisfied
    • Condition 1 will be true if it does not find the sender's domain in the Valid Cryptocurrency Sources list.

The policy looks for scam indicators (mixed character sets, cryptocurrency keywords or zero length spaces) together with a cryptocurrency wallet address inside the body of the inbound email. If a wallet identifier is found, it then checks whether the sender's domain is listed as a valid source. If the sending domain does not appear in the Exceptions list, the policy triggers.

Policy implementation

  1. Log in to the Symantec.cloud Management Console (ClientNet).
  2. Navigate to Services > Data Protection.
  3. Create a new Data Protection policy, and define the following options:
    • Name: Bitcoin Detection
    • Apply to: Inbound email only
    • Execute if: ALL rules are met
    • Action: Log Only
    • Administrator email: Enter a non-production administrator email address; do not use a personal email address. Data Protection policy administrators are automatically whitelisted from all Data Protection policies to avoid mail loops.
    • Notification: None

      Note: The Action and the Notification settings can be adjusted to suit your needs. Log Only is good for testing and monitoring but will not prevent the emails from coming through.
       
  4. Add a new rule. Click Add Rule, and define the following options:
    • Name: Mixed Charsets
    • Execute if: Any conditions are met
       
    • Add a new condition. Under Content - Regular Expression Lists, click Create a new Regular Expression List.
      • Name: Cyrillic CharSet Detection
      • Add the following entry to the list:

        (?:\p{L}+)?(?:\p{IsLatin}(?:\p{S}|\p{P})?\p{IsCyrillic}|\p{IsCyrillic}(?:\p{S}|\p{P})?\p{IsLatin})(?:\p{L}+)?

        Note: This expression will match any string of characters in which Latin and Cyrillic character sets are mixed, optionally separated by a single symbol or punctuation character.
      • Define the conditions for the rule as follows.
        • Email contains: a number of matches for the regular expressions in the selected lists
        • At least: 1
        • Count only unique matches: No
        • Case sensitive: No
        • Look in: Body, Subject Line
        • Matched text: Log Matched text
           
    • Add a new condition. Under Content - Keyword List, click Create a new Keyword List.
      • Name: Cryptocurrency Keywords
      • Add the following entry to the list.

        beutel
        Bezahlung
        bitcoin
        bitcoins
        criptovaluta
        crypto
        cryptocurrency
        cryptowaluta
        digitale geldbeutel
        masturbi
        pay
        payment
        płacić
        płatność
        porn
        porno
        portafoglio bitcoin
        portfel
        transfer
        video
        wallet
        zahlen
        биткоин
        биткоинс
        видео
        кошелек
        крипто
        криптовалюта
        оплата
        платить
        трансфер
        BTC
        BTC address

         
      • Define the conditions for the rule as follows.
        • Email contains: a number of matches for the keywords in the selected lists
        • At least: 2
        • Count only unique matches: No
        • Case sensitive: No
        • Look in: Body
        • Matched text: Log Matched text
           
    • Add a new condition. Under Content - Regular Expression Lists, click Create a new Regular Expression List.
      • Name: Zero Length Spaces
      • Add the following entry to the list.

        (?:\u200b{1,3})
        (?:\u200c{1,3})
        (?:\u200d{1,3})
        (?:\u200e{1,3})
        (?:\u200f{1,3})
        (?:\u2060{1,3})
        (?:\ufeff{1,3})
        (?:\u00AD{1,3})
        (?:\u00A0{1,3})

         
      • Define the conditions for the rule as follows.
        • Email contains: a number of matches for the regular expressions in the selected lists
        • At least: 10
        • Count only unique matches: No
        • Case sensitive: No
        • Look in: Body
        • Matched text: Log Matched text
           
  5. Add a new rule. Click Add Rule, and define the following options:
    • Name: Cryptocurrency Wallet Detection
    • Execute if: ALL conditions are met
       
    • Add a new condition. Under Content - Regular Expression Lists, click Create a new Regular Expression List.
      • Name: Cryptocurrency Wallet
      • Add the following entry to the list:

        (?:^[\t ]*?|[\t\v ]{1,}[-:.]|[-:.]?[\t ]{1,5})(?<!(?i)fingerprint: |checksum: |security code: (?-i))((?:[13])[a-km-zA-HJ-NP-Z1-9]{25,35}(?=$|[-:.]?[\t ]{1,}|[-:.]$))
        (?:^[\t ]*?|[\t\v ]{1,}[-:.]|[-:.]?[\t ]{1,5})(?<!(?i)fingerprint: |checksum: |security code: (?-i))((?:bc|tb)(?:0([a-zA-HJ-NP-Z0-9]{39}|[a-zA-HJ-NP-Z0-9]{59})|1[a-zA-HJ-NP-Z0-9]{8,87}))(?=$|[-:.]?[\t ]{1,}|[-:.]$)
        (?:^[\t ]*?|[\t\v ]{1,}[-:.]|[-:.]?[\t ]{1,5})(?<!(?i)fingerprint: |checksum: |security code: (?-i))(0x[a-fA-F0-9]{40})(?=$|[-:.]?[\t ]{1,}|[-:.]$)


        Note: The first expression will match any string of characters matching the Bitcoin base58 wallet syntax of 26-34 characters beginning in either a 1 or 3. The second matches Bech32 addresses beginning with bc or tb, and the third matches Ethereum addresses (0x followed by 40 hexadecimal characters). All three ignore values directly preceded by a "fingerprint:", "checksum:" or "security code:" label to reduce false positives.
         
      • Define the conditions for the rule as follows.
        • Email contains: a number of matches for the regular expressions in the selected lists
        • At least: 1
        • Count only unique matches: No
        • Case sensitive: Yes
        • Look in: Body
        • Matched text: Log Matched text 

Note: The next rule is optional and is only needed if specific domains legitimately send you emails containing wallet addresses.

  6. Add a new rule. Click Add Rule, and define the following options:
    • Name: Exceptions
    • Execute if: ALL conditions are met
       
  7. Add a new condition. Under Content - Sender Domain List, click Create a new Sender Domain List. (Note: You may already have a list of safe senders or domains created for another Data Protection policy. If this is the case, feel free to use that list and skip creating a new one.)
    • Populate the list with your trusted domains.
    • Define the condition as follows:
      • Name: Valid Bitcoin sources
      • Add to the list any domains that are allowed to send you emails containing a Bitcoin wallet address.
      • Domain of the sender: is in none of the selected lists
  8. Review your choices and save the policy.

Note: Don't forget to activate the policy after saving it; a newly created policy is not active by default.

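To see how the three rules combine before switching the action away from Log Only, here is an added Python model of the policy (not Symantec's code) run over constructed sample messages. It assumes a keyword subset and a simplified port of the wallet expressions, because Python's re module has neither \p{IsLatin}/\p{IsCyrillic} nor variable-width lookbehind.

```python
import re
import unicodedata
# Thresholds from the policy steps above (the keyword threshold is the "At least: 2" value).
MIXED_MIN, KEYWORD_MIN, ZERO_WIDTH_MIN, WALLET_MIN = 1, 2, 10, 1
# Subset of the Cryptocurrency Keywords list; matched case-insensitively as whole words.
KEYWORDS = ["bitcoin", "bitcoins", "wallet", "payment", "pay", "transfer", "crypto", "btc",
            "биткоин", "кошелек", "оплата"]
# The Zero Length Spaces list as one class; a run of 1-3 counts as one match, like the list entries.
ZERO_WIDTH = re.compile("[\u200b\u200c\u200d\u200e\u200f\u2060\ufeff\u00ad\u00a0]{1,3}")
# Simplified port of the three Cryptocurrency Wallet expressions (legacy base58, Bech32, Ethereum);
# Python's re has no variable-width lookbehind, so the label exclusion is applied in wallet_hits().
WALLET_RES = [re.compile(r"(?<![A-Za-z0-9])[13][a-km-zA-HJ-NP-Z1-9]{25,34}(?![A-Za-z0-9])"),
              re.compile(r"(?<![A-Za-z0-9])(?:bc|tb)1[a-zA-HJ-NP-Z0-9]{8,87}(?![A-Za-z0-9])"),
              re.compile(r"(?<![A-Za-z0-9])0x[a-fA-F0-9]{40}(?![A-Za-z0-9])")]
EXCLUDED_LABEL = re.compile(r"(?:fingerprint|checksum|security code): $", re.I)

def mixed_charset_hits(text):
    """Mirrors the Cyrillic CharSet Detection regex on a per-character script map:
    L = Latin letter, C = Cyrillic letter, p = symbol/punctuation, . = anything else."""
    coded = "".join("L" if c.isalpha() and unicodedata.name(c, "").startswith("LATIN") else
                    "C" if c.isalpha() and unicodedata.name(c, "").startswith("CYRILLIC") else
                    "p" if unicodedata.category(c)[0] in "SP" else "." for c in text)
    return len(re.findall(r"Lp?C|Cp?L", coded))

def keyword_hits(text):
    return sum(len(re.findall(r"(?<!\w)%s(?!\w)" % re.escape(k), text.lower())) for k in KEYWORDS)

def wallet_hits(body):
    # Wallet-looking strings, dropping any directly preceded by a fingerprint/checksum/security code label.
    return [m.group(0) for rx in WALLET_RES for m in rx.finditer(body)
            if not EXCLUDED_LABEL.search(body[:m.start()])]

def evaluate(sender, subject, body, trusted_domains):
    """Rule 1 (any condition) AND Rule 2 (a wallet ID) AND Rule 3 (sender domain not trusted)."""
    rule1 = (mixed_charset_hits(subject + " " + body) >= MIXED_MIN
             or keyword_hits(body) >= KEYWORD_MIN
             or len(ZERO_WIDTH.findall(body)) >= ZERO_WIDTH_MIN)
    wallets = wallet_hits(body)
    rule3 = sender.rsplit("@", 1)[-1].lower() not in trusted_domains
    return rule1 and len(wallets) >= WALLET_MIN and rule3, wallets

# Constructed sample messages; "vid\u0435o" hides a Cyrillic е inside a Latin word.
TRUSTED = {"exchange.example"}
SAMPLES = [
    ("x@mail.example", "Payment due", "I have a vid\u0435o of you. Send a bitcoin payment to my "
     "wallet 1Djduu4yaSmbyNBEgKfYMn4SySkjLx1dHC within 48 hours."),
    ("noreply@exchange.example", "Withdrawal", "Your transfer to bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4 "
     "is complete. Payment confirmed."),
    ("build@vendor.example", "Firmware", "Payment received; transfer log checksum: 0x" + "deadbeef" * 5),
]
```

Running `evaluate(*sample, TRUSTED)` over SAMPLES flags only the first message: the second is suppressed by the Exceptions list and the third by the checksum label exclusion, which is the kind of false positive the Log Only phase is meant to surface.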

Reports

Report requirements

Before you create the report, ensure that you are using the local main account or a secondary user with the "View Sensitive statistics" role or permission assigned to it. Secondly, ensure that the following Data Protection options are activated.

Note: If you have a partner, or if you are a partner creating policies or reports on behalf of your clients, your partner account will not work to create this report.

Enable Sensitive Data

  1. Log in to the Symantec.cloud Management Console.
  2. Navigate to Services > Data Protection > Settings.
  3. Check the following options:
    • Show matched content on reports.
    • Show surrounding text on reports. (Optional, depends on your needs)
  4. Click Save.

Create a bitcoin detection policy report

Report example

This example shows how a report looks in Microsoft Excel (with non-relevant columns hidden).

  Time Period       Email Subject   Email To           Email From         Matched Content
  28/07/2018 22:48  Subject Line    [email protected]  [email protected]  1Djduu4yaSmbyNBEgKfYMn4SySkjLx1dHC
  28/07/2018 21:31  Some Subject    [email protected]  [email protected]  1CDdmD49ufFqrGMxCTEvEXxZWsUFoE4ZUn


  1. Log in to the Symantec.cloud Management Console.
  2. Navigate to Reports > Report Requests.
  3. Start a new report. Enter a name such as Bitcoin Detection Report.
  4. In the left pane, select the data to include:
    • Check Email Detailed Report (CSV).
    • Check Data Protection.
    • Click advanced settings.
  5. In the floating pane (on the right in the image below), under Policy Name, ensure that the policy name matches the exact name of the policy. For example, earlier we defined the policy name as "Bitcoin Detection".
  6. Set the reporting period:
    • Time zone: GMT (select your time zone)
    • Report period: last 3 day(s) (this is a good value to start with)
    • Check Schedule.
    • Set Run the report request as follows:
      • Daily at 8:00 AM (choose a time that suits you)
      • every: 3 Days
      • Until: forever
  7. Set the delivery preferences:
    • Report available: as an email attachment
    • Recipient(s): you can add up to 5 recipients

      Note: You can leave the other options as is.
       
  8. Review your choices and save the report request.

Final steps

With everything in place, begin analyzing the report every couple of days, work out which senders are valid sources, and approve them in the Exceptions condition.

This process may take several weeks depending on the email flow and the number of individual, valid sources. Symantec recommends that you change the action of the Bitcoin Detection policy only after you can accept the reduced risk of false positives. This risk should be minimal after several weeks of approvals.

After Log Only, the next action we suggest is Redirect to Administrator, where the emails are sent to the admin email address specified in this policy. Create this admin mailbox specifically for this purpose, so that messages are retained if a false positive occurs and the original email can be retrieved if necessary.
