KatsBits Community

SCAM ALERT: Bug/Vulnerability Bounty Blackmail (Beg Bounty)

kat · 3 · 4049


Offline kat

  • Administrator
  • Hero Member
  • *
    • Posts: 2659
    • KatsBits
Unsolicited Bug Bounty Blackmail

There's another relatively new fear marketing [1]/blackmail email scam doing the rounds in which someone claiming to be a *cough*ethical white-hat hacker*cough* sends an unsolicited report, from an anonymous email account, stating they've found "critical" website or email service bug(s) or vulnerability(ies) and wants a reward for bringing them to the victim's attention (essentially exploiting legitimate 'bug bounty' schemes with what is euphemistically referred to as a 'beg bounty').

Initially reports tend to relate to common website iframe (x-frame bypass), or email (DNS service, DMARC, SPF or DKIM) issues that can be discovered using tools freely available online [2], potential misconfigurations that might make it easier to spoof an email or gain unauthorised third-party [3] use of, or access to, services or content they wouldn't ordinarily be able to; malicious users (re)hosting webpage content within an iframe plastered with adverts from which they earn click-revenue (click-jacking) for example, or email spammers able to access mail servers to send unsolicited junk or mass-mailings from an address they don't actually control, often without the service owner's knowledge.

While these can be legitimate concerns they can thankfully be dealt with in any number of more fruitful ways than the type of unsolicited Bug Bounty Blackmail (beg bounty) that typically escalates in severity once the scammer knows they have a responsive target or victim; over time the scammer reports more bugs alleged to be increasingly severe, that only they can fix or provide information for, while demanding greater and larger rewards, or else [4].

Messages like this are a 'crap-shoot' for their authors, however, as they are often little more than edited copy/paste boiler-plate texts or templates downloaded from the internet, modified with the victim's details swapped in using a script that pulls the information from a scraped or harvested mailing list.

Needless to say, if there are concerns about the veracity of the bug or vulnerability disclosed, the best course of action is to get in touch with a business or professional that can check what's reported, and advise or action it appropriately.

In other words, a genuine, professional, security consultant wouldn't send a poorly written email, from an anonymous Gmail, Hotmail or other throwaway account, absent contact and/or business information, demanding payment for something, never mind a response.



Footnotes:

1: Fear marketing or fear appeal is a form of manipulative marketing that uses fear as a means of persuading the target into taking action they might not otherwise engage in, the blackmail then being the threat of consequence if a 'reward' or payment for action/disclosure is not paid.

2: For more on x-frame bypass see here https://www.google.com/search?q=X-Frame-Bypass+check, for more on SPF, DKIM, DMARC configurations check here https://www.google.com/search?q=spf+dkim+dmarc+check

3: Spoofing email addresses does not require unauthorised service access; the address emails appear to be from, the 'From' address or identifier displayed in an email's header, is just a text string that can be an email address, a person's name or other label, and can be altered in Outlook or other email client.

4: Unless a server or service is significantly compromised, scammers are not 'hacking' services but instead taking advantage of knowledge deficits and 'social engineering' techniques to coerce compliance from the victim.


Offline kat
A typical example of a Beg Bounty (bug bounty) scam email:

Hi Team,
I am an independent security researcher and I have found a bug in your website   [website/domain]

The details of it are as follows:-

Description:  
This report is about a misconfigured SPF record flag, which can be used for malicious purposes as it allows for fake mailing on behalf of respected organizations.

About the Issue:
As i seen the SPF and TXT record for 
[website/domain]
which is:

DMARC Policy Not Enabled

As u can see that you Weak SPF record, as valid record should be like:-

DMARC policy enabled

What's the issue:
As u can see in the article below the difference between soft-mail and fail you should be using fail, as Soft-mail allows anyone to send spoofed emails from your domains.
 
Attack Scenario: 
An attacker will send phishing mail or anything malicious mail to the victim via mail: 
[website/domain email]
Even if the victim is aware of a phishing attack , he will check the origin email which came from your genuine mail id 
[website/domain email]
so he will think that it is genuine mail and get trapped by the attacker.
The attack can be done using any PHP mailer tool like this:-

<?php
$to = "VICTIM@example.com";
$subject = "Password Change";
$txt = "Change your password by visiting here - [VIRUS LINK HERE]";
$headers = "From: [website/domain email]";
mail($to,$subject,$txt,$headers);
?>

U can also check your SPF record form: 

[link to 3rd-party service-checking tool]

Reference:
[link to 3rd-party article lending 'authority' to the report]

Have a look at the digital ocean article for a better understanding!

Waiting for your reply.

Regards,
[bug/beg bounty scammer].


[images included below captured from above linked tool, referencing the parent domain name, to lend 'authority' to the report]



[image of 'fake' email using locally changed "From" address]
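Before paying anyone to "fix" the SPF/DMARC claims made in a mail like the one above (or relying solely on the third-party checkers mentioned in footnote 2 of the first post), it is worth checking the domain's actual TXT records and judging the claim on facts. The script below is an added example and not KatsBits code; SAMPLE_TXT is a constructed stand-in for the output of `dig TXT <domain>` and `dig TXT _dmarc.<domain>`, and the domain name is a placeholder.

```python
"""Triage the SPF/DMARC claims in a 'beg bounty' mail against the domain's
actual TXT records. Added example, not KatsBits code: SAMPLE_TXT is a
constructed stand-in for `dig TXT <domain>` / `dig TXT _dmarc.<domain>`."""
import re

SAMPLE_TXT = {
    "example.com": ["v=spf1 include:_spf.example.net ~all"],
    "_dmarc.example.com": [],  # no DMARC policy published
}

def parse_spf(txts):
    """Return (record, qualifier of 'all'); (None, None) if absent/invalid."""
    spf = [t for t in txts if t.lower().startswith("v=spf1")]
    if len(spf) != 1:  # zero or multiple SPF records are both invalid
        return None, None
    m = re.search(r"(?:^|\s)([+\-~?]?)all(?:\s|$)", spf[0])
    return spf[0], ((m.group(1) or "+") if m else None)

def parse_dmarc(txts):
    """Return the DMARC tags as a dict, or None when no policy is published."""
    rec = [t for t in txts if t.lower().startswith("v=dmarc1")]
    if not rec:
        return None
    tags = {}
    for part in rec[0].split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def triage(domain, txt):
    """Classify the spoofing claim as 'hardened', 'monitor-only' or 'open'
    and list the concrete findings, so the mail can be judged on facts."""
    _, qual = parse_spf(txt.get(domain, []))
    dmarc = parse_dmarc(txt.get(f"_dmarc.{domain}", []))
    findings = []
    if qual is None:
        findings.append("no valid SPF record or no 'all' mechanism")
    elif qual != "-":
        findings.append(f"SPF ends in '{qual}all' rather than '-all'")
    if dmarc is None:
        findings.append("no DMARC record")
    elif dmarc.get("p", "none") == "none":
        findings.append("DMARC p=none (monitor only)")
    # A DMARC quarantine/reject policy is what actually blocks a forged
    # From: header; '~all' alone is a hardening gap, not a 'critical' bug.
    if dmarc and dmarc.get("p") in ("quarantine", "reject"):
        return "hardened", findings
    return ("monitor-only" if dmarc else "open"), findings
```

Swap SAMPLE_TXT for real lookups and the output tells you whether the domain needs a DMARC policy at all, which is a DNS change the domain owner can make themselves.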



Offline kat
Another bug bounty scam/scammer.

Quote
Hey Team,

I'm a penetration tester and bug bounty hunter. I have discovered multiple vulnerabilities on your site. I've reported one of my findings so that you can review it, as well as fix this issue.

Please review the report below.

Vulnerability: Broken Authentication & Session Management
We have observed that when we change "password" from one browser in place of session expiration from another browser it just updates the password from another browser and the old session gets updated without being logged out. The flows goes like this:
Broken Authentication and Session Management > Failure to Invalidate Session > On Password Change
Steps:
1- Login from two browsers at a time [From Chrome browser and from Mozilla Firefox].
2- Change password in settings from chrome browser.
3- Now Check Mozilla Firefox.
4- Your Session got "updated" in place of expiration.

Same goes with when using two different computer systems.
1- Login from two computers at a time
2- Change password in settings from computer A.
3- Now Check computer B.
4- Your Session got "updated" in place of expiration.

Recommendations: If Session is Updating from one Browser/Computer so other should expire first to renew session after login.

If you require any additional information, please let me know. I'll be waiting to hear from your side regarding the report and bounty. I'll share my other findings as well, once I've heard back from you.

Regards,
[fake name]
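The "session not invalidated on password change" finding above is a real hardening item, and the fix is a small server-side change rather than anything the sender could be paid for. The code below is an added example and not KatsBits code: SessionStore is a hypothetical in-memory store standing in for a real session backend, and demo_flow replays the reported Chrome/Firefox steps against it.

```python
"""Fix for the reported finding: on password change, revoke every other
session of that user. Added example, not KatsBits code; SessionStore is a
hypothetical in-memory store standing in for a real session backend."""
import hashlib
import hmac
import secrets

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class SessionStore:
    def __init__(self):
        self._sessions = {}   # session token -> user name
        self._passwords = {}  # user name -> (salt, PBKDF2 digest)

    def set_password(self, user, password):
        salt = secrets.token_bytes(16)
        self._passwords[user] = (salt, _hash(password, salt))

    def login(self, user, password):
        salt, digest = self._passwords.get(user, (b"\0" * 16, b""))
        if not hmac.compare_digest(_hash(password, salt), digest):
            return None  # unknown user or wrong password
        token = secrets.token_urlsafe(32)
        self._sessions[token] = user
        return token

    def is_valid(self, token):
        return token in self._sessions

    def change_password(self, token, new_password):
        """Rotate the password, drop ALL the user's sessions, re-issue the caller's."""
        user = self._sessions.get(token)
        if user is None:
            return None
        self.set_password(user, new_password)
        for t in [t for t, u in self._sessions.items() if u == user]:
            del self._sessions[t]  # the 'other browser/computer' is logged out
        new_token = secrets.token_urlsafe(32)
        self._sessions[new_token] = user  # only the changing client stays in
        return new_token

def demo_flow():
    """Reported steps: log in as 'Chrome' and 'Firefox', change password from Chrome."""
    store = SessionStore()
    store.set_password("alice", "old-pass")
    chrome = store.login("alice", "old-pass")
    firefox = store.login("alice", "old-pass")
    chrome = store.change_password(chrome, "new-pass")
    return store.is_valid(chrome), store.is_valid(firefox)
```

demo_flow returns (True, False): the browser that changed the password keeps a fresh session while the other is logged out, which is the behaviour the report says is missing.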