Topic: SCAM ALERT: Bug/Vulnerability Bounty Blackmail (Beg Bounty)

[kat]

There's another relatively new fear marketing ^[1]/blackmail email scam doing that rounds in which someone claiming to be an *cough*ethical white-hat hacker*cough* sends an unsolicited report, from an anonymous email account, stating they've found "critical" website or email service bug(s) or vulnerability(ies) and wants a reward for bringing them to the victim's attention (essentially exploiting legitimate 'bug bounty' schemes with what is euphemistically referred to as a 'beg bounty').

Initially reports tend to relate to common website iframe (x-frame bypass), or email (DNS service, DMARC, SPF or DKIM) issues that can be discovered using tools freely available online ^[2], potential misconfigurations that might make it easier to spoof an email or gain unauthorised third-party ^[3] use of, or access to, services or content they wouldn't ordinarily be able to; malicious users (re)hosting webpage content within an iframe plastered with adverts from which they earn click-revenue (click-jacking) for example, or email spammers able to access mail servers to send unsolicited junk or mass-mailings from an address they don't actually control, often without the service owner's knowledge.

While these can be legitimate concerns they can thankfully be dealt with in any number of more fruitful ways than the type of unsolicited Bug Bounty Blackmail (beg bounty) that typically escalates in severity once the scammer knows they have a responsive target or victim; over time the scammer reports more bugs alleged to be increasingly severe, that only they can fix or provide information for, while demanding greater and larger rewards, or else ^[4].

Messages like this are a 'crap-shoot' for their authors however, as they are often little more than edited copy/paste boiler-plate texts or templates downloaded from internet, modified with the victim's details swapped in using a script that pulls the information from a scraped of harvested mailing list.

Needless to say, if there are concerns about the veracity of the bug or vulnerability disclosed, the best course of action is to get in touch with a business or professional that can check what's reported, and advise or action it appropriately.

In other words, a genuine, professional, security consultant wouldn't send a poorly written email, from an anonymous Gmail, Hotmail or other throwaway account, absent contact and/or business information, demanding payment for something, never mind a response.


Footnotes:

1: Fear marketing or fear appeal is a form of manipulative marketing that uses fear as a means of persuading the target into taking action they might not otherwise engage in, the blackmail then being the threat of consequence if a 'reward' or payment for action/disclosure is not paid.

2: For more on x-frame bypass see here https://www.google.com/search?q=X-Frame-Bypass+check, for more on SPF, DKIM, DMARC configurations check here https://www.google.com/search?q=spf+dkim+dmarc+check

3: Spoofing email addresses does not require unauthorised service access; the address emails appear to be from, the 'From' address or identifier displayed in an email's header, is just a text string that can be an email address, a person's name or other label, and can be altered in Outlook or other email client.

4: Unless a server or service is significantly compromised scammers are not 'hacking' services but instead taking advantage of knowledge deficits and 'social engineering' techniques to coerce compliance from the victim.

[kat]

A typical example of a Beg Bounty (bug bounty) scam email;

Hi Team,
I am an independent security researcher and I have found a bug in your website   [website/domain]

The details of it are as follows:-

Description:  
This report is about a misconfigured SPF record flag, which can be used for malicious purposes as it allows for fake mailing on behalf of respected organizations.

About the Issue:
As i seen the SPF and TXT record for 
[website/domain]
which is:

DMARC Policy Not Enabled

As u can see that you Weak SPF record, as valid record should be like:-

DMARC policy enabled

What's the issue:
As u can see in the article below the difference between soft-mail and fail you should be using fail, as Soft-mail allows anyone to send spoofed emails from your domains.
 
Attack Scenario: 
An attacker will send phishing mail or anything malicious mail to the victim via mail: 
[website/domain email]
Even if the victim is aware of a phishing attack , he will check the origin email which came from your genuine mail id 
[website/domain email]
so he will think that it is genuine mail and get trapped by the attacker.
The attack can be done using any PHP mailer tool like this:-

<?php
$to = "VICTIM@example.com";
$subject = "Password Change";
$txt = "Change your password by visiting here - [VIRUS LINK HERE]l";
$headers = "From: 
[website/domain email]
";mail($to,$subject,$txt,$headers);
?>

U can also check your SPF record form: 

[link to 3rd-party service-checking tool]

Reference:
[link to 3rd-party article lending 'authority' to the report]

Have a look at the digital ocean article for a better understanding!

Waiting for your reply.

Regards,
[bug/beg bounty scammer].


[images included below captured from above linked tool, referencing the parent domain name, to lend 'authority' to the report]



[image of 'fake' email using locally changed "From" address]

[kat]

Another bug bounty scam/scammer.

Hey Team,

I'm a penetration tester and bug bounty hunter. I have discovered multiple vulnerabilities on your site. I've reported one of my findings so that you can review it, as well as fix this issue.

Please review the report below.

Vulnerability: Broken Authentication & Session Management
We have observed that when we change "password" from one browser in place of session expiration from another browser it just updates the password from another browser and the old session gets updated without being logged out. The flows goes like this:
Broken Authentication and Session Management > Failure to Invalidate Session > On Password Change
Steps:
1- Login from two browsers at a time [From Chrome browser and from Mozilla Firefox].
2- Change password in settings from chrome browser.
3- Now Check Mozilla Firefox.
4- Your Session got "updated" in place of expiration.

Same goes with when using two different computer systems.
1- Login from two computers at a time
2- Change password in settings from computer A.
3- Now Check computer B.
4- Your Session got "updated" in place of expiration.

Recommendations: If Session is Updating from one Browser/Computer so other should expire first to renew session after login.

If you require any additional information, please let me know. I'll be waiting to hear from your side regarding the report and bounty. I'll share my other findings as well, once I've heard back from you.

Regards,
[fake name]

[kat]

Another bug bounty scammer, this time with a LinkedIn profile (not shown) claiming to have found a domain vulnerability due to a missing DMARC record. The scam here is claiming a quarantine policy setting (intentionally set the way it is) as a missing DMARC record while including screenshots confirming the scams. In other words, someone knowledgeable of 'IT' and/or 'security' would know the difference, and what the report actually means.

From
Ali Azhar thewhitehat862@gmail.com

Subject
VULNERABILITY REPORT- DMARC RECORD MISSING.

Body
What Is DMARC:

There is an email spoofing vulnerability.Email spoofing is the forgery of an email header so that the message appears to have originated from someone or somewhere other than the actual source. Email spoofing is a tactic used in phishing and spam campaigns because people are more likely to open an email when they think it has been sent by a legitimate source. The goal of email spoofing is to get recipients to open, and possibly even respond to, a solicitation.

How To Reproduce:
1.GO TO- https :// mxtoolbox.com/
2.ENTER THE WEBSITE ( https://www.katsbits.com/ ).CLICK GO.
3.YOU WILL SEE THE FAULT (No DMARC Record found)
4.In the new page that loads change MXLookup to DMARCLookup
POC-ATTACHED IMAGE

POC





Spammers can forge the "From" address on email messages to make messages appear to come from someone in your domain. If spammers use your domain to send spam or junk email, your domain quality is negatively affected. People who get the forged emails can mark them as spam or junk, which can impact authentic messages sent from your domain.

[signature image]