Bogus Bug Reports as Phishbait, Scams

Bogus Bug Reports as Phishbait, Scams

Posted by HSSL Systems Integrator on Feb 19th 2021

Some bug bounty seekers are using extortionist or fear-mongering tactics in an effort to get paid for reporting trivial flaws, according to Chester Wisniewski at Sophos. He calls them “beg bounty” attempts. Wisniewski explains that, “‘Beg bounty’ queries run the gamut from honest, ethical disclosures that share all the needed information and hint that it might be nice if you were to send them a reward, to borderline extortion demanding payment without even providing enough information to determine the validity of the demand.”

For example, some of these individuals use automated scanners to identify websites that don’t have DMARC enabled, then send a copy-and-pasted notification to each website’s owner.

“They claim to have found a ‘vulnerability in your website’ and then go on to explain that you do not have a DMARC record for protection against email spoofing,” Wisniewski writes. “That is neither a vulnerability nor is it in your website. While publication of DMARC records can help prevent phishing attacks, it is not an easy policy to deploy, nor is it high on the list of security tasks for most organizations.”

While some of these people are probably well-meaning, others are clearly scammers seeking to frighten victims into paying. Even in the cases where real vulnerabilities were identified, the flaws were minor and not worthy of a bounty payout. Additionally, many of the targeted organizations didn’t have bug bounty programs set up in the first place. Wisniewski thinks small businesses are most at risk of falling for these tactics.

“There are reports that paying beg bounties leads to escalating demands for higher payments,” Wisniewski says. “One organization apparently said it started out at $500 and then, as further bugs were reported, the senders quickly demanded $5,000 and were more threatening.”

If you do have a bug bounty program, you’ll know about it. And if you don’t, let your people know that, too, so they don’t fall victim to this...what? Grey hat scam? Not all scams come in black and white.