Bug bounty programs are designed to uncover vulnerabilities, and they reward those who do so. But more and more free riders are reporting "weaknesses" in SME websites that are not weaknesses at all, hoping to cash in as emergency helpers.
Companies are increasingly using bug bounty programs to uncover potential security vulnerabilities. The flourishing business has also attracted criminally motivated free riders: the so-called "beg bounty hunters", who primarily target small companies.
Bug bounty programs exploited
With increasing digitalization, software vendors are putting more effort into finding bugs in their own products so they can close potential doors for cyber attacks. To this end, many companies have launched so-called bug bounty programs, which reward the responsible detection and reporting of significant security gaps. But as is so often the case with popular concepts, fraudsters are never far behind, and they go on a "begging tour" with little understanding of IT security and dubious methods. These crooks, hence also known as "beg bounty hunters", report fake bugs and misconfigurations, exaggerate the risk, and try to cash in as emergency helpers, mostly at the expense of smaller companies.
Alleged weak points that are none at all
“The squad of beg bounty hunters is extensive, with very different intentions, from ethical and well-intentioned to borderline or downright criminal,” said Chester Wisniewski, Principal Threat Researcher at Sophos. “The fact is, however, that none of the 'vulnerabilities' that I examined in this context were worth paying for. There are millions of poorly secured websites, and many of the domain owners don't know how to improve security. This target group in particular can easily be intimidated and talked into dubious services with correspondingly professional-sounding messages about potential security gaps. Recipients of such e-mails should take them seriously, because they can indicate a dangerous security situation, but they should under no circumstances agree to the service offered. In such a case, it makes more sense to ask a trustworthy local IT partner to assess the situation so that any existing dangers can be eliminated.”
Beg bounty hunters and their tactics
Since last year there have been increasing reports, especially from small companies, that alleged security experts have contacted them about weaknesses in their website. Sophos forensics experts analyzed some of these offers: in each of the examples, the alleged "vulnerability report" or "beg bounty" was sent by the self-styled security expert to an e-mail address that was publicly available on the recipient's website. It can therefore be concluded that the messages are produced by a combination of automated scanning for alleged security gaps or misconfigurations, pasting the scan results into an e-mail template, and sending the result to whatever contact address was scraped from the site, all with the aim of collecting a fee for solving the "problem".
Brazen prices for small fixes
The price range for the examined beg bounty messages ran from US$150 to US$2,000 per "finding", depending on the claimed severity. In addition, the research revealed that an initial payment for one vulnerability sometimes led to an escalation of demands for further vulnerabilities: the "experts" suddenly asked for US$5,000 to fix additional alleged security gaps, and the communication became more aggressive.
A brazen move: an example
One of the examples that Sophos analyzed opens with a false statement. The beg bounty hunter claims to have found a vulnerability on the addressee's website and explains that there is no DMARC record to protect against e-mail spoofing. However, this is neither a vulnerability nor does it have anything to do with the website: DMARC is a DNS TXT record that tells receiving mail servers how to treat messages claiming to come from the domain, and it says nothing about the security of the web application itself. Publishing DMARC records can help limit phishing that impersonates the domain, but doing it properly is a multi-step task that is not high on the list of security priorities for most small organizations. And even if the record really is missing, the beg bounty e-mail presents the issue as far more serious than it is in order to push the recipient into paying a reward.
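A recipient of such an e-mail can verify the DMARC claim themselves in a minute instead of paying for it. The following is an added example, not code from the Sophos article: a small parser that splits a DMARC TXT record into its tags and states what the published policy actually means for spoofed mail. The sample records are constructed for illustration; for a live check, fetch the TXT record for `_dmarc.<your-domain>` with your resolver (for example `dig TXT _dmarc.example.com`) and pass the string in.

```python
"""Triage a "missing DMARC record" claim offline.

Added example, not from the Sophos article. DMARC (RFC 7489) is published as a
DNS TXT record at _dmarc.<domain>. The functions below operate on the record
string so they run without network access; the sample records are constructed.
"""
from __future__ import annotations

# Constructed sample TXT records (not taken from any real domain).
SAMPLE_RECORDS: dict[str, str | None] = {
    "none": None,                                        # no _dmarc TXT record at all
    "monitor": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "quarantine": "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@example.com",
    "reject": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s",
    "malformed": "v=DMARC1; rua=mailto:dmarc@example.com",  # required p tag missing
    "spf_not_dmarc": "v=spf1 include:_spf.example.com -all",  # an SPF record, not DMARC
}


def parse_dmarc(record: str | None) -> dict[str, str] | None:
    """Split a DMARC TXT record into lower-cased tag -> value pairs.

    Returns None when there is no record, or when the record is not DMARC
    (RFC 7489 requires the first tag to be v=DMARC1).
    """
    if not record:
        return None
    tags: dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def assess_dmarc(record: str | None) -> str:
    """Say what the record means for mail that fails DMARC alignment.

    None of these outcomes is a *website* vulnerability; they only describe how
    receiving mail servers handle messages claiming to be from the domain.
    """
    tags = parse_dmarc(record)
    if tags is None:
        return "no DMARC record: receivers apply no DMARC policy to mail from this domain"

    policy = tags.get("p", "").lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100

    if policy == "none":
        return "monitor-only (p=none): failing mail is reported but still delivered"
    if policy == "quarantine":
        return f"quarantine: {pct}% of failing mail is sent to spam"
    if policy == "reject":
        return f"reject: {pct}% of failing mail is refused"
    # RFC 7489 s6.6.3: no valid p tag -> treat as p=none if a rua URI exists,
    # otherwise apply no DMARC processing at all.
    if tags.get("rua"):
        return "malformed (no valid p tag) but rua present: receivers treat it as p=none"
    return "malformed (no valid p tag) and no rua: receivers ignore the record"


if __name__ == "__main__":
    for name, record in SAMPLE_RECORDS.items():
        print(f"{name:14s} {record!r}")
        print(f"{'':14s} -> {assess_dmarc(record)}")
```

Whatever the outcome, the check only tells you how other people's mail servers will treat messages forged in your domain's name; it says nothing about whether your website can be attacked, which is exactly why the "website vulnerability" framing in the beg bounty e-mail is misleading.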
More on this at Sophos.com
About Sophos
More than 100 million users in 150 countries trust Sophos. We offer the best protection against complex IT threats and data loss. Our comprehensive security solutions are easy to deploy, use and manage, and they offer the lowest total cost of ownership in the industry. Sophos offers award-winning encryption solutions as well as security solutions for endpoints, networks, mobile devices, e-mail and the web. These are backed by SophosLabs, our global network of in-house analysis centers. Sophos is headquartered in Boston, USA and Oxford, UK.