Skip to content
Naked Security Naked Security

Beware of technical “experts” bombarding you with bug reports

Beware pseudo-geeks bearing 'gifts'.

We’re all appalled at scammers who take advantage of people’s fears to sell them products they don’t need, or worse still products that don’t exist and never arrive.

Worst of all, perhaps, are the scammers who offer products and services that do exactly the opposite of what they claim – making their victims pay up simply to make them even easier to defraud in future.

Well-known cyberexamples of this sort of fraud include:

  • Fake technical support incidents. These are the web popups or the phone calls you get out of the blue that report ‘viruses’ on your computer, and persuade you to ‘hire’ the services of an online ‘expert’ to remove them. Often these victims are lonely, vulnerable, and particularly ill-placed to deal with the financial loss. The scammers then target those individuals repeatedly and, in some cases we have heard, with ever-increasing aggression.

    LISTEN NOW – HOW TO AVOID TECH SUPPORT SCAMS

    Note. Podcast originally recorded in 2010. You can also listen directly on Soundcloud.

  • Fake home delivery scams. These are typically emails or SMSes (text messages) that say a delivery has been delayed. Thanks to coronavirus restrictions, many more people are relying on home deliveries than a year ago, so it feels pretty harmless to click the link you’ve been given. However, you end up on a fake web site that goes after your password or credit card details.
  • Fake purchase notifications. Apple is one of the most targeted brands here, along with other household names such as Amazon and Netflix. Given that the amount of the transaction is often quite modest, it feels harmless enough simply to contest it online, using the handy but fraudulent phishing link included.
  • Fake fraud warning calls. Vishing, or phishing via voice, is a variant on the previous fake purchase scams, where a synthetic voice recites an item that you didn’t buy, and then offers you a chance to ‘press 1 to contest this purchase’. You end speaking to a call centre where scammers with the gift of the gab talk you into handing over credit card data to ‘fix’ a mistake that never happened.
  • Fake overdue account warnings. Like fake delivery notices, these are commonly received via SMS so that the crooks only need to come up with a brief note in abbreviated English. The accounts involved are often ones you expect to pay automatically, such as monthly phone and utiliy bills, and the scammers aim to lure you to a fake website to defraud you.

Beware “beg bounties”

Well, there’s a new kid on the technoscammology block: bogus bug reports!

Sophos researcher Chester Wisniewski has dubbed these “beg bounties”, because they’re unsolicited messages that are begging for your attention, and we suggest that you read his excellent writeup to find out what these beggars are up to:

You probably know that many companies these days have a way for bug hunters – some of whom make their living from figuring out out security holes in corporate websites and software – to report problems they’ve found, and potentially to get paid for their work.

As haphazard as this sounds, bug bounty programmes usually follow a well-structured format, and professional bug hunters work carefully within well-defined limits while they’re probing for holes.

The idea of so-called responsible disclosure policies (you can find bug submission instructions for Sophos on our main website) is that they give bug bounty hunters a realistic amount of freedom to explore for holes without getting prosecuted for illegal hacking.

At the same time, bug bounty programmes typically have sufficiently well-defined boundaries that they don’t offer a casual “get out of jail free” excuse that could be abused by criminals whose intention is not to help fix problems but to find and exploit them.

For example, if you want to go bug hunting on behalf of Sophos, you have to agree, amongst other things:

  • That you will not modify or destroy data that does not belong to you, which loosely means that you will try to act online in an environmentally sound way, much like a conscientious bushwalker who follows hiking guidelines to “take only pictures and leave only footprints”.
  • That you will make a good faith effort to avoid privacy violations as well as destruction, interruption or segregation of our services, which loosely means that you will do your best to prove your point without harming anyone else.
  • That you will allow [us] an opportunity to correct a vulnerability within a reasonable time frame before publicly disclosing the identified issue, which implies that your motivation, over and above getting a bounty, is to improve security and close holes rather than figuring out exploits in order to abuse them.

Note that the idea of bug hunting is not simply to show that you can break things if you want, like a street vandal who has figured out that you can smash up a bus shelter with a baseball bat, but to find and document real-world flaws with sufficiently scientific rigour that they can be traced down and fixed.

The professional bug hunting community, therefore, has become a largely self-regulating group.

If you don’t have the right level of expertise, you’ll find it hard to come up with work of sufficient quality to to make your evidence repeatable and reliable; if you don’t have the right level of morality, you’ll find it hard to play fair enough to qualify for the bounty anyway, and difficult to get accepted by the commnunity.

Baffle them with technobabble

Chester’s so-called “beg bounty hunters” don’t care about any of this, because their modus operandi goes something like this:

  • Find the technical contact for a company or website.
  • Produce some technobabble text that claims to have found a vulnerability, possibly supported by a scary-sounding description copied and pasted from a security scanning tool (or even just from Wikipedia or a similar community website).
  • Mail the technobabble across, together with some sort of thinly-disguised demand either for a contract gig to ‘fix’ the ‘vulnerability’, or for payment for ‘finding’ the ‘hole’, or both.

The examples in Chester’s article give you a good idea of the nebulous way that these bluffers operate.

Some of these chancers, to be scrupulously fair, may genuinely consider themselves to be bug hunters with sufficient skills to help you secure your network better, and may not actually be charlatans or criminals operating with malice aforethought.

One of the sample “beg bounties” that Chester dissected, for example (we’ve received one of these ourselves), tells you that you have a security hole in your website, but backs up the claim with some copied-and-pasted waffle about a security technology that applies to email servers.

So the most generous interpretation of this “beg bounty” report is that the sender is technically incompetent almost without limit, and ought not to be allowed near your network to do cybersecurity work.

Other beg bounty chancers, it’s fair to say, are unreconstructed scaremongers who are trying it on without going quite as far as saying “pay up or else”, which would be blackmail.

Clearly, they’re not the sort of people you could trust near your network, either.

What to do?

Here’s Chester’s advice:

  • Don’t reply to unsolicited offers to ‘fix’ your network. Treat these charlatans like the fake technical support scammers we mentioned above, who call out of the blue and bully you into accepting and paying for ‘help’ you can’t trust and didn’t need.
  • Contact a local trustworthy firm to assess your security weaknesses. Look for a team that will work with you to help you improve your security situation from first principles.

After all, if there is any truth in an alleged security hole that a self-proclaimed bounty hunter reported to you, a trustworthy security and penetration testing company should find it and help you to fix it properly.

But if the alleged vulnerability is made-up garbage, a trustworthy cybersecurity partner will figure that out too, and stop you wasting money on a ‘precaution’ that does nothing except to give you a false sense of security.


4 Comments

I haven’t had any “beg bounties” come my way, but I’ve certainly sent information to website owners or contacts when I have noticed that they were either hosting malicious content (i.e. someone hacked their site and is using malicious PHP scripts to infect, redirect, scam, etc.), their login page or other sensitive pages were running HTTP instead of HTTPS, or their site was misconfigured in some manner that allowed information leaks of sensitive information. Not once have I asked for payment or acknowledgement.

For my efforts I’ve received threats of a lawsuit, complete lack of response, and sometimes thanks for pointing out the issues. The lawsuit threat amused me, actually, since I knew it was 100% bluff. The threatening company contacted me after they had a fix in place and that was the last I heard from them.

At this point I mostly limit my interactions to sites that I interact with as part of my job. Thankfully these are the ones that give thanks and fix the issues.

Thanks for the article. Never heard of beg bounties occurring before, but it makes sense when looking at the amount of scam attempts these days.

PS: The last two sentences of “beware beg bounties”: quality -> qualiFy (?), commnuity -> commUNity.

This rather reminds me of the professional scammers in the same field.
People running e-commerce websites are required by their banks to have their security verified (PCI).
The banks farm this work out to private companies (no doubt at a very low price) who then find security issues. They give scant details of what they have found, and suggest that the business takes out a support contract so they can help the business fix it.
At this point, the business usually contacts me (I host their websites) and I look at the “vulnerability”.
To date, every hole has been non-existent, or unfixable using current technology. When I point this out to the scammers, they back down and sign off the PCI approval.
This is extortion fraud as far as I can see.

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?