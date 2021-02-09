

Experts Warn of “Beg Bounty” Extortion Attempts

Sophos has warned businesses to be on the lookout for unsolicited and often generic emails attempting to extract a bug bounty from them with borderline extortion tactics.

So-called “beg bounty” messages typically involve automated scanning for basic misconfigurations or vulnerabilities, followed by a cut-and-paste of the results into a pre-defined email template, explained Sophos principal research scientist, Chester Wisniewski.

Small businesses are the typical targets: they usually have no bug bounty program at all, and the senders appear to believe that precisely this makes them more likely to pay.

“Beg bounty queries run the gamut from honest, ethical disclosures that share all the needed information and hint that it might be nice if you were to send them a reward, to borderline extortion demanding payment without even providing enough information to determine the validity of the demand,” said Wisniewski.

“Knowing these businesses did not have a bug bounty program and in fact probably didn’t even know what code ran their website, it seemed odd for a legitimate researcher to be wasting their time on the smallest fish in the pond.”

The Sophos scientist gathered and analyzed a handful of sample beg bounty emails, which varied widely in professionalism. Some leaned more towards extortion, and one was factually wrong, describing an organization's missing DMARC record as a "vulnerability in your website." DMARC is an email-authentication policy published in DNS; it governs how receivers treat mail claiming to come from the domain and says nothing about the security of the website itself.

Wisniewski also pointed to reports that engaging with the sender can lead to a slew of further bug reports and demands for more payment.

He urged small business owners to take the emails and the issues they raise seriously, but not to engage with the sender, and instead to seek out a reputable security provider.

“Most of the bugs that were found were not even bugs. They were simply internet scans that discovered the lack of an SPF or DMARC record. Others were genuine vulnerabilities that could be easily found without skill by using freely available tools,” he concluded.

“None of the vulnerabilities I investigated were worthy of a payment. The problem is that there are millions of poorly secured sites owned by small businesses that don’t know any better and are intimidated into paying for services out of fear.”
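The checks these emails rest on are cheap to reproduce yourself, which is the fastest way to test a claim before deciding whether it merits any reply. The script below is an added example, not code from Sophos or from the article: it looks at the two DNS TXT records the article says most of these reports boil down to (the domain's SPF record and the record at `_dmarc.<domain>`) and reports what an internet scan would have flagged, graded by what it actually means. Live lookups assume the third-party dnspython package is installed; the assessment logic runs on plain lists of TXT strings, and the domain names and records in the embedded sample are constructed for the example.

```python
"""Triage a "beg bounty" claim about missing SPF/DMARC records.

Added example, not Sophos's or Infosecurity Magazine's code. The findings
describe exposure to forged mail sent *in the domain's name*; none of them
is a website vulnerability, and none indicates a compromise.
"""
import re
import sys


def spf_records(txt_records):
    """Return every TXT string that is an SPF record (starts with v=spf1)."""
    return [r for r in txt_records if r.strip().lower().startswith("v=spf1")]


def parse_dmarc(txt_records):
    """Parse tag=value pairs from the TXT record at _dmarc.<domain>.
    Returns {} when no DMARC record exists."""
    recs = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if not recs:
        return {}
    tags = {}
    for part in recs[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(domain, spf_txt, dmarc_txt):
    """Classify what a scanner would flag. Returns [(severity, message), ...]
    with severity 'info', 'low' or 'medium'; an empty list means both
    records are present and reasonably configured."""
    findings = []

    spf = spf_records(spf_txt)
    if not spf:
        findings.append(("medium", "no SPF record for %s" % domain))
    elif len(spf) > 1:
        # RFC 7208 section 3.2: more than one record is a permanent error,
        # which receivers treat as if no usable SPF existed.
        findings.append(("medium", "multiple SPF records for %s (permerror)" % domain))
    else:
        rec = spf[0].lower()
        # The qualifier on the terminal "all" decides what unlisted senders get.
        m = re.search(r"(?:^|\s)([-~?+]?)all\s*$", rec)
        if m and m.group(1) in ("+", ""):
            findings.append(("medium", "SPF ends in +all, which authorises every sender"))
        elif m and m.group(1) == "?":
            findings.append(("low", "SPF ends in ?all (neutral), so unlisted senders are not failed"))
        elif not m and "redirect=" not in rec:
            findings.append(("low", "SPF has no terminal all mechanism; unlisted senders pass as neutral"))

    dmarc = parse_dmarc(dmarc_txt)
    if not dmarc:
        findings.append(("medium", "no DMARC record at _dmarc.%s" % domain))
    else:
        if dmarc.get("p", "none").lower() == "none":
            findings.append(("low", "DMARC p=none only monitors; spoofed mail is still delivered"))
        if "rua" not in dmarc:
            findings.append(("info", "DMARC has no rua= address, so no aggregate reports are received"))
    return findings


def lookup_txt(name):
    """Live DNS lookup. Assumes dnspython (pip install dnspython); not used
    by the offline sample below."""
    import dns.resolver  # third-party package, assumed installed
    out = []
    try:
        for rr in dns.resolver.resolve(name, "TXT"):
            out.append(b"".join(rr.strings).decode("utf-8", "replace"))
    except (dns.resolver.NoAnswer, dns.resolver.NXDOMAIN):
        pass
    return out


def check_domain(domain):
    """Assess a real domain using live DNS (requires network and dnspython)."""
    return assess(domain, lookup_txt(domain), lookup_txt("_dmarc." + domain))


# Constructed sample records for a fictional domain (not from any real site).
SAMPLE_OK = {
    "example.test": ["v=spf1 include:_spf.mailhost.example -all", "site-verification=abc123"],
    "_dmarc.example.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.test"],
}
SAMPLE_BARE = {
    "example.test": ["site-verification=xyz789"],
    "_dmarc.example.test": [],
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = check_domain(sys.argv[1])
    else:
        results = assess("example.test", SAMPLE_BARE["example.test"], SAMPLE_BARE["_dmarc.example.test"])
    for severity, message in results or [("info", "SPF and DMARC both present and configured")]:
        print("[%s] %s" % (severity, message))
```

Run it with your own domain as the first argument to see what a scanner sees, or with no argument to run against the constructed sample. A "medium" result here is worth fixing, since it lets anyone send mail that appears to come from the domain, but it is the kind of thing a free online checker reports in seconds; it is not a website flaw and not a reason to pay an unsolicited sender.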
