Sophos has warned businesses to be on the lookout for unsolicited and often generic emails attempting to extract a bug bounty from them with borderline extortion tactics.
So-called “beg bounty” messages typically involve automated scanning for basic misconfigurations or vulnerabilities, followed by a cut-and-paste of the results into a pre-defined email template, explained Sophos principal research scientist, Chester Wisniewski.
Small businesses are typical targets: they have no bug bounty program, and perhaps for that very reason the senders believe they are more likely to pay.
“Beg bounty queries run the gamut from honest, ethical disclosures that share all the needed information and hint that it might be nice if you were to send them a reward, to borderline extortion demanding payment without even providing enough information to determine the validity of the demand,” said Wisniewski.
“Knowing these businesses did not have a bug bounty program and in fact probably didn’t even know what code ran their website, it seemed odd for a legitimate researcher to be wasting their time on the smallest fish in the pond.”
The Sophos scientist was able to gather and analyze a few sample beg bounty incidents, which featured varying degrees of professionalism. Some leaned more towards extortion, and one contained factually inaccurate information, describing an organization's lack of DMARC as a "vulnerability in your website." DMARC is an email authentication policy published as a DNS TXT record; its absence makes it easier to spoof the domain in email but says nothing about the security of the website itself.
Wisniewski warned of reports claiming that engaging with the bounty hunter could lead to a slew of further bug reports and demands for more payment.
He urged small business owners to take the emails and the issues they raise seriously, but to not engage with the sender, and instead seek out a reputable security provider.
“Most of the bugs that were found were not even bugs. They were simply internet scans that discovered the lack of an SPF or DMARC record. Others were genuine vulnerabilities that could be easily found without skill by using freely available tools,” he concluded.
“None of the vulnerabilities I investigated were worthy of a payment. The problem is that there are millions of poorly secured sites owned by small businesses that don’t know any better and are intimidated into paying for services out of fear.”
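The "missing SPF or DMARC record" finding that these emails are built on can be verified in a minute without paying anyone. The script below is an added example written for this article, not code from Sophos or the Wisniewski research: it parses the DNS TXT records a scanner would have fetched for a domain and for `_dmarc.<domain>` and reports what the finding actually means. The sample records and the `.test` domain names are constructed; the optional `lookup()` helper assumes the third-party `dnspython` package is installed.

```python
"""Triage the "no SPF / no DMARC" claim from a beg-bounty email.

Added example for this article, not from the Sophos research.  The
records in SAMPLES are constructed; nothing here touches the network
unless lookup() is called.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample data: TXT records at the apex and at _dmarc.<domain>.
SAMPLES = {
    "hardened.test": {
        "txt": ["v=spf1 include:_spf.mailhost.test -all", "site-verification=abc123"],
        "dmarc": ["v=DMARC1; p=reject; rua=mailto:dmarc@hardened.test"],
    },
    "smallbiz.test": {  # the typical beg-bounty target: no SPF, no DMARC at all
        "txt": ["site-verification=xyz789"],
        "dmarc": [],
    },
    "sloppy.test": {  # records exist but protect nothing
        "txt": ["v=spf1 +all", "v=spf1 -all"],
        "dmarc": ["v=DMARC1; p=none"],
    },
}


@dataclass
class MailAuthFinding:
    domain: str
    spf_records: List[str]
    spf_all: Optional[str]          # qualifier on the "all" term: '+', '-', '~', '?' or None
    dmarc_policy: Optional[str]     # value of the DMARC p= tag, None if no record
    header_from_spoofable: bool     # True unless DMARC is at quarantine/reject
    verdict: str
    notes: List[str] = field(default_factory=list)


def spf_all_qualifier(record: str) -> Optional[str]:
    """Return the qualifier on the 'all' mechanism ('+' if unqualified), None if absent."""
    for term in record.split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"
    return None


def parse_dmarc_tags(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=...' into a lowercase tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def triage(domain: str, txt_records: List[str], dmarc_txt_records: List[str]) -> MailAuthFinding:
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    dmarc = [r for r in dmarc_txt_records if r.lower().startswith("v=dmarc1")]
    notes: List[str] = []

    spf_all = None
    if not spf:
        notes.append("no SPF record: receivers cannot tell which hosts may send for this domain")
    else:
        if len(spf) > 1:
            # RFC 7208 allows exactly one record; receivers return permerror otherwise
            notes.append("multiple v=spf1 records: receivers treat this as permerror, i.e. no SPF")
        spf_all = spf_all_qualifier(spf[0])
        if spf_all == "+":
            notes.append("SPF ends in +all: every host on the internet passes")
        elif spf_all in ("?", None):
            notes.append("SPF gives a neutral result for unlisted hosts: no real protection")

    policy = None
    if not dmarc:
        notes.append("no DMARC record: receivers get no policy for failing mail and you get no reports")
    else:
        policy = parse_dmarc_tags(dmarc[0]).get("p", "").lower() or None
        if policy == "none":
            notes.append("DMARC p=none: monitoring only, spoofed mail is still delivered")
        elif policy not in ("quarantine", "reject"):
            notes.append("DMARC record is malformed or has no p= tag")

    spoofable = policy not in ("quarantine", "reject")
    verdict = ("email spoofing hygiene gap in DNS TXT records, not a website vulnerability; "
               "publish SPF with -all and move DMARC to p=reject" if spoofable
               else "no finding: SPF and DMARC are enforced")
    return MailAuthFinding(domain, spf, spf_all, policy, spoofable, verdict, notes)


def lookup(domain: str) -> MailAuthFinding:
    """Live variant; assumes the third-party dnspython package is installed (not required above)."""
    import dns.resolver

    def txt(name: str) -> List[str]:
        try:
            return [b"".join(r.strings).decode() for r in dns.resolver.resolve(name, "TXT")]
        except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
            return []

    return triage(domain, txt(domain), txt("_dmarc." + domain))


if __name__ == "__main__":
    for name, recs in SAMPLES.items():
        f = triage(name, recs["txt"], recs["dmarc"])
        print(f"{name}: {f.verdict}")
        for note in f.notes:
            print("  -", note)
```

Run it on the constructed samples, or call `lookup("yourdomain")` to check a real one. If the output is "no finding", the email is noise; if it lists gaps, they are worth fixing through your DNS provider or a reputable security provider, but they are the same facts a free scanner gives away and not something to pay a stranger for.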