This time we’re looking at a type of email where someone contacts you, out of the blue, saying there’s something wrong/vulnerable/insecure with your site – but they won’t tell/give you a report, unless you pay them…
Many companies (mostly large ones) have proper channels (sometimes called a Bug Bounty) where people who find problems can report them, and sometimes there’s compensation for doing so. However, as you’ll see below, that wasn’t the case with this email.
It came in from an ‘Elvin Isaac’ (I know this is a fake name, more below) who was using a Gmail account with his ‘name’ and some numbers in it, and the subject of the email was “Vulnerabilities in your site”. It went:
Hi team,
Hope that you’re doing all good and healthy. I would like to draw your attention to some of the vulnerabilities in your site which I would like to report.
Kindly provide me the email of the relevant team or person and let me know if there is any bug bounty program or reward regarding this disclosure of vulnerabilities, as this work requires both cost and time.
Regards
Elvin
I’ve seen emails like this before, so I played along…
Hi Elvin,
That doesn’t sound good! Please tell me more.
I quickly got this reply:
Hi,
We have found multiple issues in your site whose severity is low, medium and high. Kindly clarify: is there any payout if we disclose to you?
Regards
Ah, there we are, money… But I don’t offer a ‘bug bounty’ and can’t pay, so I said so.
Oh dear. Sorry, I can’t afford to pay anything.
Can you tell me anymore? What company are you with?
Again, quickly, a reply came in:
Hi,
If you pay, like $100, then I will submit all my reports to you. By the way, I am an individual cyber analyst; if you want my LinkedIn, kindly let me know.
So I replied…
Hmmm, as I said I can’t pay. Why can’t you tell me without paying?
Can you give me an idea of the sorts of issues you’ve found? What’s your LinkedIn link?
That got this reply:
If you pay then I will disclose, otherwise no, because I work hard for that and spent my time also. This is my [Link removed for privacy but it was for someone with a completely different name!].
So I replied, asking if he can tell me, even the smallest bit of information:
Thanks for the link.
Why is the name on your email address Elvin Isaac but on LinkedIn your name is [name removed for privacy]? I find that a rather odd thing for an IT professional to do.
I also work hard for my money. How do I know that your reports are worth anything?
Can you give me any idea of the vulnerabilities? Are they about the site? The SSL? Emails? Any little bit of information like that?!
That got this reply:
Hi,
I use this mail for clients; if you want to contact me, you can contact me directly on LinkedIn also. Yes, all reports are worth the money. You can see my recommendations as well, if there is any trust issue. If you are ready to pay, I will submit my reports to you.
So, that’s a no then. I have to trust this random person with at least $100 before they’ll tell me anything. Hmmm. So I replied:
Hi,
OK, but I still find it very strange that an IT professional would use a random Gmail account, rather than a professional (domain) based one. The only time I normally see emails like that being used is by spammers!
Also, why is the ’to’ in your original email set to ‘undisclosed-recipients’, rather than directly to me? Is it because you sent this email out to lots of sites/organisations/people at the same time? That could appear to look like broadcast spam!
Again, can you not tell me anything about the kind of vulnerabilities you say you’ve found?
I know many (normally larger) companies have open ‘bug bounty’ programs. They normally publicise these and have formal routes for reporting and payment.
You say that you’re an ethical hacker. However, it could be argued that (bulk) emailing people out of the blue, claiming you know about vulnerabilities but not disclosing any information until you get money is tantamount to a ransom note or even extortion!
That doesn’t seem very ethical to me. Surely the ethical thing to do is to individually contact organisations and disclose information up front?
If you are unwilling to even tell me any basic information about the kind of the vulnerabilities you are talking about, then I am no longer willing to continue this discussion.
Over a week later I’d had no reply, so I asked again.
Are you going to answer any of my questions? Can you tell me any of the types of vulnerabilities you say you’ve found?
Well, it’s been well over another week and nothing back from ‘Elvin’. So I guess he’s not interested in helping unless he gets money.
The LinkedIn profile appeared to show that the person that account belongs to had done some security work on sites and had a few recommendations. But I also have NO WAY of knowing that the account is the real identity of ‘Elvin’.
And they’re willing to send out emails to seemingly multiple people at the same time – that’s what having the ‘to’ in an email set to ‘undisclosed-recipients’ means.
And at no point did Elvin actually tell me WHAT site he was talking about. Was it my main business site? Was it this site? Was it one of my Christmas sites? I get emails for all of them through my main business email account…
I also don’t know that Elvin had found anything. He might have started looking for things once I’d paid some money!
So all of that left me rather suspicious. So I Googled the name ‘Elvin Isaac’.
The top result is another blog post from May 2022 by someone who received an identical email from Elvin! And from the partially obscured email on the post, that was a different junk email account. So ‘Elvin’ has at least two email accounts he sends these emails from… That doesn’t seem exactly ‘ethical’ to me.
And as I also said in one of my emails to ‘Elvin’:
You say that you’re an ethical hacker. However, it could be argued that (bulk) emailing people out of the blue, claiming you know about vulnerabilities but not disclosing any information until you get money is tantamount to a ransom note or even extortion!
As I also said in my email, and in this post, there are ‘bug bounties’. However, this kind of email can be classed as a ‘beg bounty’ when you only get threats about ‘vulnerabilities’ and no actual information without payment.
Any decent bug reporter will at least provide some basic information about anything they’ve found, so you can verify something and know whether it might be worth taking further.
People who send these types of emails generally use automated web scanners to find ‘vulnerabilities’. The most common findings are to do with SPF/DKIM records (which are about email authentication, not the website as such) and with SSL certificates.
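The signals the post keeps coming back to (a ‘to’ of undisclosed-recipients, a free webmail sender, a request for money up front, and no site, URL or issue ever named) can be checked mechanically before you spend any time on a reply. The script below is an added example, not code from the original post; both sample messages are constructed, loosely modelled on the exchange above, and the free-mail domain list and keyword patterns are assumptions you would tune to your own mail.

```python
"""Triage an unsolicited 'vulnerabilities in your site' email for beg-bounty
signals: a 'To' of undisclosed-recipients, a free webmail sender, a request
for payment before any detail, and no site or issue class named.
Added example, not part of the original post; both samples are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

# Free webmail providers (assumed list); a professional reporter normally
# mails from their own domain.
FREE_MAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "proton.me"}

# Asks for money or a bounty before giving any detail.
PAY_FIRST = re.compile(r"\b(?:bug bounty|bounty|payout|reward|pay(?:ment)?)\b|\$\d+", re.I)
# Anything a real report would name: a URL, a CVE id, or a recognisable issue class.
SPECIFICS = re.compile(
    r"https?://\S+|www\.\S+|CVE-\d{4}-\d+|"
    r"\b(?:xss|csrf|sqli|sql injection|spf|dkim|dmarc|tls|ssl|certificate)\b", re.I)


def _body_text(msg) -> str:
    """Concatenate the text/plain parts of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def triage(raw_message: str) -> dict:
    """Return the beg-bounty indicators found in one RFC 822 message."""
    msg = message_from_string(raw_message)
    reasons = []

    to_header = (msg.get("To") or "").lower()
    if not to_header or "undisclosed-recipients" in to_header:
        reasons.append("'To' is undisclosed-recipients: a bulk mailing, not a message to you")

    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain in FREE_MAIL_DOMAINS:
        reasons.append(f"sender uses a free webmail account ({domain})")

    text = (msg.get("Subject") or "") + "\n" + _body_text(msg)
    if PAY_FIRST.search(text):
        reasons.append("asks about payment or a bounty before giving any detail")
    if not SPECIFICS.search(text):
        reasons.append("names no site, URL, CVE or issue class that could be verified")

    return {"reasons": reasons, "suspicious": len(reasons) >= 2}


# Constructed sample: the shape of the email quoted in the post.
BEG_SAMPLE = """\
From: Reporter Example <reporter.example123@gmail.com>
To: undisclosed-recipients:;
Subject: Vulnerabilities in your site
Content-Type: text/plain; charset=utf-8

Hi team,

I would like to draw your attention to some vulnerabilities in your site
which I would like to report. Kindly let me know if there is any bug bounty
program or reward for this disclosure, as this work requires both cost and time.

Regards
"""

# Constructed sample: what a usable report looks like (names the site and the issue).
GENUINE_SAMPLE = """\
From: Reporter Example <reporter@example.org>
To: webmaster@example.com
Subject: Login form on www.example.com posts over plain HTTP
Content-Type: text/plain; charset=utf-8

Hi,

The form at https://www.example.com/login submits to an http:// URL, so
credentials cross the network unencrypted. Steps to reproduce are below;
happy to help verify the fix.

Regards
"""

if __name__ == "__main__":
    for label, sample in (("beg", BEG_SAMPLE), ("genuine", GENUINE_SAMPLE)):
        print(label, triage(sample))
```

The heuristics are deliberately coarse: a genuine reporter who happens to use Gmail will trip one rule, which is why the verdict needs at least two indicators, and a message that trips all four is the pattern described in this post.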
Assuming that it was my business site that Elvin was emailing me about, I ran it through some online web security tools. The lowest score I got was an A!
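Since the things these scanners most often report are SPF/DKIM records and SSL certificates, the cheapest response to a ‘pay me first’ email is to check those yourself. The script below is an added example, not from the original post or any of the tools it links to; the SPF and DMARC record strings are constructed samples, and the TLS function takes whatever hostname you give it (no real host is assumed). DKIM needs a selector name to query, so it is left out.

```python
"""Self-check for the findings beg-bounty scanners most often report:
SPF record sanity, DMARC policy, and TLS certificate expiry.
Added example, not from the original post. Record strings below are
constructed samples; run the parsers on your own domain's TXT records."""
import socket
import ssl
import time

# SPF terms that each cost a DNS lookup; RFC 7208 caps the total at 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record: str) -> dict:
    """Count DNS lookups and list weaknesses in one SPF TXT record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"lookups": 0, "findings": ["no v=spf1 record published"]}
    findings, names, lookups, terminal = [], set(), 0, None
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        # Mechanism or modifier name without qualifier, argument or CIDR length.
        name = term.lstrip("+-~?").split(":", 1)[0].split("=", 1)[0].split("/", 1)[0].lower()
        names.add(name)
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            findings.append("ptr mechanism is deprecated (RFC 7208) and slow to evaluate")
        if name == "all":
            terminal = qualifier
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceeds the limit of 10 (evaluates as permerror)")
    if terminal == "+":
        findings.append("+all lets any host on the internet send as this domain")
    elif terminal == "?":
        findings.append("?all is neutral, so the record protects nothing")
    elif terminal is None and "redirect" not in names:
        findings.append("no 'all' mechanism: unlisted senders get an implicit neutral result")
    return {"lookups": lookups, "findings": findings}


def parse_dmarc(record: str) -> dict:
    """Read the policy from a _dmarc TXT record and list weaknesses."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {"policy": None, "findings": ["no DMARC record published"]}
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("missing or invalid p= tag")
    if "rua" not in tags:
        findings.append("no rua= address, so you receive no aggregate reports")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applies to only part of the mail")
    return {"policy": policy or None, "findings": findings}


def tls_days_remaining(host: str, port: int = 443, timeout: float = 5.0) -> float:
    """Days until the certificate served at host:port expires (makes a network connection)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - time.time()) / 86400


if __name__ == "__main__":
    # Constructed records: one sound, one with the classic scanner findings.
    print(parse_spf("v=spf1 include:_spf.example.net mx -all"))
    print(parse_spf("v=spf1 a mx ptr include:a.example include:b.example +all"))
    print(parse_dmarc("v=DMARC1; p=reject; rua=mailto:dmarc@example.com"))
    print(parse_dmarc("v=DMARC1; p=none"))
```

To run it against your own domain, fetch the records with `dig TXT example.com` and `dig TXT _dmarc.example.com` and pass the quoted strings to the parsers; `tls_days_remaining("example.com")` does the certificate check live. If all three come back clean, the ‘vulnerabilities’ on offer are unlikely to be anything an automated scanner found.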
If you’d like to know more about these types of emails and ‘beg bounties’, have a read of the links below:
- https://serverfault.com/questions/1033101/should-i-respond-to-an-ethical-hacker-whos-requesting-a-bounty – A discussion about whether these types of emails are ethical or not!
- https://news.sophos.com/en-us/2021/02/08/have-a-domain-name-beg-bounty-hunters-may-be-on-their-way/ – A post by Sophos (a computer security company) on the good and bad kinds of emails like this.
- https://www.troyhunt.com/beg-bounties/ – A post by a big web security pro on his dealings with bug and beg bounties. (Contains a few rude words.)
- https://dennisbabkin.com/blog/?t=recent-prolifiration-of-fake-bug-bounty-hunters-and-racketeers – Another good example of the rise of beg bounty spammers.
Conclusion
Emails like this aren’t necessarily ‘scams’ as such, but if the person sending them is less than informative and won’t give basic information or answer basic questions without getting a payment first, I’d treat it with a deal of suspicion…
[Update March 2023]
Guess what, I’ve had more spam from ‘Elvin’. This time the email address said his name was ‘Alvi Alex’ but the emails were signed ‘Elvin’! I replied with exactly the same words as I used in this conversation and guess what, it was the same person who replied with their same ‘real’ LinkedIn info… I challenged him that he’d done EXACTLY the same thing to me only a few months before – yet he still denied any form of spamming.
Hmmmm. Spammers gonna spam and beg bounty-ers gonna beg.