55

I've just received this email. Is it a standard practice or a scam?

I'm a Security Researcher running a vulnerability identification service for a small group of private clients, and I accidentally found some vulnerabilities in your infrastructure.

For a small fee, I will share the vulnerability details with you (includes POC, screenshots, and suggested solutions).

Paypal instructions:

  1. Recipient: REDACTED GMAIL ADDRESS
  2. Paying for an item or service (covered under PayPal Purchase Protection for Buyers)
  3. Amount: $100
  4. Add a note: [redacted, my domain name]

After I receive your payment, within 48 hours, I will send you an email with all the vulnerability information.

V2Blast
  • 103
  • 5
muszek
  • 551
  • 1
  • 4
  • 6
  • 249
    Were you to send the $100 (which you should not), I suspect the email they send back (if you get one at all) would be *"The vulnerability is as follows: if an attacker sends the website owner an email in the following form [...], he/she will send $100 to the attacker for no good reason"* – abligh Apr 09 '20 at 05:10
  • 8
    Pretty much a standard practice _for scam_. – fraxinus Apr 09 '20 at 08:50
  • 1
    See also: https://security.stackexchange.com/questions/172466/is-demanding-a-donation-before-disclosing-vulnerabilities-black-hat-behavior – Jacco Apr 09 '20 at 08:52
  • 4
    This seems rather polished for "accidentally". The payment in advance is bad, but if he didn't realize your site wasn't an established customer, he may have done research and made a report before realizing he wasn't being paid. The 48 hours makes me think it a minor grammar error. If you remove the second comma, it is a pledge to send your report withing 48 hours of being paid. The term "infrastructure" worries me, it could mean anything from website to hosting company. And the fact that he has "some" vulerabilities, but doesn't show any? But overall, probable scam. – David G. Apr 09 '20 at 12:12
  • 1
    The things that strike me as odd and make me think this is likely a scam: (1) asking for money up front (2) **trying to dictate the payment method** (3) not providing any personal information about himself (signing up for gmail is free; if he gave you a name for his company and an email from that company's domain, it would look better.) (4) only very generic mention of "some vulnerabilities;" I would expect a real security person could tell you a bit more - number of vulnerabilities, potential risks of not fixing them, etc, without giving away all his bargaining chips. – Steve-O Apr 09 '20 at 13:59
  • 1
    If they are legitimate but ill-informed, would sending them a link to this page maybe clear things up and help them help you? If they are scammers, would they benefit from reading this page? I don’t know, just wondering – 11684 Apr 09 '20 at 16:08
  • 24
    I'd be strongly tempted to send a counter-offer of "send me the details of the vulnerability in the next 48 hours, and I won't report your extortion attempt to the police". – Mark Apr 09 '20 at 20:46
  • 16
    Paypal is not an effective **anonymous** payment system. Contact Paypal and tell them about it. They have a vested interest in squashing it. – user10216038 Apr 09 '20 at 21:36
  • 3
    @vsz I read that as they'd send the information within 48 hours of receiving the payment, not that the OP had 48 hours to send the payment. – Anthony Grist Apr 09 '20 at 22:14
  • 6
    We should crowdsource the $100 for you, just to satisfy our curiosity about what you get. My bet is that you will get an actual vulnerability, but it will be *very* low quality and purely a result of dumb automated scanning (such as your secure web server supporting TLS 1.0). – David Schwartz Apr 09 '20 at 22:41
  • 3
    You should send them a (bogus) check for waaay more than $100 that they have to cash and send the difference back. :) – Quinn Culver Apr 10 '20 at 02:57
  • @AnthonyGrist : yes, you're right, that's a more likely interpretation. – vsz Apr 10 '20 at 04:17
  • 3
    I’m absolutely shocked that anyone here is even entertaining the notion that this is not just scam-spam. Has **no one** here received this before? I get spam mails more or less identical to this one at least three or four times a week. – Janus Bahs Jacquet Apr 10 '20 at 10:15
  • 2
    I get email like this for my website, which is nothing but static HTML (and the occasional PDF or image file, still all static files). It is definitely a scam when I get it, so if you get the same thing as I do, then you're also getting a scam. (Same if you get random offers for SEO or to redesign to run more efficiently.) – Toby Bartels Apr 10 '20 at 11:07
  • 1
    The weird capitalisation of words is consistent with it being written by someone from India. Does that fit your expectations about where it should come from? The writing style very often gives away where the writer is coming from. – Peter Mortensen Apr 10 '20 at 13:20
  • 1
    Does the idea that I *might* do it for $90 help? – Andrew Morton Apr 10 '20 at 20:26
  • @PeterMortensen: What weird capitalisation? – Oskar Skog Apr 10 '20 at 21:37

7 Answers7

112

This certainly is not standard practice. Even if this person has found a legitimate problem on your site, it's a form of extortion.

There is proper "responsible disclosure" and professional "security researchers" don't start off asking for cash. Bug bounty programs exist for a reason.

The problem is that you do not know if the vulnerability is worth $100 to you.

This is very, very likely a scam, but on the off-chance that you are dealing with a legitimate professional with poor communication skills, you could ask for details, like where the problem is ("infrastructure"? that's odd for a website), and any details about who they are and proof of their professional work in security research.

If they ramp up the emotion or extend the extortion, then you know it's a scam. Don't install or open any files they send you. If they are legitimate, they will work with you.


To give you an idea, I am not a professional tester and I do not do bug bounties. But once in a while, I discover a vulnerability in a site. I first contact the company asking for the person who would handle site vulnerabilities with a 1-sentence rundown of the general issue. I do this to make sure I get to talk to a responsible person, and not an unauthorised person who might abuse or mishandle (or fail to understand) the information I am about to give them. I also give them proof of who I am so I do not come across as a scammer.

When I am talking to the best person I can, I give the full break down, with my process to repeat the problem, URLs, parameters, etc., and the reason for why I think it is a concern. I answer whatever questions they ask, but I never, ever, give the impression that I need or want them to do anything with any urgency. I let them work out their risk assessment. That's their job. It's their site.

I also don't ask for money, but if I did, it would be after I did as much as I could to help their team resolve it. And I would not expect to get money or any form of reward, even if I asked.

Either the site has a bug bounty program that defines the expectations and relationships for everyone involved, or the site doesn't, and I'm just helping out and maybe getting something out of it, or not.

That's how a professional would approach a site with a vulnerability they discovered.

schroeder
  • 125,553
  • 55
  • 289
  • 326
  • Comments are not for extended discussion; this conversation has been [moved to chat](https://chat.stackexchange.com/rooms/106604/discussion-on-answer-by-schroeder-email-send-me-100-for-details-on-a-security). – schroeder Apr 11 '20 at 15:14
23

I am not sure I would even engage with that person. That sounds fishy and borderline extortion. It's even conceivable that the flaw does not even exist but he wants to send you a 'patch' that will install a backdoor on your server.

Before you get in touch with that person (if you so decide), try to find the vulnerability yourself by reading the logs from your webserver and look for suspicious activity like traces of SQL injections that might show up in the URLs. This is going to be tedious. So I would start looking in the few hours before that E-mail was sent.

If you have some scripting skills, you can put them to good use to parse the log file. Useful bash commands would be cut, awk and the like combined with sort and uniq( for example to build a list of unique URLs). I would also focus on 401 or 403 errors that indicate attempts to access unallowed pages. 500 errors too.

Also verify that there are no suspicious files present on your serverlike a web shell.

If you find such a file, then you can use it as a criterion to filter the logs (look at the IP address that made the request on the same line).

Although this is a gmail address, the other party may have sent the message from their home, using their own mail client. Then, there is a chance that you will find the originating IP address in the mail headers.

That person is probably hiding behind a proxy or VPN, but some people are just uncaring, lazy and clumsy. So if you obtain the IP address you can use it to filter your logs and follow their tracks.

When he says "I accidentally found some vulnerabilities in your infrastructure" that's quite possible. If your website allows directory listing he might have found sensitive files laying around just by cutting the URL. Then the 'fix' is to pull out the files and better configure your server. Search engines index a lot of files this way, files that were not supposed to be exposed. There are some queries you can run to find them, they are called dorks. Maybe the 'Security Researcher' (or script kiddie) actually stumbled on your website after running a dork, and he is just looking for some quick and lazy money.

Try to dork yourself. Type this in Google: site:yoursite.com. And see if there are pages indexed in Google, that shouldn't be.

Kate
  • 7,092
  • 21
  • 23
  • 1
    This is not very relevant to the answer, but `sort -u` is normally better than `sort | uniq` – the default. Apr 09 '20 at 09:23
  • 2
    @mypronounismonicareinstate for lager log files something using hashtables is a lot faster, like [this PHP script](https://github.com/0ki/shellscripts/blob/master/sortuniq). Also take note that `sort -u` and `uniq` determines uniqueness by their sort order, i.e. `あ` will be considered as duplicate of `い` if your current collation is something like `en_US.UTF-8`. – Džuris Apr 09 '20 at 13:52
  • It is much to easier to use [Perl](https://en.wikipedia.org/wiki/Perl) for the log file filtering (e.g. one-liners for simple tasks). It is not a coincidence that one of the backronyms is "practical extraction and reporting language". – Peter Mortensen Apr 10 '20 at 13:28
  • @mypronounismonicareinstate But `sort | uniq -c` might be fine – Hagen von Eitzen Apr 10 '20 at 14:12
13

This may or may not be spam (or even extortion, as some answers claim), but it certainly does not sound like a good deal either. Let's look at the facts:

  • The person provides absolutely no indication that there actually is a security problem, nor that you would care about it if there was (not every theoretical security issue is a practical problem for each website), nor that their fix is correct. In some sense, this "offer" is analogous to somebody emailing you "I am providing services in the domain X, send me 100$ and I will tell you what these services are". I suspect in any other domain you would move such a solicitation to trash within seconds.
  • The amount they are asking for is peanuts. This, combined with the fact that they won't tell you what the problem is, suggests strongly that whatever they "found" will be so trivial that nobody would pay for it if they told you upfront. What you would get (if anything at all - remember, it can also simply be spam and you never hear from them after paying) would probably be a report of some automated security scanner and a handful of generic links. Nothing you would normally pay money for. If they found a serious problem and had non-trivial information on how to fix it, they would tell you what problem it is and offer to fix it on a contractual basis (and, of course, ask for a lot more than 100$).
  • Under the assumption that this is indeed a small problem with an obvious fix, every self-respecting security researcher I know would just tell you (especially if you are either a private person or represent a small company, which I assume). Again, 100$ are peanuts as far as contractor rates go, and certainly not enough money to establish a shady-looking deal such as this. Looking at the email template, I assume the just run automated scans of websites and generate such an email whenever these tools report anything. Probably not even the email sender themselves knows at this point if this is anything that anybody would actually worry about.
  • And then, of course, there are some of the usual signs of spam - unsolicited offer, generic Gmail address, important-sounding-but-generic claims, usage of non-traditional payment services (and no mention of contracts, invoices, etc.), asking for money upfront, etc.

All in all: ignore the email.

xLeitix
  • 231
  • 1
  • 4
  • 5
    _The amount they are asking for is peanuts_ , this is not true for a large number of people in the south hemisphere. – elsadek Apr 09 '20 at 20:10
  • @elsadek That's certainly true. Still, it feels to me 100$ is such an oddly low amount to ask for that I consider it a strong signal that the information isn't valuable. Even if 100$ is a significant amount of cash to you, you would not be asking for only 100$ (rather than, say, 5000$) if you felt your information or service is actually valuable. – xLeitix Apr 10 '20 at 08:37
  • 1
    @elsadek And yet it *is* peanuts, even still. Bug bounties are one of those areas where location does not matter. If, for instance, you found a RCE vulnerability in AWS, you would get a big chunk of money regardless of where you live. So regardless of salaries in your local area, the "value" of vulnerabilities is fairly well established world wide. If I find a critical vulnerability in a key aspect of a business' web systems, it is reasonable to ask for much more than $100. I may not get that of course, but the value is still fairly well established – Conor Mancone Apr 10 '20 at 12:17
  • The OP doesn't provide enough details to judge the criticality of his system. That bounty hunter could have targeted some 100 other victims with same email, this could be better profit-making tactic than targeting a single victim with unsure $5000 bounty. – elsadek Apr 10 '20 at 14:23
9

In addition to all the signs screaming "scam" that you noticed, even if this offer is legit (albeit with shady-to-illegal marketing methods) the results are unlikely to be of any value. For $100 you are likely to be getting the results of an automated port scan that just pattern-matches protocol response strings to possible vulnerabilities without doing any actual testing.

For example, I once had a customer pay significantly more than $100 for a "professional" scan that included preposterous results. My response included

Your security analyst told you that the account 'foo' had a known default password. There is no account 'foo' on the system.

Your security analyst told you that your 'bar' service was configured to use a weak encryption method. We removed that encryption method two releases ago.

Would you like me to continue going through the remaining items in the security report or is this sufficient to address your concerns?

The original post included this important bit:

I'm a Security Researcher running a vulnerability identification service for a small group of private clients, and I accidentally found some vulnerabilities in your infrastructure.

So it's theoretically possible that they found a problem on your system while scanning one from an entity you do business with. In that case it would be perfectly reasonable to ask for a referral from their customer who the security company was working with.

arp
  • 531
  • 3
  • 5
3

All one needs to know is, whoever@gmail.com. So this is not any registered company or domain; that guy cannot even afford to register a domain and run a mail-server, but playing the "security researcher", who doesn't want his credentials verified, obviously for "security reasons".

"within 48 hours" generally means, that this is a "limited time offer"; quite a cheap marketing trick.

Many scams play on people's fears; just see what is currently going on in the real world... and there's also scams, which play on people's imagination, expectations and unfulfilled desires.

The solution to the non-existent problem: flag as spam & report to PayPal.
Alternatively, you could play him a little; eg. Just Say OK To Scammers.

This question might probably better fit Psychology & Neuroscience...
as they didn't scan your website for vulnerabilities, but your psyche.


Compared to that attempted fraud (without the least doubt), read about "Responsible Disclosure of Security Vulnerabilities", in order to get a better understanding, how "standard practices" might look alike.

  • 1
    And yet many security researchers use gmail.com, which is a bad idea for many reasons (any free E-mail is a bad proposition and Google already so much data about you). But indeed someone who is genuine (and asking for money) would have **identified himself**, to prove he's a real person with credentials that you can google, and not an anonymous scammer. This one does not pass the smell test. It reminds of those mafia movies when a group of sturdy men approach a business owner and say "nice place that you have, would be a shame if somebody caused trouble isn't it". And then the sales pitch. – Kate Apr 10 '20 at 13:21
  • 2
    Re *"Just Say OK To Scammers."*: There are also [James Veitch's](https://www.youtube.com/watch?v=_QdPW8JrYzQ) [TED](https://www.youtube.com/watch?v=C4Uc-cztsJo) [talks](https://www.youtube.com/watch?v=a2edxiz2M9g). – Peter Mortensen Apr 10 '20 at 13:36
  • @PeterMortensen I've already watch that. It's still remarkable, how one can troll them with their own psychological tricks (in case one has free time at hand and nothing better to do). –  Apr 10 '20 at 21:36
1

100% Scam.

Proper action from your side if you are worried is to contact a professional company that can make a security audit on your webpage.

My advice is to completely ignore all and any offers that are unsolicited by you in the first place.

Don King
  • 111
  • 3
0

Basically, we don't trust a stranger who is asking for reward against a friendly service, or do we ?

That said, we don't have enough details to judge the criticality of your system, and then decide if the $100 is the Juste Prix or not.

If you are running a widely used (opensource) software like CMS or ERP, that bounty hunter could have targeted some 100 other victims with same email, this could be better profit-making tactic than targeting a single victim with unsure $5000 bounty.

In this case, you had better to check your installation, if it has the latest updates and patches, you may also check the vendor vulnerabilities database, hopefully the bounty hunter has not a 0-day exploit that he is taking advantage with.

If the targeted system is a bespoke solution, things may be trickier to cope with, depending of the team you have in place.

The English level of the email is pretty decent, even though it has no implicit threatening, I would be concerned of its seriousness.

elsadek
  • 1,822
  • 2
  • 18
  • 55
  • It doesn't need any literal threat; it is already enough to create a presumed threat. In this case, it's something alike: either pay now or face issues later... which already is a subtile coercion attempt. –  Apr 10 '20 at 21:47