Are Unsolicited Web Site Vulnerability Reports a Scam ?

Have you received an Unsolicited Vulnerability Report on your ecommerce site stating that your site can be hacked and they are looking for a bounty to show you the weakness and fix it ?

TLDR :  The best approach to handling this email is to contact a creditable security consultant, and hire them to investigate the claims.

All site owners have received these emails and some are pretty basic and some are professional.

The basic ones most will delete as they are poorly written and provide no evidence.

The more professional ones will provide a snippet of data that demonstrates that they can access customer data and have gained entry to the site.

First off – in the EU this is an illegal practice and unethical.

“If you want your site scanned for weaknesses then you employ a reputable company to carry out this service.  You do not take the services of an un-solicited emailer.

So as to recognize the modus operandi of the scammer.

Email takes general the format.

 

Hello,

I have found a Web Application Vulnerability [XSS] in ‘websitename.com’ which can lead an attacker to perform unauthenticated tasks like account takeovers and other malicious stuffs like web defacement (your site), port scanning through your servers to other servers on internet or may use your website to spread Ransomware, and this bug is needed to be fixed as fast as possible.

We have extracted the following information from your site. Screen shots attached.

Being a responsible security researcher, I m sending this mail directly to you without making the bug public, so if you are concerned about your website’s security and want detailed information and Proof-of-Concept of this bug, please contact me on my mail – [email protected]

Would be happy to know – do you provide any rewards (bug bounty) / swag as token of appreciation for reporting bugs ?

Thank you,

Name

or

Hi

I found a vulnerability in your website that makes it easy for me to find out the contents of your database.

I can help you fix it. By submitting a report in the form of a 15-17 page document, depending on the vulnerability of your site.

The report I will send is about:

 Location of the vulnerability.

 How to fix it.

 How to prevent vulnerabilities.

How to Strengthen Website Security.

Are you interested ?
I attach evidence if I can access your database, the impact of the vulnerabilities I found.
Best regards

This a typical things that scammers  do.

If so what are they trying to gain, what would be (if any) the risks of replying to the email requesting some more information.

Do not think this is in fact a legit “responsible security researcher”. This is not how responsible companies run businesses.

This is called fear marketing or fear appeal. It’s a marketing method that uses fear as the trigger for action.

https://en.wikipedia.org/wiki/Fear_appeal

The email contains the 3 basic stages of fear appeal.

  1. present a risk.
  2. present a vulnerability to the risk.
  3. suggest a protective action.

It is generally considered unethical.

I’m only pointing this aspect out, because the email is an unsolicited attempt to get a response using fear. It’s the fact that the sender completely left out the details of what the issue is. You have to contact them to get a response, and they’ve already stated that they expect a token of appreciation.

When a scammer is fishing for victims they must first qualify a list of possible targets. His/her scam involves fear as a trigger to action, and if you respond you than qualify as a person who reacts to fear tactics.

It’s likely they will escalate the seriousness of the problem until a trade can be made for details about the security flaw. He/she will most likely request payment by bitcoin for the information.

A true professional security consultant will never cherry pick and cold call. They will always provide full contact details, mailing address and phone number of their consulting services. They also would have mentioned the benefits of their services. Where as, this email only mentions the risk of not responding.

What you can do to help others not failing

Once you are sure its a scammer / hacker.  Then report the email address to Paypal or sho ever is the payment processor. Get the email address listed on some email blacklists. Post the scammers email verbatum into some forums so as people searching for it can see it as a scam quickly. Collect as much information as possible and pass onto your local law enforcement agency.

Finally :

The best approach to handling this email is to contact a creditable security consultant, and hire them to investigate the claims.

Sources for this post :  Scam emails received by our clients over the years.  Forum posts on how to deal with this kind of email. wikipedia.

By | 2021-10-12T20:52:44+00:00 October 12th, 2021|e commerce, ecommerce|