
Is a “Beg Bounty” blackmail?

We got notices from our clients about the latest round of an apparent cybersecurity scam. Our point of contact at the client had received the unsolicited email quoted below:

[Scam email]

Hello Team,

I am a security researcher and I provide information and knowledge regarding “Vulnerability” on websites. I have found an issue on your website/domain.

I just sent a forged email to my email address that appears to originate from [Your domain name]

I was able to do this because of the following DMARC record:

“No DMARC Record found”

Or/And

“No DMARC Reject Policy”

How to Reproduce:

1: Go To mxtoolbox.com/DMARC.aspx

2: Enter the Website. Click Go.

3: You will see the fault (DMARC Quarantine / Reject policy not enabled)

After this, the apparently “helpful security researcher” offers a suggestion on how to fix it:

[Scam email]

FIX:

1)Publish DMARC Record. (If not already published)

2)Enable DMARC Quarantine/Reject policy

3)Your DMARC record should look like
“v=DMARC1; p=reject; sp=none; pct=100; ri=86400; rua=mailto:[email protected]”

This can be done with any PHP mailer tool like this one.

Reference:

https://www.siteground.com/kb/configure-spf-dkim-dmarc-records/

Only at the end of the email is there an artfully crafted payload and a thinly veiled threat:

[Scam email]

Let me know if you need me to send another forged email, or if you have any other questions.

I’m hoping to receive a bounty reward for my ethical Disclosure.
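The “fix” section of the email hands out a DMARC record without explaining what its tags do, and step 3 of the “how to reproduce” section is really just a policy lookup. The following Python is an added example (not code from the original post, from Sequentur, or from the sender of the email) that parses a DMARC TXT record and reports the same findings a lookup tool would: whether a record exists, whether `p=` is enforcing (`quarantine`/`reject`) or monitoring only (`none`), whether `pct=` limits enforcement, and whether `sp=` leaves subdomains uncovered. The sample records and the `example.invalid` reporting address are constructed for the example; a practitioner would feed in the TXT value published at `_dmarc.<domain>` (for instance the output of `dig TXT _dmarc.example.com`).

```python
"""Parse a DMARC TXT record and classify its enforcement level (added example)."""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed sample records, not taken from any live domain.  The first one
# mirrors the record the beg-bounty email recommends, with a placeholder
# reporting address instead of the obfuscated one in the email.
SAMPLE_RECORDS = {
    "reject_example": "v=DMARC1; p=reject; sp=none; pct=100; ri=86400; "
                      "rua=mailto:dmarc-reports@example.invalid",
    "monitor_only": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.invalid",
    "partial_rollout": "v=DMARC1; p=quarantine; pct=25; "
                       "rua=mailto:dmarc-reports@example.invalid",
    "malformed": "v=spf1 -all",  # an SPF record published where DMARC was expected
}


@dataclass
class DmarcAssessment:
    valid: bool
    policy: str | None          # value of p=, lower-cased
    subdomain_policy: str | None  # value of sp=, defaults to p= per RFC 7489
    pct: int                    # percentage of failing mail the policy applies to
    findings: list[str] = field(default_factory=list)

    @property
    def enforcing(self) -> bool:
        """True only when failing mail is actually quarantined or rejected."""
        return self.valid and self.policy in ("quarantine", "reject")


def parse_dmarc_tags(record: str) -> dict[str, str]:
    """Split 'k=v; k=v' into a tag dict; keys are lower-cased, values kept verbatim."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue  # skip empty segments and junk without a tag name
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str | None) -> DmarcAssessment:
    """Classify a DMARC record the way a lookup tool reports it.

    `record` is the TXT value at _dmarc.<domain>, or None when no record exists.
    """
    if record is None:
        return DmarcAssessment(False, None, None, 0, ["No DMARC record found"])

    tags = parse_dmarc_tags(record)
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return DmarcAssessment(
            False, None, None, 0,
            ["Not a valid DMARC record (v=DMARC1 and p= are both required)"],
        )

    policy = tags["p"].lower()
    sub_policy = tags.get("sp", policy).lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0  # an unparsable pct= is treated as applying the policy to nothing

    findings: list[str] = []
    if policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"p={policy}: unknown policy value")
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing messages")
    if sub_policy == "none" and policy != "none":
        findings.append("sp=none: subdomains are exempt from the organisational policy")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports will never be received")

    return DmarcAssessment(True, policy, sub_policy, pct, findings)


if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS.items():
        result = assess_dmarc(rec)
        print(f"{name}: enforcing={result.enforcing}; {'; '.join(result.findings) or 'no findings'}")
    print(f"missing: {assess_dmarc(None).findings[0]}")
```

Run against the record the email recommends, the checker flags `sp=none`: that tag exempts every subdomain from the `p=reject` policy, so copying the suggested record verbatim would still leave mail from `anything.yourdomain` unprotected. A sensible rollout is the reverse of what the email implies: start at `p=none` with `rua=` set, read the aggregate reports to confirm that legitimate senders pass SPF or DKIM alignment, then move to `quarantine` and finally `reject`, with `sp=` set explicitly rather than left at `none`.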

Beg Bounty in brief

Cybersecurity is crucial to the success of any business. Scammers are always coming up with new ways to take advantage of the most vulnerable businesses and steal their data. But it’s hard to keep up with all these different schemes.

If you received a suspicious email with a subject line like “Do Not Open!”, there’s a high chance that it is a scam.

The Beg Bounty malware has been used to extort money from innocent victims by threatening to release private data.

This is where we come in — we work exclusively on cybersecurity, so you don’t have to. We can help you protect your data and manage your risks, so you can keep doing what you do best — running your business!

We advised customers NOT to contact the “friendly and ethical cyber-analyst.”

Per our research, this is not blackmail per se, although it can be construed as such.

Those who received similar emails and contacted the “advisor” got the runaround, as described in a blog post by Troy Hunt of Have I Been Pwned.

Targets of Beg Bounty scam

Although we strongly recommend that all our customers deploy DMARC/DKIM as part of their overall security-posture hardening, this example and the others sent out by “advisors” are low-severity findings.

The problem is in the mind of the potential victim: if they know about this one, what else do they know? One can get sucked into negotiating with, and even hiring, these individuals for their cybersecurity needs.


Trust only the trusted

Definitely engage a reputable firm to handle your IT security (the first step is always a security assessment).

Hold your ground and remain vigilant. It’s “professionals” like these that give cybersecurity professionals a bad name. It’s unsolicited advice at best.