Experts Warn of “Beg Bounty” Extortion Attempts

Sophos has warned businesses to be on the lookout for unsolicited and often generic emails attempting to extract a bug bounty from them with borderline extortion tactics.

So-called “beg bounty” messages typically involve automated scanning for basic misconfigurations or vulnerabilities, followed by a cut-and-paste of the results into a pre-defined email template, explained Sophos principal research scientist, Chester Wisniewski.

Small businesses are typical targets: even though they do not have a bug bounty program, and perhaps because of this fact, the senders often believe they may be more inclined to pay.

“Beg bounty queries run the gamut from honest, ethical disclosures that share all the needed information and hint that it might be nice if you were to send them a reward, to borderline extortion demanding payment without even providing enough information to determine the validity of the demand,” said Wisniewski.

“Knowing these businesses did not have a bug bounty program and in fact probably didn’t even know what code ran their website, it seemed odd for a legitimate researcher to be wasting their time on the smallest fish in the pond.”

The Sophos scientist was able to gather and analyze a few sample beg bounty incidents, which also featured varying degrees of professionalism. Some leant more towards extortion and one contained factually inaccurate information, referring to an organization’s lack of DMARC as a “vulnerability in your website.”

Wisniewski warned of reports claiming that engaging with the bounty hunter could lead to a slew of further bug reports and demands for more payment.

He urged small business owners to take the emails and the issues they raise seriously, but not to engage with the sender, and instead seek out a reputable security provider.

“Most of the bugs that were found were not even bugs. They were simply internet scans that discovered the lack of an SPF or DMARC record. Others were genuine vulnerabilities that could also be easily found without skill by using freely available tools,” he concluded.

“None of the vulnerabilities I investigated were worthy of a payment. The problem is that there are millions of poorly secured sites owned by small businesses that don’t know any better and are intimidated into paying for services out of fear.”
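The SPF and DMARC findings that make up most of these reports are DNS configuration checks a business can run for itself before deciding whether a claim merits any response. The following is an added example, not code from the Sophos article or from Wisniewski: it parses SPF and DMARC TXT records and reports the same kind of findings a beg-bounty scan would, labelled as email-hygiene gaps rather than website vulnerabilities. The domains, TXT records and the `SAMPLE_TXT` lookup table are constructed so the code runs offline; for a live check, `lookup_txt` would be replaced by a real DNS TXT query (for instance dnspython's `dns.resolver.resolve(name, "TXT")`).

```python
import re

# Constructed DNS TXT answers for hypothetical domains (not real hosts).
# A domain's SPF record lives at the apex; DMARC lives at _dmarc.<domain>.
SAMPLE_TXT = {
    "example-a.test": ["v=spf1 include:_spf.example-a.test -all"],
    "_dmarc.example-a.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@example-a.test"],
    "example-b.test": ["google-site-verification=abc123"],   # no SPF record
    # no "_dmarc.example-b.test" entry: DMARC absent
    "example-c.test": ["v=spf1 ip4:192.0.2.10 +all"],        # SPF present but permits everyone
    "_dmarc.example-c.test": ["v=DMARC1; p=none"],           # DMARC in monitor-only mode
}


def lookup_txt(name, records=SAMPLE_TXT):
    """Stand-in for a DNS TXT lookup; returns the list of TXT strings for a name."""
    return records.get(name.lower(), [])


def parse_spf(txt_records):
    """Return {'count': n, 'all': qualifier} for the SPF record(s), or None if absent.

    The 'all' qualifier is what matters for a hygiene check: '+' authorizes any
    sender, '~' soft-fails unknown senders, '-' rejects them, '?' is neutral.
    """
    spf = [t for t in txt_records if t.lower().startswith("v=spf1")]
    if not spf:
        return None
    all_qualifier = "?"  # RFC 7208 default when no 'all' mechanism is present
    for term in spf[0].split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            all_qualifier = m.group(1) or "+"  # a bare 'all' means '+all'
    return {"count": len(spf), "all": all_qualifier}


def parse_dmarc(txt_records):
    """Return the tag=value dict of the DMARC record, or None if absent."""
    dmarc = [t for t in txt_records if t.lower().replace(" ", "").startswith("v=dmarc1")]
    if not dmarc:
        return None
    tags = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_domain(domain, records=SAMPLE_TXT):
    """Classify a domain's SPF/DMARC state the way a beg-bounty scan would, but honestly."""
    findings = []
    spf = parse_spf(lookup_txt(domain, records))
    if spf is None:
        findings.append("no SPF record: email hygiene gap, not a website vulnerability")
    else:
        if spf["count"] > 1:
            findings.append("multiple SPF records: receivers treat this as a permanent error")
        if spf["all"] == "+":
            findings.append("SPF ends in +all: any host may send as this domain")
    dmarc = parse_dmarc(lookup_txt("_dmarc." + domain, records))
    if dmarc is None:
        findings.append("no DMARC record: spoofed mail is not rejected or reported")
    elif dmarc.get("p", "none").lower() == "none":
        findings.append("DMARC policy is p=none: monitoring only, spoofed mail still delivered")
    return {
        "domain": domain,
        "spf": spf,
        "dmarc": dmarc,
        "findings": findings,
        "needs_attention": bool(findings),
    }


if __name__ == "__main__":
    for d in ("example-a.test", "example-b.test", "example-c.test"):
        result = assess_domain(d)
        print(d, "->", result["findings"] or ["SPF and DMARC look sane"])
```

Running the script on the constructed table shows the three typical outcomes: a domain with SPF `-all` and DMARC `p=reject` produces no findings, a domain with neither record produces two, and a domain whose records exist but are permissive (`+all`, `p=none`) also produces two. None of these are website vulnerabilities; they are DNS settings the domain owner or their hosting provider can correct directly, which is the check to run before treating an unsolicited "bounty" email as credible.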
