
A Scammer Tried to Scare Me into Buying Their Security Services - Here's How It Went Down

Here's the tl;dr - someone named "Md. Shofiur R" found troyhunt.com on a "free online malware scanner" and tried to scare me into believing my site had security vulnerabilities, then shake me down for a penetration test. It didn't work out so well for him. Here's the blow-by-blow account of things, then I'll add some more thoughts afterwards:

Let's pause here for a moment - the site he's referring to is Quttera and at the time he sent me the above email, a scan of my site reported the following:

Malicious Link

That blog post - The One Valuable Thing All Websites Have: Reputation (and Why It's Attractive to Phishers) - had a few snippets of HTML and various URLs representing how some of these phishing sites were put together. That's all that caused Quttera to flag my site - it's not doing any sort of dynamic analysis of security vulnerabilities or anything at all which could cause "Md. Shofiur R" to reasonably draw his original conclusions. For some reason, Quttera now also reports my blog as having "no malware detected" despite no change in the aforementioned blog post.

Clearly, I wasn't happy:

Usually the responsive type, "Md. Shofiur R" has, a couple of days later, (unsurprisingly) gone quiet.

There were never any of the proclaimed vulnerabilities on my blog. If there were, it would have taken him a couple of minutes to find the section in the footer which says "This site runs entirely on Ghost" then a couple more minutes to find the page titled "Reporting Security Issues" on their GitHub account (I wound up there after a simple Google search). But this was never about reporting real issues, it was just someone trying to make a quick buck.

Now, to the broader issue of people reporting real security vulnerabilities with an expectation of cash in return, I want to share some thoughts on that too: Firstly, bug bounties are awesome. I love bug bounties because they're win-win for all involved. I just recorded two Pluralsight courses in San Francisco with Casey Ellis (friend and founder of Bugcrowd) on precisely this (one course for companies and one for researchers, we should see them live next month):

However, bug bounties are formal programs which set out a series of expectations for companies and researchers alike (this was a point Casey reiterates in the courses). If there is no bug bounty program, you're in no position to ask for money in return and you're possibly getting very close to extortion ("pay me money if you don't want something bad to happen to your site"). This is why the recent Uber situation was such a debacle. Now, you may receive something for your efforts and you may also feel that it's entirely incommensurate with the value of the vulnerability you reported; I once identified that one of our largest Aussie banks had disabled cert validation in their mobile app, which effectively invalidated their entire HTTPS implementation, and I received 2 movie tickets in return (the cheapest seats too, thank you very much). But still, you're in no position to make demands without stepping into a very shady area.

Further to this, any form of unsolicited mass communication to targets in an attempt to sell security things is nothing more than ambulance chasing. I've seen the same thing with companies attempting to gain clients by emailing domain owners when their addresses have appeared in a data breach - it's a sleazy way of doing business and depending on where you are in the world, it can be outright illegal.

And as for "Md. Shofiur R", the following suggestion seemed like a sensible idea:

He was indeed using a Gmail address and Google provides a channel for reporting abuse when users of their service violate the Gmail Program Policies. The very first policy on that page is the following:

Don’t use Gmail to distribute spam or unsolicited commercial mail

Pretty clear cut, so "Md. Shofiur R" got himself an abuse report too:

Gmail abuse report submitted

Finally, for anyone suggesting this was a "mistake" or part of his "education", no, it wasn't. This was designed from the outset to be an absolute shotgun approach maximising his opportunity for profit. He had multiple opportunities throughout the dialogue above to check the site and realise who he was talking to but he instead forged ahead in an attempt to part me from my cash. I'm just one of who-knows-how-many people he directed this scam at and that's precisely what it is - a fraudulent scheme, especially for making a quick profit. If I'd not called his bluff on this and had instead accepted the terms in his fourth email to me, I've no doubt whatsoever he would have happily taken my money. Not only is this behaviour detrimental to those who may end up paying for something they don't need (and yes, people will pay, just look at how effective the virus call centre scammers are), it contributes to the overall noise of "security reports"; is it any wonder that companies ignore legitimate reports when they receive this sort of rubbish?
