Here's the tl;dr - someone named "Md. Shofiur R" found troyhunt.com on a "free online malware scanner" and tried to scare me into believing my site had security vulnerabilities then shake me down for a penetration test. It didn't work out so well for him, here's the blow-by-blow account of things then I'll add some more thoughts afterwards:
Should I respond? ? pic.twitter.com/lifCZRcICF— Troy Hunt (@troyhunt) March 20, 2018
I couldn’t help myself pic.twitter.com/zvx3myyItn— Troy Hunt (@troyhunt) March 20, 2018
Ooh, he’s good! Suggestions? This feels like it’ll be more fun crowd-sourced ? pic.twitter.com/i2EFDFgLem— Troy Hunt (@troyhunt) March 20, 2018
Your move ? pic.twitter.com/hzXmVWq2KD— Troy Hunt (@troyhunt) March 20, 2018
Alrighty, we’re still going here, but he seems to have shifted angle a little bit now. I *must* see these professional skills in action and reach 100% secure! pic.twitter.com/kGJdClfo7H— Troy Hunt (@troyhunt) March 20, 2018
There’s an art to this: just enough troll but also just enough hope that perhaps they’ll be able to scam the victim out of some hard-earned cash... pic.twitter.com/bWJ9J35kai— Troy Hunt (@troyhunt) March 20, 2018
We have a price! I wonder how much cyber that will buy me... pic.twitter.com/WDwsbJ7RLS— Troy Hunt (@troyhunt) March 20, 2018
POC or GTFO! pic.twitter.com/lymZeOHc74— Troy Hunt (@troyhunt) March 21, 2018
Ok, one last try, for some reason he started ignoring me ? pic.twitter.com/gsjnzVs9dT— Troy Hunt (@troyhunt) March 23, 2018
Wow! That’s... a very honest response. I don’t know whether I should thank him for his candour or rip into him for attempting to profit without verifying the “vulnerabilities”. What do you reckon I should say to the guy? pic.twitter.com/c9TglDIo9Y— Troy Hunt (@troyhunt) March 23, 2018
Let's pause here for a moment - the site he's referring to is Quttera and at the time he sent me the above email, a scan of my site reported the following:
That blog post - The One Valuable Thing All Websites Have: Reputation (and Why It's Attractive to Phishers) - had a few snippets of HTML and various URLs representing how some of these phishing sites were put together. That's all that cause Quttera to flag my site - it's not doing any sort of dynamic analysis of security vulnerabilities or anything at all which could cause "Md. Shofiur R" to reasonably draw his original conclusions. For some reason, Quttera now also reports my blog as having "no malware detected" despite no change in the aforementioned blog post.
Clearly, I wasn't happy:
So based on everyone’s feedback, this guy gets a blog post and an opportunity to explain himself. Frankly, I think it’s an outright scam (a fraudulent scheme for making a quick profit) and he’s certainly not the only one engaging in it either. pic.twitter.com/XQEua0o2PB— Troy Hunt (@troyhunt) March 24, 2018
Usually the responsive type, a couple of days later and "Md. Shofiur R" has (unsurprisingly) gone quiet.
There were never any of the proclaimed vulnerabilities on my blog. If there were, it would have taken him a couple of minutes to find the section in the footer which says "This site runs entirely on Ghost" then a couple more minutes to find the page titled "Reporting Security Issues" on their GitHub account (I wound up there after a simple Google search). But this was never about reporting real issues, it was just someone trying to make a quick buck.
Now, to the broader issue of people reporting real security vulnerabilities with an expectation of cash in return, I want to share some thoughts on that too: Firstly, bug bounties are awesome. I love bug bounties because they're win-win for all involved. I just recorded two Pluralsight courses in San Francisco with Casey Ellis (friend and founder of Bugcrowd) on precisely this (one course for companies and one for researchers, we should see them live next month):
Second @pluralsight Play by Play done, this one with @caseyjohnellis of @Bugcrowd fame ? pic.twitter.com/GowQLBM6zc— Troy Hunt (@troyhunt) March 14, 2018
However, bug bounties are formal programs which set out a series of expectations for companies and researchers alike (this was a point Casey reiterates in the courses). If there is no bug bounty program, you're in no position to ask for money in return and you're possibly getting very close to extortion ("pay me money if you don't want something bad to happen to your site"). This is why the recent Uber situation was such a debacle. Now, you may receive something for your efforts and you may also feel that it's entirely incommensurate with the value of the vulnerability you reported; I once identified one of our largest Aussie banks had disabled cert validation in the mobile app which effectively invalidated their entire HTTPS implementation and I received 2 movie tickets in return (the cheapest seats too, thank you very much). But still, you're in no position to make demands without stepping into a very shady area.
Further to this, any form of unsolicited mass communication to targets in an attempt to sell security things is nothing more than ambulance chasing. I've seen the same thing with companies attempting to gain clients by emailing domain owners when their addresses have appeared in a data breach - it's a sleazy way of doing business and depending on where you are in the world, it can be outright illegal.
And as for "Md. Shofiur R", the following suggestion seemed like a sensible idea:
Is he using Gmail or GSuite Services? If so, report him to Google for Spam (with screenshots etc) and they are freezing accounts for TOS violations and spam.— ?KLttyKat #HypnoDomme? (@KLtty_Kat) March 24, 2018
I get annoyed AF with these morons spamming me I report them ALL to Microsoft & google for spamhttps://t.co/3TThx6yi0x
He was indeed using a Gmail address and Google provides a channel for reporting abuse when users of their service violate the Gmail Program Policies. The very first policy on that page is the following:
Pretty clear cut, so "Md. Shofiur R" got himself an abuse report too:
Finally, for anyone suggesting this was a "mistake" or part of his "education", no, it wasn't. This was designed from the outset to be an absolute shotgun approach maximising his opportunity for profit. He had multiple opportunities throughout the dialogue above to check the site and realise who he was talking to but he instead forged ahead in an attempt to part me from my cash. I'm just one of who-knows-how-many people he directed this scam at and that's precisely what it is - a fraudulent scheme, especially for making a quick profit. If I'd not called his bluff on this and had instead accepted the terms in his fourth email to me, I've no doubt whatsoever he would have happily taken my money. Not only is this behaviour detrimental to those who may end up paying for something they don't need (and yes, people will pay, just look at how effective the virus call centre scammers are), it contributes to the overall noise of "security reports"; is it any wonder that companies ignore legitimate reports when they receive this sort of rubbish?