Hackers Target Bug Bounty Hunters with Blackmail Emails

Rishika Desai
4 min read · Dec 25, 2023
Bug Bounty Hunters Beware: Big Brother is Watching (Your Inbox!)

For all the bug bounty hunters, please check your spam folder, especially if you have generated a research email in the [username]@bugcrowdninja.com format. There is a fair chance you will find a potentially harmful email that tries to blackmail you into paying a ransom, claiming that a Trojan on your system has handed your sensitive information to hackers. The senders, who call themselves ‘Big Brother’ or the ‘All-Seeing Eye’, subtly drop a BTC address and promise to delete all the gathered data once it is paid.

This threat reached my email address through Bugcrowd, a widely known and renowned bug bounty platform that provides a base for ethical hackers across the globe. Bugcrowd offers an email relay service, which can be checked here. The service forwards every message sent to the research email on to the primary email, regardless of its content or sender.

Threatening email collected in the spam folder of a researcher

Where is the vulnerability?

The series of emails shown below shows multiple attempts to exploit this relay service, which is possible because neither the content nor the sender is validated before the message is forwarded. The emails originated from various domains and went as far as spoofing reputed organizations, such as fujitsu[.]co[.]jp, harming their brand in the process.

Multiple ransom demands relayed via Bugcrowd

Understanding the threat

The above issue quickly escalated into a threat: further investigation revealed that the BTC addresses mentioned in the emails had already earned some ransom. An educated guess is that certain researchers, likely newcomers to the platform, have fallen for this threat. While the content of the email is embarrassing enough that victims are unlikely to come forward and discuss the matter openly, a large number of ethical hackers are potentially at risk of being targeted.

Discussing the TTPs

To explain this better, here is a simple demonstration of how the threat is executed:

  1. Identify domains that lack solid email authentication policies
  2. Identify different BugCrowd profile usernames and append “@bugcrowdninja.com”
  3. Send the email with the subject “No Reply.”
  4. Add the BTC address

Imitating the TTP for better understanding

Emails and BTC collected so far

I’m adding below the emails through which the threatening content was delivered to my research account, along with their BTC addresses and the amount asked.

Emails and BTC addresses collected so far

Analysis of the BTC addresses from the above image

  1. Interestingly, payments have been made to many of the BTC addresses mentioned in the table above. For example, one address that originally asked for $890 shows a single incoming transaction and a wallet balance of $888, indicating the ransom was paid.
  2. Some of the sender addresses were found to come from temporary email generators (here, “EmailOnDeck”). This was identified via a GitHub repository that maintains a managed blacklist of disposable-email domains, created so that sites can check their user base or new subscribers against it and detect fake subscribers. Here, quuradminb[.]com was a match.

Impact

Brand Harming

When such domains are identified as lacking email authentication policies, they are abused to relay threatening messages, tarnishing the company’s image. Victims on the receiving end are bound to think that the mail was generated by company employees.

At the same time, the targeting of talented and promising ethical hackers through this relay service, caused by the lack of validation of the relayed content, can harm the brand of such bug bounty platforms as well.

Ransom

Leveraging the above two issues, hackers can profit financially by manipulating researchers into paying money, even though their systems might not be infected with a trojan at all. This leads to a loss of morale towards bug bounty hunting and a loss of trust in such reputed and innovative platforms.

Recommendations

While the decision to address this issue and make specific changes to the third-party relay service adopted by Bugcrowd rests solely with the company, here are some mitigations that one can follow as an individual and as an organization.

  1. Ensure that email authentication policies are enabled and strong (such as SPF, DKIM, and DMARC).
  2. Report such harmful messages immediately.
  3. As an organization, prioritize content verification and blacklist emails containing specific keywords that are irrelevant to the context.
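Added example, not part of the original post and not Bugcrowd's relay code: a small Python triage filter that applies recommendations 1 and 3 at a mail gateway sitting in front of the researcher's primary inbox. It assumes the gateway can read the Authentication-Results header written by the receiving MTA (SPF/DKIM/DMARC verdicts) and the plain-text body; it then looks for a Bitcoin address and the extortion template's wording, and flags the “No Reply” subject. The two sample messages, their domains (all `.invalid`) and the Bitcoin address are constructed for the demonstration.

```python
"""Triage a relayed message for the extortion pattern described in the post.

Added example (not Bugcrowd's code): it assumes the relay or a mail gateway
in front of the primary inbox can see the Authentication-Results header
written by the receiving MTA and the plain-text body.
"""
import email
import re
from email import policy

# Bitcoin address shapes: legacy base58 (leading 1 or 3) and bech32 (bc1...).
BTC_ADDRESS_RE = re.compile(
    r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,62})\b"
)

# Phrases lifted from the "Big Brother" / trojan template; they have no place
# in legitimate program mail, so each one is a content-verification hit.
EXTORTION_KEYWORDS = ("trojan", "big brother", "all-seeing eye", "bitcoin", "btc", "webcam")

# Parses "spf=fail", "dkim=none", "dmarc=pass" tokens from Authentication-Results.
AUTH_RESULT_RE = re.compile(
    r"\b(spf|dkim|dmarc)=(pass|fail|softfail|none|neutral|temperror|permerror)\b", re.I
)

# Constructed sample mirroring the relayed ransom mails (domains and address are fake).
SAMPLE_EXTORTION_MAIL = """\
From: no-reply@spoofed-corp.invalid
To: researcher@bugcrowdninja.com
Subject: No Reply
Authentication-Results: relay.invalid; spf=fail smtp.mailfrom=spoofed-corp.invalid; dkim=none; dmarc=fail header.from=spoofed-corp.invalid
Content-Type: text/plain; charset="utf-8"

I am Big Brother. A Trojan on your device recorded everything.
Send 890 USD in Bitcoin to 1ZzConstructedSampAddrxyzwQQQQQQ within 48 hours.
"""

# Constructed sample of normal program traffic for comparison.
SAMPLE_LEGIT_MAIL = """\
From: triage@program.invalid
To: researcher@bugcrowdninja.com
Subject: Re: Submission status
Authentication-Results: relay.invalid; spf=pass smtp.mailfrom=program.invalid; dkim=pass header.d=program.invalid; dmarc=pass header.from=program.invalid
Content-Type: text/plain; charset="utf-8"

Thanks for the report. We reproduced the issue and moved it to triaged.
"""


def parse_auth_results(msg):
    """Return e.g. {"spf": "fail", "dkim": "none", "dmarc": "fail"}.
    A mechanism absent from the header is reported as "none", which the
    caller treats as a failure rather than as a pass."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for mech, verdict in AUTH_RESULT_RE.findall(str(header)):
            results.setdefault(mech.lower(), verdict.lower())
    for mech in ("spf", "dkim", "dmarc"):
        results.setdefault(mech, "none")
    return results


def body_text(msg):
    """Plain-text body of a simple or multipart message, or "" if there is none."""
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content() if part is not None else ""


def triage(raw_message):
    """Decide whether a relayed message should be held for review instead of
    being forwarded to the researcher's primary inbox, and record why."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    auth = parse_auth_results(msg)
    body = body_text(msg)
    lowered = body.lower()

    auth_failures = [f"{m}={v}" for m, v in auth.items() if v != "pass"]
    btc_addresses = BTC_ADDRESS_RE.findall(body)
    keyword_hits = [k for k in EXTORTION_KEYWORDS if k in lowered]
    subject = (msg.get("Subject") or "").strip().rstrip(".").lower()
    noreply_subject = subject == "no reply"

    # Content alone (ransom address plus template wording) is enough to hold the
    # mail; an authentication failure combined with any single signal is enough too.
    quarantine = bool(
        (btc_addresses and keyword_hits)
        or (auth_failures and (btc_addresses or keyword_hits or noreply_subject))
    )
    return {
        "quarantine": quarantine,
        "auth": auth,
        "auth_failures": auth_failures,
        "btc_addresses": btc_addresses,
        "keyword_hits": keyword_hits,
        "noreply_subject": noreply_subject,
    }


if __name__ == "__main__":
    for name, raw in (("extortion", SAMPLE_EXTORTION_MAIL), ("legit", SAMPLE_LEGIT_MAIL)):
        print(name, triage(raw))
```

A DMARC failure on its own is deliberately not enough to quarantine, since forwarded and mailing-list traffic fails DMARC routinely; the filter only holds mail when an authentication failure coincides with a content signal, or when the content alone matches the ransom template. Anything quarantined should still be reported, as recommendation 2 says, rather than silently dropped.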


Rishika Desai

Cyber threat intelligence is exciting and I am even more excited to share as I learn. Workout, novel, and animal lover. Also, a full time pet mom!