Security Vulnerability Notification with email sender openbugsbounty.com - SPAM?

Questions or suggestions about the platform
timegoblin2
Posts: 1
Joined: Mon Sep 20, 2021 7:27 am

Security Vulnerability Notification with email sender openbugsbounty.com - SPAM?

Post by timegoblin2 » Mon Sep 20, 2021 7:48 am

Hi,

I got a Security Vulnerability Notification referring to your website. I'm not sure whether this mail is legit or not:
- The email sender is from another domain: <name>@openbugsbounty.com
- The OBB-ID returns me a 404.
Is this domain openbugsbounty.com one of yours or can I discard this mail as SPAM?

Thanks

x1admin
Site Admin
Posts: 3100
Joined: Sun Nov 15, 2015 7:04 pm

Re: Security Vulnerability Notification with email sender openbugsbounty.com - SPAM?

Post by x1admin » Tue Sep 21, 2021 5:11 am

We send signed emails from openbugbounty.org only.

balu
Posts: 2
Joined: Tue Dec 22, 2020 8:24 am

Re: Security Vulnerability Notification with email sender openbugsbounty.com - SPAM?

Post by balu » Mon Oct 25, 2021 7:21 am

FYI: We have received two similar emails. One from "OpenBugBounty <[email protected]>" and one from "OpenBugBounty <[email protected]>"

Interestingly enough, the template does not replace the website in the text part of the emails ("affecting site.com website"); the HTML part does.

Mine both linked to researcher YassDennis and include his email, which is listed on his profile page too; all links go directly to openbugbounty.org.

I have no idea what they are trying to achieve.

balu
Posts: 2
Joined: Tue Dec 22, 2020 8:24 am

Re: Security Vulnerability Notification with email sender openbugsbounty.com - SPAM?

Post by balu » Sat Oct 30, 2021 8:03 pm

Ok, this gets even more interesting now.

I have just received a reply to my mail asking for details on this faked "OBB-2897797", and it is an actual XSS on our site.

But it is still not listed if I search for the domain on OBB.

Is it possible the researcher himself is faking those emails? He is using the same Gmail address as listed on the researcher's profile page.

korkman83
Posts: 1
Joined: Mon Nov 29, 2021 12:54 pm

Re: Security Vulnerability Notification with email sender openbugsbounty.com - SPAM?

Post by korkman83 » Mon Nov 29, 2021 2:43 pm

Same here. Actual XSS disclosed, asking for money.

I'd like to emphasize the fake domain, and add that their second email, the reply to my reply, contains a tracking image to see whether the mail was opened.

Real: openbugbounty.org
Fake: openbugsbounty.com

I suspect there's a black hat network behind this, sharing a profile to reuse with ease (a Twitter account, and therefore a phone number, is required, which isn't that cheap to get). Their scan came from a different country than the email; likely hacked servers (the IPs are not a known VPN).

Pay a botnet operator for a somewhat real service they provided? I'd say no, because the resources they used were obtained illegally. Also, there's a notable gap between the scan and the fake OBB mail. I guess my XSS vulnerability was up for sale for two weeks, and only because no one showed interest was it offered and disclosed to me, the website operator.

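A triage script for notifications like the ones in this thread, added here as an example; it is not Open Bug Bounty's own code. It assumes that a genuine notification carries a DKIM signature from openbugbounty.org (one reading of the admin's "signed emails" reply, not a published spec) and that the receiving mail server records the result in an RFC 8601 Authentication-Results header. Both raw messages, the addresses in them and the tracking-pixel URL are constructed for the demonstration. It checks the four signals the posters raised: the sender domain against the single legitimate domain (with a lookalike test), the DKIM result, the unreplaced "site.com" placeholder in the text part, and remote images in the HTML part.

```python
"""Triage a 'Security Vulnerability Notification' e-mail before trusting it.

Added example, not Open Bug Bounty's code. Assumes (1) genuine mail is DKIM-signed
by openbugbounty.org and (2) the MTA adds an RFC 8601 Authentication-Results header.
"""
import email
import re
from email import policy
from email.utils import parseaddr

LEGIT_DOMAIN = "openbugbounty.org"  # the only domain OBB says it sends from

# Constructed sample: lookalike sender, no DKIM pass, placeholder left in the
# text part, tracking pixel in the HTML part. Addresses and URL are made up.
SUSPECT_RAW = b"""From: OpenBugBounty <notify@openbugsbounty.com>
To: webmaster@example.net
Subject: Security Vulnerability Notification
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=openbugsbounty.com; dkim=none
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

A vulnerability affecting site.com website was reported. See https://www.openbugbounty.org/
--b1
Content-Type: text/html; charset=utf-8

<html><body><p>A vulnerability affecting example.net website was reported.</p>
<img src="https://openbugsbounty.com/open.gif?id=123" width="1" height="1"></body></html>
--b1--
"""

# Constructed sample of what a message consistent with the assumptions looks like.
LEGIT_RAW = b"""From: OpenBugBounty <notify@openbugbounty.org>
To: webmaster@example.net
Subject: Security Vulnerability Notification
Authentication-Results: mx.example.net; dkim=pass header.d=openbugbounty.org header.s=sel; spf=pass smtp.mailfrom=openbugbounty.org
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b2"

--b2
Content-Type: text/plain; charset=utf-8

A vulnerability affecting example.net website was reported. See https://www.openbugbounty.org/
--b2
Content-Type: text/html; charset=utf-8

<html><body><p>A vulnerability affecting example.net website was reported.</p></body></html>
--b2--
"""


def parse(raw: bytes):
    return email.message_from_bytes(raw, policy=policy.default)


def sender_domain(msg) -> str:
    """Domain of the From: address (the display name is ignored on purpose)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def dkim_passed_domain(msg):
    """d= domain of a passing DKIM result in Authentication-Results, else None."""
    for hdr in msg.get_all("Authentication-Results", []):
        m = re.search(r"dkim=pass\b[^;]*?\bheader\.d=([A-Za-z0-9.-]+)", hdr)
        if m:
            return m.group(1).lower()
    return None


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used for the lookalike test."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, legit: str = LEGIT_DOMAIN) -> bool:
    """True if domain != legit but its second-level label is within two edits
    (openbugsbounty.com vs openbugbounty.org differ by one inserted 's')."""
    if domain == legit:
        return False
    label = lambda d: d.split(".")[-2] if "." in d else d
    return edit_distance(label(domain), label(legit)) <= 2


def remote_images(msg) -> list:
    """URLs of remotely loaded <img> tags in the HTML part (open-tracking pixels)."""
    html = msg.get_body(preferencelist=("html",))
    if html is None:
        return []
    return re.findall(r'<img\b[^>]*\bsrc=["\']?(https?://[^"\'\s>]+)',
                      html.get_content(), re.I)


def _named_site(part):
    if part is None:
        return None
    m = re.search(r"affecting (\S+) website", part.get_content())
    return m.group(1) if m else None


def body_mismatch(msg) -> bool:
    """True if text and HTML parts name different sites (unreplaced template)."""
    text = _named_site(msg.get_body(preferencelist=("plain",)))
    html = _named_site(msg.get_body(preferencelist=("html",)))
    return text is not None and html is not None and text != html


def triage(raw: bytes) -> dict:
    msg = parse(raw)
    dom, signed_by, reasons = sender_domain(msg), dkim_passed_domain(msg), []
    if dom != LEGIT_DOMAIN:
        reasons.append(f"sender domain {dom} is not {LEGIT_DOMAIN}")
    if is_lookalike(dom):
        reasons.append(f"sender domain {dom} is a lookalike of {LEGIT_DOMAIN}")
    if signed_by != LEGIT_DOMAIN:
        reasons.append(f"no passing DKIM signature from {LEGIT_DOMAIN}")
    if remote_images(msg):
        reasons.append("remote image(s) in HTML part: " + ", ".join(remote_images(msg)))
    if body_mismatch(msg):
        reasons.append("text and HTML parts name different sites")
    # "consistent" only means the checks pass; it does not vouch for the report itself
    return {"sender": dom, "dkim": signed_by,
            "verdict": "suspicious" if reasons else "consistent", "reasons": reasons}


if __name__ == "__main__":
    for raw in (SUSPECT_RAW, LEGIT_RAW):
        print(triage(raw))
```

The DKIM check only trusts the Authentication-Results header your own mail server wrote, so strip or ignore any such header that arrived from outside; an attacker can add one. A "consistent" verdict says the message plausibly came from openbugbounty.org, not that the reported bug is real or that the researcher is honest, which is the separate question the thread turns to.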