Security Vulnerability Notification with email sender openbugsbounty.com - SPAM?

Posted: Mon Sep 20, 2021 7:48 am
by timegoblin2
Hi,

I got a Security Vulnerability Notification referring to your website. I'm not sure whether this mail is legit or not:
- The email sender is from another domain: <name>@openbugsbounty.com
- The OBB-ID returns me a 404.
Is this domain openbugsbounty.com one of yours or can I discard this mail as SPAM?

Thanks

Re: Security Vulnerability Notification with email sender openbugsbounty.com - SPAM?

Posted: Tue Sep 21, 2021 5:11 am
by x1admin
We send signed emails from openbugbounty.org only

Re: Security Vulnerability Notification with email sender openbugsbounty.com - SPAM?

Posted: Mon Oct 25, 2021 7:21 am
by balu
FYI: We have received two similar emails. One from "OpenBugBounty <[email protected]>" and one from "OpenBugBounty <[email protected]>"

Interestingly enough, the template does not replace the website in the text part of the emails ("affecting site.com website"); the HTML part does.

Both of mine linked to the researcher YassDennis and included his email, which is also listed on his profile page; all links go directly to openbugbounty.org.

I have no idea what they are trying to achieve.

Re: Security Vulnerability Notification with email sender openbugsbounty.com - SPAM?

Posted: Sat Oct 30, 2021 8:03 pm
by balu
Ok, this gets even more interesting now.

I have just received a reply to my mail asking for details on this faked "OBB-2897797", and it is an actual XSS on our site.

But it is still not listed if I search for the domain on OBB.

Is it possible the researcher himself is faking those emails? He is using the same Gmail address as listed on the researcher's profile page.

Re: Security Vulnerability Notification with email sender openbugsbounty.com - SPAM?

Posted: Mon Nov 29, 2021 2:43 pm
by korkman83
Same here. Actual XSS disclosed, asking for money.

I'd like to emphasize the fake domain and add that their second email, the reply to my reply, contains a tracking image to see if the mail was opened.

Real: openbugbounty.org
Fake: openbugsbounty.com

I suspect there's a black-hat network behind this, sharing a profile to reuse with ease (a Twitter account and therefore a phone number are required, which isn't that cheap to get). Their scan came from a different country than the email, likely hacked servers (the IPs are not a known VPN).

Pay a botnet operator for a somewhat real service they provided? I'd say no, because the resources they used were obtained illegally. Also, there's a notable gap between the scan and the fake OBB mail. I guess my XSS vulnerability was up for sale for two weeks, and only because no one showed interest was it offered and disclosed to me, the website operator.

Re: Security Vulnerability Notification with email sender openbugsbounty.com - SPAM?

Posted: Tue Dec 14, 2021 2:14 pm
by NEZBN_ZZF
Hello

About three weeks ago we received three emails about a security vulnerability. The OBB number was the same in all cases.

We tried to contact the researcher YassDennis using the email address given in the report, via Twitter and via replies to the sender addresses of the reports. Unfortunately without success.

Is there still a way to get details about the reported vulnerability, or rather, were these reports real at all?

Best Regards

Re: Security Vulnerability Notification with email sender openbugsbounty.com - SPAM?

Posted: Thu Dec 16, 2021 7:25 am
by x1admin
We send signed emails from openbugbounty.org only
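Putting the thread's checks into a script: x1admin's answer (signed mail, openbugbounty.org only), korkman83's real/fake domain pair and the tracking image he mentions can all be tested mechanically on a raw message before anyone replies to the "researcher". The example below is added here and is not code from Open Bug Bounty or from anyone in the thread. The two sample messages are constructed for the example, the address notifications@openbugbounty.org is an assumption (the page only says mail is signed from that domain), and `AUTHSERV_ID` stands for your own inbound MTA's authserv-id, which is what makes a `dkim=pass` in Authentication-Results worth trusting at all (a sender can write that header too).

```python
import email
import re
from email import policy

REAL_DOMAIN = "openbugbounty.org"   # the only domain OBB says it sends signed mail from
AUTHSERV_ID = "mx.example.com"      # assumption: authserv-id of your own inbound MTA


def levenshtein(a, b):
    """Plain edit distance, used to spot one-letter-off lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(msg):
    """Domain of the first From: address, lower-cased ('' if there is none)."""
    addrs = msg["From"].addresses if msg["From"] else ()
    return addrs[0].domain.lower() if addrs else ""


def dkim_pass_for(msg, domain):
    """True only if an Authentication-Results header stamped by OUR MTA
    records dkim=pass with header.d=<domain>. Headers with any other
    authserv-id are ignored because the sender could have added them."""
    for hdr in msg.get_all("Authentication-Results", []):
        text = str(hdr).strip()
        if not text.startswith(AUTHSERV_ID):
            continue
        for m in re.finditer(r"dkim=pass[^;]*?header\.d=([\w.-]+)", text, re.I):
            if m.group(1).lower() == domain:
                return True
    return False


def remote_images(msg):
    """Remote <img> URLs in any HTML part: the open-tracking pixel from the thread."""
    urls = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            urls += re.findall(r'<img[^>]+src="(https?://[^"]+)"', part.get_content(), re.I)
    return urls


def triage(raw):
    """Return a list of findings; an empty list means the mail passed every check."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    dom = sender_domain(msg)
    if dom != REAL_DOMAIN:
        # compare the registrable label so openbugsbounty.com vs openbugbounty.org is distance 1
        real_label, dom_label = REAL_DOMAIN.rsplit(".", 1)[0], dom.rsplit(".", 1)[0]
        kind = "lookalike" if levenshtein(dom_label, real_label) <= 2 else "unrelated"
        findings.append(f"{kind} sender domain: {dom}")
    if not dkim_pass_for(msg, REAL_DOMAIN):
        findings.append(f"no DKIM pass for {REAL_DOMAIN} recorded by {AUTHSERV_ID}")
    for url in remote_images(msg):
        findings.append(f"remote image (possible open tracker): {url}")
    return findings


def is_trustworthy(raw):
    return triage(raw) == []


# Constructed sample: the fake pattern described in the thread.
FAKE_NOTIFICATION = """\
From: OpenBugBounty <researcher@openbugsbounty.com>
To: security@example.com
Subject: Security Vulnerability Notification
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=openbugsbounty.com; dkim=none
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain

A vulnerability affecting site.com website has been reported.

--b1
Content-Type: text/html

<html><body><p>A vulnerability affecting example.com website has been reported.</p>
<img src="https://openbugsbounty.com/t.gif?id=abc" width="1" height="1"></body></html>

--b1--
"""

# Constructed sample of what a signed mail from the real domain looks like
# after your MTA has verified it (sender address is an assumption).
SIGNED_NOTIFICATION = """\
From: Open Bug Bounty <notifications@openbugbounty.org>
To: security@example.com
Subject: Security Vulnerability Notification
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=openbugbounty.org; dkim=pass header.d=openbugbounty.org header.s=mail
Content-Type: text/plain

A vulnerability affecting example.com has been reported.
"""

if __name__ == "__main__":
    for name, raw in (("fake", FAKE_NOTIFICATION), ("signed", SIGNED_NOTIFICATION)):
        print(name, "->", triage(raw) or "OK")
```

Feed it the raw message as saved by your mail client (headers included). The authserv-id check is the part people skip: a `dkim=pass` that your own MTA did not write is just text the sender put there, so the script deliberately ignores it.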