Hi,
I got a Security Vulnerability Notification referring to your website. I'm not sure whether this mail is legit or not:
- The email sender is from another domain: <name>@openbugsbounty.com
- The OBB-ID returns a 404.
Is this domain openbugsbounty.com one of yours or can I discard this mail as SPAM?
Thanks
Security Vulnerability Notification with email sender openbugsbounty.com - SPAM?
Re: Security Vulnerability Notification with email sender openbugsbounty.com - SPAM?
We send signed emails from openbugbounty.org only
Re: Security Vulnerability Notification with email sender openbugsbounty.com - SPAM?
FYI: We have received two similar emails. One from "OpenBugBounty <[email protected]>" and one from "OpenBugBounty <[email protected]>"
Interestingly enough, the template does not replace the website in the text part of the emails ("affecting site.com website"); the HTML part does.
Mine both linked to researcher YassDennis and include his email, which is listed on his profile page too; all links go directly to openbugbounty.org.
I have no idea what they are trying to achieve.
Re: Security Vulnerability Notification with email sender openbugsbounty.com - SPAM?
Ok, this gets even more interesting now.
I have just received a reply to my mail asking for details on this faked "OBB-2897797" and it is an actual XSS on our site.
But it is still not listed if I search for the domain on OBB.
Is it possible the researcher himself is faking those emails? He is using the same Gmail address as listed on the researcher's profile page.
Re: Security Vulnerability Notification with email sender openbugsbounty.com - SPAM?
Same here. Actual XSS disclosed, asking for money.
I'd like to emphasize the fake domain and add that their second e-mail, the reply to my reply, contains a tracking image to see if the mail was opened.
Real: openbugbounty.org
Fake: openbugsbounty.com
I suspect there's a black hat network behind this, sharing a profile to reuse with ease (Twitter account and therefore phone number required, which isn't that cheap to get). Their scan was from a different country than the E-Mail - likely hacked servers (IPs are not a known VPN).
Pay a botnet operator for a somewhat real service they provided? I'd say no, because the resources they used were obtained illegally. Also, there's a notable gap between the scan and the fake OBB mail. I guess my XSS vulnerability was up for sale for two weeks, and only because no one showed interest was it offered and disclosed to me, the website operator.
Re: Security Vulnerability Notification with email sender openbugsbounty.com - SPAM?
Hello
About three weeks ago we received three emails about a security vulnerability:
- the first from [email protected]
- two more from [email protected]
We tried to contact the researcher YassDennis using the email address given in the report, via Twitter, and via replies to the sender addresses of the reports. Unfortunately without success.
Is there still a way to get details about the reported vulnerability, or rather, were these reports real at all?
Best Regards
Re: Security Vulnerability Notification with email sender openbugsbounty.com - SPAM?
We send signed emails from openbugbounty.org only
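The two facts the thread establishes (genuine notifications come signed from openbugbounty.org only; the fakes come from a look-alike domain, carry no such signature, and add a tracking image in the HTML part) can be turned into a small triage check a site operator runs before replying to such a mail. The script below is an added example, not code from the forum or from Open Bug Bounty; the two sample messages, the addresses, the OBB-0000000 reference and the DKIM signature values in them are constructed placeholders. It only reads the `d=` tag of a DKIM-Signature header to see whether the mail even claims to be signed by the real domain; cryptographic verification is done by the receiving mail server and shows up in its Authentication-Results header.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# From the thread: Open Bug Bounty sends signed notifications from this domain only.
LEGIT_DOMAIN = "openbugbounty.org"

# Constructed sample in the shape the thread describes: look-alike sender domain,
# no DKIM-Signature header, text part with an unreplaced template placeholder,
# HTML part carrying a 1x1 tracking image. Addresses and the OBB ID are placeholders.
FAKE_MAIL = b"""From: OpenBugBounty <notify@openbugsbounty.com>
To: webmaster@example.org
Subject: Security Vulnerability Notification
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

A vulnerability affecting site.com website was reported (OBB-0000000).
--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>A vulnerability affecting example.org website was reported.</p>
<img src="https://tracker.example/open.gif" width="1" height="1" alt=""></body></html>
--b1--
"""

# Constructed sample of what a genuine notification looks like at the header level:
# exact domain plus a DKIM-Signature whose d= tag matches it (signature values are dummies).
SIGNED_MAIL = b"""DKIM-Signature: v=1; a=rsa-sha256; d=openbugbounty.org; s=dummy; h=from:to:subject; bh=AAAA; b=BBBB
From: Open Bug Bounty <notify@openbugbounty.org>
To: webmaster@example.org
Subject: Security Vulnerability Notification
Content-Type: text/plain; charset="utf-8"

A vulnerability affecting example.org website was reported.
"""


def sender_domain(msg):
    """Domain part of the From address, lower-cased ('' if absent)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def edit_distance(a, b):
    """Plain Levenshtein distance; a small value flags typosquats such as one added letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, legit):
    """True when the domain differs from the legit one but its name label is within two edits
    (openbugsbounty.com vs openbugbounty.org: the TLD is ignored, the label differs by one)."""
    if domain == legit:
        return False
    return edit_distance(domain.rsplit(".", 1)[0], legit.rsplit(".", 1)[0]) <= 2


def dkim_signing_domain(msg):
    """d= tag of the first DKIM-Signature header, or None. Reads the claim only; whether the
    signature verifies is the receiving MTA's job (see its Authentication-Results header)."""
    sig = msg.get("DKIM-Signature")
    if not sig:
        return None
    m = re.search(r"(?:^|;)\s*d=([^;\s]+)", sig)
    return m.group(1).lower() if m else None


def tracking_pixels(msg):
    """src attributes of 1x1 <img> tags in any text/html part (the 'tracking image' from the thread)."""
    found = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        for tag in re.findall(r"<img\b[^>]*>", part.get_content(), flags=re.I):
            w = re.search(r'width\s*=\s*"?(\d+)', tag, re.I)
            h = re.search(r'height\s*=\s*"?(\d+)', tag, re.I)
            src = re.search(r'src\s*=\s*"([^"]+)"', tag, re.I)
            if w and h and w.group(1) == "1" and h.group(1) == "1" and src:
                found.append(src.group(1))
    return found


def triage(raw):
    """Run the checks a site operator can apply to such a notification before acting on it."""
    msg = message_from_bytes(raw, policy=policy.default)
    dom = sender_domain(msg)
    findings = []
    if dom != LEGIT_DOMAIN:
        findings.append("sender domain is not %s" % LEGIT_DOMAIN)
        if is_lookalike(dom, LEGIT_DOMAIN):
            findings.append("sender domain is a look-alike of %s" % LEGIT_DOMAIN)
    d = dkim_signing_domain(msg)
    if d != LEGIT_DOMAIN:
        findings.append("no DKIM-Signature with d=%s" % LEGIT_DOMAIN)
    pixels = tracking_pixels(msg)
    if pixels:
        findings.append("HTML part contains %d tracking pixel(s)" % len(pixels))
    return {
        "sender_domain": dom,
        "dkim_domain": d,
        "tracking_pixels": pixels,
        "findings": findings,
        "verdict": "suspicious" if findings else "consistent with a genuine OBB notification",
    }


if __name__ == "__main__":
    for label, raw in (("fake", FAKE_MAIL), ("signed", SIGNED_MAIL)):
        result = triage(raw)
        print(label, "->", result["verdict"], result["findings"])
```

Run it against a saved `.eml` by passing the file's bytes to `triage()`. A mail that fails the domain check is the case the thread describes, and the OBB reference in it cannot be trusted even when the reported XSS turns out to be real: the right move is to look the site up on openbugbounty.org directly rather than to reply to the sender.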