19 May 2022
This page is an early draft and could still see significant changes.
Recently I received an e-mail with the subject "Vulnerabilities in your site" from a certain Elvin Isaac. Website owners periodically receive junk e-mails that go straight to the trash, but a claim about vulnerabilities in your website is not something to dismiss lightly, so I did some digging to find out whether this was the real deal or a scam. I thought it would be wise to share my findings so that others don't fall for it.
The first red flag that this might be a scam was that the e-mail had been automatically classified as spam, which suggests that the same message was sent in bulk and many other people received something similar.
Furthermore, to check whether this was a legitimate claim, whether others had received something like it, and whether Elvin Isaac is a real person, I searched Google, and nothing came up. But I noticed that Google suggested the related searches "elvin isaac hacker", "elvin isaac bug bounty" and "elvin isaac security", so it is pretty clear that a number of people had searched for Elvin Isaac recently.
Below is the e-mail I got:
------
From: Elvin Isaac <elvin.isaac009 @ ...>
Subject: Vulnerabilities in your site

Hi team,
Hope that you're doing all good and healthy. I would like to draw your attention to some of the vulnerabilities in your site which I would like to report. Kindly provide me the email of relevant team or person and let me know if there is any bug bounty program or reward regarding this disclosure of vulnerabilities as this work requires both cost and time
Regards
*ELVIN*
------
One thing is for sure: Elvin Isaac is not a good Samaritan. He is also not a legitimate website visitor who stumbled on some critical vulnerability in your site and is offering to help you out.
At the very best, Elvin Isaac is one of the people who run bots that scan websites for vulnerabilities (such scans hit every site daily), and those scans may or may not have found anything. But based on the information I gathered, some of which I have not made public, I believe that this isn't even the case and that the person behind Elvin Isaac is simply a scammer.
"Offers" of this kind are nothing new; you can read more here and here.
BossUK, 16 Dec 2022 @ 15:44
Thanks for posting this, I can confirm we have just received the exact same message.
Bas, 17 Jan 2023 @ 13:07
Thanks, I received the exact same message (exact!) but from David Marvi.
CarvedInside, 17 Jan 2023 @ 23:31
Thank you for sharing this.
Joshua James, 22 Feb 2023 @ 23:05
I can confirm I just received one from David Marvi, same text. Silly scammers.
Anonymous, 30 Jan 2023 @ 11:06
Thanks for posting this, I can confirm we have just received the exact same message.
J B, 20 Feb 2023 @ 18:12
This was helpful, thanks for posting
Wladimir Palant, 09 Aug 2023 @ 17:30
Wow, this Elvin Isaac sure is persistent. Just got the same email from him, almost identical text. That’s 15 months after your post.
CarvedInside, 10 Aug 2023 @ 16:40
He must have some success with this scam to keep running it.
soulchild, 04 Sep 2023 @ 19:34
I have managed to bait him into disclosing by mentioning "no proof no talk no payout".
The "vulnerabilities" are just bogus "clickjacking" and "DMARC spoofing", which have 0 impact on how a website operates.
I have attached screenshots on my tweet here: https://twitter.com/soulchildpls/status/1698735890351431712
Nikita, 04 Jan 2024 @ 18:01
Thanks for posting. I've had exactly the same thoughts, and already wrote a draft response email, when moments before clicking send - found your post.
In my case, "Elvin" used a different text:
---
Hi,
I am a Cyber Security Analyst, I have found some vulnerabilities in your site which I would like to report.
Kindly confirm whether there is any bug bounty program or payout?,
Could you let me know?
Regards
Elvin
---
Also, another potential red flag is that I have a security.txt file set up on my site, and the email I got from Elvin was sent not to the security email, but rather to our general contact email on the website. So chances are that he used a bot to parse it and send the email itself.
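As an added example (not part of the original post or of Nikita's comment), here is a small Python triage script that applies the red flags collected on this page to an inbound "vulnerability report": a bounty/payout question before any technical detail, no URL, CVE, parameter, payload or PoC in the message, a generic greeting and subject line, and delivery to a general contact address rather than the Contact: address published in security.txt. The first sample message is the template quoted in the post; the security.txt content, the addresses, the second message and the scoring threshold are constructed assumptions for the example.

```python
"""Triage heuristic for unsolicited "vulnerabilities in your site" e-mails.

Added example; not part of the original post or of any comment on it.
The red flags are the ones described on this page; the weights, threshold,
addresses and the security.txt content are assumptions for the example.
"""
import re
from dataclasses import dataclass, field

# A payout question before any technical detail.
ASKS_PAYOUT = re.compile(r"\b(bug bounty|bounty|payout|reward|incentive)", re.I)
# A bare "Hi team," / "Dear Team," / "Hi," line, addressed to nobody in particular.
GENERIC_GREETING = re.compile(r"^\s*(hi|hello|dear)\b[^\n]{0,12}$", re.I | re.M)
# Things a genuine first report almost always carries.
SPECIFICS = re.compile(
    r"https?://\S+|\bcve-\d{4}-\d{4,}\b|\bparam(?:eter)?\b|\bpayload\b"
    r"|\bproof of concept\b|\bpoc\b|\bsteps to reproduce\b", re.I)
TEMPLATE_SUBJECT = re.compile(r"vulnerabilit(y|ies) in your (web)?site", re.I)


def security_txt_contacts(text):
    """Return the lowercase mailto: addresses from the Contact: fields of a
    security.txt (RFC 9116). Non-mailto contacts (web forms) are ignored."""
    contacts = []
    for line in text.splitlines():
        name, _, value = line.partition(":")
        value = value.strip()
        if name.strip().lower() == "contact" and value.lower().startswith("mailto:"):
            contacts.append(value[len("mailto:"):].lower())
    return contacts


@dataclass
class Triage:
    score: int
    reasons: list = field(default_factory=list)
    verdict: str = ""


def triage_report(subject, body, to_addr, security_contacts, threshold=3):
    """Score an inbound report; each matched red flag adds one point."""
    reasons = []
    text = subject + "\n" + body
    if ASKS_PAYOUT.search(text):
        reasons.append("asks about bounty/payout/reward")
    if not SPECIFICS.search(text):
        reasons.append("no URL, CVE, parameter, payload, PoC or reproduction steps")
    if GENERIC_GREETING.search(body):
        reasons.append("generic greeting")
    if TEMPLATE_SUBJECT.search(subject):
        reasons.append("template subject line")
    if security_contacts and to_addr.lower() not in security_contacts:
        reasons.append(f"sent to {to_addr} rather than the security.txt contact")
    score = len(reasons)
    verdict = ("beg-bounty template: ask for details, refuse to discuss payment, or ignore"
               if score >= threshold else "review manually")
    return Triage(score, reasons, verdict)


# Constructed sample inputs. The first message is the template quoted in the
# post; the second is a made-up report of the kind a real researcher sends.
SAMPLE_SECURITY_TXT = (
    "Contact: mailto:security@example.com\n"
    "Contact: https://example.com/report\n"
    "Expires: 2025-12-31T23:59:59.000Z\n"
)
BEG_SUBJECT = "Vulnerabilities in your site"
BEG_BODY = (
    "Hi team,\n"
    "Hope that you're doing all good and healthy. I would like to draw your "
    "attention to some of the vulnerabilities in your site which I would like "
    "to report. Kindly provide me the email of relevant team or person and let "
    "me know if there is any bug bounty program or reward regarding this "
    "disclosure of vulnerabilities as this work requires both cost and time\n"
    "Regards\nELVIN\n"
)
REAL_SUBJECT = "Reflected XSS in /search on example.com"
REAL_BODY = (
    "Hello security team,\n\n"
    "The q parameter of https://example.com/search is reflected without encoding.\n"
    "PoC: https://example.com/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E\n"
    "Steps to reproduce and a screenshot are attached.\n\nJane\n"
)

if __name__ == "__main__":
    contacts = security_txt_contacts(SAMPLE_SECURITY_TXT)
    for subj, body, to in [(BEG_SUBJECT, BEG_BODY, "contact@example.com"),
                           (REAL_SUBJECT, REAL_BODY, "security@example.com")]:
        t = triage_report(subj, body, to, contacts)
        print(f"{subj!r}: score={t.score} -> {t.verdict}")
        for r in t.reasons:
            print("   -", r)
```

The script is a sorting aid, not a verdict: a genuine report can also be terse, so the "review manually" bucket still needs a human, and for the high-scoring bucket a short "send the technical details first; we do not discuss payment before seeing them" reply is enough to separate a bot template from a real researcher, as soulchild's comment above shows.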
hakuna, 04 Jan 2024 @ 22:09
I just received the same email; seeing the post made me feel better. Thanks to all for sharing.
Evangeline, 26 Jan 2024 @ 09:51
Thanks for sharing, we have also received a similar email from the same email address:
Hi,
I am a Cyber Security Analyst, I have found some vulnerabilities in your site which I would like to report.
Kindly confirm whether there is any bug bounty program or payout.
Could you let me know?
Regards
Elvin Issac
stanleyek, 05 Jul 2024 @ 22:47
Thanks for your post!
Message that I have received:
" Dear Team,
I hope this email finds you well and navigating through your tasks with ease.
As an ethical hacker, I conducted an extensive review of your website and uncovered several notable weaknesses. If your company offers incentives for resolving these issues, please provide additional information.
Warm regards. "
I am not going to respond to him.