- Scammers are trying to sell fake proof-of-concept exploits on GitHub for the Microsoft Exchange vulnerabilities that are under attack.
- Some of the account names that are trying to sell fake PoCs are: ‘jml4da’, ‘TimWallbey’, ‘Liu Zhao Khin (0daylabin)’, ‘R007er’, and ‘spher0x.’
- The repositories include a README.md file with a link to a SatoshiDisk page that offers a fake exploit for sale at approximately $420 in bitcoins.
While Microsoft is working on a patch and cybercriminals are exploiting the Microsoft Exchange zero-day vulnerabilities, some scammers are also trying to benefit from the situation. Currently, only a small group of hackers know how these vulnerabilities can be exploited and they are not sharing this information with anyone else. Now, thousands of cybersecurity experts and threat actors are waiting for public disclosure of the vulnerability to be able to use it for their own purposes.
Fake proof-of-concept exploits
There are also scammers who are trying to gain something from this chaotic situation. A scammer is now creating GitHub repositories that claim to include proof-of-concept exploits for the vulnerabilities, but the exploits are fake. Huntress Lab’s John Hammond stated that there were at least 5 accounts attempting to sell the phony exploits under the names ‘jml4da’, ‘TimWallbey’, ‘Liu Zhao Khin (0daylabin)’, ‘R007er’, and ‘spher0x.’
There looks to be multiple of these, another one with a different SatoshiDisk link and "only selling FIVE copies"…. scam methinks. Multiple files to look more legitimate?
I've reported the account & repository to GitHub.
— John Hammond (@_JohnHammond) September 30, 2022
Another scammer is trying to impersonate Kevin Beaumont, a well-known security expert, to trick people. The README.md files in the repositories only include the known information about the vulnerabilities and state that one copy of the PoC is available for sale. The link in the file leads to a SatoshiDisk page that offers a fake exploit for sale at approximately $420 in bitcoins. The price tag is a good indicator that it is a scam attempt: a PoC for a vulnerability like this is easily worth hundreds of thousands of dollars.