Increased spam activity for meettomy.site from compromised accounts

Do not post support requests, bug reports or feature requests. Discuss phpBB here. Non-phpBB related discussion goes in General Discussion!
Scam Warning
User avatar
Derky
Development Team Member
Development Team Member
Posts: 4880
Joined: Sun Apr 10, 2005 9:58 am
Location: Netherlands

Increased spam activity for meettomy.site from compromised accounts

Post by Derky »

In the last days I've noticed a lot of spam being posted for a the same "meettomy.site dating site" by older (trusted and verified) accounts.
example_spam_post.png
I've done some research on a forum I control and I can confirm that these account belong to legitimate users and it seems the spammer appears to know both the username as the passwords of the accounts. The accounts I've checked originate from 2020 or before and the email addresses belonging to the compromised accounts are all listed on https://haveibeenpwned.com/ in 1 or more breaches.

Log Analysis
The spam is being posted from different IP addresses, when I filter the server access logs on an IP-address it's interesting to see what happened. Read this log from the bottom to the top: This is the log from 38.170.124.183
log1.png
Log from 190.185.109.144
log2.png
As you can clearly see in both examples:
  1. It visits the site without https or www and is redirected to the https version
  2. Visits the UCP to change the signature to add spam there as well
  3. Opens a forum and posts a message
No password resets were performed
I can confirm that compromised users did not have their password reset. I've logged all forum mails in the last years and most compromised users only got the "Welcome to" mail (in 2020 or before) and they did not receive any other mails such as password resets.

Widespread
If you check one of the used IPs 190.185.109.144 on https://www.stopforumspam.com/search you will see multiple reports in the last days, and based on the email addresses it also looks like legit accounts were compromised.

When searching on Google for this spam I've found a lot of other sites and forums also being spammed, not just phpBB but also vBulletin, Xenforo and Invision Community. And I've found similar spam on phpBB.com as well.
phpbbcom_screenshot.png

Mitigation
I've been trying to figure out a way to stop this. Because these account are compromised, it means they're already activated (so no captcha needed) and when they already have posts the "Newly registered users" anti-spam features also no longer apply to them anymore causing them to post spam without needing approval.

Pruning older accounts would stop it, but I rather not just do that. I was also thinking about maybe removing or resetting passwords of older accounts, but that's also not really a good user experience. There is a way to force people to complete a captcha on login, that's when they've too many login attempts. So that's how I came to this;

Setting the "user_login_attempts" to 99 for all users that haven't signed in since 1 Jan 2024. This will cause those users to complete a captcha before they can continue to login. For reference, this is the query I used:

Code: Select all

UPDATE phpbb_users
SET user_login_attempts = 99
WHERE user_type = 0
	AND user_inactive_reason = 0
	AND user_lastvisit < 1704063600;
Discuss
I'm looking for thoughts on this idea and I'm open to any other suggestions to fight this type of spammers!
You do not have the required permissions to view the files attached to this post.
User avatar
Toxyy
Registered User
Posts: 963
Joined: Mon Oct 24, 2016 3:22 pm
Location: Namek

Re: Increased spam activity for meettomy.site from compromised accounts

Post by Toxyy »

IP range ban on whatever IP range is accessing the accounts, word filter to catch for key phrases/domains within posts in non general forums, asking for/forcing a password reset upon a very old login (so at least they know they'll get their password reset).. though that could be a problem if they don't have access to those emails anymore. Maybe forcing the Q&A question on logins for accounts that are old or haven't logged in in a very long time. Maybe one of the various anti spam extensions that require a key.
I am a web developer/administrator, specializing in forums. If you have work you need done or are too lazy to do, pm me!

Some of my extensions:
[3.3][BETA] Post Form Templates || [3.3][BETA] Anonymous Posts || [3.2][3.3][BETA] ACP Merge Child Forums || [3.2][BETA] Sticky Ad || [3.2][DEV] User Delete Topics || [3.3][DEV] Moderate While Searching || [3.3][RC] Short Number Twig Extension
User avatar
HiFiKabin
Community Team Member
Community Team Member
Posts: 6767
Joined: Wed May 14, 2014 9:10 am
Location: Swearing at the PC, UK
Name: James

Re: Increased spam activity for meettomy.site from compromised accounts

Post by HiFiKabin »

Derky wrote: Tue Feb 20, 2024 9:56 pm Setting the "user_login_attempts" to 99 for all users that haven't signed in since 1 Jan 2024. This will cause those users to complete a captcha before they can continue to login. For reference, this is the query I used:

Code: Select all

Code: Select all

UPDATE phpbb_users
SET user_login_attempts = 99
WHERE user_type = 0
	AND user_inactive_reason = 0
	AND user_lastvisit < 1704063600;
Nice idea, I can't see there being much user complaint as a lot of sites require you to reset your password if you have not logged in for x months (although maybe Jan1st is a bit too recent. Maybe 6 months is better?

(I had to reset a password only yesterday on one site I don't use often), not a big deal)
User avatar
cabot
Registered User
Posts: 769
Joined: Sat Jan 07, 2012 4:16 pm

Re: Increased spam activity for meettomy.site from compromised accounts

Post by cabot »

HiFiKabin wrote: Wed Feb 21, 2024 7:35 am although maybe Jan1st is a bit too recent
Not so much in fact: on the French support, an account whose last real activity dated back to early January was compromised in mid-February for publishing meettomy spam.
User avatar
Mick
Support Team Member
Support Team Member
Posts: 26822
Joined: Fri Aug 29, 2008 9:49 am

Re: Increased spam activity for meettomy.site from compromised accounts

Post by Mick »

You could put the users on MQ or back in the NRU, personally I’d prefer that to requesting a password change.
  • "The more connected we get the more alone we become” - Kyle Broflovski© 🇬🇧
User avatar
ssl
Registered User
Posts: 1979
Joined: Sat Feb 08, 2020 2:15 pm
Location: Le Lude, Pays de la Loire - France
Name: Fred Rimbert

Re: Increased spam activity for meettomy.site from compromised accounts

Post by ssl »

It is impossible to place a future spammer in the NRU group so the solution of resetting the password for users who have been dormant for X amount of time is by far the best solution, in my humble opinion.
Sorry for my English ... I do my best! :anger_right:

:point_right_tone3: phpBB: 3.3.13 | PHP: 8.3.9
:point_right_tone4: [Kill spam on phpBB] - [Some French translation of extensions]
"Mistress, Mistress someone is bothering me in pm"
User avatar
warmweer
Jr. Extension Validator
Posts: 11623
Joined: Fri Jul 04, 2003 6:34 am
Location: Van Allen Bel ... gium

Re: Increased spam activity for meettomy.site from compromised accounts

Post by warmweer »

ssl wrote: Wed Feb 21, 2024 12:22 pm It is impossible to place a future spammer in the NRU group so the solution of resetting the password for users who have been dormant for X amount of time is by far the best solution, in my humble opinion.
"a future spammer" :lol:
Spelling is freeware, which means you can use it for free.
On the other hand, it is not open source, which means you cannot change it or publish it in a modified form.


Time flies like an arrow, but fruit flies like a banana.
User avatar
KevC
Support Team Member
Support Team Member
Posts: 72559
Joined: Fri Jun 04, 2004 10:44 am
Location: Oxford, UK

Re: Increased spam activity for meettomy.site from compromised accounts

Post by KevC »

Why is it impossible to put accounts in to another group?

If you could run a query (or even have a regular cron) that puts any account that hasn't logged in for, say, 2 years, in to the NRU or a group of your choosing with a mod queue on it, why not? People who leave forums for that amount of time rarely come back, and if they do, they could still post but it would need approval which is fine. If it's a hacked account being used for spam it wouldn't show on the forum and could be dealt with quietly by the team. Win win.
-:|:- Support Request Template -:|:-
Image
"Step up to red alert. Sir, are you absolutely sure? It does mean changing the bulb"
User avatar
Mick
Support Team Member
Support Team Member
Posts: 26822
Joined: Fri Aug 29, 2008 9:49 am

Re: Increased spam activity for meettomy.site from compromised accounts

Post by Mick »

The main reason I mentioned putting the user on MQ (by whatever method) was the issue of emails. If it’s a genuine user who’s old email address is redundant he’ll never see the password reset email.
  • "The more connected we get the more alone we become” - Kyle Broflovski© 🇬🇧
User avatar
ssl
Registered User
Posts: 1979
Joined: Sat Feb 08, 2020 2:15 pm
Location: Le Lude, Pays de la Loire - France
Name: Fred Rimbert

Re: Increased spam activity for meettomy.site from compromised accounts

Post by ssl »

We are talking about unused accounts here, not sure that the members whose account was used for spamming will ever return to the forum.
Sorry for my English ... I do my best! :anger_right:

:point_right_tone3: phpBB: 3.3.13 | PHP: 8.3.9
:point_right_tone4: [Kill spam on phpBB] - [Some French translation of extensions]
"Mistress, Mistress someone is bothering me in pm"
User avatar
KevC
Support Team Member
Support Team Member
Posts: 72559
Joined: Fri Jun 04, 2004 10:44 am
Location: Oxford, UK

Re: Increased spam activity for meettomy.site from compromised accounts

Post by KevC »

No, some of the posts with that spam address have been from accounts that haven't been active on the sites for at least 4 years (I've seen it on one of my sites too). So they're not unused (as in registered but never activated 'sleeper accounts'). They're valid accounts that had previously made real posts several years before, that have then been logged in to by the spammers and used to make posts in an unrestricted way.

By being able to sweep the memberlist for all of the accounts prior to a certain date and putting them in to a mod queue group, you stop that instantly surely.
-:|:- Support Request Template -:|:-
Image
"Step up to red alert. Sir, are you absolutely sure? It does mean changing the bulb"
User avatar
ssl
Registered User
Posts: 1979
Joined: Sat Feb 08, 2020 2:15 pm
Location: Le Lude, Pays de la Loire - France
Name: Fred Rimbert

Re: Increased spam activity for meettomy.site from compromised accounts

Post by ssl »

OK KevC, unused for X months if you prefer
KevC wrote: Thu Feb 22, 2024 7:27 pm By being able to sweep the memberlist for all of the accounts prior to a certain date and putting them in to a mod queue group, you stop that instantly surely.
Agree with this
Sorry for my English ... I do my best! :anger_right:

:point_right_tone3: phpBB: 3.3.13 | PHP: 8.3.9
:point_right_tone4: [Kill spam on phpBB] - [Some French translation of extensions]
"Mistress, Mistress someone is bothering me in pm"
Lady_G
Registered User
Posts: 274
Joined: Fri Jun 08, 2012 12:38 pm
Location: US

Re: Increased spam activity for meettomy.site from compromised accounts

Post by Lady_G »

My board has one of those hijacked accounts. I move those posts to a dedicated subforum accessible only to my moderator team. This allows me to preserve the post content and IP address. If I need the information later, I'll have it.

I also have a different hijacked account using BBCode to mask the URL as:

[URLxxx=https://cutt.ly/DwAV4yTX]Exemplary Сasual Dating[/URL] (displays as "Exemplary Сasual Dating")

and
[URL=https://cutt.ly/hwAV7uTB]Top-notch Сasual Dating[/URL] (displays as "Top-notch Сasual Dating")

The account is using a cutt.ly shortcode. Neither myself nor anyone on my moderator team will click on those links.
User avatar
KevC
Support Team Member
Support Team Member
Posts: 72559
Joined: Fri Jun 04, 2004 10:44 am
Location: Oxford, UK

Re: Increased spam activity for meettomy.site from compromised accounts

Post by KevC »

Talking of BBcodes, unrelated to this attack, we often see 1 pixel font links hidden in posts.

If you have any accounts with 1 post that look genuine but have a very generic 'AI' type style to them where they unnecessarily describe things or look like rewritten versions of previous posts, or have an edit tag in the post footer a few days after the actual post was made, click the edit icon and look at the text for a hidden spam link. I've seen it many many times in the last year or so.
-:|:- Support Request Template -:|:-
Image
"Step up to red alert. Sir, are you absolutely sure? It does mean changing the bulb"
User avatar
P_I
Community Team Member
Community Team Member
Posts: 2435
Joined: Tue Mar 01, 2011 8:35 pm
Location: Western Canada 🇨🇦

Re: Increased spam activity for meettomy.site from compromised accounts

Post by P_I »

For anyone who has examined server log files is there anything in the User-Agent that might identifier these posters? Any idea of they are automated posts or human spammers doing the posting?
Normal people… believe that if it ain’t broke, don’t fix it. Engineers believe that if it ain’t broke, it doesn’t have enough features yet. – Scott Adams

Return to “phpBB Discussion”