Increased spam activity for meettomy.site from compromised accounts

thecoalman
Community Team Member
Posts: 6267
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.

Re: Increased spam activity for meettomy.site from compromised accounts

Post by thecoalman »

[Dimetrodon] wrote: Sat Mar 16, 2024 5:25 pm Makes me wonder if those were ever compromised then and not just spam accounts from the get-go.
I don't think I have seen a sleeper account being used for spam that was more than a few months old.

That said, you bring up an interesting point. It may very well have been a spammer registration with a poor password that got stolen by another spammer. :lol: That's actually a very big possibility because the original spammer will have registered on hundreds of forums using the same credentials.
“Results! Why, man, I have gotten a lot of results! I have found several thousand things that won’t work.”

Attributed - Thomas Edison
[Dimetrodon]
Registered User
Posts: 462
Joined: Tue Aug 30, 2022 3:29 am
Location: Paleozoic Era

Re: Increased spam activity for meettomy.site from compromised accounts

Post by [Dimetrodon] »

thecoalman wrote: Sat Mar 16, 2024 6:54 pm That said, you bring up an interesting point. It may very well have been a spammer registration with a poor password that got stolen by another spammer. :lol: That's actually a very big possibility because the original spammer will have registered on hundreds of forums using the same credentials.
Yeah, that is a very real possibility too.
LukeWCS
Registered User
Posts: 275
Joined: Mon Dec 08, 2014 12:32 pm
Location: Germany

Re: Increased spam activity for meettomy.site from compromised accounts

Post by LukeWCS »

Derky wrote: Tue Feb 20, 2024 9:56 pm it also looks like legit accounts were compromised.
Hello Derky

A colleague brought your topic to my attention the day before yesterday. We've been seeing exactly the same problem for a few weeks now: old, long-unused accounts that were previously used for normal posts are now suddenly being abused for spam. With the exact same URL as a link in the post.

I've been working on an extension for 2 weeks. This is designed to combat the potential problem with old accounts. We are currently testing the extension within the team. In this context, I also try to collect further information in parallel.

If I understand your starting post correctly (with my terrible English ^^), then the phpBB logins were not hijacked using compromised email accounts, but in some other way. This would also correspond to our assumptions, since the PW reset would be the only way to hijack a phpBB account via email.

And my extension is also based on the assumption that the email account is not affected.

My question now is: have you received any new information about how the phpBB login data was compromised?

edit:

In the meantime I found a XenForo topic about the problem. The article linked in post 4 is interesting:

https://xenforo.com/community/threads/i ... ts.219448/
May the backup be with you. Always.
KevC
Support Team Member
Posts: 72559
Joined: Fri Jun 04, 2004 10:44 am
Location: Oxford, UK

Re: Increased spam activity for meettomy.site from compromised accounts

Post by KevC »

LukeWCS wrote: Thu Mar 21, 2024 6:09 pm I've been working on an extension for 2 weeks. This is designed to combat the potential problem with old accounts.
You can already do it with the autogroups extension.
-:|:- Support Request Template -:|:-
"Step up to red alert. Sir, are you absolutely sure? It does mean changing the bulb"
Derky
Development Team Member
Posts: 4880
Joined: Sun Apr 10, 2005 9:58 am
Location: Netherlands

Re: Increased spam activity for meettomy.site from compromised accounts

Post by Derky »

LukeWCS wrote: Thu Mar 21, 2024 6:09 pm I've been working on an extension for 2 weeks. This is designed to combat the potential problem with old accounts. We are currently testing the extension within the team. In this context, I also try to collect further information in parallel.

If I understand your starting post correctly (with my terrible English ^^), then the phpBB logins were not hijacked using compromised email accounts, but in some other way. This would also correspond to our assumptions, since the PW reset would be the only way to hijack a phpBB account via email.

And my extension is also based on the assumption that the email account is not affected.
Sounds interesting, what type of extension are you creating? :-)
LukeWCS wrote: Thu Mar 21, 2024 6:09 pm My question now is: have you received any new information about how the phpBB login data was compromised?

edit:

In the meantime I found a XenForo topic about the problem. The article linked in post 4 is interesting:

https://xenforo.com/community/threads/i ... ts.219448/
Thanks for sharing that topic, interesting to read. The only common denominator I can find so far is that all email addresses from compromised accounts are listed in one or more dumps when I check them on https://haveibeenpwned.com/
KevC wrote: Thu Mar 21, 2024 7:29 pm
LukeWCS wrote: Thu Mar 21, 2024 6:09 pm I've been working on an extension for 2 weeks. This is designed to combat the potential problem with old accounts.
You can already do it with the autogroups extension.
Moving older accounts to a moderation queue group works, but it does require extra manual labor for handling those posts from both legit and spam users. The query I posted in the first post works really well for me; only two newer accounts (created about 3 weeks ago) have slipped through. It instantly stopped the majority of spam and didn't require any manual labor from our moderators. :)
LukeWCS
Registered User
Posts: 275
Joined: Mon Dec 08, 2014 12:32 pm
Location: Germany

Re: Increased spam activity for meettomy.site from compromised accounts

Post by LukeWCS »

KevC wrote: Thu Mar 21, 2024 7:29 pm You can already do it with the autogroups extension.
I know this, I became aware of this ext while reading this topic. I then experimented with this Ext in my local development environment. This Ext is an effective remedy against the security problem. However, this requires some effort at first and, once set up, still requires manual work on the part of the moderators and administrators.

However, I follow a completely different approach that is automated. In principle, I proceed in a similar way to Derky: I use existing phpBB functionalities and combine them with my own code.

So I'm not looking for a solution because I already have one and now with AG I would even have another one if my own is unusable. So I'm looking for information about the background to the data leak so that I know whether I still need to adapt my own solution or whether I even have to abandon my own approach.
Derky wrote: Thu Mar 21, 2024 9:10 pm Sounds interesting, what type of extension are you creating?
I'll give you detailed information via PM, I don't want to reveal unnecessary public information at the moment. ^^ I will change my developer board to English and take new screenshots, since the previous ones are all in German. However, I won't get to that until this evening.
Derky wrote: Thu Mar 21, 2024 9:10 pm The only common denominator I can find so far it that all email addresses from compromised accounts are listed in one or more dumps
Yes, with the information currently available, which you also mentioned in the starting post, it is currently only clear that these email addresses are in connection with other leaked access data. However, it is still not clear to me at the moment whether the accounts of the affected email addresses were also hijacked.

That was the reason why I wrote here, because I wanted to know whether you might have any new information in the meantime.

We currently assume that only phpBB login data was actually leaked, but not the login data of the associated email accounts. That is an immense difference and important for my further approach.
May the backup be with you. Always.
thecoalman
Community Team Member
Posts: 6267
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.

Re: Increased spam activity for meettomy.site from compromised accounts

Post by thecoalman »

LukeWCS wrote: Fri Mar 22, 2024 1:47 pm So I'm looking for information about the background to the data leak
It appears to be multiple forum platforms on multiple unrelated sites. I would guess the compromised accounts are using poor passwords that had their credentials compromised through numerous sources. I couldn't tell you where to get such a list but they exist. You would only have to run a scraper across forum pages to find username matches and try the password.

As far as the email if they were using the same password for their email account it's possible the email account is compromised.
“Results! Why, man, I have gotten a lot of results! I have found several thousand things that won’t work.”

Attributed - Thomas Edison
LukeWCS
Registered User
Posts: 275
Joined: Mon Dec 08, 2014 12:32 pm
Location: Germany

Re: Increased spam activity for meettomy.site from compromised accounts

Post by LukeWCS »

thecoalman wrote: Sat Mar 23, 2024 1:36 am I would guess the compromised accounts are using poor passwords that had their credentials compromised through numerous sources.
I suspect the same thing, especially since they were all old accounts so far. So I assume that very weak passwords were used.
thecoalman wrote: Sat Mar 23, 2024 1:36 am As far as the email if they were using the same password for their email account it's possible the email account is compromised.
In that case, everyone loses when there is so much naivety involved. ^^ In this case, as an admin, I can't do anything other than block both the phpBB account and the associated email address, as both can no longer be trusted.
May the backup be with you. Always.
[Dimetrodon]
Registered User
Posts: 462
Joined: Tue Aug 30, 2022 3:29 am
Location: Paleozoic Era

Re: Increased spam activity for meettomy.site from compromised accounts

Post by [Dimetrodon] »

LukeWCS wrote: Fri Mar 22, 2024 1:47 pm I'll give you detailed information via PM, I don't want to reveal unnecessary public information at the moment.
May I ask why? I was able to find all the public information about your extension and what it does anyway on the German board.
ssl
Registered User
Posts: 1979
Joined: Sat Feb 08, 2020 2:15 pm
Location: Le Lude, Pays de la Loire - France
Name: Fred Rimbert

Re: Increased spam activity for meettomy.site from compromised accounts

Post by ssl »

Because the extension was published yesterday on phpbb.de and when Luke talked about it here it was March 22, three days before.
Sorry for my English ... I do my best!

phpBB: 3.3.13 | PHP: 8.3.9
[Kill spam on phpBB] - [Some French translation of extensions]
"Mistress, Mistress someone is bothering me in pm"
LukeWCS
Registered User
Posts: 275
Joined: Mon Dec 08, 2014 12:32 pm
Location: Germany

Re: Increased spam activity for meettomy.site from compromised accounts

Post by LukeWCS »

Like Fred said.

I made progress with the development of the extension faster than I expected. And I didn't want to give any information to the outside world until the extension was ready and downloadable.
May the backup be with you. Always.
Feralkiwi2
Registered User
Posts: 6
Joined: Wed Sep 06, 2023 9:21 pm
Location: NZ

Re: Increased spam activity for meettomy.site from compromised accounts

Post by Feralkiwi2 »

thecoalman wrote: Sat Mar 23, 2024 1:36 am It appears to be multiple forum platforms on multiple unrelated sites. I would guess the compromised accounts are using poor passwords that had their credentials compromised through numerous sources. I couldn't tell you where to get such a list but they exist. You would only have to run a scraper across forum pages to find username matches and try the password.

As far as the email if they were using the same password for their email account it's possible the email account is compromised.
Hi

I have found that these posts from the dating spam are still being posted after the account has been deactivated.

As for the passwords I see many password changes from the same IP address for many accounts.
IP address: 3.253.53.146

Also for that same IP address, there are accounts where their user name is an email.
Most of these accounts cannot be accessed, as I get this message in a red banner when I try to administer them.

"Information, No users fit the selected criteria."

This happened to a real user who contacted via admin, but I cannot remove the account to free up the email address for the user, as it will not allow admin access: "No users fit the selected criteria".

These bulk (two to four times in a few minutes for the same account) password changes look like sleeper accounts being refreshed.
That many come from the same banned IP 3.253.53.146 suggests this may be the way these old accounts are hacked.

I suggest you look at your own forum in the user logs and search "Password" there to see this.
Sort by IP address and see if this same IP is password changing on your forum.

Owen
Last edited by Feralkiwi2 on Mon Sep 09, 2024 4:10 am, edited 1 time in total.
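As an added example (not code from this thread, from phpBB, or from any poster's extension), the following Python script does what Owen suggests above: it takes password-change entries from the phpBB user log, groups them by source IP, and flags IPs that either reset passwords on several distinct accounts or reset the same account's password repeatedly within a few minutes. It assumes the user log has been exported as plain `time,username,ip,operation` lines and that a password change appears with the operation key `LOG_USER_NEW_PASSWORD` (that key name is an assumption about the export, check it against your own log). The sample log lines are constructed for the example: 3.253.53.146 is the address named in the thread, while 198.51.100.7 and 203.0.113.9 are RFC 5737 documentation addresses standing in for ordinary members. The thresholds (3 accounts, 2 changes within 10 minutes) are arbitrary starting points, not values from the thread.

```python
"""Group phpBB user-log password changes by source IP and flag bulk resets.

Added example, not from the thread or from phpBB. Input format is an
assumption: one 'time,username,ip,operation' record per line, as you might
export from the ACP user log or from the phpbb_log table.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed operation key for a password change in the exported log.
PASSWORD_OP = "LOG_USER_NEW_PASSWORD"

# Constructed sample data. 3.253.53.146 is the IP named in the thread;
# 198.51.100.7 and 203.0.113.9 are RFC 5737 documentation addresses.
SAMPLE_LOG = """\
2024-09-07 21:02:11,alice,198.51.100.7,LOG_USER_NEW_PASSWORD
2024-09-07 21:05:40,old_acct_1,3.253.53.146,LOG_USER_NEW_PASSWORD
2024-09-07 21:06:02,old_acct_1,3.253.53.146,LOG_USER_NEW_PASSWORD
2024-09-07 21:07:15,old_acct_1,3.253.53.146,LOG_USER_NEW_PASSWORD
2024-09-07 21:09:30,bob@example.com,3.253.53.146,LOG_USER_NEW_PASSWORD
2024-09-07 21:10:01,bob@example.com,3.253.53.146,LOG_USER_NEW_PASSWORD
2024-09-07 21:12:44,old_acct_2,3.253.53.146,LOG_USER_NEW_PASSWORD
2024-09-07 22:00:00,carol,203.0.113.9,LOG_USER_NEW_PASSWORD
2024-09-07 22:30:00,carol,203.0.113.9,LOG_USER_UPDATE_EMAIL
"""


def parse_log(text):
    """Parse 'time,username,ip,operation' lines into event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, ip, op = [field.strip() for field in line.split(",", 3)]
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "user": user,
            "ip": ip,
            "op": op,
        })
    return events


def burst_size(times, window):
    """Largest number of timestamps that fall inside any span of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        # Slide the window start forward until it is within `window` of t.
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def flag_suspicious_ips(events, min_accounts=3, burst_count=2,
                        window=timedelta(minutes=10)):
    """Return {ip: {"accounts": set, "bursts": {user: n}}} for IPs that
    changed passwords on >= min_accounts distinct accounts, or changed one
    account's password >= burst_count times within `window`."""
    by_ip = defaultdict(lambda: defaultdict(list))
    for e in events:
        if e["op"] == PASSWORD_OP:
            by_ip[e["ip"]][e["user"]].append(e["time"])

    report = {}
    for ip, users in by_ip.items():
        bursts = {}
        for user, times in users.items():
            n = burst_size(times, window)
            if n >= burst_count:
                bursts[user] = n
        if len(users) >= min_accounts or bursts:
            report[ip] = {"accounts": set(users), "bursts": bursts}
    return report


if __name__ == "__main__":
    for ip, info in flag_suspicious_ips(parse_log(SAMPLE_LOG)).items():
        print(ip, "accounts:", sorted(info["accounts"]), "bursts:", info["bursts"])
```

On the sample data only 3.253.53.146 is reported: it touched three distinct accounts and reset two of them more than once inside the ten-minute window, which is exactly the "refreshed sleeper account" pattern described in the post. The log does not record whether the account was already deactivated, so a check against the users table is still a manual step.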
KevC
Support Team Member
Posts: 72559
Joined: Fri Jun 04, 2004 10:44 am
Location: Oxford, UK

Re: Increased spam activity for meettomy.site from compromised accounts

Post by KevC »

Feralkiwi2 wrote: Sun Sep 08, 2024 9:42 pm after the account has been deactivated.
That's not possible.
Unless you have guest posting enabled.
-:|:- Support Request Template -:|:-
"Step up to red alert. Sir, are you absolutely sure? It does mean changing the bulb"
Feralkiwi2
Registered User
Posts: 6
Joined: Wed Sep 06, 2023 9:21 pm
Location: NZ

Re: Increased spam activity for meettomy.site from compromised accounts

Post by Feralkiwi2 »

I will look to see if guest posting is enabled.
Please where will I find that?

I find: User permissions > Guests > No role assigned.

I have spent some time looking at the password changes made from IP 3.253.53.146 tonight.
Many of those password changes are made on disabled accounts.

Many of the accounts with emails as their names that return "No users fit the selected criteria" have changed their password from the IP 3.253.53.146 many times.

Please have a look at your own user logs for this IP address changing passwords.

Owen
Last edited by Feralkiwi2 on Mon Sep 09, 2024 7:58 am, edited 2 times in total.
KevC
Support Team Member
Posts: 72559
Joined: Fri Jun 04, 2004 10:44 am
Location: Oxford, UK

Re: Increased spam activity for meettomy.site from compromised accounts

Post by KevC »

Try it yourself in the same forum. Log out and then see if you can post.

No role assigned means you don't have a set of permissions that match any of the defaults.

Most people select Permissions > Group forum permissions > Guest group > select the forum you want > Read only.

Try a wildcard search for a username. It's definitely possible to find registered accounts with emails as the username (which usually happens when the user's browser autofills). Try abc* or *@xyz.com for example in the search box.

But if it's a guest account you won't find anything.
-:|:- Support Request Template -:|:-
"Step up to red alert. Sir, are you absolutely sure? It does mean changing the bulb"
