Increased spam activity for meettomy.site from compromised accounts

thecoalman
Community Team Member
Posts: 5920
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.

Re: Increased spam activity for meettomy.site from compromised accounts

Post by thecoalman »

[Dimetrodon] wrote: Sat Mar 16, 2024 5:25 pm Makes me wonder if those were ever compromised then and not just spam accounts from the get-go.
I don't think I have seen a sleeper account being used for spam that was more than a few months old.

That said, you bring up an interesting point. It may very well have been a spammer registration with a poor password and it got stolen by another spammer. :lol: That's actually a very big possibility because the original spammer will have registered on hundreds of forums using the same credentials.
“Results! Why, man, I have gotten a lot of results! I have found several thousand things that won’t work.”

Attributed - Thomas Edison
[Dimetrodon]
Registered User
Posts: 438
Joined: Tue Aug 30, 2022 3:29 am
Location: Paleozoic Era

Re: Increased spam activity for meettomy.site from compromised accounts

Post by [Dimetrodon] »

thecoalman wrote: Sat Mar 16, 2024 6:54 pm That said, you bring up an interesting point. It may very well have been a spammer registration with a poor password and it got stolen by another spammer. :lol: That's actually a very big possibility because the original spammer will have registered on hundreds of forums using the same credentials.
Yeah, that is a very real possibility too.
Avatar by someone named AdmiralRA on Reddit. (No, I don't have a Reddit account)
When seeking support, please consider filling out the Support Request Template. It makes it easier for anyone trying to help.
LukeWCS
Registered User
Posts: 248
Joined: Mon Dec 08, 2014 12:32 pm
Location: Germany

Re: Increased spam activity for meettomy.site from compromised accounts

Post by LukeWCS »

Derky wrote: Tue Feb 20, 2024 9:56 pm it also looks like legit accounts were compromised.
Hello Derky

A colleague brought your topic to my attention the day before yesterday. We've been seeing exactly the same problem for a few weeks now: old, long-unused accounts that were previously used for normal posts are now suddenly being abused for spam. With the exact same URL as a link in the post.

I've been working on an extension for 2 weeks. This is designed to combat the potential problem with old accounts. We are currently testing the extension within the team. In this context, I also try to collect further information in parallel.

If I understand your starting post correctly (with my terrible English ^^), then the phpBB logins were not hijacked using compromised email accounts, but in some other way. This would also correspond to our assumptions, since the PW reset would be the only way to hijack a phpBB account via email.

And my extension is also based on the assumption that the email account is not affected.

My question now is: have you received any new information about how the phpBB login data was compromised?

edit:

In the meantime I found a XenForo topic about the problem. The article linked in post 4 is interesting:

https://xenforo.com/community/threads/i ... ts.219448/
May the backup be with you. Always.
KevC
Support Team Member
Posts: 72437
Joined: Fri Jun 04, 2004 10:44 am
Location: Oxford, UK

Re: Increased spam activity for meettomy.site from compromised accounts

Post by KevC »

LukeWCS wrote: Thu Mar 21, 2024 6:09 pm I've been working on an extension for 2 weeks. This is designed to combat the potential problem with old accounts.
You can already do it with the autogroups extension.
-:|:- Support Request Template -:|:-
"Step up to red alert. Sir, are you absolutely sure? It does mean changing the bulb"
Derky
Development Team Member
Posts: 4874
Joined: Sun Apr 10, 2005 9:58 am
Location: Netherlands

Re: Increased spam activity for meettomy.site from compromised accounts

Post by Derky »

LukeWCS wrote: Thu Mar 21, 2024 6:09 pm I've been working on an extension for 2 weeks. This is designed to combat the potential problem with old accounts. We are currently testing the extension within the team. In this context, I also try to collect further information in parallel.

If I understand your starting post correctly (with my terrible English ^^), then the phpBB logins were not hijacked using compromised email accounts, but in some other way. This would also correspond to our assumptions, since the PW reset would be the only way to hijack a phpBB account via email.

And my extension is also based on the assumption that the email account is not affected.
Sounds interesting, what type of extension are you creating? :-)
LukeWCS wrote: Thu Mar 21, 2024 6:09 pm My question now is: have you received any new information about how the phpBB login data was compromised?

edit:

In the meantime I found a XenForo topic about the problem. The article linked in post 4 is interesting:

https://xenforo.com/community/threads/i ... ts.219448/
Thanks for sharing that topic, interesting to read. The only common denominator I can find so far is that all email addresses from compromised accounts are listed in one or more dumps when I check them on https://haveibeenpwned.com/
KevC wrote: Thu Mar 21, 2024 7:29 pm
LukeWCS wrote: Thu Mar 21, 2024 6:09 pm I've been working on an extension for 2 weeks. This is designed to combat the potential problem with old accounts.
You can already do it with the autogroups extension.
Moving older accounts to a moderation queue group works, but it does require extra manual labor for handling those posts from either legit or spam users. The query I posted in the first post works really well for me, only two newer accounts (like created 3 weeks ago) have slipped through. It instantly stopped the majority of spam and didn't require any manual labor for our moderators. :)
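The pattern reported in this thread (long-unused accounts that suddenly post a link, with the same URL across several accounts) can be checked mechanically. The following is an added example, not code from this thread, and it is neither Derky's query nor LukeWCS's extension; the thresholds, the tuple layout, the usernames and the domains are all assumptions made for the illustration.

```python
import re
from datetime import datetime as dt, timedelta

DORMANCY = timedelta(days=365)   # assumption: "long-unused" means a year without posts
PROBATION = timedelta(days=30)   # assumption: keep a revived account on watch this long
URL_RE = re.compile(r"https?://([^/\s\"'<>\]]+)", re.IGNORECASE)

def link_hosts(text):
    """Lower-cased hostnames of every http(s) link in a post body (BBCode or plain)."""
    return {h.lower().split(":")[0] for h in URL_RE.findall(text)}

def flag_posts(posts, dormancy=DORMANCY, probation=PROBATION):
    """posts: (post_id, username, posted_at, text) tuples.
    Returns (post ids to hold for moderation, {host: accounts}); a host is
    listed only when more than one revived account linked to it."""
    last_seen, revived_at, flagged, hosts = {}, {}, [], {}
    for post_id, user, ts, text in sorted(posts, key=lambda p: p[2]):
        prev = last_seen.get(user)
        if prev is not None and ts - prev > dormancy:
            revived_at[user] = ts            # account woke up after a long gap
        last_seen[user] = ts
        on_watch = user in revived_at and ts - revived_at[user] <= probation
        found = link_hosts(text)
        if on_watch and found:               # a harmless first post does not end the watch
            flagged.append(post_id)
            for host in found:
                hosts.setdefault(host, set()).add(user)
    shared = {h: sorted(u) for h, u in hosts.items() if len(u) > 1}
    return flagged, shared

# Constructed sample data: usernames, dates and domains are invented.
SAMPLE_POSTS = [
    (1, "alice", dt(2015, 6, 1), "Thanks, that fixed my template."),
    (2, "bob", dt(2016, 1, 9), "Which PHP version do I need?"),
    (3, "carol", dt(2024, 2, 20), "See https://docs.example/install"),
    (4, "dave", dt(2014, 3, 3), "Hello everyone."),
    (5, "alice", dt(2024, 3, 1), "Look at http://spam.example/a"),
    (6, "bob", dt(2024, 3, 2), "[url=https://SPAM.example/b]click[/url]"),
    (7, "carol", dt(2024, 3, 3), "Also https://docs.example/upgrade"),
    (8, "dave", dt(2024, 3, 4), "Back after ten years, hello again."),
    (9, "alice", dt(2024, 3, 5), "More at http://spam.example/c"),
    (10, "dave", dt(2024, 3, 6), "Try http://spam.example/d"),
]

if __name__ == "__main__":
    print(flag_posts(SAMPLE_POSTS))
```

Accounts with no earlier post are never flagged by this check, which matches the observation above that a few newly created accounts slip past an age-based filter and need a separate rule.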
LukeWCS
Registered User
Posts: 248
Joined: Mon Dec 08, 2014 12:32 pm
Location: Germany

Re: Increased spam activity for meettomy.site from compromised accounts

Post by LukeWCS »

KevC wrote: Thu Mar 21, 2024 7:29 pm You can already do it with the autogroups extension.
I know this, I became aware of this ext while reading this topic. I then experimented with this Ext in my local development environment. This Ext is an effective remedy against the security problem. However, this requires some effort at first and, once set up, still requires manual work on the part of the moderators and administrators.

However, I follow a completely different approach that is automated. In principle, I proceed in a similar way to Derky: I use existing phpBB functionalities and combine them with my own code.

So I'm not looking for a solution because I already have one and now with AG I would even have another one if my own is unusable. So I'm looking for information about the background to the data leak so that I know whether I still need to adapt my own solution or whether I even have to abandon my own approach.
Derky wrote: Thu Mar 21, 2024 9:10 pm Sounds interesting, what type of extension are you creating?
I'll give you detailed information via PM, I don't want to reveal unnecessary public information at the moment. ^^ I will change my developer board to English and take new screenshots, since the previous ones are all in German. However, I won't get to that until this evening.
Derky wrote: Thu Mar 21, 2024 9:10 pm The only common denominator I can find so far is that all email addresses from compromised accounts are listed in one or more dumps
Yes, with the information currently available, which you also mentioned in the starting post, it is currently only clear that these email addresses are in connection with other leaked access data. However, it is still not clear to me at the moment whether the accounts of the affected email addresses were also hijacked.

That was the reason why I wrote here, because I wanted to know whether you might have any new information in the meantime.

We currently assume that only phpBB login data was actually leaked, but not the login data of the associated email accounts. That is an immense difference and important for my further approach.
May the backup be with you. Always.
thecoalman
Community Team Member
Posts: 5920
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.

Re: Increased spam activity for meettomy.site from compromised accounts

Post by thecoalman »

LukeWCS wrote: Fri Mar 22, 2024 1:47 pm So I'm looking for information about the background to the data leak
It appears to be multiple forum platforms on multiple unrelated sites. I would guess the compromised accounts are using poor passwords that had their credentials compromised through numerous sources. I couldn't tell you where to get such a list but they exist. You would only have to run a scraper across forum pages to find username matches and try the password.

As far as the email, if they were using the same password for their email account, it's possible the email account is compromised.
“Results! Why, man, I have gotten a lot of results! I have found several thousand things that won’t work.”

Attributed - Thomas Edison
LukeWCS
Registered User
Posts: 248
Joined: Mon Dec 08, 2014 12:32 pm
Location: Germany

Re: Increased spam activity for meettomy.site from compromised accounts

Post by LukeWCS »

thecoalman wrote: Sat Mar 23, 2024 1:36 am I would guess the compromised accounts are using poor passwords that had their credentials compromised through numerous sources.
I suspect the same thing, especially since they were all old accounts so far. So I assume that very weak passwords were used.
thecoalman wrote: Sat Mar 23, 2024 1:36 am As far as the email, if they were using the same password for their email account, it's possible the email account is compromised.
In that case, everyone loses when there is so much naivety involved. ^^ In this case, as an admin, I can't do anything other than block both the phpBB account and the associated email address, as both can no longer be trusted.
May the backup be with you. Always.
[Dimetrodon]
Registered User
Posts: 438
Joined: Tue Aug 30, 2022 3:29 am
Location: Paleozoic Era

Re: Increased spam activity for meettomy.site from compromised accounts

Post by [Dimetrodon] »

LukeWCS wrote: Fri Mar 22, 2024 1:47 pm I'll give you detailed information via PM, I don't want to reveal unnecessary public information at the moment.
May I ask why? I was able to find all the public information about your extension and what it does anyway on the German board.
Avatar by someone named AdmiralRA on Reddit. (No, I don't have a Reddit account)
When seeking support, please consider filling out the Support Request Template. It makes it easier for anyone trying to help.
ssl
Registered User
Posts: 1746
Joined: Sat Feb 08, 2020 2:15 pm
Location: Le Lude, Pays de la Loire - France
Name: Fred Rimbert

Re: Increased spam activity for meettomy.site from compromised accounts

Post by ssl »

Because the extension was published yesterday on phpbb.de and when Luke talked about it here it was March 22, three days before.
Sorry for my English ... I do my best!

phpBB: 3.3.11 | PHP: 8.2.16
[Kill spam on phpBB] - [Some French translation of extensions]
"Mistress, Mistress someone is bothering me in pm"
LukeWCS
Registered User
Posts: 248
Joined: Mon Dec 08, 2014 12:32 pm
Location: Germany

Re: Increased spam activity for meettomy.site from compromised accounts

Post by LukeWCS »

Like Fred said.

I made progress with the development of the extension faster than I expected. And I didn't want to give any information to the outside world until the extension was ready and downloadable.
May the backup be with you. Always.