Bot Problem - 2024

FloofyNewfie

The Floofy Administrator
Staff member
Hello,

So as some of you have already noticed, we seem to be getting hit by another wave of bots logging into people's accounts and posting spam on the account's behalf, trying to get people to click on a link for a "dating website." This likely isn't targeted at us, nor is it a problem with the XenForo forum software, as this same bot has also infiltrated forums running on MyBB and Invision Community.

So far I've configured ZooVille to capture the posts and make them invisible for normal users. It's possible that some posts may still wind up on the forum. If that is the case, please report them.

Here's what we know, and here's what you'll need to do if you can suddenly no longer login:

This bot is only logging into people's accounts. The bot is not changing people's passwords. It pretty much logs in, makes a spam post, then immediately logs out. So most likely this is either from the LastPass breach, or from a computer virus.

Since it's not changing people's passwords, what I'm doing is forcing a password change on the accounts that have been compromised instead of outright banning them. The user will need to log into their email and will need to set a new password by clicking on the password reset link. I'd also advise changing the password on every single account you've used the same password on.
 
Thanks FloofyNewfie for taking care of this community, you're doing such a good job!

Some things on the Internet will never cease to exist: bad passwords, unsafe users, attackers
 
Was just thinking same thing about possible link clickers
Just thinking, I lately reported a couple of those posts. I usually check user posts to see if there is additional spam.
Well they did not seem to be from existing users but from burner accounts with only that post.

I never clicked or examined that link before reporting... cause I fear this sort of account seizing, but it sure looks like those might be an entry point for a honeypot.

@FloofyNewfie
You might want to examine those deleted posts closely or ask affected users if they clicked on them
 
Well they did not seem to be from existing users but from burner accounts
Not all of them, no. A couple of users had a few posts, and one of them had like 14 legitimate posts on the forum before the bot took over the account. Most of them have been 0 post lurkers, but 0 post lurkers make up like 95% of this site's userbase.

The IPs of the bot usually come from the same data center, so it's easy enough to tell the difference between the actual account holder's IP versus the one the bot is using to log into the account.

You might want to examine those deleted posts closely or ask affected users if they clicked on them
The posts themselves are all pretty much copy/pasted messages. Which is why it was easy enough to flag them as spam automatically by the forum software. It's possible that the user might have clicked the link from a prior spam post before it got removed. Or it's possible that their password and username got swiped by a dirty keylogger. Or it could be related to the LastPass breach. It's hard to say for certain. But since the message and link are the same, it was easy enough to plug it into Google and find posts from various other forums that have been hit with the same attacker.
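
The pattern described in the posts above (login, one spam post, immediate logout, from a data-center IP) can be checked against forum activity logs. The following is an added example, not part of the original posts and not the forum's own code; the event format, account names, network range and two-minute threshold are all assumptions, and the IPs are from documentation ranges.

```python
import ipaddress
from datetime import datetime, timedelta

# Assumption: hosting-provider range the spam logins come from (documentation range).
DATACENTER_NETS = [ipaddress.ip_network("203.0.113.0/24")]
MAX_SESSION = timedelta(minutes=2)  # assumed threshold for "immediately logs out"

# Constructed sample events: (ISO timestamp, account, action, source IP)
EVENTS = [
    ("2024-01-05T09:00:00", "alice", "login", "198.51.100.7"),
    ("2024-01-05T09:20:00", "alice", "post", "198.51.100.7"),
    ("2024-01-05T10:05:00", "alice", "logout", "198.51.100.7"),
    ("2024-01-06T03:10:00", "alice", "login", "203.0.113.40"),
    ("2024-01-06T03:10:20", "alice", "post", "203.0.113.40"),
    ("2024-01-06T03:10:25", "alice", "logout", "203.0.113.40"),
    ("2024-01-06T03:11:00", "lurker0", "login", "203.0.113.41"),
    ("2024-01-06T03:11:15", "lurker0", "post", "203.0.113.41"),
    ("2024-01-06T03:11:18", "lurker0", "logout", "203.0.113.41"),
    ("2024-01-06T08:00:00", "bob", "login", "192.0.2.15"),
    ("2024-01-06T08:00:30", "bob", "post", "192.0.2.15"),
    ("2024-01-06T08:00:50", "bob", "logout", "192.0.2.15"),
]

def in_datacenter(ip):
    """True if the address falls inside one of the assumed data-center ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DATACENTER_NETS)

def flag_compromised(events):
    """Return accounts with a login -> post -> logout burst from a data-center IP."""
    open_sessions = {}  # (account, ip) -> [login time, has posted]
    flagged = set()
    for ts, account, action, ip in sorted(events):
        when = datetime.fromisoformat(ts)
        key = (account, ip)
        if action == "login":
            open_sessions[key] = [when, False]
        elif action == "post" and key in open_sessions:
            open_sessions[key][1] = True
        elif action == "logout" and key in open_sessions:
            started, posted = open_sessions.pop(key)
            if posted and when - started <= MAX_SESSION and in_datacenter(ip):
                flagged.add(account)  # candidate for a forced password reset
    return sorted(flagged)

if __name__ == "__main__":
    print(flag_compromised(EVENTS))
```

A short session alone is not enough to flag an account here: the constructed "bob" session is brief but comes from a non-data-center address, so it is left alone.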
 
The posts themselves are all pretty much copy/pasted messages. Which is why it was easy enough to flag them as spam automatically by the forum software. It's possible that the user might have clicked the link from a prior spam post before it got removed. Or it's possible that their password and username got swiped by a dirty keylogger. It's hard to say for certain. But since the message and link are the same, it was easy enough to plug it into Google and find posts from various other forums that have been hit with the same attacker.
All right.

I was thinking about a trap site destination with a link including a zooville id hash or directory making ZV as origin. But if the links were plain to the ad site, it is not them

That should not work easily on an https site version, still, I fear savvy hackers out there.

Thanks Floof for being on guard 👍
 
I'm surprised search engine bots are allowed in to be honest.
You can't stop them. "official" ones like Google and Bing will supposedly obey a robots file in a site's header meta data, which controls what sub pages they're allowed to ping, but they still have to access the main landing page to encounter that file, and for every official trawler there's a hundred non-official that can be programmed to easily ignore it. Regardless of whether they ignore it or not, they'll only have access to any pages that guests can access - which is one of the reasons chat IDs aren't allowed on the open forum where a nefarious bot can skim them.
 
how do you know if your account was affected? was everyone auto logged out today? I had to reset mine despite thinking I was typing the correct password.. but maybe I'm just a bit stupid 😅
 
how do you know if your account was affected? was everyone auto logged out today? I had to reset mine despite thinking I was typing the correct password.. but maybe I'm just a bit stupid 😅
No. It says just the ones posting the spam comments get automatically blocked.

So. Yes. You possibly were affected
 
it's a good job i don't use the same email / password from lastpass.

given my IT background .. i am VERY paranoid about viruses and fake emails, as to my email / password usage .... lets just say .... i have a loooong list of random passwords for various sites and i write them down using coded shorthand so NO-ONE knows what it is.

i DO have an open list for my social media in case i pass away suddenly so my family can tell my friends online about my passing.

word of advice, ALWAYS USE 2 FACTOR AUTHENTICATION on certain social media and gaming websites.
 
Thanks for telling us this is happening. It also reminds us to keep an eye on our bank accounts and other things just in case a virus or other nasty software steals the password. I am sure too many people out there know the misery that can cause!! Would Yubikeys work on this site? I never had one so I would not know exactly the way they work. I just know that a lot of people seem to use them. Just don't use one and assume all is well. Keep an eye on accounts just in case those pesky hackers come up with something new!
 
One thing that may help some people if they have multiple computers is to use one for this and the other for gaming. Use another for banking and bill payment and such. Then hopefully if one gets malware the passwords on the other ones are not compromised. This is because they would only be on the ones that were intended to have them and not all be in one place.
 
It pretty much logs in, makes a spam post, then immediately logs out.
Doesn't look like I've been affected, and my password is a unique and strong one, but would this activity appear in our account's "Your Content" view?
 