UKC

Hi everyone,

I'm afraid we've been targeted by a SPAMers this morning using the User to User messaging.

There's a 5 message/day limit a user can send before alarm bells are triggered. They've either realised this or just assumed something like that is in place. There's been over 20,000 new accounts created today all from different IP addresses. They've all be banned and I've completely disabled the User to User messaging service while we properly investigate. Any unsent email on the server has been purged. There's no way for them to send out anymore SPAM.

For anyone that's received any email asking for crypto currency because the SPAMers have their data. I know it sounds bad but they don't even have your email they've just sent a message through the user messaging service. Please don't reply to any of these, that's the only way they will have your email address.

Our deepest apologies for any inconvenience this has caused.

More details on the News post here

Once again, clear and prompt comms following an issue. Thanks for this.

Thanks for the clear and effective response Paul.

I had 2, from different users, plugging Bitcoin investing.

That is just greedy, I didn't get any.

Thanks, Paul.  I got one of these, which was obviously not kosher, so I immediately came here and was pleased to see your post.  Thanks for the quick notification and for action to stop it.

Cheers, Andy 

I was feeling left out but then I realised I got one too. It is a curious story about a barber from Brighton. Or something.

Perhaps find a way to make replying directly to the first email via the UKC user-to-user messaging system harder or impossible?

(and yes, I got one this morning)

The once was a barber from Brighton
He told a story bound to frighten...

The bizarre case of a waiter from Brighton who accidentally clear up the BTC market like a professional ..............

--

This message was sent to you using a public form at https://www.ukclimbing.com by registered user https://www.ukclimbing.com/user/profile.php?id=332547

Went straight into my junk anyway.  No biggie.

Shame, that story about the theme park attendant from Winchester sounded like a real good yarn.

Ah, Rom is back, then...?

A model response of clear communication & action.

I wonder if you could set two csrf tokens in the registration form.

One of them must be there for registration to work. That's conventional.

The second of them must not be there in original name/value as it is removed or preferably changed/hashed by JavaScript in the browser. 

Alternatively the second csrf must be there but is declared in and added by JavaScript.

It means you would need a JavaScript enabled browser to register, but if the robot registration script is just parsing HTTP & HTML without executing JavaScript the robot registration would fail.

Anybody know how smart the robots are?

Although they might just employ people at 9 cents per hour (e.g. Tanzania minimum wage) rather than use a robot.

Don't really want to reveal all the security we have but the registration page does use Google reCAPTCHA and also checks the email address used using Akismet.

Pretty smart. That's why you're asked to click on low rez pictures of bridges or traffic lights.

There is a huge market not just in spam bots but in screen scraping for price comparison or to gather other trending data. It was common to send a js challenge, e.g. 2+2=, as most bots were simple scripts. But with headless browsers, there is a game of cat and mouse.

A decent bot protection scheme will do a lot of checking, before it sends the capture. Then it measures details of how you click the capture. It will also have in place rate limiting and other web application firewall tools, such as blocking SQL injection XSS etc.

It can't be easy keeping them out!

I replied to all of them and am now rich beyond my wildest dreams

In mine the barber was from Seville. I obviously attract a higher calibre of spammer.

Spoofed IPs? Or botnet registering from compromised machines all over the world?

The email addresses they used for the registration looked like compromised systems. The IPs that did the POSTing were predominantly in Hong Kong.

Can you spare me a couple of £million, then, please?

Fantastic quick response to my email + brilliant user/customer service.  Thank you!

I got one today about becoming a billionaire through bitcoin investment and I emailed Alan about it almost straight away.

In reply to Mountain Spirit: I couldn’t log in to UKC as my password was totally out of date - it’s been rather a long while since I’ve visited this place 😊so I guess that’s the reason I got an email.  I’ve only just updated my log ins……

Kind of you to inform Alan about such a good deal and not to try and keep it all for yourself. 💰💰💰

I wonder if it is worth repeating the final paragraph of the news article in case anyone only reads the thread:

”It would help us out a lot if you just delete these emails and not click on the SPAM button in your email client. We will be blacklisted from email servers if too many SPAM buttons are clicked. The reason this worked so well is ukclimbing.com was a trusted domain in your inboxes and we would like to keep it that way.”

Sure. Just send me your sort code and account number D.O.B etc 

No worries; I’m to be a millionaire tomorrow in an incredible stroke of luck… 

you probs don't need this but just in case. Got one of the spam messages:

id 328361 (from link at end of their message), name is lioprociclo. 
 

And last three digits......

Interesting. I lurk & occasionally post from HK, & am definitely not tech-savvy.  Any indication that a HK-based user might be inadvertently at fault?

It looks like it was co-ordinated from Russia and then farmed out to over 10,000 servers in HK to bypass our rate limit on posts from the same IP address.

Each new user account created sent max 5 messages. Each IP address sent a max of 15 messages.

I'm kinda staggered by the scale of the tech involved that's been coupled with such crappy messages tbh. I can't see the return on investment.

It is odd isnt it. Whilst I would hope that the bright sparks at UKC wouldn't fall for this kind of thing, you would at least expect a degree of 'professionalism' in the attempts. Just get someone local to proof read it. 

The ROI on those servers could be good when you consider that the UKC attempt was but a fraction of the output. Those 10000 servers wont be physical devices. There will be a few beefy physical boxes, probably rented in someone's third party DC and carved up into single purpose VMs meaning resources per VM are small but they will be efficient at the spamming. Would be my guess.

That's my feeling about 99.999% of all spam attacks in general.

Did anyone else get spam to an account other than the one they registered with? I got one to my work account which I've never knowingly used for UKC.

I wasn't worried after the spam email, but I just looked under safari preferences to remember a password for another website and to my surprise there were two UKC users there, one definitely not me.  My computer was remembering the password of another user - one with a name that was all letters and numbers, and didn't look like a name at all.  Is this anything to do with the spam I received? I've recently hard reset my computer so it is fairly obvious it has happened this week as there are only 6 other passwords saved there.  Anyone else had this?

I just looked and I have the same thing here. I searched my emails for the odd username and it turns out it is a password reset code UKC sent me once. Safari must have inadvertently saved it as login details.

Worth searching your emails for the username to see if yours also matches a password reset code - if so I wouldn’t worry at all. 

Edit: also bear in mind that the Mac password manager might be connected to iCloud so wouldn’t necessarily be wiped if you reinstall the OS 

Smokescreen...  Rom adopting desperate measures to hide their latest account sign ups.  They must have a decent budget code for the rate they get through VPNs and email addresses...

Paranoid?  Moi?

No, that'll be me...

https://www.ukclimbing.com/forums/ukc/ukcukh_spam_attack-741244?v=1#x954763...

But does it really cost them anything if they've got the kit to do it.

Isn't that because when you do those particular Turing tests you're actually helping train the AI algorithms for driverless cars?

It is not necessarily 10,000 servers.  Most botnet farms are thousands of infected desktop and laptop computers backed up by central command and control servers.   The “owners” of the botnet farms can rent them out to spammers and other malicious actors.  As long as the infected computers are not harmed in themselves and the infection evades detection; the owners will be blissfully unaware.

A Microsoft article on bot nets

https://news.microsoft.com/on-the-issues/2020/07/24/necurs-botnets-cybercri...

I assume Paul meant 'servers' in the loose sense rather than the 'rack in a data center' sense.

Well, the IP addresses are in groups eg.

• 102.119.108.* Hong Kong
• 103.119.111.* Hong Kong
• 103.119.116.* Indonesia

Not random IPs from all over the world. This means it's not botnet, just cheap VPSs in the Far East... or just compromised servers at these Data Centres.

Have you ever made a visualisation of "hostile" IPs?  I do them occasionally with turning the high and low 16-bits of the IP addresses in to two unsigned integers, and doing a scatter plot in XY space.

There's obvious contiguous chunks corresponding to certain nation's IP spaces, but there's also regular, repeating structures with different periodicities over other ranges.  It looks like those are different IPs each having one go at the default SSH port in a coordinated way.

Back in the day, after the dot com crash, there was a lot of IP hijacking. Companies would be allocated huge ranges of IP's. When they crashed, resourceful spammers changed the allocation owner to themselves, and spammed with glee. You can bind 1000's of IPs to a single network interface. I found that they would use one /24 one day, then the next /24 the following day and so on. Lots of these ranges appeared on the bogon lists, and were blocked, though many got through.

There are companies that manage email reputation such as Spamhaus, Sorbs etc. You can add these filters into your MTA and either block, greylist or spam score based on them. The problem is that you are fighting an enemy with unlimited resources. Its easier to block rather than spam score, but you sometimes hit legitimate mail.

Its been a while since I signed up to UKC, so I guess you validate account email addresses with a URL to click on. It may be worth implementing 2FA with something like Google Authenticator. Its free to deploy, you could either protect the whole account or just the email component.

That's plain silly, most automation of that sort is run out of an instance of a browser so it processes and renders correctly and declares itself as a Mozilla browser (not curl or whatever). 

Look at Chrome's selenium project. It's actually very useful for legitimate non spamming automation, such as robotic processes to mimic human workers and such like