UKC

NEWS: UKC/UKH Spam Attack

Please Register as a New User in order to reply to this topic.

Hi everyone,

I'm afraid we've been targeted by a SPAMers this morning using the User to User messaging.

There's a 5 message/day limit a user can send before alarm bells are triggered. They've either realised this or just assumed something like that is in place. There's been over 20,000 new accounts created today all from different IP addresses. They've all be banned and I've completely disabled the User to User messaging service while we properly investigate. Any unsent email on the server has been purged. There's no way for them to send out anymore SPAM.

For anyone that's received any email asking for crypto currency because the SPAMers have their data. I know it sounds bad but they don't even have your email they've just sent a message through the user messaging service. Please don't reply to any of these, that's the only way they will have your email address.

Our deepest apologies for any inconvenience this has caused.

More details on the News post here

 chris_r 17 Nov 2021
In reply to Paul Phillips - UKC and UKH:

Once again, clear and prompt comms following an issue. Thanks for this.

 Andy Johnson 17 Nov 2021
In reply to Paul Phillips - UKC and UKH:

Thanks for the clear and effective response Paul.

 LastBoyScout 17 Nov 2021
In reply to Paul Phillips - UKC and UKH:

I had 2, from different users, plugging Bitcoin investing.

In reply to LastBoyScout:

That is just greedy, I didn't get any.

In reply to Paul Phillips - UKC and UKH:

Thanks, Paul.  I got one of these, which was obviously not kosher, so I immediately came here and was pleased to see your post.  Thanks for the quick notification and for action to stop it.

Cheers, Andy 

In reply to Paul Phillips - UKC and UKH:

I was feeling left out but then I realised I got one too. It is a curious story about a barber from Brighton. Or something.

 ChrisJD 17 Nov 2021
In reply to Paul Phillips - UKC and UKH:

> Please don't reply to any of these, that's the only way they will have your email address.

Perhaps find a way to make replying directly to the first email via the UKC user-to-user messaging system harder or impossible?

(and yes, I got one this morning)

Post edited at 10:03
 wintertree 17 Nov 2021
In reply to Alkis:

>  It is a curious story about a barber from Brighton. Or something.

The once was a barber from Brighton
He told a story bound to frighten...

 Cobra_Head 17 Nov 2021
In reply to Paul Phillips - UKC and UKH:

The bizarre case of a waiter from Brighton who accidentally clear up the BTC market like a professional ..............

--

This message was sent to you using a public form at https://www.ukclimbing.com by registered user https://www.ukclimbing.com/user/profile.php?id=332547

 Iamgregp 17 Nov 2021
In reply to Paul Phillips - UKC and UKH:

Went straight into my junk anyway.  No biggie.

Shame, that story about the theme park attendant from Winchester sounded like a real good yarn.

In reply to Paul Phillips - UKC and UKH:

> There's been over 20,000 new accounts created today all from different IP addresses.

Ah, Rom is back, then...?

 elsewhere 17 Nov 2021
In reply to Paul Phillips - UKC and UKH:

A model response of clear communication & action.

I wonder if you could set two csrf tokens in the registration form.

One of them must be there for registration to work. That's conventional.

The second of them must not be there in original name/value as it is removed or preferably changed/hashed by JavaScript in the browser. 

Alternatively the second csrf must be there but is declared in and added by JavaScript.

It means you would need a JavaScript enabled browser to register, but if the robot registration script is just parsing HTTP & HTML without executing JavaScript the robot registration would fail.

Anybody know how smart the robots are?

Although they might just employ people at 9 cents per hour (e.g. Tanzania minimum wage) rather than use a robot.

Post edited at 11:06
In reply to elsewhere:

Don't really want to reveal all the security we have but the registration page does use Google reCAPTCHA and also checks the email address used using Akismet.

In reply to elsewhere:

>Anybody know how smart the robots are?

Pretty smart. That's why you're asked to click on low rez pictures of bridges or traffic lights.

There is a huge market not just in spam bots but in screen scraping for price comparison or to gather other trending data. It was common to send a js challenge, e.g. 2+2=, as most bots were simple scripts. But with headless browsers, there is a game of cat and mouse.

A decent bot protection scheme will do a lot of checking, before it sends the capture. Then it measures details of how you click the capture. It will also have in place rate limiting and other web application firewall tools, such as blocking SQL injection XSS etc.

 elsewhere 17 Nov 2021
In reply to Paul Phillips - UKC and UKH:

It can't be easy keeping them out!

In reply to LastBoyScout:

I replied to all of them and am now rich beyond my wildest dreams

 chris_r 17 Nov 2021
In reply to Alkis:

> I was feeling left out but then I realised I got one too. It is a curious story about a barber from Brighton. 

In mine the barber was from Seville. I obviously attract a higher calibre of spammer.

In reply to Paul Phillips - UKC and UKH:

> There's been over 20,000 new accounts created today all from different IP addresses.

Spoofed IPs? Or botnet registering from compromised machines all over the world?

In reply to Toerag:

The email addresses they used for the registration looked like compromised systems. The IPs that did the POSTing were predominantly in Hong Kong.

Post edited at 14:10
 LastBoyScout 17 Nov 2021
In reply to Bulls Crack:

> I replied to all of them and am now rich beyond my wildest dreams

Can you spare me a couple of £million, then, please?

 Tiggs 17 Nov 2021
In reply to Paul Phillips - UKC and UKH:

Fantastic quick response to my email + brilliant user/customer service.  Thank you!

In reply to Paul Phillips - UKC and UKH:

I got one today about becoming a billionaire through bitcoin investment and I emailed Alan about it almost straight away.

 Tiggs 17 Nov 2021

In reply to Mountain Spirit: I couldn’t log in to UKC as my password was totally out of date - it’s been rather a long while since I’ve visited this place 😊so I guess that’s the reason I got an email.  I’ve only just updated my log ins……

 FactorXXX 17 Nov 2021
In reply to Mountain Spirit:

> I got one today about becoming a billionaire through bitcoin investment and I emailed Alan about it almost straight away.

Kind of you to inform Alan about such a good deal and not to try and keep it all for yourself. 💰💰💰

In reply to Paul Phillips - UKC and UKH:

I wonder if it is worth repeating the final paragraph of the news article in case anyone only reads the thread:

”It would help us out a lot if you just delete these emails and not click on the SPAM button in your email client. We will be blacklisted from email servers if too many SPAM buttons are clicked. The reason this worked so well is ukclimbing.com was a trusted domain in your inboxes and we would like to keep it that way.”

In reply to LastBoyScout:

Sure. Just send me your sort code and account number D.O.B etc 

Post edited at 19:42
 Yanis Nayu 17 Nov 2021
In reply to Paul Phillips - UKC and UKH:

No worries; I’m to be a millionaire tomorrow in an incredible stroke of luck… 

In reply to Paul Phillips - UKC and UKH:

you probs don't need this but just in case. Got one of the spam messages:

id 328361 (from link at end of their message), name is lioprociclo. 
 

In reply to Bulls Crack:

And last three digits......

 DRYAN 18 Nov 2021
In reply to Paul Phillips - UKC and UKH:

Interesting. I lurk & occasionally post from HK, & am definitely not tech-savvy.  Any indication that a HK-based user might be inadvertently at fault?

> The email addresses they used for the registration looked like compromised systems. The IPs that did the POSTing were predominantly in Hong Kong.

In reply to DRYAN:

It looks like it was co-ordinated from Russia and then farmed out to over 10,000 servers in HK to bypass our rate limit on posts from the same IP address.

Each new user account created sent max 5 messages. Each IP address sent a max of 15 messages.

I'm kinda staggered by the scale of the tech involved that's been coupled with such crappy messages tbh. I can't see the return on investment.

In reply to Paul Phillips - UKC and UKH:

> It looks like it was co-ordinated from Russia and then farmed out to over 10,000 servers in HK to bypass our rate limit on posts from the same IP address.

> Each new user account created sent max 5 messages. Each IP address sent a max of 15 messages.

> I'm kinda staggered by the scale of the tech involved that's been coupled with such crappy messages tbh. I can't see the return on investment.

It is odd isnt it. Whilst I would hope that the bright sparks at UKC wouldn't fall for this kind of thing, you would at least expect a degree of 'professionalism' in the attempts. Just get someone local to proof read it. 

The ROI on those servers could be good when you consider that the UKC attempt was but a fraction of the output. Those 10000 servers wont be physical devices. There will be a few beefy physical boxes, probably rented in someone's third party DC and carved up into single purpose VMs meaning resources per VM are small but they will be efficient at the spamming. Would be my guess.

In reply to Paul Phillips - UKC and UKH:

> I'm kinda staggered by the scale of the tech involved that's been coupled with such crappy messages tbh. I can't see the return on investment.

That's my feeling about 99.999% of all spam attacks in general.

 DaveHK 18 Nov 2021
In reply to Paul Phillips - UKC and UKH:

Did anyone else get spam to an account other than the one they registered with? I got one to my work account which I've never knowingly used for UKC.

 Cheryl 18 Nov 2021
In reply to Paul Phillips - UKC and UKH:

I wasn't worried after the spam email, but I just looked under safari preferences to remember a password for another website and to my surprise there were two UKC users there, one definitely not me.  My computer was remembering the password of another user - one with a name that was all letters and numbers, and didn't look like a name at all.  Is this anything to do with the spam I received? I've recently hard reset my computer so it is fairly obvious it has happened this week as there are only 6 other passwords saved there.  Anyone else had this?

In reply to Cheryl:

I just looked and I have the same thing here. I searched my emails for the odd username and it turns out it is a password reset code UKC sent me once. Safari must have inadvertently saved it as login details.

Worth searching your emails for the username to see if yours also matches a password reset code - if so I wouldn’t worry at all. 

Edit: also bear in mind that the Mac password manager might be connected to iCloud so wouldn’t necessarily be wiped if you reinstall the OS 

Post edited at 17:37
 wintertree 18 Nov 2021
In reply to Paul Phillips - UKC and UKH:

> I'm kinda staggered by the scale of the tech involved that's been coupled with such crappy messages tbh. I can't see the return on investment.

Smokescreen...  Rom adopting desperate measures to hide their latest account sign ups.  They must have a decent budget code for the rate they get through VPNs and email addresses...

Paranoid?  Moi?

In reply to Paul Phillips - UKC and UKH:

> It looks like it was co-ordinated from Russia and then farmed out to over 10,000 servers in HK to bypass our rate limit on posts from the same IP address.

> Each new user account created sent max 5 messages. Each IP address sent a max of 15 messages.

> I'm kinda staggered by the scale of the tech involved that's been coupled with such crappy messages tbh. I can't see the return on investment.

But does it really cost them anything if they've got the kit to do it.

 kmsands 19 Nov 2021
In reply to dread-i:

> That's why you're asked to click on low rez pictures of bridges or traffic lights.

Isn't that because when you do those particular Turing tests you're actually helping train the AI algorithms for driverless cars?

In reply to Paul Phillips - UKC and UKH:

> It looks like it was co-ordinated from Russia and then farmed out to over 10,000 servers in HK to bypass our rate limit on posts from the same IP address.

> Each new user account created sent max 5 messages. Each IP address sent a max of 15 messages.

> I'm kinda staggered by the scale of the tech involved that's been coupled with such crappy messages tbh. I can't see the return on investment.

It is not necessarily 10,000 servers.  Most botnet farms are thousands of infected desktop and laptop computers backed up by central command and control servers.   The “owners” of the botnet farms can rent them out to spammers and other malicious actors.  As long as the infected computers are not harmed in themselves and the infection evades detection; the owners will be blissfully unaware.

 remus 19 Nov 2021
In reply to Currently Resting:

> It is not necessarily 10,000 servers.  Most botnet farms are thousands of infected desktop and laptop computers backed up by central command and control servers.   The “owners” of the botnet farms can rent them out to spammers and other malicious actors.  As long as the infected computers are not harmed in themselves and the infection evades detection; the owners will be blissfully unaware.

I assume Paul meant 'servers' in the loose sense rather than the 'rack in a data center' sense.

In reply to Currently Resting:

Well, the IP addresses are in groups eg.

  • 102.119.108.* Hong Kong
  • 103.119.111.* Hong Kong
  • 103.119.116.* Indonesia

Not random IPs from all over the world. This means it's not botnet, just cheap VPSs in the Far East... or just compromised servers at these Data Centres.

 wintertree 19 Nov 2021
In reply to Paul Phillips - UKC and UKH:

Have you ever made a visualisation of "hostile" IPs?  I do them occasionally with turning the high and low 16-bits of the IP addresses in to two unsigned integers, and doing a scatter plot in XY space.

There's obvious contiguous chunks corresponding to certain nation's IP spaces, but there's also regular, repeating structures with different periodicities over other ranges.  It looks like those are different IPs each having one go at the default SSH port in a coordinated way.

In reply to Paul Phillips - UKC and UKH:

>Well, the IP addresses are in groups eg.

>102.119.108.* Hong Kong

>103.119.111.* Hong Kong

Back in the day, after the dot com crash, there was a lot of IP hijacking. Companies would be allocated huge ranges of IP's. When they crashed, resourceful spammers changed the allocation owner to themselves, and spammed with glee. You can bind 1000's of IPs to a single network interface. I found that they would use one /24 one day, then the next /24 the following day and so on. Lots of these ranges appeared on the bogon lists, and were blocked, though many got through.

There are companies that manage email reputation such as Spamhaus, Sorbs etc. You can add these filters into your MTA and either block, greylist or spam score based on them. The problem is that you are fighting an enemy with unlimited resources. Its easier to block rather than spam score, but you sometimes hit legitimate mail.

Its been a while since I signed up to UKC, so I guess you validate account email addresses with a URL to click on. It may be worth implementing 2FA with something like Google Authenticator. Its free to deploy, you could either protect the whole account or just the email component.

In reply to elsewhere:

That's plain silly, most automation of that sort is run out of an instance of a browser so it processes and renders correctly and declares itself as a Mozilla browser (not curl or whatever). 

Look at Chrome's selenium project. It's actually very useful for legitimate non spamming automation, such as robotic processes to mimic human workers and such like


Please Register as a New User in order to reply to this topic.
Loading Notifications...