XF 2.2 Old users are becoming SPAM everyday !

[Sadiq6210]

Hello

Recently I upgraded our forum from 2.2.8 to latest version and I noticed that many old users are becoming SPAM everyday (5 to 10 old memberships are stolen everyday and posting spam threads). I can't see any relation between the upgrade and the issue, however, this is what happened. Is it a coincidence? Is this a new method of SPAM attacking to steal the users accounts instead of new registration? I mean I am moderating this forum since 2006, moved to Xenforo since 2015 and I didn't face something similar.

Currently I am trying to control the SPAM posts by banning many valuable old users everyday.
Anyone is facing same issue? and advise?

 

[Seeker-Smith]

Hello

Recently I upgraded our forum from 2.2.8 to latest version and I noticed that many old users are becoming SPAM everyday (5 to 10 old memberships are stolen everyday and posting spam threads). I can't see any relation between the upgrade and the issue, however, this is what happened. Is it a coincidence? Is this a new method of SPAM attacking to steal the users accounts instead of new registration? I mean I am moderating this forum since 2006, moved to Xenforo since 2015 and I didn't face something similar.

Currently I am trying to control the SPAM posts by banning many valuable old users everyday.
Anyone is facing same issue? and advise?

Why not use user batch update and "set user state" of old users to awaiting approval or email verification.

 

[Ozzy47]

@Ozzy47

Wouldn't the Login Spaminator take care of these logins?

Possibly, but they wouldn’t be security locked.

 

[Gsk8]

Having same problem. This is a first for me. Up to five "old" accounts spamming per day. This just started happening. No new addons.

 

[dethfire]

Yeah there are a lot of sleeper accounts over the years that get activated. I end up deleting users with 0 posts older than 3 months.

 

[Suzanne O]

You would think to go through all the accounts and make sure that they aren't hacked.

 

[Gsk8]

Anyone know what caused this?

 

[philmckrackon]

Anyone know what caused this?

Most likely this database breach.

Researcher uncovers one of the biggest password dumps in recent history

Roughly 25 million of the passwords have never been seen before by widely used service.

arstechnica.com

XF discussion:

Thread 'Increase in Spam from old accounts'

Feb 15, 2024

Hello everyone,

I've noticed an increase in spam from old accounts over the past few days. These are accounts that haven't posted on the forum for many years. All the spam is advertising "Top-notch Casual Dating".

After analyzing other forums, I've noticed the same thing happening there too. But the most interesting part is that these forums operate on different platforms.

XenForo - https://pika-network.net/threads/top-notch-sasual-dating-verified-maidens.390411/
Vbulletin - https://www.nissan-club.org/board/showthread.php?t=53559
Invision Community -...

• Dkf
• spam
• Replies: 14
• Forum: Off topic

• 

 

[Mouth]

[OzzModz] Security Lock Old Accounts

Feb 13, 2024

Stop spammers from using breached accounts

• Ozzy47
• Add-ons [2.x]

This free addon will prevent old breached accounts from logging in, https://xenforo.com/community/resources/ozzmodz-security-lock-old-accounts.9372/

Agreed.

[OzzModz] Security Lock Old Accounts

Feb 13, 2024

Stop spammers from using breached accounts

• Ozzy47
• Add-ons [2.x]

 

[Sadiq6210]

Is there a way to revert all the changes done by spam in the user profile and restore the previous user fields values? Any available Addon?

 

[FTL]

@Sadiq6210 this could kill your forum, so it might be worth you enabling 2FA. It can cause some people to be locked out, yes, but it will stop these breaches in their tracks.

 

[DeltaHF]

My forum has been heavily affected by this as well, and now it seems to be getting even more sophisticated.

Today, we had a security locked account doing this same behavior. The spammer actually reset the user's password, so apparently they had full access to the victim's email account and enough time and (non-bot?) attention to carry this out.

We need to come up with more sophisticated ways to deal with this type of "edit spam".

 

[Xon]

Frustratingly, I've seen these compromises from accounts that are +8 years old to ones which are less than 2-3 months old.

I've been using "I'm under attack" clouldflare setting for the /login url which has migrated most of it, but it has collateral damage (hates on 32bit firefox apparently).

I also run haveibeenpwned.com integration which checks on login and forces 2fa emails if the user is using a known compromised password and that isn't enough as it isn't reliably triggering in all cases.

At this stage I think a popular browser extension has been compromised and is/was harvesting credentials

 

[woody]

Here's the latest, I caught yet another today.

I have a global audience, so blocking by Country Code is not an option.

A member registered a few weeks ago, their IP is recorded and the User Field: Location is required. They have logged in from IP's from that same country consistently for weeks. Even if the IP triggers a suspect/known spammer country, I allow the registration IF their Location field matches. (ie: IP from China, and Location entered is China or a city from that country)

The LATEST spam trick is to register and have those two values match...THEN come in weeks later and update their User Field: Location to a USA city.

Is there an existing plugin that reports User Field changes to the Admin (via alert or email)?? Even better if only triggers based on specific IP/Country Codes.

The spammers continue to improve their game....

 

[BassMan]

Or this one...

Upload images in the quick editor and never post a reply. Use the URL of those images in an email for various phishing attacks. The URL points to your forum (images are uploaded to your server).