Detecting account takeovers?

iaresee

With the latest dumps of usernames and passwords hitting the web, we're seeing an uptick in ATOs on our forum. Old user accounts are being taken over, the email address is changed, and then the account posts something in the For Sale forum. The posts are using AI to manipulate images in very sophisticated ways.

I'm looking for a way to detect ATOs better. The most obvious would be requiring moderator approval on email changes on accounts.

I can't see a permission on the Registered user group that I could change that would require email address changes on accounts to be subjected to moderation. This probably skirts into weird privacy territory for non-US-based accounts too.

Is there a plugin I could use for ATO detection? Anyone have any general advice on how to fight this sort of thing?

Thanks!
 
What I've been doing is when members haven't visited for a long time I change the account status to awaiting email confirmation and make them re-confirm their email before they can post again. The main reason is to reduce emails sent, and emails sent to bad email addresses especially, but it also keeps bad actors from posting using stolen logins unless they also have the email.
 
What I've been doing is when members haven't visited for a long time I change the account status to awaiting email confirmation and make them re-confirm their email before they can post again. The main reason is to reduce emails sent, and emails sent to bad email addresses especially, but it also keeps bad actors from posting using stolen logins unless they also have the email.
This is a pretty good idea.

What's "a long time" for you? 90 days? More?
 
I force 60 day resets.

I've also found that ATOs almost immediately change things like their location and about fields. @Ozzy47 and @Painbaker have a pending plugin that alerts for those changes 🙂 (hint hint)
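
The pattern described across this thread (a long-dormant account logs in, changes its email and profile fields, then posts in For Sale) can be expressed as a sequence check over an activity log. This is an added example, not part of any post above and not code from any forum software or plugin; the event tuple format, the event type names, the 24-hour window and the sample data are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

DORMANT = timedelta(days=60)   # dormancy threshold; 60 days is the figure quoted in the thread
WINDOW = timedelta(hours=24)   # assumption: how long after the return login to keep watching
WATCHED = {"email", "location", "about"}  # profile fields the thread says ATOs change

# Constructed sample events: (ISO timestamp, user, event type, detail)
EVENTS = [
    ("2023-01-10T09:00:00", "alice", "login", ""),
    ("2024-03-01T10:00:00", "alice", "login", ""),
    ("2024-03-01T10:05:00", "alice", "profile_change", "email"),
    ("2024-03-01T10:06:00", "alice", "profile_change", "location"),
    ("2024-03-01T10:30:00", "alice", "post", "For Sale"),
    ("2024-02-20T08:00:00", "bob", "login", ""),
    ("2024-03-01T08:00:00", "bob", "login", ""),
    ("2024-03-01T08:10:00", "bob", "profile_change", "email"),
    ("2024-03-01T08:20:00", "bob", "post", "For Sale"),
    ("2023-05-01T12:00:00", "carol", "login", ""),
    ("2024-03-02T12:00:00", "carol", "login", ""),
    ("2024-03-02T12:15:00", "carol", "post", "General"),
]

def detect_ato(events, dormant=DORMANT, window=WINDOW):
    """Return {user: changed fields} for dormant accounts that change email, then post in For Sale."""
    last_seen = {}  # user -> time of previous event (seed from the user table in practice)
    watch = {}      # user -> {"since": return login time, "fields": watched fields changed}
    flagged = {}
    for ts, user, kind, detail in sorted(events):
        t = datetime.fromisoformat(ts)
        prev = last_seen.get(user)
        # A login after a long gap puts the account under watch for `window`.
        if kind == "login" and prev is not None and t - prev > dormant:
            watch[user] = {"since": t, "fields": set()}
        w = watch.get(user)
        if w and t - w["since"] <= window:
            if kind == "profile_change" and detail in WATCHED:
                w["fields"].add(detail)
            # Flag only when the email was changed before the For Sale post.
            elif kind == "post" and detail == "For Sale" and "email" in w["fields"]:
                flagged[user] = sorted(w["fields"])
        last_seen[user] = t
    return flagged

if __name__ == "__main__":
    print(detect_ato(EVENTS))
```

Flagged accounts are candidates for the re-confirmation hold described earlier in the thread or for moderator review; a recently active account that changes its email (bob in the sample) is not flagged.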
 