XF 2.2 Users are getting hacked

dtrumbower

Currently on v2.2.6 Patch 2. The site I help with has had people at times get their accounts hacked, and the hacked user then tries to sell items in our For Sale forum.
The last case happened this last Wed. The item was put up for sale at 1:25pm PST, but the logs show the password was changed at 5:30pm PST.

Anyone else had this issue on accounts?
 
What db hack was that?

 
Are you talking about in the DB? It's in UNIX format.
 
We've had this as well, and at least for the two accounts we know of, we found two common points:
  • Both users have yahoo.com email addresses.
  • Both users have Yahoo usernames matching their forum usernames.
One account was fairly active, but was a long-term member with history in our "for sale" forum; the other hadn't been active since 2020. In both cases though, the perpetrator was traced to an IP address in Morocco. Both had their Yahoo mail accounts hacked to gain access to the forum.

Would this hold true for others we may find? Maybe, maybe not. At least not until it happens again and we can compare.

Yahoo had the biggest data breach in history several years ago, so that may have contributed to it.

So far, this is different from the "old accounts being accessed" issue. This is more a case of a third party (the email provider) being compromised, which in turn allows the scammer to find forum accounts they can get into with the email address.
 
 
Similar...but a different modus operandi, from what we've seen. One was a current, active account. These were both Yahoo mail breaches that the scammers took advantage of to try and defraud customers with fake "for sale" listings. We're dealing with a completely different set of circumstances with these two latest incidents.

That other type of breach was more about spammers who were using old accounts. The current batch is more sneaky and more dangerous since they're directly defrauding forum members by using long-established accounts with a lot of positive feedback in our "for sale" areas.
 
Similar enough to help with ideas to prevent the problem. I've had it, not fun to deal with.

I have a "required reading" Notice at the top of classifieds that links to a post I made in our Help forum, covering as many scenarios as I could with regards to classifieds and dealing with possible scammers. I get a few reports a month with members expressing concerns over a transaction, and I investigate as best I can.

Their tactics are consistent, the KEY factors are trying to take the conversation offline (txt or email), and their payment provider email NOT matching the email on their forum account. There are email patterns as well (accountname451@domain.com).

I have a ridiculous number of hours into educating myself on their tactics, and keep monitoring to ensure I'm on top of it.

First off, let's be clear....99.99% of the members of this site are trustworthy and 99.99% of the transactions occur without issue.

However....there are occasional problems. Some buyer/seller/scammer red flags are:
  • little or no post history...any existing posts are usually all the same few words
  • joined the forum in recent days
  • suddenly posting a bunch of classifieds threads in quick succession
  • prices WAY too good to be true
  • language/communication oddities
  • user location is overly general, i.e. "europe" or "north america"
  • inboxes you directly, no replies in the thread
  • post or inbox message requests further contact via email or phone
  • requests payment from a non-standard provider
  • requests payments through multiple providers, or to other individuals (ie: "my Paypal is screwed up, can you Venmo my girlfriend?")
  • Venmo/Paypal email addy has no resemblance to their name/username/account (easy Admin check when reported)
  • insists on payment without fees
Also, avoid listing or giving your email or phone number. Don't do it when you list an item, and try to avoid doing it when you are in a discussion until you are sure the other party isn't a scammer. Nothing worse than putting your private info out into the world for scammers to data-mine.

KEEP the transaction discussion IN the forum. DO NOT move it to email or phone messaging.

The key is to protect yourself and your hard earned money. Do your due diligence with any buyer/seller....because if it seems at all strange or suspicious, it probably is.



If you suspect these types of issues are happening, please REPORT the user/conversation/post and offer a brief description of your suspicions. Using the forum Reporting system allows better tracking of problem users and can assist in finding patterns that can help block future scammer registrations entirely.

------

The REPORT button is located immediately below every thread and conversation post. That REPORT button gives me the info I need to investigate quickly. The Conversation REPORT in particular will help me investigate.

------

When in doubt, REPORT. Better to be wrong and have the account checked versus not reporting at all.
 
One thing that is snagging our members is that these compromised accounts are long-standing and trusted sellers in our for-sale area. That and whoever is doing this scamming is doing their homework--they're going into the post history and learning enough about what products these members were buying or selling, and are able to get the details close enough that their ads look legit. These are not random items, in other words. Our for-sale area is not visible to the public--we require X number of days and posts before members can see them. So whoever did this has either had another account to reach the bogie and get into the private area to do some surveillance, or the Yahoo account they compromised gave them instant access. This recent scammer is a lot more dangerous than what we've had in the past, and this has only been over the past two weeks.

As I've told the staff--it's not a forum problem, it's a problem with our members' Yahoo mail accounts. They probably have had the same usernames and passwords for years (if not decades) in multiple places, and that made gaining entry to the forum easy.

One of our staffers who did the research noted that one of the email addresses used in the private message of one of the aborted transactions was found during a Google search...which pointed to another forum where the scammer had used the same email address and had been publicly outed.

What alerted a couple of members that the ad they tried to purchase from was exactly what you said--they gave one address for PayPal payment, then another to contact them. That's actually not too unusual (I have done the same for 20+ years) but the way the scammer presented it seemed fishy--it read like it was written by a Gen Z, not someone who is a typical member of our forums (we skew older). Also, the ads looked legit but one of them was slightly suspect--it wasn't quite correct in one of the finer details, something maybe only 1% of our members might notice. (I can't go into much detail here--it would take paragraphs to describe.)

So that is how these are different from the regurgitating of inactive user accounts that we had not too long ago.

I've long wanted to block countries at Cloudflare but the last time I tried that, we had scattered members all over the globe email us saying they were blocked. I could block Morocco but that only makes a scammer fire up a VPN and move their access elsewhere. I really want to block the Tor network but then we'd have our tinfoil hat members complaining they can't get in. 🤦‍♂️
 
This plugin is worth installing too:
Yeah, it has 2 important features regarding hacked accounts:
  1. You can enable a login captcha. This prevents bots from mass login attempts (which are usually the root of hacked accounts).
  2. You can monitor failed login attempts in the logs. This helps you identify how accounts are hacked.
Support by @DragonByte Tech is also very good. (y)
 
This latest hack was a current active member that had been selling in the past. They definitely are doing their homework. The items for sale are not strange items but do have a lower price than usual. We did check the log right away and nothing showed up that passwords or notifications were changed until hours later.
 
This latest hack was a current active member that had been selling in the past. They definitely are doing their homework. The items for sale are not strange items but do have lower price than usual.
That is the disturbing part, and why this type of scamming can be dangerous. In our case, the prices of items are not really predictable and the prices the scammer(s) posted were not outside the norm. In fact, the scammer(s) learned enough of the grading and terminology our members use to list similar items. They have done a lot of homework. So much so, that we were suspecting it was a member who had gone rogue on us.

Plus, unless we're missing something, these scammers are not altering the member's email account--they seem to log in simply to change the account password, then once in the forum, they can change the email address and go about posting their fake ads.

This is why security add-ons and such won't work. The only thing I can think of to detect this activity is an add-on that would alert us to when a member suddenly logs in from a country halfway around the world. They aren't "hacking" XF at all to get in, nor are they abusing anything. The key here is that they are able to get into email accounts (outside our control) just enough to manipulate a forum account and take it over.

BTW, I did have Dragonbyte Security but found it too flawed to be of any use to us. In essence, what these scammers are doing is outside any normal detection method we've had in the past.
 
This is why security add-ons and such won't work. The only thing I can think of to detect this activity is an add-on that would alert us to when a member suddenly logs in from a country halfway around the world. They aren't "hacking" XF at all to get in, nor are they abusing anything. The key here is that they are able to get into email accounts (outside our control) just enough to manipulate a forum account and take it over.
https://xenforo.com/community/resources/ozzmodz-login-by-country-log.8399/ I use this log/alert extensively.

I have an unpublished plugin from ozzmodz that alerts the Admin (me) when users make User Profile Edits, i.e. change of location, website, etc. I have had users register and sit dormant, with their IP and user-entered profile information matching (i.e. India, Russia, Romania, etc.), then return months later and change their location to Seattle, Atlanta, Denver, etc. and start posting in Classifieds with scam attempts.
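The detection idea raised in the posts above (alert when an established member suddenly logs in from a new country, and then within hours changes their password or email and posts in the for-sale area) can be checked offline against a login/audit log. The script below is an added example written for this thread; it is not code from XenForo, the OzzModz add-on or DragonByte Security. The log format (`timestamp|user|event|country|detail`) and the sample lines are constructed for the example, as is the six-hour correlation window.

```python
"""Flag the takeover pattern described in the thread from audit-log lines.

Assumed (constructed) log layout, one event per line:
    timestamp|user|event|country|detail
Events used: login, password_change, email_change, thread_create.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: alice has a US history, then a Moroccan (MA) login
# followed by credential changes and a for-sale listing; bob is benign.
SAMPLE_LOG = """\
2022-03-01 09:12:00|alice|login|US|
2022-03-05 18:40:00|alice|login|US|
2022-03-10 07:02:00|bob|login|GB|
2022-03-12 11:00:00|alice|login|MA|
2022-03-12 11:03:00|alice|password_change|MA|
2022-03-12 11:05:00|alice|email_change|MA|old=alice@example.com new=x@example.net
2022-03-12 11:25:00|alice|thread_create|MA|forum=for_sale
2022-03-13 08:00:00|bob|login|GB|
2022-03-13 08:30:00|bob|password_change|GB|
"""

# Events that, shortly after a new-country login, indicate an account takeover.
FOLLOW_ON_EVENTS = {"password_change", "email_change", "thread_create"}
WINDOW = timedelta(hours=6)  # assumed correlation window


def parse_log(text):
    """Parse the constructed pipe-delimited format into sorted event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, country, detail = line.split("|", 4)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "user": user, "event": event,
            "country": country, "detail": detail,
        })
    events.sort(key=lambda e: e["ts"])
    return events


def find_takeover_indicators(events, window=WINDOW):
    """Return (indicator, user, timestamp, value) tuples.

    - new_country_login: a member with prior login history logs in from a
      country never seen for that account (the first login of a brand-new
      account only seeds the baseline, it is not flagged).
    - follow_on_after_new_country: a password/email change or thread creation
      within `window` of that new-country login.
    """
    seen_countries = defaultdict(set)   # user -> countries with prior logins
    recent_new_login = {}               # user -> timestamp of flagged login
    alerts = []
    for e in events:
        user = e["user"]
        if e["event"] == "login":
            if seen_countries[user] and e["country"] not in seen_countries[user]:
                alerts.append(("new_country_login", user, e["ts"], e["country"]))
                recent_new_login[user] = e["ts"]
            seen_countries[user].add(e["country"])
        elif e["event"] in FOLLOW_ON_EVENTS:
            flagged_at = recent_new_login.get(user)
            if flagged_at is not None and e["ts"] - flagged_at <= window:
                alerts.append(("follow_on_after_new_country", user, e["ts"], e["event"]))
    return alerts


if __name__ == "__main__":
    for indicator, user, ts, value in find_takeover_indicators(parse_log(SAMPLE_LOG)):
        print(f"{ts} {user}: {indicator} ({value})")
```

The baseline is per account rather than per site, so a member who has always logged in from Morocco is not flagged, while a long-standing US member suddenly appearing from Morocco and changing their password minutes later is. Country blocking at the edge, as noted above, only pushes the attacker onto a VPN; this check keys on the change in behaviour for the specific account instead.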
 