
#1 2024-03-08 11:48 pm

DLipman
Member
Registered: 2020-10-27
Posts: 22

Account Compromiser posting spam

We are seeing a pattern but can't determine how accounts are being compromised.

Older accounts that have become dormant spew a specific spam.

Sample spam text (with little variance):

Experience carefree connections with the top-rated site for casual dating adventures.
Legitimate Girls Exemplary Сasual Dating
Prime Сasual Dating

When the IP address history is examined, the compromised accounts show no correlation to the spam posting IP which have "mostly" been GeoIP'd to emanate from Montreal, Canada.

It is unknown how the miscreant is doing it. Comparing email addresses on haveibeenpwned.com shows no correlation.

Last edited by DLipman (2024-03-09 11:41 pm)
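
As an added example (not part of the original thread): a sketch of detection logic for the pattern described in post #1, flagging posts from accounts that were silent for a long time and then post from a network absent from their IP history. The log layout, the 365-day threshold, the /24 and /48 coarsening and all sample records are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta
from ipaddress import ip_network

# Constructed sample activity log: (account, ISO timestamp, source IP, action).
# Addresses come from the RFC 5737 documentation ranges.
SAMPLE_EVENTS = [
    ("alice", "2019-05-02T10:00:00", "192.0.2.10", "login"),
    ("alice", "2019-05-02T10:05:00", "192.0.2.10", "post"),
    ("bob",   "2024-02-20T08:00:00", "198.51.100.7", "post"),
    ("alice", "2024-03-08T23:40:00", "203.0.113.55", "post"),   # dormant, new network
    ("alice", "2024-03-08T23:45:00", "203.0.113.55", "post"),   # follow-up spam post
    ("bob",   "2024-03-09T09:00:00", "198.51.100.99", "post"),  # active, same /24
    ("carol", "2021-01-01T12:00:00", "192.0.2.77", "post"),
    ("carol", "2024-03-09T12:00:00", "192.0.2.80", "post"),     # dormant, known /24
]

def net_of(ip):
    """Coarsen an address to /24 (IPv4) or /48 (IPv6) so ISP churn is tolerated."""
    prefix = 48 if ":" in ip else 24
    return ip_network(f"{ip}/{prefix}", strict=False)

def flag_dormant_reactivations(events, dormancy=timedelta(days=365)):
    """Return posts made after a long silence from a network the account never used."""
    last_seen = {}   # account -> datetime of last trusted activity
    networks = {}    # account -> set of networks seen in trusted activity
    flagged = []
    for account, ts, ip, action in sorted(events, key=lambda e: e[1]):
        when = datetime.fromisoformat(ts)
        net = net_of(ip)
        prev = last_seen.get(account)
        known = networks.setdefault(account, set())
        if (action == "post" and prev is not None
                and when - prev >= dormancy and net not in known):
            flagged.append((account, ts, ip, (when - prev).days))
            continue   # untrusted: must not refresh the account's history
        known.add(net)
        last_seen[account] = when
    return flagged

if __name__ == "__main__":
    for account, ts, ip, gap in flag_dormant_reactivations(SAMPLE_EVENTS):
        print(f"{account}: post at {ts} from {ip} after {gap} days of inactivity")
```

Flagged posts are candidates for a moderation queue and a forced password reset rather than automatic deletion, since a returning user on a new ISP looks the same to this check.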


#2 2024-03-09 6:34 am

Oblivian
Member
Registered: 2018-11-04
Posts: 79

Re: Account Compromiser posting spam

I raised this here. It's the same on the one I admin. All links to that dodgy dating site.
https://www.stopforumspam.com/forum/viewtopic.php?id=9458

The accts I checked did relate to either the naz leak, or presumably the 65 billion one last month (HIBP doesn't appear to have this yet) - the forum in question did admit to a leak back in 2018, of which a portion of the data seems either to still be valid and now in the wild suddenly, or more recently stolen somehow. You also can't really go submitting them. Or removing all the user's past posts. Just the most recent and a ban.

Likewise, it's the Canadian (Catrina Hunsinger) breached IP that now has a really bad reputation score.

Last edited by Oblivian (2024-03-09 6:34 am)


#3 2024-03-09 12:16 pm

DLipman
Member
Registered: 2020-10-27
Posts: 22

Re: Account Compromiser posting spam

Thank you!


#4 2024-04-18 4:53 pm

DLipman
Member
Registered: 2020-10-27
Posts: 22

Re: Account Compromiser posting spam

It does not appear to be resultant of the naz.api breach whose records are on HIBP.

Looking at new compromised, spamming, accounts, only one was listed on HIBP to have been a part of the naz.api breach.
Many had no Breaches shown when checked on HIBP. With another the only breach shown was the Canva Breach of 05/'19.

There may be a Breach that is yet unknown or even an entity may have merged several into one database they are using.

In any case this spam campaign continues but at a slower pace and now all compromised accounts seem to be now using VPN.

Last edited by DLipman (2024-04-19 10:39 am)


#5 2024-04-19 5:30 am

pedigree
uıɐbɐ ʎɐqǝ ɯoɹɟ pɹɐoqʎǝʞ ɐ buıʎnq ɹǝʌǝu ɯ,ı
From: New Zealand
Registered: 2008-04-16
Posts: 7,056

Re: Account Compromiser posting spam

I wish I could reliably maintain a list of VPN services so that I could provide it in the API as a scoring metric, but they rotate so quickly.
