Message for @admin - hacker/scammer using the forum

Anything about use of this forum : NOT about cycling
DevonDamo
Posts: 1036
Joined: 24 May 2011, 1:42am

Message for @admin - hacker/scammer using the forum

Post by DevonDamo »

I'm asking this question of @admin at the request of @Vorpal with regards to a malicious user I've identified on the forum. I've attempted to resolve this 'offline' with Vorpal and we've exchanged several PMs, but we've reached the agree-to-disagree stage and I'm still yet to be convinced that this possible cybersecurity threat has yet been effectively dealt with.

To cut a long story short, the user has been identified as malicious because they've started two threads, which a quick Google search reveals are cut/pasted from two different Reddit forum users' posts from several years ago. Accounts with the same username were opened on several other forums and used to start threads (also using content cut/pasted from Reddit) on the exact same date/time as the posts on here. This has happened several times before following exactly the same pattern, and each time, the user has later edited their posts to include URLs which are totally unconnected to the content and appear to be malicious (things like www dot routerlogin etc) which I don't understand but certainly wouldn't want to be clicking on. I've reported these posts, made warnings on the relevant threads and started a thread in this section to warn forum members about what appears to be going on - because members are simply not recognising these malicious new accounts and continue to reply to their threads to this day.

On this thread I've been discussing with Vorpal, I'd originally posted a brief, blunt warning as follows: 'For those of you that don't mind wasting their time replying to this sort of 'fire and forget' poster, you ought to be aware that, in this case, the OP has no interest in cycling, and is a spammer, scammer or hacker - probably a bot.' I later reported the thread, but no action was taken so, when users continued to reply to the thread, I posted the following more detailed warning/explanation:
DevonDamo wrote: 7 Aug 2021, 10:37am The OP might be interested in the following discussion which appeared 4 years ago on Reddit:

https://www.reddit.com/r/bicycling/comm ... o_running/

And, while I'm at it, with regards to the other thread the OP started on here, they might be interested in the following discussion which appeared 3 years ago on Reddit:

https://www.reddit.com/r/cycling/commen ... sic_tools/

I reported this OP and their posts a few weeks back, but I'd just made a fat-fingered blunder (mistaking a different user for this OP) so it's my fault that this OP and their threads are still with us - sorting out the feathers I'd ruffled appears to have been the priority at that time. These cut and paste posts have become a relatively frequent occurrence though, so rather than accusing anyone of malicious intent in future, I'll simply post links as I have done above so you can decide for yourselves. (When these threads copied from Reddit have appeared previously, whoever is doing it has done the same across multiple forums at once, and their modus operandi has been to later edit their posts to include URLs which I'm not clued-up enough to understand, but didn't look like anything I'd want to click on from a cybersecurity point of view.)
Vorpal acted by deleting my post above, whilst allowing the malicious user to remain a member, leaving their two threads live where they both continue to attract new posts. After we'd exchanged PMs about this, I was notified that this user "has a user ID set to reactivation; meaning that they cannot log in without reactivation & every post will require approval." I asked Vorpal about this forum functionality, and was asked to redirect my questions to @admin - so here goes:

1. Does this 'ID set to reactivation' status guarantee that this user will not be able to edit their existing posts to insert malicious URLs?
2. Does this offer any benefit over simply deleting the malicious account as has been done previously? Is there any reason we'd want such users to remain members?
3. In the thread I've started about this problem, everyone (users, moderators, 'spambusters' etc.) was in universal agreement that all forum users need to be vigilant about threats like this and to report where we see them. Are warnings/explanations about threats not helpful in this regard, and is it not an own-goal to delete them?
User avatar
admin
Site Admin
Posts: 1514
Joined: 14 Dec 2006, 8:27pm
Location: Lancing, West Sussex
Contact:

Re: Message for @admin - hacker/scammer using the forum

Post by admin »

I'm not clear what the problem is?

The URLs posted were:

https://100001.onl/ (redirects to https://100001.uno/)
https://1921681254.mx/ (redirects to https://1921681254.one/)

which are pages describing how one might log into a router that has an admin interface on those IP addresses. They are irrelevant, but I can't spot anything malicious about them.

1. The plagiarist poster has been banned.
2. Yes, because we can still see which messages they posted (if their account is deleted all their posts will become anonymous).
3. Reports of possible abuse are indeed helpful, thank you. Offending posts are not deleted, they are archived.
DevonDamo
Posts: 1036
Joined: 24 May 2011, 1:42am

Re: Message for @admin - hacker/scammer using the forum

Post by DevonDamo »

admin wrote: 15 Sep 2021, 10:18am I'm not clear what the problem is?

The URLs posted were:

https://100001.onl/ (redirects to https://100001.uno/)
https://1921681254.mx/ (redirects to https://1921681254.one/)

which are pages describing how one might log into a router that has an admin interface on those IP addresses. They are irrelevant, but I can't spot anything malicious about them.

1. The plagiarist poster has been banned.
2. Yes, because we can still see which messages they posted (if their account is deleted all their posts will become anonymous).
3. Reports of possible abuse are indeed helpful, thank you. Offending posts are not deleted, they are archived.
Thanks. In answer to your first question - I have no idea whether there's a problem with those URLs, other than that I can't think of any legitimate reason why someone would go to these lengths to hide any URL on a forum thread. Some of the earlier (now-banned) users also posted up URLs containing the word 'routerlogin' which would tie in with your explanation above for what these URLs do. (I wasn't actually aware that this most recent example had already added any URLs to their posts - only that their posts were copied from Reddit like all the previous ones.)

As I don't understand the threat (and don't want to click on any of the above links) can I get some guidance here: is this serious enough to warrant me continuing to push for these users to be banned, threads deleted, warnings posted etc? Or are these links going to be no more harmful than glorified spam, and I can calm down a bit?
User avatar
admin
Site Admin
Posts: 1514
Joined: 14 Dec 2006, 8:27pm
Location: Lancing, West Sussex
Contact:

Re: Message for @admin - hacker/scammer using the forum

Post by admin »

I would say those links are just spam, they're not pretending to be a bank website or anything like that. My guess is that they're just something random to paste into a message so that it looks like it might have useful links in it.

But, if in doubt about dodgy-looking link, report the message explaining your worry.
thirdcrank
Posts: 36776
Joined: 9 Jan 2007, 2:44pm

Re: Message for @admin - hacker/scammer using the forum

Post by thirdcrank »

While we are an about this, looking at the members list ordered from those who joined most recently there are 10+ on the first couple of pages covering the last three weeks which show dodgy websites including one for doing homework/coursework and another for adult dating. I can't see any good reason for these accounts to have been created and so zapping them would be good housekeeping

memberlist.php?sk=c&sd=d&start=50
DevonDamo
Posts: 1036
Joined: 24 May 2011, 1:42am

Re: Message for @admin - hacker/scammer using the forum

Post by DevonDamo »

admin wrote: 15 Sep 2021, 11:35am I would say those links are just spam, they're not pretending to be a bank website or anything like that. My guess is that they're just something random to paste into a message so that it looks like it might have useful links in it.

But, if in doubt about dodgy-looking link, report the message explaining your worry.
Got it - thanks. Looks like I've been overestimating the threat from these threads, so I'll stand down on them in future.

(And sincere apologies to @Vorpal for having to endure my paranoid lectures on cybersecurity and the great moderator conspiracy against me...)
slowster
Moderator
Posts: 4629
Joined: 7 Jul 2017, 10:37am

Re: Message for @admin - hacker/scammer using the forum

Post by slowster »

Regarding the problem highlighted by thirdcrank, does the forum software give the option of making changes to signatures, including adding or altering websites, subject to admin/moderator approval before taking effect?
Vorpal
Moderator
Posts: 20700
Joined: 19 Jan 2009, 3:34pm
Location: Not there ;)

Re: Message for @admin - hacker/scammer using the forum

Post by Vorpal »

slowster wrote: 15 Sep 2021, 12:31pm Regarding the problem highlighted by thirdcrank, does the forum software give the option of making changes to signatures, including adding or altering websites, subject to admin/moderator approval before taking effect?
Yes. I do remove stuff like that when I notice it. I don't approve new posts from spammers with stuff in their signatures, but people register without posting, or add signatures later.
“In some ways, it is easier to be a dissident, for then one is without responsibility.”
― Nelson Mandela, Long Walk to Freedom
User avatar
mjr
Posts: 20308
Joined: 20 Jun 2011, 7:06pm
Location: Norfolk or Somerset, mostly
Contact:

Re: Message for @admin - hacker/scammer using the forum

Post by mjr »

slowster wrote: 15 Sep 2021, 12:31pm Regarding the problem highlighted by thirdcrank, does the forum software give the option of making changes to signatures, including adding or altering websites, subject to admin/moderator approval before taking effect?
I think not. It's phpbb if you want to check. With the basic software, it is not even possible to "freeze" someone's signature so they cannot edit it. You can deny them the ability to set a signature block or allow it. There might be an add-on that could change this but every add-on comes with some overhead, so admin has been reluctant to install many.
MJR, mostly pedalling 3-speed roadsters. KL+West Norfolk BUG incl social easy rides http://www.klwnbug.co.uk
All the above is CC-By-SA and no other implied copyright license to Cycle magazine.
User avatar
mjr
Posts: 20308
Joined: 20 Jun 2011, 7:06pm
Location: Norfolk or Somerset, mostly
Contact:

Re: Message for @admin - hacker/scammer using the forum

Post by mjr »

admin wrote: 15 Sep 2021, 11:35am I would say those links are just spam, they're not pretending to be a bank website or anything like that.
Those pages do include Google, Yandex and probably self-hosted trackers. They would be an obvious way for the site owner to collect IP addresses to probe for insecure routers with default passwords owned by inexpert people and attack them.
MJR, mostly pedalling 3-speed roadsters. KL+West Norfolk BUG incl social easy rides http://www.klwnbug.co.uk
All the above is CC-By-SA and no other implied copyright license to Cycle magazine.
Vorpal
Moderator
Posts: 20700
Joined: 19 Jan 2009, 3:34pm
Location: Not there ;)

Re: Message for @admin - hacker/scammer using the forum

Post by Vorpal »

mjr wrote: 15 Sep 2021, 1:13pm
slowster wrote: 15 Sep 2021, 12:31pm Regarding the problem highlighted by thirdcrank, does the forum software give the option of making changes to signatures, including adding or altering websites, subject to admin/moderator approval before taking effect?
I think not. It's phpbb if you want to check. With the basic software, it is not even possible to "freeze" someone's signature so they cannot edit it. You can deny them the ability to set a signature block or allow it. There might be an add-on that could change this but every add-on comes with some overhead, so admin has been reluctant to install many.

I partially misunderstood the question...

Moderators can remove or alter signatures, websites from profiles, and other stuff that users can put in their profiles. We can also disallow people from using signatures or modifying their profiles. We cannot make signatures & websites subject to moderator approval, except as part of the user registration process.

I have made some changes to the 'newly registered' permissions & will see if that helps with the problem that TC pointed out above.
“In some ways, it is easier to be a dissident, for then one is without responsibility.”
― Nelson Mandela, Long Walk to Freedom
thirdcrank
Posts: 36776
Joined: 9 Jan 2007, 2:44pm

Re: Message for @admin - hacker/scammer using the forum

Post by thirdcrank »

The dodgy links I mentioned have already gone so thanks for that. However, the third page of new members begins with a masseuse. Scrolling further back there are more and this page has a veritable peloton:-

memberlist.php?sk=c&sd=d&start=850

I don't know if this does any real damage because none seems to have posted; perhaps it's just my not liking to thinks these creatures have goy away with it.
slowster
Moderator
Posts: 4629
Joined: 7 Jul 2017, 10:37am

Re: Message for @admin - hacker/scammer using the forum

Post by slowster »

Vorpal wrote: 15 Sep 2021, 1:29pm We can also disallow people from using signatures or modifying their profiles.
Why not do that for all new members? Stipulate that if a new member wants to have the ability to use a signature, it will only be allowed on request and only after a person has been a member for a reasonable period and has also made a sufficient number of posts.
Vorpal
Moderator
Posts: 20700
Joined: 19 Jan 2009, 3:34pm
Location: Not there ;)

Re: Message for @admin - hacker/scammer using the forum

Post by Vorpal »

slowster wrote: 15 Sep 2021, 2:36pm
Vorpal wrote: 15 Sep 2021, 1:29pm We can also disallow people from using signatures or modifying their profiles.
Why not do that for all new members? Stipulate that if a new member wants to have the ability to use a signature, it will only be allowed on request and only after a person has been a member for a reasonable period and has also made a sufficient number of posts.
I have attempted to disallow newly registered users from adding signatures or modifying their profiles. I guess we will see if it works.

As for a 'sufficient number of posts'... that would require that every post be approved until they had passed that number because it is tied to the status 'newly registered'. I can do it, but if I were to set it at, for example, 5 posts, the user would be unable to post without moderator approval or use the pm system at all. So, folks who register to post interest in a for sale item wouldn't be able to pm the seller. That might be okay for some things, but the lack of ability to use the pm system already seems to puzzle new users. And it would be a lot more work for forum staff.

edited to add: I can disallow signatures for individual users, but it requires modifying the permissions associated with the user name, which would be very time consuming to do for all new users
“In some ways, it is easier to be a dissident, for then one is without responsibility.”
― Nelson Mandela, Long Walk to Freedom
User avatar
Mick F
Spambuster
Posts: 56359
Joined: 7 Jan 2007, 11:24am
Location: Tamar Valley, Cornwall

Re: Message for @admin - hacker/scammer using the forum

Post by Mick F »

Time consuming ................

This forum exists from the hard work of Admin and the Mods.
I do my bit, but that's what it is - a bit.
My bit gets rid of outright spam, and I alert the Mods if there's something I'm not sure of.

It's all hard work, and much of it relies on forum members pointing the issues out.
We can't all be on here 24/7 or be all-knowing and have the judgement of Solomon.
Mick F. Cornwall
Post Reply