For anyone who doubts that the web and social media are full of foreign exploiters, looking to influence the unwary, here is a tale for you – as well as an update for those who subscribe to this blog.
I recently noticed a big uptick in the number of people registering on my site, mostly after I changed the tool that handles new signups. I also noticed, in my security reports, a lot of attempted logins to my administrator site.
Concerned, I took a closer look. My site is built using a common website/blogging tool called WordPress. About a month ago, I started using their “widget” to collect subscribers. Signing up there would mean you get an email notification when a new post is uploaded.
Unfortunately, their widget also included a Login field for those who subscribe. This is not really a security flaw in itself – many blogs have levels of membership, and the basic Subscriber can only read posts. But that didn’t stop exploiters from trying to take advantage.
Side rant – I use the term “exploiters” because the term “hacker” is way overused. For example, someone did not “hack” your Facebook account. They either guessed your password was the name of the dog you posted about a thousand pictures of, or they simply created a new account using your name and some of your photos.
Hacking is a skill that involves coding and a deep knowledge of networking and computers. Exploiters are just manipulating data already available, and using brute force techniques to access sites.
That is what was going on with my blogsite. Exploiters were registering with fake email addresses to give them access to the site, then using that login screen to try and guess what my administrator name and password might be.
Fortunately, they did not have a chance of succeeding. I use a randomly generated 24-character password that includes numbers and special figures. This gives a complexity that would take even a super-computer over 400 years to hit upon the right combination (hey, I was a network engineer, ya know).
It is still a nuisance, so I immediately removed the offending widget, and took a look at the over 500 new users who had registered in the past month. It turns out that 93.4% of them were bogus.
Some were very obvious – almost half of them used the mail.ru domain, which is of course a Russian email service (not Ukrainian, sorry). There were also quite a few with the 163.com domain, which is hosted in China. More insidious were a collection of domain names that I traced to a company called Daneco Trading, which operates out of Cyprus. This company apparently hosts over 100,000 sites of questionable content, many linked with scams.
There were also some with fake domain names that don’t exist at all, like modernsailorclothing.com and plasticvoucher.com. Toss in a smattering of email addresses created by domains that specialize in throw-away anonymous email accounts – one of these had the rather blatant name of discardmail.
Most interesting were those that take advantage of the little used .club domain. This was set aside for organizations like Rotary Club, Lions Club, school activities and so on. They are being exploited by users creating temporary email addresses using (on my site) names like bieber.club (I’m sure a lot of Bieber fans read my blog), and my very favorite – maleenhancement.club.
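The review described above (sorting a registration list by email domain into obviously bogus, suspicious, and probably genuine) can be done mechanically. The following is an added example, not code from the blog or from WordPress; the registrant addresses are constructed for the example, the watchlist and disposable-provider sets are small illustrative stand-ins for the larger lists a real deployment would use, and the `RESOLVABLE_DOMAINS` set stands in for a live DNS lookup so the script runs offline. Watchlist hits are flagged for human review rather than deleted automatically, since a legitimate reader can use mail.ru or a .club address.

```python
from collections import Counter

# Constructed sample of registrant addresses, modelled on the kinds of
# signups the post describes (all local parts invented for this example).
SAMPLE_REGISTRANTS = [
    "alice@example.org",
    "bob@example.com",
    "x1@mail.ru", "x2@mail.ru", "x3@mail.ru",
    "y1@163.com", "y2@163.com",
    "z@modernsailorclothing.com",
    "w@plasticvoucher.com",
    "q@discardmail.com",
    "fan@bieber.club",
    "promo@maleenhancement.club",
]

# Domains that exist but rarely appear among a small blog's genuine readers:
# flag for review, do not auto-reject (illustrative entries).
WATCHLIST_DOMAINS = {"mail.ru", "163.com"}
# Known throw-away mail providers (illustrative; real lists are far larger).
DISPOSABLE_DOMAINS = {"discardmail.com"}
# Cheap TLDs popular with throw-away registrations (illustrative).
WATCHLIST_TLDS = {"club"}
# Assumption of this example: stands in for a DNS MX/A lookup so the code
# runs offline. In production replace membership here with a resolver check.
RESOLVABLE_DOMAINS = {
    "example.org", "example.com", "mail.ru", "163.com",
    "discardmail.com", "bieber.club", "maleenhancement.club",
}


def classify(email: str) -> str:
    """Return 'ok' or the reason an address looks bogus or suspicious."""
    if email.count("@") != 1:
        return "malformed"
    local, domain = email.lower().rsplit("@", 1)
    if not local or "." not in domain:
        return "malformed"
    if domain in DISPOSABLE_DOMAINS:
        return "disposable"
    if domain not in RESOLVABLE_DOMAINS:
        # The domain does not exist, so the address can never be genuine.
        return "unresolvable"
    if domain.rsplit(".", 1)[1] in WATCHLIST_TLDS:
        return "watchlist-tld"
    if domain in WATCHLIST_DOMAINS:
        return "watchlist-domain"
    return "ok"


def triage(emails):
    """Count each verdict and report what share of the list needs action."""
    counts = Counter(classify(e) for e in emails)
    flagged = sum(n for verdict, n in counts.items() if verdict != "ok")
    pct = round(100 * flagged / len(emails), 1) if emails else 0.0
    return {"counts": dict(counts), "flagged": flagged, "bogus_pct": pct}


if __name__ == "__main__":
    report = triage(SAMPLE_REGISTRANTS)
    for verdict, n in sorted(report["counts"].items()):
        print(f"{verdict:18s} {n}")
    print(f"flagged {report['flagged']} of {len(SAMPLE_REGISTRANTS)} "
          f"({report['bogus_pct']}%)")
```

Run it on an export of the WordPress users table (one address per line) instead of the constructed sample; the "unresolvable" and "disposable" buckets can be removed outright, while the two watchlist buckets are the ones worth a second look before deleting.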
What were they after? Probably valid email addresses of other users, access to Facebook groups and profiles, anything that could be either sold to advertisers or used to spread disinformation and propaganda (and I’m aware that some consider that a good description of my blog as well).
As my readership approaches 90,000 at the close of 2019 (and I thank you one and all), I will continue to be vigilant against this type of misuse. I can assure you that all attempts were unsuccessful, and that now there is not even a way to make the attempt.
Bottom line for my readers, is that I have gone back to a simpler, harder to exploit method for signing up. You will now see under the Search field in the upper right corner an area to sign up for email notifications of new posts.
This will simply send the user a request to click on a link to verify the email address is valid before adding it to the subscriber list.
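The verify-by-link signup described above is the classic double opt-in: nothing reaches the subscriber list until someone who can read mail at that address clicks a link, so a fabricated or nonexistent address never gets in. The following is an added example of that flow, not the blog's or WordPress's own code. It assumes an HMAC-signed, time-limited token carrying the address, an in-memory pending store, and a placeholder confirmation URL (`https://blog.example/confirm`); the `SECRET_KEY` constant is a placeholder for a secret loaded from configuration.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional

# Placeholder only: in deployment load a long random secret from configuration.
SECRET_KEY = b"replace-with-a-long-random-secret"
TOKEN_TTL_SECONDS = 24 * 3600

# Constructed in-memory stores standing in for the blog's database.
PENDING = {}        # normalised email -> outstanding token
SUBSCRIBERS = set()  # confirmed addresses only


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(email: str, now: Optional[float] = None) -> str:
    """Sign {email, expiry} so the confirmation link cannot be forged or reused past its TTL."""
    now = time.time() if now is None else now
    payload = json.dumps(
        {"email": email.lower(), "exp": int(now + TOKEN_TTL_SECONDS)},
        separators=(",", ":"),
    ).encode()
    sig = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the address inside a valid, unexpired token, else None."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    # Constant-time comparison; check the signature before trusting the payload.
    if not hmac.compare_digest(sig, expected):
        return None
    try:
        data = json.loads(payload)
        email, exp = data["email"], int(data["exp"])
    except (ValueError, KeyError, TypeError):
        return None
    if exp < now:
        return None
    return email


def request_signup(email: str, now: Optional[float] = None) -> str:
    """Record a pending signup and return the link that would be emailed out."""
    token = make_token(email, now)
    PENDING[email.lower()] = token
    # A real deployment emails this link; the address is NOT yet subscribed.
    return f"https://blog.example/confirm?token={token}"  # placeholder URL


def confirm_signup(token: str, now: Optional[float] = None) -> bool:
    """Called when the link is visited; only then does the address become a subscriber."""
    email = verify_token(token, now)
    if email is None or PENDING.get(email) != token:
        return False
    del PENDING[email]  # single use: a second visit of the same link fails
    SUBSCRIBERS.add(email)
    return True


if __name__ == "__main__":
    link = request_signup("reader@example.org")
    print("send this link by email:", link)
    print("confirmed:", confirm_signup(link.split("token=", 1)[1]))
    print("subscribers:", sorted(SUBSCRIBERS))
```

The property that matters is visible in `request_signup`: a registration that never produces a click (a mail.ru throw-away nobody reads, a domain that does not exist) leaves nothing behind except an expiring entry in `PENDING`, and the signature check means a visitor cannot confirm an address by editing the token in the link.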
If you haven’t received an email notification from this blog lately, you may want to re-register with the new system. And yes, I realize that it is logically impossible to be aware of something you didn’t know you haven’t received, but I gotta start somewhere. Come on, radar love!
If you have any questions about this, or web exploits in general, please send me your questions using the Contact Me form.