spam posts

[Ihia]

 

Since the upgrade, our forum has been inundated with spam posts originating from our members' accounts. It appears that these spammers are utilizing our members' accounts to submit posts containing spam URLs. Despite our implementation of hCaptcha, the issue persists unabated.

This influx of spam posts is not only disruptive but also undermines the integrity and usability of our forum for our genuine members. It is imperative that we find a solution to this problem promptly to maintain the quality of our platform and user experience.

I kindly request your assistance in investigating this matter and implementing measures to mitigate the occurrence of such spam posts in the future. If there are any further details or actions required from my end to facilitate this process, please do not hesitate to let me know.

[Thomas P]

57 minutes ago, Ihia said:

It appears that these spammers are utilizing our members' accounts to submit posts

This is uncommon as this sounds like your member use weak passwords and those accounts got compromised - at least you should consider this possibility imo.
Good luck 

[Marc Stridgen]

There is nothing within the upgrade that would cause something like this in any way. The only way this can happen is if the spammers have the login details for those accounts already. If its happening on a huge number of accounts, it may be worth force changing passwords on accounts.

Its worth noting here, that hCaptcha will do nothing to resolve an issue with spam from existing members. They do not use captcha when posting, as they are members. Its also worth noting we have 2 factor authentication on the software that would prevent this from happening. It would be worth using this and enforcing it for your members if you have such issues

[Ihia]

Thank you, Marc Stridgen. I've forced all members to reset their passwords, but despite this, the same spam issue persists. Even after all members have reset their passwords, spam continues to come from numerous accounts.

 

[Marc Stridgen]

If they are spam users, then of course they will get the spam reset requests. The only option at that point would be to remove the users from being able to post. If you know they are genuine users, its possible they have compromised email accounts I would guess. In any case, if they are getting in with genuine login details, even after having them reset the password, thats not really a software issue unfortunately.

[Svetozar Angelov]

We had the same problem in our forum. Please give a solution.

 

[Marc Stridgen]

As mentioned in my message just above yours, this isnt really something that is a software issue. If users are able to access those accounts to spam, then of course they will be able to do so. 

[Svetozar Angelov]

38 minutes ago, Marc Stridgen said:

As mentioned in my message just above yours, this isnt really something that is a software issue. If users are able to access those accounts to spam, then of course they will be able to do so. 

I asked quite a few software professionals. They claim the opposite of your opinion, because we changed the passwords to very difficult ones and they are still breaking into user accounts. We suspect Exploit. Please, check your code, because this problem appeared in early March and quite a few people from Invision Community are complaining about the problem.

[Randy Calvert]

So you asked someone who literally knows nothing about the software, its security or configuration and you expect them to know what they’re talking about?  That would be like going up to a random police officer and asking them who committed a crime in your country without them knowing anything about the circumstances. 
 

Based on my personal experience… I have seen numerous circumstances where accounts have been created by spammers that instead make a few “innocent” posts and several months later come back and start spamming. In researching the account IP that posted the “innocent” content was posted from a VPN where the spammer would attempt to mask their real IP. They would switch to a different VPN IP for spamming. 

If this was truly a situation where it was a software level exploit it would not happen with just a few accounts. A majority of the accounts would be used including admin/moderator accounts. It would also be impacting EVERY single board. 

[Svetozar Angelov]

1 hour ago, Randy Calvert said:

So you asked someone who literally knows nothing about the software, its security or configuration and you expect them to know what they’re talking about?  That would be like going up to a random police officer and asking them who committed a crime in your country without them knowing anything about the circumstances. 
 

Based on my personal experience… I have seen numerous circumstances where accounts have been created by spammers that instead make a few “innocent” posts and several months later come back and start spamming. In researching the account IP that posted the “innocent” content was posted from a VPN where the spammer would attempt to mask their real IP. They would switch to a different VPN IP for spamming. 

If this was truly a situation where it was a software level exploit it would not happen with just a few accounts. A majority of the accounts would be used including admin/moderator accounts. It would also be impacting EVERY single board. 

Your example with the policeman is absolutely irrelevant! This is about an exploit in user accounts. And how many forums have already complained about it. Do you want to register in Cyrillic with a question who wrote the national anthem? Since the last update in March, the breakthroughs started. It is clear where the problem comes from. When your forum suffers, you will know about the problem. I'm sure.

[Jim M]

2 minutes ago, Svetozar Angelov said:

This is about an exploit in user accounts.

I'm afraid, this is not a security issue. However, it is a case of spammers trying to sneak under the radar and access counts they've setup in the past.. Keep in mind that a spammer can reset a password to an account if they have access to the email address tied to the account.

 

[Svetozar Angelov]

2 hours ago, Jim M said:

I'm afraid, this is not a security issue. However, it is a case of spammers trying to sneak under the radar and access counts they've setup in the past.. Keep in mind that a spammer can reset a password to an account if they have access to the email address tied to the account.

 

Ok, so what solution do you propose specifically? How can we protect ourselves from this and fix the problem that depends on us?

[Jim M]

1 minute ago, Svetozar Angelov said:

Ok, so what solution do you propose specifically? How can we protect ourselves from this and fix the problem that depends on us?

You will want to do the following Spam Prevention items mentioned in this guide: https://invisioncommunity.com/4guides/security-and-rules/spam-prevention-r9/

Looking at your registration form, you are still using CAPTCHA2. You will want to switch to hCAPTCHA to prevent more automated spam bots.

Check that your Spam Defense is configured correctly for our services in ACP -> Members -> Spam Prevention.

Configure the Flag as Spammer option to be used by you and your administrator/moderator teams to quickly remove spam posts and ban spammers.

You will also want to rotate your Question and Answer challenges frequently and ensure that they are things which you are target audience knows but is not easily Googled. This will prevent spam human users from registering.

If you are seeing spammers from a certain country that your community does not serve, you can also block them in ACP -> Members -> Spam Prevention -> Geolocation Settings.

Finally, if you believe spammers are gaining access to accounts through means of exposed credentials from the dark web. Enabling and requiring Two Factor Authentication will help prevent that.

Outside of the items mentioned above, the next steps would be to take moderation action. Require your base member group to have 1 or more posts approved by a moderator prior to them showing up to the rest of your community without being moderated. Use the automated moderation tools so that if a post is reported x times as spam, the system will automatically hide it for your team to review.

If any spammers do get through, be sure to use the Flag as Spammer option as that will report it to our system and help your fellow administrators.

I will say that no 1 spam prevention method will be 100%. However, hopefully, with all the above, it should cut enough down that you are able to not just wake up to a bunch of spam posts that plague your community. If you deploy the moderation techniques, you will not have your community publicly plagued by spammers.

Unfortunately, in the event that a spammer has dormant account(s) on your site and they have already surpassed an acceptable amount of posts (I say acceptable as some may be borderline that your moderation team may still allow) to bypass the moderation queue, the only thing that will help are successful moderation practices by humans and staying vigilant about the future with the above.

[Svetozar Angelov]

Thanks. All spam measures have been taken since before. We also moved on hCAPTCHA. I hope this scourge stops.

[Svetozar Angelov]

Strange, when registering I get the following message:: hCaptcha has failed to initialize. Please see the developer tools console for more information

[Jipa331]

My forum experienced the same issue. In my case, they weren't spamming articles (since only specific member groups can write articles on my forum), but they attempted to purchase products using the "saved credit card" information of genuine users.

I've noticed that this can happen on many IPS websites.
A few days ago, a hacker sent me a leaked list of IDs and passwords for my website, and I asked if they could obtain similar information for other IPS websites. They sent me leaked IDs and passwords for other IPS sites within 10 minutes. For me, this has been happening since March.

Not sure whether this is the security problem related with IPS or not (I'm using the latest version of IPS now), but just want to report a similar issue with the above.

[Marc Stridgen]

I am curious as to how you have "notices this can happen on many IPS websites"? Could you perhaps elaborate on that?

There isn't any way in which to actually get password from the database (for example, even from the database, I couldn't tell you what your password is). So if someone is sending you usernames and passwords that are genuine, its very likely they have gotten it from another source. We often find that users using the same password across multiple platforms are the ones that get targeted. 

Of course, if you have more specific information, please do feel free to contact our accounts department on the contact us link below (or pm me, that's not a problem). But a list of usernames and passwords being sent to you won't have come from your IPS database, as they simply aren't stored in a manner that is readable and would allow that, even with full access to a sites database. 

If you have many customer accounts that have been compromised, I would advise you force all users to change passwords on your site, which you can do from the members section of your admin CP

[Svetozar Angelov]

As a result of my post, I received the following messages from fellow IPS users:

Quote

Do you have issues with genuine accounts being accessed by hackers or spammers?

My forum experienced the same issue. In my case, they weren't spamming articles (since only specific member groups can write articles on my forum), but they attempted to purchase products using the "saved credit card" information of genuine users.

I've noticed that this can happen on many IPS websites. A few days ago, a hacker sent me a leaked list of IDs and passwords for my website, and I asked if they could obtain similar information for other IPS websites. They sent me leaked IDs and passwords for other IPS sites within 10 minutes.

What about your situation? For me, this has been happening since March.

Surely IPS should check our case thoroughly. As I have been a customer of IPS for over 10 years, and I am sure there is a problem.

[Jim M]

3 minutes ago, Svetozar Angelov said:

As a result of my post, I received the following messages from fellow IPS users:

Surely IPS should check our case thoroughly. As I have been a customer of IPS for over 10 years, and I am sure there is a problem.

 

21 minutes ago, Marc Stridgen said:

Of course, if you have more specific information, please do feel free to contact our accounts department on the contact us link below (or pm me, that's not a problem). But a list of usernames and passwords being sent to you won't have come from your IPS database, as they simply aren't stored in a manner that is readable and would allow that, even with full access to a sites database. 

If you have many customer accounts that have been compromised, I would advise you force all users to change passwords on your site, which you can do from the members section of your admin CP

Please see what I have quoted from Marc, who posted above you, in response to the individual replying to your topic here. Again, it does not sound like our application was compromised but if you have specific details, please send them in a response to the accounts inbox at the Contact Us form at the bottom of each page.

[Jipa331]

9 hours ago, Marc Stridgen said:

I am curious as to how you have "notices this can happen on many IPS websites"? Could you perhaps elaborate on that?

There isn't any way in which to actually get password from the database (for example, even from the database, I couldn't tell you what your password is). So if someone is sending you usernames and passwords that are genuine, its very likely they have gotten it from another source. We often find that users using the same password across multiple platforms are the ones that get targeted. 

Of course, if you have more specific information, please do feel free to contact our accounts department on the contact us link below (or pm me, that's not a problem). But a list of usernames and passwords being sent to you won't have come from your IPS database, as they simply aren't stored in a manner that is readable and would allow that, even with full access to a sites database. 

If you have many customer accounts that have been compromised, I would advise you force all users to change passwords on your site, which you can do from the members section of your admin CP

Yes, I am aware that ID and passwords are not stored as plaintext in the database but are encrypted. It's possible that the hacker found various IPS sites using a different ID/PW saving tool and organized this information to send to me.

However, there is a major flaw in the IPS login system. I know that 2-Factor Authentication (2FA) is available and can be enforced, but this is useless for people who have already left the website. A hacker could log in using the leaked ID and password and then register their own 2FA key.

Like many other websites, why doesn't IPS require email-based code verification when logging in? If this were possible, it could securely protect all accounts, including those of people who no longer use the website.

 

[Jipa331]

10 hours ago, Marc Stridgen said:

I am curious as to how you have "notices this can happen on many IPS websites"? Could you perhaps elaborate on that?

Regarding this,

They demanded money to avoid leaking my website's ID and password information. To test their capabilities, I asked if they could obtain the ID and password for three other random IPS-based websites. Within 10 minutes, they sent me the credentials for these sites, involving thousands of accounts for each.

What's most alarming is that these ID and password combinations were indeed functional on other IPS websites.

Even though it's not IPS's fault, there needs to be better login protection. The current 2FA system is insufficient for securing all accounts. Currently, members must manually register 2FA after logging into our website.
Implementing email code verification at login would be a more effective method to protect all accounts.

 

 

[Jim M]

Keep in mind that the biggest hole in any authentication/identity system is the human using it. Odds are that if that user setup several accounts around the internet with the same credentials, their email is more than likely also to be one of those. Your solution may solve the issue in some cases but odds are likely not in its favor. As the attacker, likely has access to their email as well.

Which is why using a non-email source, like a Two Factor Authentication code generation with a cell phone app, is generally more secure. As an attacker obtaining access to that 2FA source is harder.

The best case, would have been requiring it from the start of any community. That’s not always possible but the good news, you can require 2FA starting today and any new members or members who login will have it implemented.

You can also use the logout all members and change password requirements to ensure that users need to reset their password prior to logging in again. In conjunction with requirements around password difficulty, this will help hopefully change passwords for your users.

However, if you feel strongly about the code generating link to an email to login, you’re more than welcome to suggest that in our Feedback forum for further evaluation. 

[Jipa331]

7 minutes ago, Jim M said:

 

You can also use the logout all members and change password requirements to ensure that users need to reset their password prior to logging in again. In conjunction with requirements around password difficulty, this will help hopefully change passwords for your users.

 

Thanks for the suggestion. it would help to solve this issue.
Where can I find this option in IPS ACP? (logout all users at once and request all of them to reset their PW)

 

[Jim M]

5 minutes ago, Jipa331 said:

Thanks for the suggestion. it would help to solve this issue.
Where can I find this option in IPS ACP? (logout all users at once and request all of them to reset their PW)

 

ACP > Members > Force password reset

[Svetozar Angelov]

Despite all the measures taken, today there was again spam in our forum, which is extremely annoying to me and the users. I'm sure you have a bug in IPS that occurred after an update from the beginning of March. Our problems continue. 😣