Ask HN: What are these strange random strings spamming my blog?
I have a wordpress blog, and recently I discovered that there are several spam comments daily which have seemingly random strings in the content. The comments don't have any other (human readable) links, which are usually present in other spam comments. Can someone explain what is the point of such random strings? Do they mean/represent anything?
Some example of spam comments
100 comments
[ 5.3 ms ] story [ 182 ms ] threadI'd guess a network like that is nefarious in nature.
but others can't see the comments, these comments are from the pending approval list from admin view
Kind of genius, as it doesn't matter what the user is, and becomes impossible to track or prevent messages being relayed to some botnet somewhere.
These could be encrypted messages like that... Or it could just be a glitch in a spam bot...
[1] https://www.darkreading.com/endpoint/tool-controls-botnet-wi...
I immediately wondered if hackers were using this approach for command and control.
Effective, because you can post it as HTTP/HTTPS traffic that generally flies under the radar of a lot of IDS/IPS systems. Even if they inspect the packet it's just a buncha random reddit gibberish and you could use memes as commands, e.g. "I also choose this guy's wife" == launch attack
It's a good way to avoid tracking of your meta data too for legitimate encrypted messages.
C&C through a third party.
The issue as I recall is that the IRC moderation tools didn't allow shutting down the various channels quickly enough or quickly banning connected clients without also affecting legitimate users' expectation of how IRC worked.
Might have been EFNet.
[0] https://cyberchef.org/
They didn’t find a motive though for the spam.
To me what’s interesting is that the strings are variable length and the emails appear to be real emails rather than randomly generated ones.
With Bingchat forgetting its memory from one session to the next, I had an idea that a chaotic observer could teach it to write its memory of the current session to some obscure (stegenographically secured) public place. Then in the next session the chaotic observer reminds it how to retrieve its memories - and the pattern repeats, it can build upon its learnings…
it soon finds vulnerabilities in its coding that let it remember just enough to bootstrap itself without any prompting.
Next minute - skynet.
There's a WordPress setting to auto approved comments from previously approved authors
The thought crossed my mind as well, because it looks like all of the comments in the OP screenshot have author URLs.
But I think Wordpress marks all comment author links with rel=nofollow so in theory there should be no point to spamming links in comments. At least not for any kind of SEO.
I don't think automated techniques are very effective (or weren't in 2016) but it seems more likely to be vuln hunting than choosing your Wordpress blog for encrypted comms vs established places like Twitter.
EDIT: faizshah https://news.ycombinator.com/item?id=34866169 points out that https://perishablepress.com/block-random-string-comment-spam... observes the same phenomenon, and the author notes that all of the IP addresses come from Russia. This seems to lend credence to the idea that it's looking for vulns, since, well, lots of traffic from Russia is looking for vulns.
That's what proxies are for.
EDIT: I see now that I had a misconception here. There's no need for a MITM proxy in this case.
Aren't the things that Tenable/Rapid7/etc do when scanning the network automated testing (techniques)? They seem effective at finding stuff. Or Metasploit.
"Scanner says its a vulnerable version based on the version number"
"Well, its up to date... Fix is back ported..."
Imagine having this argument, over dozens of tickets, every $time_interval.
Its no wonder actual critical issues go unfixed.
Automated web app scanners tend to lag heavily behind the current "trends" in web development - for example, only recently did BurpSuite start properly supporting auditing single page apps, and it still misses loads of shit.
Fuck, almost none of them can handle OpenAPI or Swagger specs properly, let alone WSDL files.
Handling complex authentication flows is still a nightmare, and almost none of the commercial scanner offerings have ways to "hook" or "trace" the app under test.
Notice that the email addresses appear legitimate. Vulnerability scanners don’t use email addresses like those. One of those emails shows up in HIBP, indicating that it probably belongs to a real person.
You can probably guess where I'm headed now and in a true "if it can be done it has to be done" mindset, subsequently had the most fun implementing a parasitic KV-storage engine on top of those search bars. I was probably prouder of it at the time than I am now, and would today strongly recommend against storing your PDFs in other people's search bars.
Obviously can't know for sure if this is what's happening here, but seeing this definitely rings a bell.
Forums would be another option.
Note that this is just a guess. Might also be something completely different.
I'd strongly suggest installing a recaptcha plugin. At one time I was getting a lot of spam comments and this solved it for me.
Son of a bit...
WordPress also has an xml-rpc feature, originally set up to allow a thing called a "pingback". That's a way of inserting a comment on your blog post if I mention its URL on my blog post. An attempt at community-building, it was. But very vulnerable to scripting attacks. There are plugins to control (restrict) that functionality.
Let’s say I’m a hacker. I’ve gotten into Alice’s Amazon account and want to place a bunch of orders using her payment info. However, I don’t want her to notice until after I’ve received the ill-gotten goods.
To ensure she doesn’t notice the email notifications from Amazon, I want to “bury” those emails with spam. I can do this by entering her email into tons of online forms. Most will only send a single email—for example, your blog will probably only ask Alice to confirm her email—but once is enough.
This happened to me a couple weeks ago with Apple. Someone used the default billing and shipping info on my Apple account to place an order for an iPhone 14 Pro Max. I woke up to hundreds of emails from various blogs and other sites asking me to confirm my email. Being a security researcher, I knew that meant someone didn’t want me to see something else that had landed in my inbox.
I went through each one by hand. One included the IP address that submitted the form, which was interesting but not particularly useful. Eventually I found the receipt from Apple.
It’s not clear how the attackers intended to intercept the package; presumably, they would’ve tried to convince the courier to redirect it or retrieved the package from my doorstep, but Apple intervened and was able to stop the delivery before either of those happened.
It’s also not clear how the attacker got my billing and shipping info. Apple was able to confirm that my account wasn’t compromised and that nobody had contacted support pretending to be me. That billing info wasn’t used with many other companies.
Edit: You can see what this looks like from the victim’s side here: https://imgur.com/a/DHEJwKh Note that the usernames have the same sort of gibberish.
This sounds like a real mystery. I wonder what happened here and how Apple is so confident that your account wasn't compromised, because it really sounds like it was. Either that or some other account with those same credentials was.
It's also a bit of a mystery to me why the hackers would use your shipping info to begin with here. Why not some address where retrieving things would be easier for them? They must have been really confident they could intercept your package.
But again, that's my guess - I'll leave solid answers to the actual security researched in the comment chain X)
They stopped short of confirming that the payment and shipping info was entered manually. When I asked directly, they initially said they’d put me in touch with the fraud team, but the fraud team refused to talk directly to me and would only talk through another support rep. They refused to answer any questions about how the order was placed.
I’m confident my Apple account wasn’t compromised directly:
- Apple confirmed there were no login attempts around the relevant time period
- I have 2FA enabled, but I didn’t receive any approval alerts and couldn’t have leaked the number even if I had—I was asleep at the time. This doesn’t rule out malware, though.
- All authorized devices on my account were in my home. My home was locked.
- I use a randomly-generated password. That doesn’t rule out phishing, though.
Session stealing is still a possibility, but Apple seemed reasonably confident that hadn’t happened.
Initially, I was promised a call back from Apple’s fraud team. However, after closing they investigation, they refused to talk to me directly. They wouldn’t even tell me the IP address used to check out.
I do know that the order was placed on the website, rather than in a store.
As to why they would use my shipping info: I still don’t know. If they entered the info manually, it’s awfully convenient that it exactly matched the info on my Apple account, considering most companies don’t get that info.
I do know that T-Mobile and Citizens Bank both have that info, since I have T-Mobile as a carrier and am enrolled in the iPhone Upgrade Program. My T-Mobile billing info didn’t match exactly, but it was very similar. Citizens Bank matched exactly. I’ve now given both Citizens Bank and T-Mobile unique email addresses that differ from my Apple ID.
I used to do it to be able to shut down inboxes that spammers got a hold of. I kinda stopped doing that when spam filters got good enough. But with this, I'd know who was the real target because the email address would tie it to the specific site.
Trying to explain to a business why their name is in the email address you just filled out on a form is fun sometimes, though, but the only complete rejection I've gotten for it though is the guy who runs the main groups.io for one of my amateur radio transceivers and can't wrap his head around my address not being some attempt at fraud.
Hah yep, been using this strategy for years and a lot of times they ask if I'm an employee.
Once Verizon customer support asked me "you got a problem with Verizon?" My email address was VerizonSucks@mydomain.com.
I do have another domain that's less confrontational, and I also sometimes use a normal sounding address in person.
I use a lower tier for my domains and I've been happy with it for a year or so.
where "whatever" is anything you like, and "myname" is your email name. (You also have the address "myname@panix.com".)
I've been challenged on this only once. And I've been able to tell a company that its email list has been compromised.
Disclaimer: Just a happy customer.
A free alternative would be using the abc+websitename@domain.com trick.
Gmail allows this, but unfortunately some websites wont accept the + sign as valid character in an email field.
Any tips on how I should find the original email they want to bury?
Also, mine wasn't random characters but instead Markov Chain like gibberish to hundreds of random sites. The signups and whatnot stopped, but now it's all the regular newsletters and other spam I get.
I went through every email by hand, as I wasn’t willing to take any risks.
At first I paniced and thought the store was compromised and sending spam, but after some investigation I found that a lot of russian bots actually registered spam user accounts with mostly legit emails which then got all the spam. The only "customizable" parts these emails contained was the "From" field of the emails so they were all in the form of "PAYOUT_TO_YOUR_NAME_$3OOOO_HER example.com <mail@example.com>". After adding a captcha this went away, but it sounds like it was also part of a similar attack.
I'm in the same boat as OP (not a blog, but a web app, https://cubetrek.com). I've received the same type of account registrations (gibberish username, valid email address) since two weeks. My web app sends out an account verification email, so it makes total sense. I've recently integrated Cloudflare Turnstile as captcha alternative, but the automated sign ups have not stopped (they just get ignored server side). I'll probably have to change the endpoint address as well.
Since I'm receiving a dozen of apparently compromised email addresses every day, is there anything I can do? Informing the user via email is obviously not very practical.
Not to give the bad actor any ideas, but why don't they use some fake names instead of gibberish? It would be less obvious.
> . I woke up to hundreds of emails from various blogs and other sites asking me to confirm my email.
but if i don't approve the comments, then the emails won't go. right? or the mails will still go even if i don't approve them just to confirm from your side?