Author Topic: My account is being hacked?  (Read 5435 times)

Offline paul

  • Contributor
  • Posts: 37
Re: My account is being hacked?
« Reply #25 on: October 09, 2021, 05:31:59 pm »
It's happened again, four emails with “Failed Login Attempt”.

Three users with the same IP address, followed by seven users the next day with a different IP address.
However, the user names are not found when I “search for members”, so I guess the users' accounts have already been blocked / deleted?

The user names were mostly random letters (again) and the IP addresses are 45.88.82.128 and 195.208.119.20
« Last Edit: October 09, 2021, 05:48:33 pm by paul »
 

Online MrMobodies

  • Super Contributor
  • ***
  • Posts: 1934
  • Country: gb
Re: My account is being hacked?
« Reply #26 on: October 10, 2021, 02:29:00 am »
Just noticed HPIB's country flag is showing Czech Republic and the IP address is assigned to Czech ISP MagnaLink, and DDT has a British flag, which is a long way away, assuming they are in their respective countries according to the flag they set.

https://whois.domaintools.com/188.122.198.84
Quote
IP Location   Czech Republic Czech Republic Hradec Kralove Magnalink A.s.
ASN   Czech Republic AS57728 HELIOSMB-AS, CZ (registered Oct 21, 2019)
Resolve Host   host84-198-122-188.magnalink.cz
Whois Server   whois.ripe.net
IP Address   188.122.198.84
« Last Edit: October 10, 2021, 02:38:23 am by MrMobodies »
 

Offline bson

  • Supporter
  • ****
  • Posts: 2386
  • Country: us
Re: My account is being hacked?
« Reply #27 on: October 10, 2021, 10:01:22 pm »
Many internet providers and most cellular network providers these days use carrier grade NAT (CG-NAT) on their IPv4 address space. This means that you could be sharing an IP address between multiple users. There just aren't enough IPv4 addresses to go around so that everyone has their own unique address (even if it's dynamically assigned).
It could also be a bug in the forum software. If I try to log in as you, will it associate my address with your account? It shouldn't, but if it does it would result in exactly these messages if someone is trying to guess passwords for a large number of users.
 

Online EEVblog

  • Administrator
  • *****
  • Posts: 38378
  • Country: au
    • EEVblog
Re: My account is being hacked?
« Reply #28 on: October 11, 2021, 01:46:35 am »
Quote
It's happened again, four emails with “Failed Login Attempt”.

Three users with the same IP address, followed by seven users the next day with a different IP address.
However, the user names are not found when I “search for members”, so I guess the users' accounts have already been blocked / deleted?

The user names were mostly random letters (again) and the IP addresses are 45.88.82.128 and 195.208.119.20

A couple of people have mentioned this recently.
I presume it's just spam bots randomly attacking accounts.
 

Offline timbob

  • Contributor
  • Posts: 19
  • Country: us
Re: My account is being hacked?
« Reply #29 on: August 02, 2024, 12:28:21 am »
Just got an email about a failed login today while I was at work.
 

Offline Andy Chee

  • Frequent Contributor
  • **
  • Posts: 922
  • Country: au
Re: My account is being hacked?
« Reply #30 on: August 02, 2024, 06:23:05 am »
I imagine it's a data scraper bot that is harvesting the thread subheader, for example:

Quote
DimitriP, Gertjan, mk_, darkspr1te, BennoG, RJSV, JMK, slavoy, Kim Christensen, djsb, coppercone2 and 183 Guests are viewing this board.

So a single bot machine (which explains the common IP address) located in India, Russia, North Korea, could scrape this list of names, and try out some obvious passwords.

There's probably a bot just sitting on the Test Equipment forum (biggest forum) just scraping away.
« Last Edit: August 02, 2024, 06:27:01 am by Andy Chee »
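
An added example, not part of any post in this thread and not SMF code: the pattern reported above (one IP address failing logins against several different usernames in a short burst) can be separated from a single member mistyping a password, or from unrelated users behind a shared CG-NAT address, by counting distinct usernames per IP inside a time window. The log format, the names and the thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed failed-login events: "<ISO timestamp> <source IP> <username>".
# Hypothetical format; the IPs are documentation ranges, not those in the thread.
SAMPLE_LOG = """\
2021-10-08T09:14:02 192.0.2.10 xkqjzt
2021-10-08T09:14:05 192.0.2.10 member_a
2021-10-08T09:14:09 192.0.2.10 bwvhrm
2021-10-08T11:30:00 198.51.100.7 member_b
2021-10-08T11:30:40 198.51.100.7 member_b
2021-10-08T11:31:15 198.51.100.7 member_b
2021-10-09T03:02:11 203.0.113.5 member_c
2021-10-09T08:45:00 203.0.113.5 member_d
"""

def parse(log):
    """Yield (timestamp, ip, username) for each non-empty log line."""
    for line in log.splitlines():
        if line.strip():
            ts, ip, user = line.split()
            yield datetime.fromisoformat(ts), ip, user

def spraying_sources(log, min_users=3, window=timedelta(hours=1)):
    """Map each IP that failed logins against >= min_users distinct
    usernames inside one sliding window to every username it tried."""
    by_ip = defaultdict(list)
    for ts, ip, user in sorted(parse(log)):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in by_ip.items():
        start = 0
        for end, (ts, _) in enumerate(events):
            # Shrink the window from the left until it spans <= `window`.
            while ts - events[start][0] > window:
                start += 1
            if len({u for _, u in events[start:end + 1]}) >= min_users:
                flagged[ip] = sorted({u for _, u in events})
                break
    return flagged

if __name__ == "__main__":
    for ip, users in spraying_sources(SAMPLE_LOG).items():
        print(f"{ip}: failed logins for {len(users)} accounts: {users}")
```

Only 192.0.2.10 is flagged: the repeated failures for one account and the two attempts hours apart from a shared address stay below the threshold.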
 

Online EEVblog

  • Administrator
  • *****
  • Posts: 38378
  • Country: au
    • EEVblog
Re: My account is being hacked?
« Reply #31 on: August 06, 2024, 02:24:16 am »
Just had a forum user contact me that he got an email report that a dozen different new accounts were set up with part of his username used, sharing the same IP address.
The only conclusion I can come to was that his machine was infected with some sort of malware that was creating accounts. As how else would they know his username and use the same IP?
 

Offline Halcyon

  • Global Moderator
  • *****
  • Posts: 5857
  • Country: au
Re: My account is being hacked?
« Reply #32 on: August 06, 2024, 03:15:21 am »
Quote
Just had a forum user contact me that he got an email report that a dozen different new accounts were set up with part of his username used, sharing the same IP address.
The only conclusion I can come to was that his machine was infected with some sort of malware that was creating accounts. As how else would they know his username and use the same IP?

Username, I can understand, but IP address nope.
 

Offline ebastler

  • Super Contributor
  • ***
  • Posts: 6836
  • Country: de
Re: My account is being hacked?
« Reply #33 on: August 06, 2024, 05:11:19 am »
Quote
Just had a forum user contact me that he got an email report that a dozen different new accounts were set up with part of his username used, sharing the same IP address.
The only conclusion I can come to was that his machine was infected with some sort of malware that was creating accounts. As how else would they know his username and use the same IP?

Where did that email come from? Does SMF send such emails when it detects fraud attempts? (But why would the creation of an account which uses "part of one's username" be considered fraud? There are plenty of usernames here which share parts of the name.)

I am wondering whether the email itself was a scam attempt, trying to get the user's real credentials?
 

Offline Halcyon

  • Global Moderator
  • *****
  • Posts: 5857
  • Country: au
Re: My account is being hacked?
« Reply #34 on: August 06, 2024, 07:53:06 am »
Dave, I know you set up DMARC a little while ago, but I'd recommend implementing a stronger policy. Currently the policy is p=none (which is useful for testing), but worth moving that over to p=reject at some stage.

Also make sure any services sending emails on behalf of eevblog.com are included in your SPF policy (if they don't log in directly to your Google account).

https://checkcybersecurity.service.ncsc.gov.uk/email-security-check/results?domain=eevblog.com
 

Online EEVblog

  • Administrator
  • *****
  • Posts: 38378
  • Country: au
    • EEVblog
Re: My account is being hacked?
« Reply #35 on: August 07, 2024, 03:56:40 am »
Quote
Dave, I know you set up DMARC a little while ago, but I'd recommend implementing a stronger policy. Currently the policy is p=none (which is useful for testing), but worth moving that over to p=reject at some stage.

Did that and it caused all my email to be rejected by recipients (Gmail especially).
 

Online EEVblog

  • Administrator
  • *****
  • Posts: 38378
  • Country: au
    • EEVblog
Re: My account is being hacked?
« Reply #36 on: August 07, 2024, 03:57:32 am »
Quote
Just had a forum user contact me that he got an email report that a dozen different new accounts were set up with part of his username used, sharing the same IP address.
The only conclusion I can come to was that his machine was infected with some sort of malware that was creating accounts. As how else would they know his username and use the same IP?

Where did that email come from? Does SMF send such emails when it detects fraud attempts? (But why would the creation of an account which uses "part of one's username" be considered fraud? There are plenty of usernames here which share parts of the name.)

I am wondering whether the email itself was a scam attempt, trying to get the user's real credentials?

Yes, SMF detects failed login attempts and alerts the account holder via email.
 

Offline ebastler

  • Super Contributor
  • ***
  • Posts: 6836
  • Country: de
Re: My account is being hacked?
« Reply #37 on: August 07, 2024, 06:46:58 am »
Quote
Yes, SMF detects failed login attempts and alerts the account holder via email.

Sure, I know about these notifications. But in your earlier post, you had mentioned "an email report that a dozen different new accounts were set up with part of his username used, sharing the same IP address".

What's the deal there? Would I receive an email if someone creates an account with a username which resembles mine? Or if someone creates a new account and comes from the same IP address which I have used at some point before -- i.e. someone just using the same internet provider as me?
 

Offline Halcyon

  • Global Moderator
  • *****
  • Posts: 5857
  • Country: au
Re: My account is being hacked?
« Reply #38 on: August 07, 2024, 07:50:07 am »
Quote
Dave, I know you set up DMARC a little while ago, but I'd recommend implementing a stronger policy. Currently the policy is p=none (which is useful for testing), but worth moving that over to p=reject at some stage.

Did that and it caused all my email to be rejected by recipients (Gmail especially).

That's working as intended. It also means something else is misconfigured (probably SPF). A policy of "none" is basically like having no DMARC at all.
 

Offline golden_labels

  • Super Contributor
  • ***
  • Posts: 1322
  • Country: pl
Re: My account is being hacked?
« Reply #39 on: August 07, 2024, 06:32:49 pm »
Until ebastler's question is answered, I can deliver one guess.

Perhaps the user registered in another service using the same username and email address? If the service was run or compromised by the adversary, they would have their username, email address, and IP address. The first two are enough to send a scam email, pretending that it comes from some service (EEVblog forum in this case).(1) Having the IP address just makes it more believable.


(1) The EEVblog forum itself wouldn’t be special in this case. It just happened that the usernames agree for this particular website.
People imagine AI as T1000. What we got so far is glorified T9.
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 8087
  • Country: de
  • A qualified hobbyist ;)
Re: My account is being hacked?
« Reply #40 on: August 07, 2024, 07:05:08 pm »
Quote
Dave, I know you set up DMARC a little while ago, but I'd recommend implementing a stronger policy. Currently the policy is p=none (which is useful for testing), but worth moving that over to p=reject at some stage.

Code:
host -t TXT _dmarc.eevblog.com
_dmarc.eevblog.com descriptive text "v=DMARC1; p=none; sp=none; fo=1; aspf=r; adkim=r;"

fo=1 (create forensic report for rejected emails) doesn't make much sense without also setting ruf=mailto:<some email address> to receive the reports.
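
An added example, not part of any post in this thread: a small check that parses a DMARC TXT value and reports the points raised in the DMARC discussion above (a monitor-only policy, and `fo=` without `ruf=`). The `rua=` check is an addition based on RFC 7489, since aggregate reports are how failing senders are found before moving to `p=reject`; the strict record and its mailboxes are constructed placeholders.

```python
# Record copied from the `host -t TXT _dmarc.eevblog.com` output quoted above.
PAGE_RECORD = "v=DMARC1; p=none; sp=none; fo=1; aspf=r; adkim=r;"
# Constructed record for comparison; the report mailboxes are placeholders.
STRICT_RECORD = ("v=DMARC1; p=reject; fo=1; "
                 "rua=mailto:dmarc-agg@example.com; ruf=mailto:dmarc-fail@example.com")

def parse_dmarc(txt):
    """Split a DMARC TXT value into a {tag: value} dict (tags lower-cased)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def review_dmarc(txt):
    """Return (tag, finding) pairs for settings that weaken the record."""
    tags = parse_dmarc(txt)
    findings = []
    if tags.get("v") != "DMARC1":
        findings.append(("v", "not a DMARC1 record"))
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append(("p", "monitor only: failing mail is still delivered"))
    elif policy not in ("quarantine", "reject"):
        findings.append(("p", "missing or invalid policy"))
    # sp= overrides p= for subdomains; when absent, subdomains inherit p=.
    if tags.get("sp", "").lower() == "none":
        findings.append(("sp", "subdomains are monitor only"))
    if not tags.get("rua"):
        findings.append(("rua", "no aggregate reports: failing senders stay invisible"))
    if "fo" in tags and not tags.get("ruf"):
        findings.append(("fo", "failure-report options set but no ruf= to receive them"))
    return findings

if __name__ == "__main__":
    for tag, finding in review_dmarc(PAGE_RECORD):
        print(f"{tag}: {finding}")
```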
 

