#1 2023-01-19 5:25 pm
- Alex Kemp
- Moderator
- From: Nottingham, England
- Registered: 2009-12-02
- Posts: 2,384
- Website
Ongoing widespread credential stuffing attack
There is a widespread credential stuffing attack by malicious actors attempting to hack into Forum accounts using credentials that were exposed in data breaches at other sites or have been harvested by Data Stealing Trojans.
Most notable IP 109.107.166.230
Do a search and you'll see 300+ recorded events in four days.
Every time I look, the number of events increases. If you look at the sparse Evidence entries, they are coincidental.
(by request of the author, this is a repost of an original from another SFS member)
Offline
#2 2023-01-21 7:43 pm
- pedigree
- uıɐbɐ ʎɐqǝ ɯoɹɟ pɹɐoqʎǝʞ ɐ buıʎnq ɹǝʌǝu ɯ,ı
- From: New Zealand
- Registered: 2008-04-16
- Posts: 7,014
Re: Ongoing widespread credential stuffing attack
Thanks, I'll look at the credibility of the submitter and remove them if found to be anything but 100% legitimate.
Offline
#3 2023-01-22 8:00 pm
- NeoFox
- Member
- From: WI, USA, Earth
- Registered: 2013-09-26
- Posts: 830
- Website
Re: Ongoing widespread credential stuffing attack
Good on you folk to be on top of this. Respect.
Offline
#4 2023-01-23 5:40 am
- robleyd
- Member
- From: Adelaide, Australia
- Registered: 2012-07-15
- Posts: 4
Re: Ongoing widespread credential stuffing attack
I noticed a brief flurry of dormant (not used for several years) forum accounts suddenly promoting crypto pumps, all from this IP; clearly accounts had been compromised. A quick check of the IP revealed that the entire 109.107.166.0/24 range was registered to an individual in UA. Simply banning that IP range seems to have solved the immediate problem for our forum.
Offline
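The pattern described in post #4 (several long-dormant accounts suddenly logging in from one /24) can be checked against a forum's login log. The following is an added example, not code from any poster or forum package; the log layout, the two-year dormancy threshold, the 24-hour window and the three-account minimum are assumptions, and the sample events use documentation address ranges.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network

# Constructed sample log: (login time, account, previous activity, source IPv4).
LOGINS = [
    ("2023-01-20T03:11:00", "oldtimer1", "2017-05-02T10:00:00", "203.0.113.230"),
    ("2023-01-20T03:14:00", "oldtimer2", "2016-11-20T08:30:00", "203.0.113.230"),
    ("2023-01-20T04:02:00", "oldtimer3", "2018-03-09T19:45:00", "203.0.113.17"),
    ("2023-01-20T09:30:00", "regular1", "2023-01-19T21:00:00", "203.0.113.230"),
    ("2023-01-21T12:00:00", "returning1", "2015-07-01T12:00:00", "198.51.100.7"),
    ("2023-01-25T06:00:00", "oldtimer4", "2016-02-14T09:00:00", "203.0.113.5"),
]

DORMANT_AFTER = timedelta(days=2 * 365)  # assumed meaning of "dormant"
WINDOW = timedelta(hours=24)             # assumed burst window
MIN_ACCOUNTS = 3                         # assumed alert threshold


def suspicious_networks(logins, prefix=24):
    """Map each IPv4 /prefix network to the dormant accounts that logged in
    from it, when at least MIN_ACCOUNTS of them did so within WINDOW."""
    by_net = defaultdict(list)
    for when, account, last_seen, ip in logins:
        when = datetime.fromisoformat(when)
        if when - datetime.fromisoformat(last_seen) < DORMANT_AFTER:
            continue  # recently active account: ordinary login
        net = ip_network(f"{ip}/{prefix}", strict=False)
        by_net[str(net)].append((when, account))

    flagged = defaultdict(set)
    for net, events in by_net.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Shrink the window until it spans at most WINDOW.
            while events[end][0] - events[start][0] > WINDOW:
                start += 1
            accounts = {name for _, name in events[start:end + 1]}
            if len(accounts) >= MIN_ACCOUNTS:
                flagged[net].update(accounts)
    return {net: sorted(names) for net, names in flagged.items()}


if __name__ == "__main__":
    for net, names in suspicious_networks(LOGINS).items():
        print(f"{net}: review before banning; reset passwords for {names}")
```

A flagged range is a candidate for the kind of ban described above, and the listed accounts are the ones to lock or force through a password reset.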
#5 2023-01-23 10:25 am
- pedigree
- uıɐbɐ ʎɐqǝ ɯoɹɟ pɹɐoqʎǝʞ ɐ buıʎnq ɹǝʌǝu ɯ,ı
- From: New Zealand
- Registered: 2008-04-16
- Posts: 7,014
Re: Ongoing widespread credential stuffing attack
They're being submitted by a lot of different accounts, over a dozen, so I'm going to spend some time tomorrow going over the specifics...
New year, new hell at work
Offline
#6 2023-01-23 11:39 am
- robleyd
- Member
- From: Adelaide, Australia
- Registered: 2012-07-15
- Posts: 4
Re: Ongoing widespread credential stuffing attack
And a new PM to top it off.
Offline
#7 2023-03-14 3:01 pm
- DLipman
- Member
- Registered: 2020-10-27
- Posts: 11
Re: Ongoing widespread credential stuffing attack
I just looked. The IP first shows as a reported event on 1/14'23. Two months later, the count has more than doubled.
Found 825 entries for "109.107.166.230"
Offline