
Thread: Warning - Distributed brute force attack on user profiles in progress

  #1 Dave A (Site Caretaker), Durban, South Africa, member since May 2006

    Warning - Distributed brute force attack on user profiles in progress

    Dear members of TFSA,

    I advise that there is currently a distributed brute force attack trying to gain access to member profiles on TFSA.

    It is a particularly clever attack that has attempted to be stealthy in that it is not triggering the user profile lockout limit (which is triggered when there are 5 unsuccessful log-in attempts from the same IP address). It is doing so by using a very wide range of IP addresses and appears to be deliberately stopping short of making too many attempts from the same IP address.

    So far I have identified 7 hacked profiles - all of which fall in the category of dormant (generally never posted or not logged into for over a year). However, other than seeing a steady stream of failed login attempts at a rate of 3 to 5 per minute in the activity log, I can't see which user profiles are being attacked.

    I am working on a way to blunt this form of brute force attack without triggering a flood of warning emails to legitimate users of the site. In the interim I ask that regular users in particular ensure that they have strong passwords that would make their profile difficult to hack.

  #2 Neville Bailey (Diamond Member), Westville, Durban, member since Nov 2010
    Thank you for the heads up, Dave.

    I have just changed my password.
    Neville Bailey - Sage Pastel Accounting Consultant
    www.accountingsoftwaresupport.co.za
    neville@accountingsoftwaresupport.co.za
    IronTree Online Solutions

    "Give every person more in use value than you take from them in cash value."
    WALLACE WATTLES (1860-1911)

  #3 AndyD (Diamond Member), Cape Town, member since Jan 2010
    A bit late I know but hope you guys had a great holiday and all the best for 2023.

    Thanks for the heads-up, Dave. Why would they go to such sophisticated lengths to hack low-level accounts? Even if they were successful on a small scale, what have they got to gain?

  #4 Dave A (Site Caretaker), Durban, South Africa, member since May 2006
    Quote Originally Posted by AndyD:
    > A bit late I know but hope you guys had a great holiday and all the best for 2023.
    >
    > Thanks for the heads-up, Dave. Why would they go to such sophisticated lengths to hack low-level accounts? Even if they were successful on a small scale, what have they got to gain?

    So far it has just been to post links to a crypto pump website. The posts have been caught by the auto-moderation scripts, which is why no-one else will have noticed up to now. Sometimes hacked accounts are used for PM spam, but no evidence of that in this instance as yet.

    So far our systems have coped with the consequences well. However, if they manage to hack a regular's account, it will become a much more significant challenge to contain or prevent nuisance.

    The sophistication is probably to delay detection of their activities, but it is also a way to be able to attack at a faster rate if you don't trip known lock-out mechanisms. My immediate problem is that I can make mods in the code to lock out profiles quicker and for longer, but it may impact normal use if they are targeting regulars, and it will seed a flurry of "failed log-in" notification emails. Kinda feeling this one over for an elegant solution.

    In the meantime, encouraging strong passwords seems the first step to mitigate.
    Last edited by Dave A; 20-Jan-23 at 07:14 AM.
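The two posts above describe the gap exactly: the forum's existing rule counts failures per source IP (lockout after 5 from one address), so a campaign that spreads its guesses over many addresses and stops at two or three per IP never trips it, and the activity log only shows the global failure rate, not which profiles are being hit. The script below is an added example written for this thread; it is not the forum's code and nothing in the thread says how the real activity log is formatted, so the log line format, the 10-minute window and the thresholds are assumptions. It keys the same failed-login stream on the target account instead, reports accounts being hit from several distinct IPs, and, instead of a hard lockout that would trigger a "failed log-in" notification email, returns a "challenge" decision (step-up such as a CAPTCHA or one-time code before the session is issued). The per-IP rule is kept alongside it to show that it never fires against the constructed sample.

```python
"""Key failed-login tracking on the target account rather than the source IP.

A per-IP lockout (N failures from one address) never fires against a campaign
that spreads its guesses over many addresses.  Counting distinct source IPs
per account inside a sliding window does fire, and lets the login handler
demand a step-up (CAPTCHA / one-time code) instead of hard-locking the
account and mailing its owner for every failed attempt.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample activity log.  The line format is an assumption made for
# this example; it is not the forum software's real log format.  Each IP is
# used at most three times, so a per-IP limit of 5 is never reached.
SAMPLE_LOG = """\
2023-01-19T08:00:05Z FAIL user=dormant_al ip=203.0.113.10
2023-01-19T08:00:17Z FAIL user=dormant_al ip=203.0.113.10
2023-01-19T08:00:31Z FAIL user=dormant_al ip=198.51.100.7
2023-01-19T08:00:44Z FAIL user=dormant_al ip=198.51.100.7
2023-01-19T08:01:02Z FAIL user=dormant_al ip=192.0.2.33
2023-01-19T08:01:15Z FAIL user=regular_nb ip=203.0.113.99
2023-01-19T08:01:20Z OK   user=regular_nb ip=203.0.113.99
2023-01-19T08:01:33Z FAIL user=dormant_al ip=192.0.2.34
2023-01-19T08:01:50Z FAIL user=dormant_bz ip=203.0.113.10
2023-01-19T08:02:05Z FAIL user=dormant_bz ip=198.51.100.8
2023-01-19T08:02:20Z FAIL user=dormant_bz ip=192.0.2.35
2023-01-19T08:02:40Z OK   user=dormant_bz ip=192.0.2.35
"""


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    ok: bool
    user: str
    ip: str


def parse_line(line: str) -> LoginEvent:
    """Parse one constructed log line: '<iso-ts> FAIL|OK user=<u> ip=<ip>'."""
    ts, outcome, user_kv, ip_kv = line.split()
    return LoginEvent(
        ts=datetime.fromisoformat(ts.replace("Z", "+00:00")),
        ok=(outcome == "OK"),
        user=user_kv.split("=", 1)[1],
        ip=ip_kv.split("=", 1)[1],
    )


class GuessDetector:
    """Sliding-window failure tracking keyed on both source IP and target account.

    Thresholds are assumptions for this example: the per-IP limit mirrors the
    thread's existing rule (5 failures from one address), the per-account rule
    trips when failures arrive from 3 or more distinct IPs within the window.
    """

    def __init__(self, window=timedelta(minutes=10), per_ip_limit=5, per_account_ip_limit=3):
        self.window = window
        self.per_ip_limit = per_ip_limit
        self.per_account_ip_limit = per_account_ip_limit
        self._by_ip = defaultdict(deque)    # ip   -> deque[ts] of failures
        self._by_user = defaultdict(deque)  # user -> deque[(ts, ip)] of failures

    @staticmethod
    def _expire(dq, cutoff, key=lambda item: item):
        """Drop entries older than the window from the left of a deque."""
        while dq and key(dq[0]) < cutoff:
            dq.popleft()

    def observe(self, ev: LoginEvent) -> str:
        """Return the decision the login handler should take *before* checking
        the password for this attempt, then record the attempt's outcome.

        'ip_locked'  - existing per-IP rule fired
        'challenge'  - account is being hit from many IPs; require a step-up
                       even if this password is correct
        'allow'      - normal processing
        """
        cutoff = ev.ts - self.window
        ip_fails = self._by_ip[ev.ip]
        self._expire(ip_fails, cutoff)
        user_fails = self._by_user[ev.user]
        self._expire(user_fails, cutoff, key=lambda item: item[0])

        if len(ip_fails) >= self.per_ip_limit:
            decision = "ip_locked"
        elif len({ip for _, ip in user_fails}) >= self.per_account_ip_limit:
            decision = "challenge"
        else:
            decision = "allow"

        # Only failures feed the windows.  A success does not clear the account
        # window: a guess that lands mid-campaign is exactly the one to challenge.
        if not ev.ok:
            ip_fails.append(ev.ts)
            user_fails.append((ev.ts, ev.ip))
        return decision

    def targeted_accounts(self, now: datetime) -> dict:
        """Accounts with failures from >= per_account_ip_limit distinct IPs in the window."""
        cutoff = now - self.window
        out = {}
        for user, dq in self._by_user.items():
            self._expire(dq, cutoff, key=lambda item: item[0])
            n = len({ip for _, ip in dq})
            if n >= self.per_account_ip_limit:
                out[user] = n
        return out


def run_sample(log: str = SAMPLE_LOG):
    """Replay the constructed log; return per-event decisions and the targeted accounts."""
    det = GuessDetector()
    events = [parse_line(line) for line in log.strip().splitlines()]
    decisions = [(ev.user, ev.ip, det.observe(ev)) for ev in events]
    return decisions, det.targeted_accounts(events[-1].ts)


if __name__ == "__main__":
    decisions, targeted = run_sample()
    for user, ip, decision in decisions:
        print(f"{user:12} {ip:15} {decision}")
    print("targeted:", targeted)
```

On the sample, the per-IP rule never fires, both dormant accounts are reported with 4 and 3 distinct source IPs, and the regular user's single typo from one address stays "allow". The one successful login at the end is returned as "challenge" because it arrives on an account already under attack; that is the case a plain lockout-plus-email either misses (attacker guessed right before the limit) or turns into a notification storm.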

  #5 Mike C (Diamond Member), Umkomaas, member since Apr 2012
    Thanks Dave. Password changed.
    No act of kindness, no matter how small, is ever wasted. - Aesop "The Lion and the Mouse"
