6

For the last two weeks we have been receiving a form of spam through our website contact form that I haven't seen before.

It looks like this:

Name:   iYvNgmpTLwxqaCj
Company:    lqidQuVNMhIJsz
E-Mail: peter.pan@example.com
Country:    Please select...
Phone:  5217200934
Address:    OsHSnquoU
Privacy Policy accepted:    iaccept


Message:
MCGELokRdhvTQYK

The spammer's inputs to form fields are the parts after the colons.

Note: I have changed the mail address. It looked like a legitimate mail address of a larger company, e.g. First.LastName@company.example.com. That is always the case.

Every other field contains random strings of ASCII characters. The phone number seems to be a random number. The privacy field is populated from a checkbox.

Another fact is: We always receive exactly two of these messages at the same time. Not more, not less. The frequency is on average 1-2 attempts per day.

Does anyone have any idea what the purpose of such a spam message is?

Previous similar questions:

My ideas:

The thing I could think of is password bruteforcing, in that the bot doesn't notice that it is on a contact form and instead just tries to log in with a mail address and random password. However, the chances of this working are astronomically low, given the general odds and the low number of attempts (two).

Further information
After a while of dealing with the spam, here are some additional pieces of information:

  • While I initially reported 2 spam messages per try, in fact the bot tried 62 times. Most were blocked from sending because a "privacy policy accept" box wasn't ticked. This indicates that:
    • It was indeed a bot, because the website front also prevents sending the form without the box ticked (client-side).
    • Check- and radioboxes are probably randomly selected
  • If the privacy box was NOT ticked, the form also contained no other content (fields empty).
  • Within each 62-try attempt, the same IP was used. In later attempts a different IP was used.
  • As Seb_Schulz suggested, I ran the mail addresses through HaveIBeenPwned, but most of them didn't turn up. So maybe it's from a new leak. However, it might be that the addresses are not valid. While the domains all exist, I mostly couldn't find the particular person associated with them (e.g. if the domain is a university with a public list of people).

Prevention
Since we didn't want to implement reCAPTCHA, as our site is otherwise Google-free, we tried two simple captcha mitigations.

  1. We put in a question, e.g. "Select picture of the famous person xy", with two radiobuttons with pictures next to it. The user had to select the correct image. The correct one was the second radiobutton. This did not work, presumably because the boxes were randomly selected by the bot.

  2. We replaced the question with a simple math question, e.g. "Please solve 4 + 2 = ", with a simple text input field. The question even always uses the same numbers. This works for now. I suspect the bot would fill in its random characters into the box, which is obviously not the correct number.

I hope this helps someone.

Bakuriu
Jens
  • Looks like [security.se] is having the same problem right now. –  Nov 26 '19 at 12:53
  • Interesting to know @MechMK1. A colleague reported that the website of his wife receives the same kind of spam. So it seems to be a current wave, whatever the purpose. – Jens Nov 26 '19 at 14:43
  • Definitely a weird occurrence. Probably some botnet gone rogue. –  Nov 26 '19 at 14:53
  • As for prevention, have you considered using [reCAPTCHA](https://www.google.com/recaptcha)? –  Dec 04 '19 at 09:14
  • @MechMK1 Yes, I'm quite sure it'll work. We didn't want to use it though, due to privacy laws in EU (we use no other google services on the site, to make it easier for us as a small business). – Jens Dec 04 '19 at 09:20
  • Often, these types of form submissions are done using a tool like curl or wget, which simply POSTs to your web server, without first GETting the form itself like a real web browser would do. If you use a value in a hidden field that changes regularly (such as an encrypted timestamp), and check for that value when the form is submitted, this will likely stop these form submissions - without using captchas or annoying your users with puzzles. – mti2935 Dec 04 '19 at 10:46
  • 1
    @Jens If you need a sample email you should use `example.com` or `example.org`. they are the **official** example emails. Using random domains is dangerous. Someone might register them and now your content might redirect users to a dangerous site, or a legitimate website could receive unwanted attention due to bad actors that find it through your content. – Bakuriu Dec 04 '19 at 18:39
  • @Bakuriu Good point. Thanks for noting that. – Jens Dec 04 '19 at 23:45
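The hidden-token idea from mti2935's comment and the arithmetic question from the Prevention section, combined into one server-side check, as an added example that is not part of the original question or comments. It is plain Python (standard library only, framework-agnostic) and goes one step beyond the text: it also adds a CSS-hidden honeypot input, which catches a bot that, as reported above, stuffs random characters into every text field. The field names (`form_token`, `math_answer`, `website`, `privacy`), the secret key and the 3 s to 1 h age window are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Hypothetical server secret; a real deployment loads it from configuration so
# it survives restarts and is shared by all workers.
SECRET_KEY = secrets.token_bytes(32)

MIN_FORM_AGE = 3      # seconds: a human needs a few seconds to fill in the form
MAX_FORM_AGE = 3600   # seconds: stale tokens (and replayed old pages) are rejected


def _mac(payload: str, key: bytes) -> str:
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def issue_challenge(now: Optional[float] = None, key: bytes = SECRET_KEY) -> Dict[str, object]:
    """Run when the form page is served (GET).

    Returns what the template renders: the hidden 'form_token' value and the
    two numbers for the visible "Please solve a + b =" question. The issue
    time, a nonce and the numbers are bound together under an HMAC, so the
    server keeps no session state and the submitter cannot pick its own sum.
    """
    ts = int(now if now is not None else time.time())
    nonce = secrets.token_hex(8)
    a, b = secrets.randbelow(9) + 1, secrets.randbelow(9) + 1
    payload = f"{ts}:{nonce}:{a}:{b}"
    return {"form_token": f"{payload}:{_mac(payload, key)}", "a": a, "b": b}


def validate_submission(form: Dict[str, str], now: Optional[float] = None,
                        key: bytes = SECRET_KEY) -> Tuple[bool, str]:
    """Run on POST before the mail is sent. Returns (accepted, reason)."""
    now = now if now is not None else time.time()

    # 1. Token present, untampered and of plausible age. A client that only
    #    POSTs without first GETting the page has no valid token at all.
    parts = str(form.get("form_token", "")).split(":")
    if len(parts) != 5:
        return False, "token missing or malformed"
    ts_s, nonce, a_s, b_s, mac = parts
    if not hmac.compare_digest(mac, _mac(f"{ts_s}:{nonce}:{a_s}:{b_s}", key)):
        return False, "token signature invalid"
    age = now - int(ts_s)          # ts_s is trusted only after the MAC check
    if not MIN_FORM_AGE <= age <= MAX_FORM_AGE:
        return False, f"token age {age:.0f}s outside window"

    # 2. Honeypot: a text input hidden by CSS that a human never fills. The bot
    #    in the report stuffs random characters into every text field.
    if str(form.get("website", "")).strip():
        return False, "honeypot field filled"

    # 3. Arithmetic challenge, checked against the numbers bound in the token.
    try:
        answer = int(str(form.get("math_answer", "")).strip())
    except ValueError:
        return False, "challenge answer not a number"
    if answer != int(a_s) + int(b_s):
        return False, "challenge answer wrong"

    # 4. Consent checkbox, re-checked server-side; the client-side check alone
    #    did not stop the bot in the report.
    if form.get("privacy") != "iaccept":
        return False, "privacy policy not accepted"

    return True, "ok"


if __name__ == "__main__":
    issued = issue_challenge()
    # Constructed submissions: one human, one shaped like the reported spam.
    human = {"form_token": issued["form_token"], "website": "",
             "math_answer": str(issued["a"] + issued["b"]), "privacy": "iaccept"}
    bot = {"form_token": issued["form_token"], "website": "OsHSnquoU",
           "math_answer": "MCGELokRdhvTQYK", "privacy": "iaccept"}
    print(validate_submission(human, now=time.time() + 10))
    print(validate_submission(bot, now=time.time() + 10))
```

The checks are ordered so the cheapest rejection comes first and every rejection carries a reason you can log; counting the reasons per source IP over a day is what tells you whether the bot is still probing. Rotate the secret if it ever leaks, since anyone holding it can mint tokens.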

2 Answers

3

> The thing I could think of is password bruteforcing, in that the bot doesn't notice that it is on a contact form and instead just tries to log in with a mail address and random password. However, the chances of this working are astronomically low, given the general odds and the low number of attempts (two)

Your idea isn't so bad. It may be 2 attempts a day to bypass the common 3-attempt lockout policies.

> Note: I have changed the mail address. It looked like a legitimate mail address of a larger company, e.g. First.LastName@companyname.com. That is always the case.

This further supports your point. Try running the address through haveibeenpwned.com and see if it occurred in a breach. If so, you may be dealing with a case of credential stuffing.

Seb_Schulz
  • Hi Seb, great idea to run them through haveibeenpwned. The first one I tried was present in 11 breaches, but the next two in none (doesn't mean that they were never breached of course). I'll try some more. I just fail to see the viability, because in those cases as a spammer I would try their breached passwords. But it would be rather untypical if every one of the pwnies had chosen hard-to-bruteforce random password. – Jens Nov 26 '19 at 14:41
2

> The thing I could think of is password bruteforcing, in that the bot doesn't notice that it is on a contact form and instead just tries to log in with a mail address and random password. However, the chances of this working are astronomically low, given the general odds and the low number of attempts (two)

I don't think this is the case.

Random character spam can be used to determine how your system works and which prevention mechanisms you have in place.

I suggest having a look at e.g. https://www.abuseipdb.com/ in order to check if the sending IP address is known as malicious.

In my experience 90% of attackers use IP addresses from China, Russia or Asia in general.

I like http://www.utrace.de/ to just have a quick look at what kind of IP address I'm dealing with.

dmuensterer
  • Good idea. I checked some of the IPs, and some of them turned up in the abuse database for various reasons. So it's most likely a botnet doing multiple shady things. It might be, that now that we block all the spam messages, they might have stopped. I have to monitor over the next few days. So it might be indeed a probe for a future spam campaign. – Jens Dec 05 '19 at 08:23
  • Correction, the spam continued but is still successfully blocked by the basic captcha system I implemented as explained in the question. – Jens Dec 06 '19 at 08:34
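A local triage heuristic for the pattern described in the question (mixed-case random strings in every text field, an e-mail local part unrelated to the name, the country select left at its placeholder, several submissions from one IP at the same moment), as an added example that is not part of either answer. It complements the IP-reputation lookup suggested in the answer above with a check that needs no external service, so it can run over the submissions you already have before you hand IPs to abuseipdb. The sample submissions are constructed and are not real data; the thresholds are assumptions. The case-flip test is set to four flips per word because ordinary names such as "McDonald" already flip three times.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample submissions shaped like the ones in the question (not real data).
SAMPLE_SUBMISSIONS: List[Dict[str, object]] = [
    {"ts": 1574771580, "ip": "203.0.113.7", "name": "iYvNgmpTLwxqaCj", "company": "lqidQuVNMhIJsz",
     "email": "peter.pan@example.com", "country": "Please select...", "address": "OsHSnquoU",
     "message": "MCGELokRdhvTQYK"},
    {"ts": 1574771580, "ip": "203.0.113.7", "name": "QwErTzUiOpAs", "company": "XkLmPqRsTuV",
     "email": "jane.doe@example.org", "country": "Please select...", "address": "ZxCvBnM",
     "message": "aSdFgHjKl"},
    {"ts": 1574775000, "ip": "198.51.100.23", "name": "Peter Pan", "company": "Neverland GmbH",
     "email": "peter.pan@example.com", "country": "Germany", "address": "Hauptstr. 1",
     "message": "Hello, I would like a quote for 20 units."},
]

FREE_TEXT_FIELDS = ("name", "company", "address", "message")
PLACEHOLDER = "Please select..."   # assumed default value of the country select
SPAM_THRESHOLD = 3                 # assumed: score at or above this is treated as spam


def looks_random(value: str, min_len: int = 6, min_switches: int = 4) -> bool:
    """Heuristic for key-mash strings: a single word of letters whose case
    flips at least `min_switches` times. Real words rarely flip more than
    three times ("McDonald": 3), uniformly random case flips about every
    second character."""
    for word in value.split():
        if len(word) >= min_len and word.isalpha():
            switches = sum(1 for x, y in zip(word, word[1:]) if x.isupper() != y.isupper())
            if switches >= min_switches:
                return True
    return False


def email_mismatches_name(email: str, name: str) -> bool:
    """True when no token of the e-mail local part (first.last) occurs in the
    submitted name; a pasted-in real address next to a random name."""
    local = email.split("@", 1)[0].lower()
    tokens = [t for t in re.split(r"[._\-+]", local) if len(t) >= 3]
    if not tokens:
        return False
    return not any(t in name.lower() for t in tokens)


def score_submission(sub: Dict[str, object]) -> Tuple[int, List[str]]:
    reasons = []
    for field in FREE_TEXT_FIELDS:
        if looks_random(str(sub.get(field, ""))):
            reasons.append(f"random-looking {field}")
    if email_mismatches_name(str(sub.get("email", "")), str(sub.get("name", ""))):
        reasons.append("e-mail local part does not match name")
    if sub.get("country") == PLACEHOLDER:
        reasons.append("country left at placeholder")
    return len(reasons), reasons


def find_bursts(subs: List[Dict[str, object]], window: int = 60, min_count: int = 2) -> Dict[str, int]:
    """Largest number of submissions from one IP inside any `window` seconds
    (the question reports pairs, and later 62 tries, from a single IP)."""
    by_ip: Dict[str, List[int]] = defaultdict(list)
    for s in subs:
        by_ip[str(s["ip"])].append(int(s["ts"]))
    bursts = {}
    for ip, times in by_ip.items():
        times.sort()
        best, j = 0, 0
        for i in range(len(times)):
            while times[i] - times[j] > window:
                j += 1
            best = max(best, i - j + 1)
        if best >= min_count:
            bursts[ip] = best
    return bursts


def triage(subs: List[Dict[str, object]]) -> List[Dict[str, object]]:
    bursts = find_bursts(subs)
    results = []
    for s in subs:
        score, reasons = score_submission(s)
        if s["ip"] in bursts:
            score += 1
            reasons.append(f"burst of {bursts[str(s['ip'])]} from same IP")
        results.append({"ip": s["ip"], "email": s["email"], "score": score,
                        "spam": score >= SPAM_THRESHOLD, "reasons": reasons})
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_SUBMISSIONS):
        print(r["ip"], r["email"], r["score"], "SPAM" if r["spam"] else "ok", "; ".join(r["reasons"]))
```

Feed it the stored submissions (or the notification mails parsed back into fields) and review the IPs it flags before blocking them; the reasons list is what you want to keep, since a change in the bot's behaviour shows up as a change in which reasons fire.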