This is a hot topic at DigitalPoint right now as there is a bot working its way down the members list and doing brute-force or dictionary attacks on the logins. Because the forum uses vBulletin it only gets 5 shots before there’s a lockout and it has to move on to the next member, then remember to return later. But it’s keen and has been running for a couple of days now. Reports indicate that it’s tried some other forums too.
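The sweep described above, as an added example that is not part of the original post: a small Python detector run over constructed login-failure lines (a simplified format, not real vBulletin log output) that flags accounts which have reached the 5-failure lockout and source addresses that fail against many different usernames while staying under that limit. The log format, the 4-account threshold and the IP and user values are all assumptions.

```python
import re
from collections import defaultdict

# vBulletin lockout the post describes: five failed logins lock the account.
LOCKOUT_ATTEMPTS = 5
# Assumed threshold: one client failing against this many different accounts is a sweep.
SWEEP_MIN_USERS = 4

# Constructed sample log in a simplified format (not real vBulletin output):
# "<date> <time> <login_failed|login_ok> user=<name> ip=<addr>"
# 203.0.113.7 works down the members list: alice gets locked out, after which the
# bot stays at four tries per account; dave is a real user who mistypes once.
SAMPLE_LOG = """\
2008-03-02 10:15:01 login_failed user=alice ip=203.0.113.7
2008-03-02 10:15:02 login_failed user=alice ip=203.0.113.7
2008-03-02 10:15:03 login_failed user=alice ip=203.0.113.7
2008-03-02 10:15:04 login_failed user=alice ip=203.0.113.7
2008-03-02 10:15:05 login_failed user=alice ip=203.0.113.7
2008-03-02 10:15:09 login_failed user=bob ip=203.0.113.7
2008-03-02 10:15:10 login_failed user=bob ip=203.0.113.7
2008-03-02 10:15:11 login_failed user=bob ip=203.0.113.7
2008-03-02 10:15:12 login_failed user=bob ip=203.0.113.7
2008-03-02 10:15:17 login_failed user=carol ip=203.0.113.7
2008-03-02 10:15:18 login_failed user=carol ip=203.0.113.7
2008-03-02 10:15:19 login_failed user=carol ip=203.0.113.7
2008-03-02 10:15:20 login_failed user=carol ip=203.0.113.7
2008-03-02 10:15:25 login_failed user=erin ip=203.0.113.7
2008-03-02 10:15:26 login_failed user=erin ip=203.0.113.7
2008-03-02 10:15:27 login_failed user=erin ip=203.0.113.7
2008-03-02 10:15:28 login_failed user=erin ip=203.0.113.7
2008-03-02 10:20:00 login_failed user=dave ip=198.51.100.3
2008-03-02 10:20:30 login_ok user=dave ip=198.51.100.3
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<event>login_failed|login_ok) "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def parse_log(text):
    """Turn log text into a list of event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def analyse(events):
    """Return accounts that hit the lockout and source IPs that sweep many accounts."""
    consecutive_failures = defaultdict(int)  # user -> failures since last success
    locked_out = set()
    users_per_ip = defaultdict(set)          # ip -> accounts it failed against
    failures_per_ip = defaultdict(int)
    for ev in events:
        user, ip = ev["user"], ev["ip"]
        if ev["event"] == "login_ok":
            consecutive_failures[user] = 0   # a successful login resets the counter
            continue
        consecutive_failures[user] += 1
        if consecutive_failures[user] >= LOCKOUT_ATTEMPTS:
            locked_out.add(user)
        users_per_ip[ip].add(user)
        failures_per_ip[ip] += 1
    sweeping = {
        ip: {"distinct_users": len(users), "failures": failures_per_ip[ip]}
        for ip, users in users_per_ip.items()
        if len(users) >= SWEEP_MIN_USERS
    }
    return {"locked_out_users": sorted(locked_out), "sweeping_ips": sweeping}


if __name__ == "__main__":
    report = analyse(parse_log(SAMPLE_LOG))
    print("locked out:", report["locked_out_users"])
    for ip, info in report["sweeping_ips"].items():
        print(f"sweep from {ip}: {info['distinct_users']} accounts, {info['failures']} failures")
```

The per-account lockout on its own never sees this pattern, because every account records only a handful of failures before the bot moves on; counting distinct accounts per source address is what makes the sweep visible, and that count is the signal a forum owner would act on.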
Why?
It’s possible that the bot is the work of a disgruntled ex-user trying to make trouble and hurt the reputation of the forum but given the total lack of success to date that’s not working.
It’s more likely that, once in, Mr X will offer some deals similar to the ones previously offered. So if our hacked user used to sell web hosting then Mr X will offer some cheap web hosting. He’ll get a stack of signups and be hundreds of dollars richer before our hacked user wakes up for the day and realises anything has happened. Mr X then gets kicked out and he’s onto the next one.
How to stay safe
In this situation the best way is simply to ensure your password has both numbers and letters in it and is not a “dictionary word”.
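An added example, not from the original post, that checks the rule just stated: letters and digits both present, and not a dictionary word. It goes slightly beyond the post by also treating a dictionary word with digits tacked on the end as dictionary-based, since wordlist attacks routinely try those variants. The tiny wordlist here is constructed; a real check would load a full one.

```python
import string

# Constructed stand-in for a real wordlist file (assumption: a deployment would
# load a proper dictionary instead of these six entries).
DICTIONARY = {"password", "welcome", "letmein", "monkey", "dragon", "sunshine"}


def is_dictionary_based(password):
    """True if the password is a dictionary word, optionally followed by digits."""
    core = password.lower().rstrip(string.digits)
    return core in DICTIONARY


def check_password(password):
    """Return a list of the rule violations found; an empty list means it passes."""
    problems = []
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    if is_dictionary_based(password):
        problems.append("dictionary word")
    return problems


if __name__ == "__main__":
    for candidate in ("monkey", "monkey1", "12345678", "x7q2wvzk9"):
        print(candidate, "->", check_password(candidate) or "ok")
```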
But wait, there’s more!
But there is one other situation, one a friend has suffered in the last week or so… He lost his gmail account to hacking.
Now, he would occasionally share his logins to sites and sometimes the passwords weren’t too “safe” so we’ll never know if he was hacked or betrayed but he’s just lost his gmail account. It wouldn’t make much difference if he’d lost a hotmail or yahoo account – they’re all email accounts outside his control.
It’s a common practice to use gmail, hotmail or yahoo for directory submissions and forum signups. Some forum owners sell email addresses and you get spammed. If you use a junk email address then if the account gets spammed you can just create a new, clean account and gradually update your forum profiles. An easy solution, and you’ll find most people do it and recommend it.
Losing one of those email accounts wouldn’t be a huge deal except that he’d used this account for forum signups and this friend has built his business and his reputation through forum participation.
So what happens if you lose that account and someone changes the passwords so you can’t login to change the email address? Things get ugly, that’s what!
A solution
Use gmail – it’s still good (love the spam filter), but create email addresses on your own domains. Either forward them to the gmail address or have gmail handle the pop3 account. If your domain is running a site then the hosting probably allows you more email addresses than you’ll ever be able to use anyway.
So create one just for your forum logins then follow the instructions at gmail to handle it.
If your gmail gets compromised or hacked then you still lose all those emails, but all you have to do is change the password on the email account and the compromised gmail account can’t collect from it anymore. Use the hosting company’s version of webmail to retrieve any forum accounts you may have lost and hey presto, you’re back in business!
If you are a vBulletin owner there is the option of disabling the membership list, depending on how extreme you want to be in combating the problem 🙂
Yes, you can disable membership, but that is pretty drastic and seems a pretty harsh and traffic-impacting way to handle it.
Best;
Eric