Recently, one of my clients at Matters told me that more and more people were subscribing to his website. “What a good news!!” I said — I was so wrong!!He discovered that most of the new customers had a strange last name and first name. I then logged into the back office to verify.In fact, I had more than 600 subscriptions in about an hour and all the new account got Russian characters in the last name and first name. As I am not fluent in Russian I used Google Translate to figure out what it says and I find out that the concatenation of first name and last name creates a message like :“Welcome on our website, you have been selected for a discount and you can go to <website.tk> to use it”
Was the attack against my client? Against my company? Nooop!
I checked the web server logs to check the rate of subscription and it was slow : ≃1 new account every second.
It was clearly not DDoS against the web server neither the mail server.
No orders had been made so I assumed no coupon had leaked and it was not the point of the attack.
Maybe this was an attack to reduce the mail server deliverability and then I realized that the website itself was not the target of the attack. It was only a vector to send spam/phishing messages without being sent to spam. The attacker has a list of emails, and he was subscribing with the victim’s email with the custom first and last name.
Now, assume you are “Bob” and your email is bob@foo.com. The attacker will subscribe a new user on my client website with your email bob@foo.com, but with a different surname: “Check out promotions at <malicious website here>”.
You will then receive an email to confirm your registration with the content “Welcome, Check out promotions at <malicious website here>. <rest of the welcome email>“. This email will be sent by my client website, which bypasses the antispam filters.
One of the point of spammers/phishers is to avoid being sent to spam so the message can be delivered to the victim.
Using this method, it is my client’s mail server that will send the message, and it might not be sent to spam as the SPF records allows the mail server to send the message, the DKIM signature is also verified.
Spammed email address will receive the message, and it will look totally legit !
When I looked at the logs I saw that the subscription was made from multiple IPs from different countries so it was clearly not easy to ban them as I can’t know if the IP is a real customer or not.
I tried to turn on the “I’m under attack” feature on cloudflare but as it a DDoS protection, it only slows down the attack but it was not stopping it.
Then I decided to edit the mail templates to remove the first name and last name merge fields in our subscribe mail so the person targeted by the spam is not able to see the custom message added by the attacker.
Then I turned on the captcha feature on the subscription form and on the forget my password form and it stopped the attack. (Yaay !!)
We will remove our captcha and replace it by a ReCaptcha, which is easier to use for our customers.
We will filter the merge field inside our mail template to remove elements with a “.<tld>” value. It won’t block the subscription, but it will remove it from the mail and the spam will be harmless for people receiving it.
We will also add a link to the bottom of our mail allowing people to report spam if they think they should have not received this message.
