Recently, one of my clients at Matters told me that more and more people were subscribing to his website. “What a good news!!” I said — I was so wrong!!
He discovered that most of the new customers had a strange last name and first name. I then logged into the back office to verify.
In fact, I had more than 600 subscriptions in about an hour and all the new account got Russian characters in the last name and first name.
As I am not fluent in Russian I used Google Translate to figure out what it says and I find out that the concatenation of first name and last name creates a message like :
“Welcome on our website, you have been selected for a discount and you can go to <website.tk> to use it”
What was the point of the attack ?
Was the attack against my client? Against my company? Nooop!
I checked the web server logs to check the rate of subscription and it was slow : ≃1 new account every second.
It was clearly not DDoS against the web server neither the mail server.
No orders had been made so I assumed no coupon had leaked and it was not the point of the attack.
Maybe this was an attack to reduce the mail server deliverability and then I realized that the website itself was not the target of the attack. It was only a vector to send spam/phishing messages without being sent to spam. The attacker has a list of emails, and he was subscribing with the victim’s email with the custom first and last name.
Now, assume you are “Bob” and your email is firstname.lastname@example.org. The attacker will subscribe a new user on my client website with your email email@example.com, but with a different surname: “Check out promotions at <malicious website here>”.
You will then receive an email to confirm your registration with the content “Welcome, Check out promotions at <malicious website here>. <rest of the welcome email>“. This email will be sent by my client website, which bypasses the antispam filters.
One of the point of spammers/phishers is to avoid being sent to spam so the message can be delivered to the victim.
Using this method, it is my client’s mail server that will send the message, and it might not be sent to spam as the SPF records allows the mail server to send the message, the DKIM signature is also verified.
Spammed email address will receive the message, and it will look totally legit !
How did I try to mitigate the attack ?
When I looked at the logs I saw that the subscription was made from multiple IPs from different countries so it was clearly not easy to ban them as I can’t know if the IP is a real customer or not.
I tried to turn on the “I’m under attack” feature on cloudflare but as it a DDoS protection, it only slows down the attack but it was not stopping it.
Then I decided to edit the mail templates to remove the first name and last name merge fields in our subscribe mail so the person targeted by the spam is not able to see the custom message added by the attacker.
Then I turned on the captcha feature on the subscription form and on the forget my password form and it stopped the attack. (Yaay !!)
What was the impact of this attack ?
- The first impact, is the image degradation of the brand which sent the message as the mail seems really legit and does not go to spam.
- The second impact is the degradation of your email delivery notation as you will probably be reported as spam by some of the victims (Maybe you will be on some spam blacklist).
- The third impact is that your customer base is now full of spammed accounts. You have to clean it up and be sure to remove only the spammed customers. In our case it was pretty simple as the website mentioned in the lastname was always the same.
What will we do in the future to avoid this kind of attack ?
We will remove our captcha and replace it by a ReCaptcha, which is easier to use for our customers.
We will filter the merge field inside our mail template to remove elements with a “.<tld>” value. It won’t block the subscription, but it will remove it from the mail and the spam will be harmless for people receiving it.
We will also add a link to the bottom of our mail allowing people to report spam if they think they should have not received this message.
To sum up
- Don’t panic !
- Add a ReCaptcha on all public forms
- If you don’t want captchas on your website, always ask for account confirmation before considering that this is a real customer (and remove merge fields in this mail). It will be easier to remove unverified customers.
- Think about your merge fields and anticipate how they can be used to spam people. Filter them if needed.