
Notice of attempt to Railforums Account!

Status
Not open for further replies.

Bill EWS

Member
Joined
10 Feb 2006
Messages
666
Location
Didcot
Just received an email from [email protected] explaining that someone has tried to get into my Railforums account. It also gave the IP address of the person. I have not long suffered a false download that caused me lots of problems and the computer having to go into the shop to have Windows re-installed so not sure if the above is genuine or not. Likewise, if genuine what can I do about it. Perhaps one of the Administrative staff could let me know, thanks..
 

Bevan Price

Established Member
Joined
22 Apr 2010
Messages
7,810
Although not so far referring to this forum, I get lots of dubious emails claiming to come from various sources, and many look superficially convincing, inviting me to click a link to "fix" some alleged problem (e.g. email box full; financial problem, etc.). I think it is best to ignore all such messages - never click the link - even though it may claim to come from a genuine source, it is all too easy to divert you to some dodgy site.

If you have not already done so, I suggest you update any anti-virus software, and also get something like Malwarebytes Free to check/clean your computer of most malware.

ccleaner.exe (also has a free version available) is also useful to clean computers of much of the unwanted rubbish that some websites write on computers (usually without your knowledge.)
 

Donny Dave

Established Member
Joined
9 Jul 2005
Messages
5,351
Location
Doncaster
Digging through the dark and murky recesses of my brain, I do recall that the [email protected] address does indeed come from this forum.

It sounds like the dodgy download you had passed on your username from this and other websites, but fortunately, not your password(s). My advice is that you download and install Spybot and Malwarebytes, plus go round all the forums/websites you use and change passwords (especially for your email and any online financial sites you use).

Takes off former admin hat.
 

Murph

Member
Joined
16 Feb 2010
Messages
728
From what you describe, your system integrity and security were almost certainly at least partially compromised. It sounds like there's at least some possibility that a malicious 3rd party is attempting to use your forum account. Unless you have a strong reason to believe that it's impossible that the 3rd party may have a chance at getting your password, you should fairly urgently change your password to something never previously used of reasonable complexity. For safety's sake, you should probably assume that all passwords previously used on the compromised system are at risk, including those which were only used before the malware incident (your system may have some passwords cached, so even those not used after the malware appeared are potentially at risk).

If you think there's a reasonable chance of identifying the malicious 3rd party, and feel motivated to do so, what you describe is probably at least a §1 offence under the Computer Misuse Act 1990, possibly even §2 and §3 offences, carrying a prison term of up to 5 years on conviction. It's extraditable, but if the IP in question is outside the EU, US, and other UK-friendly countries, prosecution is probably a non-starter for anything other than a far more serious incident. The listed IP may also not be the true origin of the attack, as it's common for the more sophisticated attackers to proxy their attacks via previous compromised victim systems.

Very short version: Change your forum password to something completely new, and you should probably change ALL passwords ASAP. You are probably a victim of a crime under UK law, but it may well not be worth the effort to try to pursue that if there's no other damage.
 

Bevan Price

Established Member
Joined
22 Apr 2010
Messages
7,810
Digging through the dark and murky recesses of my brain, I do recall that the [email protected] address does indeed come from this forum.


Takes off former admin hat.

But unfortunately, there are techniques for malicious people to "manipulate" links so that they send you somewhere else - even if it appears you are sending an email to a genuine address like [email protected].
 

Murph

Member
Joined
16 Feb 2010
Messages
728
But unfortunately, there are techniques for malicious people to "manipulate" links so that they send you somewhere else - even if it appears you are sending an email to a genuine address like [email protected].

Yes, NEVER trust a link in email, unless you are 110% certain that the email is genuine and expected from the organisation purporting to be sending it. To the layperson, a spoofed email can be indistinguishable from a real one, but the links go to www . evil-fraudster . com/fake-bank, instead of www . my-real-bank . com, as an illustrative example. Some of them put relatively huge effort into creating fake sites which are incredibly close to the real thing. They break plenty of laws in the process of doing so, and make unauthorised use of copyrights and trademarks, but that doesn't stop them.

If in doubt, type the URL into your browser manually, and pause for as long as necessary to confirm that the URL you're using is the legitimate one. If it's something important, like a bank, and you can't be sure, stop and phone them next business day using a known good contact number.
 

Crossover

Established Member
Joined
4 Jun 2009
Messages
9,391
Location
Yorkshire
Yes, NEVER trust a link in email, unless you are 110% certain that the email is genuine and expected from the organisation purporting to be sending it. To the layperson, a spoofed email can be indistinguishable from a real one, but the links go to www . evil-fraudster . com/fake-bank, instead of www . my-real-bank . com, as an illustrative example. Some of them put relatively huge effort into creating fake sites which are incredibly close to the real thing. They break plenty of laws in the process of doing so, and make unauthorised use of copyrights and trademarks, but that doesn't stop them.

If in doubt, type the URL into your browser manually, and pause for as long as necessary to confirm that the URL you're using is the legitimate one. If it's something important, like a bank, and you can't be sure, stop and phone them next business day using a known good contact number.

The advice I give to our users is to roll over links and see where they point - majority are of course dodgy. We are not quite at looking at headers yet, but I sometimes do that too - in Outlook it is fairly easy to do

I do recall receiving email from the address you mention from the forum before (if it turns out to be dodgy I'm sure the staff here would like to have sight of it) but can't recall for sure. I've also never locked my account out either so don't know if it triggers an email. If it is and it does, this could keep happening even with a new password if they keep dictionary attacking under your username - again, if the requests are from similar places it may be possible for the hosts to blacklist the address, but it may be tricky. These things do happen - I know our work firewalls get login attempts on average once every 15 minutes - it shows up in the logs (blocked after three attempts), though none of them are under valid usernames, let alone anything else
--- old post above --- --- new post below ---
Just purposely locked myself out and haven't had an email telling me thus far
 

dgl

Established Member
Joined
5 Oct 2014
Messages
2,609
I have had emails purporting to come from my domain ([email protected] or something) yet there is only one email account attached to the domain and it is not that. Unfortunately for them I am not as stupid as they think.

Another big advantage is to have a password that not only contains letters and numbers but symbols as well, which makes a dictionary hack much more difficult.
 

dosxuk

Established Member
Joined
2 Jan 2011
Messages
2,079
Another big advantage is to have a password that not only contains letters and numbers but symbols as well, which makes a dictionary hack much more difficult.

Although the common symbol / number substitutions are also easily checked for - for each dictionary word you'd try different combinations of uppercase / lowercase and symbolic representations of each letter. An "S" in the dictionary word would also be tested with "s", "$" and "5" as alternate characters. An "A" would also test "a", "@" and "4" and so on.

So a password like "superdupermarmalade" is actually better than "r0$eS", because the former is much longer (meaning many more possibilities to test) and even with character substitutions, still doesn't appear in a dictionary, with a bonus of being easier to remember.
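An added example, not part of any post in this thread: the kind of check a site could run on a new password to catch the substitution trick described in the post above. The wordlist is a constructed stand-in, and every substitution beyond the S/A ones named in the post is an assumption.

```python
import math
import string

# Substitutions named in the post (S -> $ / 5, A -> @ / 4) plus a few
# common ones assumed here; "0" -> "o" is needed for the post's "r0$eS".
LEET = str.maketrans({"$": "s", "5": "s", "@": "a", "4": "a",
                      "0": "o", "3": "e", "1": "i", "!": "i", "7": "t"})

# Constructed stand-in for a real wordlist (assumption).
WORDLIST = {"rose", "roses", "password", "marmalade", "dragon", "letmein"}


def normalise(password):
    """Undo case changes and symbol/number substitutions."""
    return password.lower().translate(LEET)


def is_dictionary_based(password, wordlist=WORDLIST):
    """True if the password is a wordlist entry once substitutions are
    undone, with or without trailing digits/punctuation."""
    stripped = password.rstrip(string.digits + "!?.*#")
    return normalise(password) in wordlist or normalise(stripped) in wordlist


def brute_force_bits(password):
    """log2 of the search space for every string of this length over the
    character classes used. An upper bound: it only means something when
    the dictionary check above has come back False."""
    alphabet = 0
    for chars in (string.ascii_lowercase, string.ascii_uppercase,
                  string.digits, string.punctuation):
        if any(c in chars for c in password):
            alphabet += len(chars)
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def assess(password):
    return {"dictionary_based": is_dictionary_based(password),
            "brute_force_bits": round(brute_force_bits(password), 1)}


if __name__ == "__main__":
    for pw in ("r0$eS", "superdupermarmalade"):
        print(pw, assess(pw))
```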
 

LexyBoy

Established Member
Joined
23 Jan 2009
Messages
4,478
Location
North of the rivers
... or correct horse battery staple :) Unfortunately many sites now require you to use characters from two or three different sets (caps, symbols etc) - annoying if it's a site you don't need to worry about security on.

Another big advantage is to have a password that not only contains letters and numbers but symbols as well, which makes a dictionary hack much more difficult.

How common is this though? My feeling is that you're much more at risk from keyscrapers (minimise by keeping your devices clean) and servers being hacked (unavoidable) than from brute-force hacks. Unless someone has a particular reason for targeting you.

Most importantly, don't use the same password for everything! In particular, email, and any site that has access to your finances.

Bill EWS, did the email ask you to take any action? If there's a link then certainly be suspicious, if not then I'm not sure what it would be (given Crossover's observations).
 

Merseysider

Established Member
Fares Advisor
Joined
22 Jan 2014
Messages
5,532
Location
Birmingham
I've just had one of these emails;
RUKF said:
Dear JakeF,

Someone has tried to log into your account on RailUK Forums with an incorrect password at least 5 times. This person has been prevented from attempting to login to your account for the next 15 minutes.

The person trying to log into your account had the following IP address: 117.174.192.179

All the best,
RailUK Forums
and I only ever use my iPhone to access the forum
 

Mike395

Forum Staff
Staff Member
Administrator
Joined
23 May 2009
Messages
3,101
Location
Bedford
Can I ask anyone who gets one of these to forward it to mikeATrailforumsDOTcoDOTuk :) I'd be interested to see if the IP addresses are from the same range... I have suspicions...

Thanks!
 

Mojo

Forum Staff
Staff Member
Administrator
Joined
7 Aug 2005
Messages
20,810
Location
0035
I probably wouldn't worry about it too much; a search on Google for this issue seems to relate to it happening on other forums but nothing bad ever coming out of it, especially given that we use a "strikes" system to lock out people after 5 incorrect attempts, for 15 Min.

But as to the questions, you do get a PM after 5 incorrect attempts, but it is For Your Information only, there are no links or any prompts for you to take any action. So if you do get one asking for you to visit a website then that would of course be an issue which you should rightly be vigilant about.

It might be wise however to ensure that you have a secure password, as others have suggested.
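An added sketch, not the forum software's own code, of the "strikes" lockout described in the post above: 5 incorrect attempts, then 15 minutes locked out, with an information-only notice. Keying the lock on the (username, IP address) pair is an assumption taken from the notification's wording ("This person has been prevented..."); the class and method names are hypothetical.

```python
import time

MAX_STRIKES = 5             # "after 5 incorrect attempts"
LOCKOUT_SECONDS = 15 * 60   # "for 15 Min."


class StrikeLimiter:
    def __init__(self, clock=time.time):
        self.clock = clock    # injectable so the lockout can be tested
        self.state = {}       # (username, ip) -> (strike count, locked_until)
        self.notices = []     # pairs for which an FYI notice would be sent

    def attempt(self, username, ip, password_ok):
        """Record one login attempt; returns 'ok', 'failed' or 'locked'."""
        key = (username.lower(), ip)
        now = self.clock()
        count, locked_until = self.state.get(key, (0, 0.0))
        if now < locked_until:
            # Refused even if the password is right: a locked-out guesser
            # learns nothing from further attempts.
            return "locked"
        if password_ok:
            self.state.pop(key, None)
            return "ok"
        count += 1
        if count >= MAX_STRIKES:
            self.state[key] = (0, now + LOCKOUT_SECONDS)
            self.notices.append(key)   # notice carries no links, only the IP
        else:
            # Simplification (assumption): strikes persist until a success.
            self.state[key] = (count, 0.0)
        return "failed"


if __name__ == "__main__":
    limiter = StrikeLimiter()
    # Constructed input: documentation-range addresses, made-up username.
    for _ in range(5):
        print(limiter.attempt("example_user", "203.0.113.7", False))
    print(limiter.attempt("example_user", "203.0.113.7", True))   # locked
    print(limiter.attempt("example_user", "198.51.100.9", True))  # ok
```

Because the lock follows the source address, the account owner can still log in from elsewhere, but a guesser spread over many addresses gets five tries from each, so the password itself still has to be strong.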
 

Crossover

Established Member
Joined
4 Jun 2009
Messages
9,391
Location
Yorkshire
The PMs must be only if you have notifications turned on - I locked myself out the other day and didn't get an email or such. Even if you are locked out, if you are authenticated already on another device, that seems to continue to work OK :)
 

rdeez

Member
Joined
7 Apr 2013
Messages
354
I got the same email yesterday.

The IP address appears to belong to China Mobile.
 

SoonToBeMrsS

Member
Joined
14 Sep 2013
Messages
6
So...

Who did it? Who tried logging in to my account 5 times within the last 20 minutes, huh? <(

I have your IP address.... <D

Anyone??

:?::?::?:
 

BlueFox

Member
Joined
20 May 2013
Messages
759
Location
Carlisle
Probably an automated bot trying a brute force attack. Nothing to be concerned about if you have a secure password.
On the forums I run the IP is usually from somewhere like China or eastern Europe.

There are add-ons available that the forum administrators could install to make attacks like this more difficult.
 

ShaunRigby

Member
Joined
19 Apr 2012
Messages
6
Location
North
Hi,

I registered for this forum some time ago, however, due to personal circumstances never got round to using it, then eventually forgetting that I had registered for it. :oops: Sorry!

Anyway, today, I received a notification that somebody had tried to login to my account, but was then blocked for the next 15 minutes.

It may be sheer coincidence that the hacker has correctly guessed my username, however, as a matter of security, I would ask that the site owners/administrators review their site security behind-the-scenes and investigate if the site database has been compromised.

I would recommend that users change their passwords, using password best practice such as mixing upper and lower case, including symbols and numbers too.

As I say, this could be coincidence that a hacker has tried to login under a "guessed" username, however, considering that they have tried at least 5 times to login with the same username would suggest that they know that the username is correct.

Thanks
 

me123

Established Member
Joined
9 Jul 2007
Messages
8,510
It wouldn't be that hard for a (very unskilled) hacker to try to hack any of our accounts. All you need to do is put in the user name (for someone like me, it's easy to come across, but for yourself it is still publicly accessible on the members list) and guess at some of the most common passwords. However, it is an inefficient way of working and demonstrates poor hacking skills.

I have no reason to change my password based on this. Mine is secure enough, and I'm not convinced that this person is posing a genuine threat. If they were, they'd have actually hacked into your account.
 

vicbury

Member
Joined
17 Mar 2012
Messages
989
Location
Bristol
Related to this I am concerned that the login pages aren't delivered over secure connections; indeed one can login on any page, none of which are delivered over HTTPS.

The moderators/administrators may want to read this page which details the security concerns regarding unsecured login pages:

In order for the secure login form to protect you, both the page that displays the login form and the page the form is being submitted to need to be HTTPS.

Many of the biggest sites on the Web have non-HTTPS pages hosting the actual login form, even if they submit the login info to an HTTPS page.

The moderators should consider switching the whole site to HTTPS if the site continues to have a login form on every page.
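An added example, not from the page the post links to: a check that applies the rule quoted above, that both the page showing the login form and the URL it submits to must be HTTPS (a form served over plain HTTP can be altered in transit, including its submit target). The host name and HTML are constructed sample input.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class LoginFormFinder(HTMLParser):
    """Collects each <form> and whether it contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []      # one [action, has_password_field] per form
        self._open = None    # the form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._open = [attrs.get("action") or "", False]
            self.forms.append(self._open)
        elif (tag == "input" and self._open is not None
              and (attrs.get("type") or "").lower() == "password"):
            self._open[1] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None


def audit_login_forms(page_url, html):
    """One result per form with a password field; 'ok' needs HTTPS on both
    the hosting page and the resolved submit target."""
    finder = LoginFormFinder()
    finder.feed(html)
    page_https = urlparse(page_url).scheme == "https"
    results = []
    for action, has_password in finder.forms:
        if not has_password:
            continue
        target = urljoin(page_url, action)   # empty action posts to the page
        submit_https = urlparse(target).scheme == "https"
        results.append({"target": target, "page_https": page_https,
                        "submit_https": submit_https,
                        "ok": page_https and submit_https})
    return results


# Constructed sample: a search form plus a login form that posts to HTTPS.
SAMPLE_HTML = """
<form action="search.php"><input type="text" name="q"></form>
<form action="https://forum.example/login.php" method="post">
  <input type="text" name="username"><input type="password" name="password"/>
</form>
"""

if __name__ == "__main__":
    print(audit_login_forms("http://forum.example/index.php", SAMPLE_HTML))
    print(audit_login_forms("https://forum.example/index.php", SAMPLE_HTML))
```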
 

Merseysider

Established Member
Fares Advisor
Joined
22 Jan 2014
Messages
5,532
Location
Birmingham
Believe it or not, hackers are constantly trying to gain access to your other accounts like Outlook, Twitter, and online banking. With the exception of the last one, you typically won't be notified after a few failed attempts to login. So the fact you haven't actually been hacked, and have got a notification about it, is nothing to be worried about if you choose a strong password.

This thread runs in a similar vein.
 

PermitToTravel

Established Member
Joined
21 Dec 2011
Messages
3,042
Location
Groningen
Related to this I am concerned that the login pages aren't delivered over secure connections; indeed one can login on any page, none of which are delivered over HTTPS.

The moderators/administrators may want to read this page which details the security concerns regarding unsecured login pages:



The moderators should consider switching the whole site to HTTPS if the site continues to have a login form on every page.

It's almost certainly unrelated to the OP's problem, but it's amusing to note that the site actually earns bonus points for not even sending login details encrypted!
 

snail

Established Member
Joined
16 Jun 2011
Messages
1,850
Location
t'North
Can you be certain it was deliberate?

One of the common causes for people requiring a password reset in my line of work is because someone else is convinced their username is ABC when in fact it's ABC1. So their account is fine, it's the unsuspecting other user they have locked out! It's when they call to get a password reset that their error is politely pointed out to them.
 

maniacmartin

Established Member
Fares Advisor
Joined
15 May 2012
Messages
5,416
Location
Croydon
I would be in favour of having a login page that is protected by SSL, but only if a non-SSL option was retained. When out and about, often patchy signal means that the SSL negotiation will fail, yet plain http works for me.

As for the attempted login above, it was almost certainly a bot going through the members list page. The location of this page is common across many vBulletin boards. I wouldn't worry about it if you have a secure password.
 

digitaltoast

Member
Joined
19 May 2008
Messages
132
Got notifications this morning that someone had tried multiple (failed) attempts to get into my account. Good luck having my 130 bit password! Although I've now changed it, I got locked out a couple of times while I discovered what the character limit was.

Eventually I just went for a 30 character 180 bit alphanumeric, as anything bigger than that SEEMED to accept OK as a new password, but then wouldn't let me log back in.

A quick note about "your password can be x characters max and may/may not include special characters" would be useful!
 

Crossover

Established Member
Joined
4 Jun 2009
Messages
9,391
Location
Yorkshire
It happens occasionally - more than likely a bot attempting it
There was a thread not so long since along similar lines
 

Mike395

Forum Staff
Staff Member
Administrator
Joined
23 May 2009
Messages
3,101
Location
Bedford
It seems like a co-ordinated automated attack on many, many forums across the internet - I wouldn't worry too much, just ensure you have taken the usual precautions - primarily choosing a secure password, ideally not based on any dictionary word. :)
 