I’m a full-stack web developer working in a small startup and have been wearing many hats as a result. I am by no means a cyber or information security expert. I’m looking for a general evaluation of severity and potential steps I can take as we seem to have been probed by a phishing botnet which is more advanced than what I am used to.
My application is a small MVP, LAMP stack and deployed on AWS a few weeks ago. It hasn’t been promoted or publicized in any way. Nevertheless, I seemed to be getting scraped by various bots, and this wasn’t a concern for me because in my experience this is a common occurrence once you network your deployment on a popular service like AWS.
Then, I noticed something more unusual in my experience, which is some spammy logins and account creation. Still, nothing too concerning because at the application level we have appropriate roles for new users and I was pretty confident this was just going to be an annoyance.
Finally, I started noticing similar emails pop up in the list I identified as spam. Pretty soon I noticed a pattern – they were all @gmail and all the same accounts – except they had “.” (periods) in randomly different places. Now I know this means, according to Gmail, that it goes to the same email address.
But then I got concerned that it was going to be a phishing attack because someone could take my email and append a dot in the middle and send emails my way from their account. I thought also if they established an XSS attack they could use this to direct me more easily to the page, and I’m sure there are other things they could do.
A couple notes about these accounts: they weren’t the kinds of bots (if it was a bot) I am used to. The different variations of the same address were small in volume, only three and spread out over several days. When I traced the IP it came back as being on a blacklist associated with the Avalanche botnet. At this point I was a bit intimidated but I couldn’t find any information specifically on Avalanche and this gmail quirk. I also read that Avalanche had largely been taken down by the authorities, so was a bit concerned about this as well.
To pin down my question:
1) Given the nature of the account creation – was it a human being doing this or likely a bot? Was I targeted specifically or is this bot just hitting all AWS IPs, for example? Is the Avalanche bot advanced enough to space out the account creation so it doesn’t look like the more obvious bots and spam attacks?
2) I feel like another shoe has to drop here – obviously I can quickly create some application logic to stop treating Gmail and other emails with dots as separate accounts – but that in and of itself seems like their setup, not their final play. Should I be worried about other exploits on my system? I have set up proper security groups, SSH keys, SSL and have separate servers for my different services.
3) How worried should I be? Is this just part of life on the internet? I just have never seen this bot before and am worried this is only part 1 of a targeted attack – again we have only about 20 users in the database – most of whom are internal company accounts. So I’m worried that we are already dealing with this kind of attack at our small scale.
4) What can I do to mitigate this kind of phishing attack beyond sanitizing the dots thing? Are there some canonical resources for these kinds of exploits? I didn’t think about the dots until after I noticed the similarities in the three emails.
EDIT: I should mention I am still going through the logs and trying to find what else this IP/user/bot was doing besides creating these accounts… but my guess is I won’t find much and it is a lot to go through because of how my AWS is spacing out the logs and the fact that we were testing a load balancer for a while.
Thank you so much 🙂
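The "application logic" the question mentions for collapsing dotted Gmail variants is email canonicalization for duplicate-account detection. The following is an added example, not code from the original post; it is written in Python for illustration (the LAMP application would port the same rules to PHP), and the sample signups are constructed to mirror the pattern described above. It assumes gmail.com and googlemail.com deliver to the same mailbox and that `+tag` sub-addressing is ignored by the provider.

```python
from typing import Dict, Iterable, List, Optional

# Domains whose mailboxes ignore dots in the local part (assumption: both
# are Google-hosted and route to the same account).
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(address: str) -> Optional[str]:
    """Return a canonical key for duplicate checks, or None if malformed.

    The key is for comparison only; the address as entered is what you
    would still store and send mail to.
    """
    addr = address.strip().lower()
    if addr.count("@") != 1:
        return None
    local, domain = addr.split("@")
    if not local or not domain:
        return None
    # Sub-addressing: Gmail (and many providers) ignore everything after '+'.
    local = local.split("+", 1)[0]
    if domain in GMAIL_DOMAINS:
        # Gmail treats j.ane.doe and janedoe as the same mailbox.
        local = local.replace(".", "")
        domain = "gmail.com"
    # For other domains dots are significant, so the local part is kept as-is.
    return f"{local}@{domain}"


def find_duplicate_signups(addresses: Iterable[str]) -> Dict[str, List[str]]:
    """Group raw signup addresses by canonical key; return keys with >1 variant."""
    groups: Dict[str, List[str]] = {}
    for raw in addresses:
        key = canonical_email(raw)
        if key is None:
            continue  # malformed input is skipped, not grouped
        groups.setdefault(key, []).append(raw)
    return {key: variants for key, variants in groups.items() if len(variants) > 1}


# Constructed sample signups modelled on the dotted-variant pattern in the question.
SAMPLE_SIGNUPS = [
    "jane.doe@gmail.com",
    "j.ane.doe@gmail.com",
    "janedoe@googlemail.com",
    "janedoe+promo@gmail.com",
    "jane.doe@example.com",  # not Gmail: dots are significant, stays distinct
    "bob@example.com",
]

if __name__ == "__main__":
    for key, variants in find_duplicate_signups(SAMPLE_SIGNUPS).items():
        print(f"{key}: {len(variants)} variants -> {variants}")
```

Running the check at signup (reject or flag when the canonical key already exists) and as a one-off query over the existing users table surfaces the three accounts described in the question as a single mailbox.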