Old 11-06-2013, 05:19 AM   #1
Femjoy Michael
Confirmed User
 
Join Date: Sep 2012
Posts: 171
Stolen Passwords How To Find Them and Prevent Them

I saw this thread:
https://gfy.com/showthread.php?p=19861288

and was rather surprised by the responses. If you run a paysite, it's important to prevent stolen accounts and password abuse. Bandwidth isn't as expensive, but server load can be deadlier. Paying customers want a site that loads fast and downloads faster.

The basic solution is to purchase specialized software or program your own to detect stolen accounts and block them. Strongbox https://www.bettercgi.com/strongbox/ is often recommended.

But what if you are just starting out and can't afford $269? Or you want more specific details? Or you do have a password solution but it isn't online yet and you need information NOW? I'll show you what I did on Femjoy / Joymii to detect stolen accounts. I've shared this with other program owners and I invite you to share your methods so we can all learn.

1. Install Google Analytics and Track Your Member Pages
I'm constantly surprised how many program owners do not track their members area. You should do it now. You get really useful insight into your member behavior. Once we did, something was obviously amiss. We had 15X the number of uniques per day, as we had members. For most paysites, your daily traffic should be 1/3 to 1/2 of your total member count.

2. Check Out Your Referrals.
There are two places:
Real-Time -> Overview -> Top Referrals.
Take this route instead of "traffic sources" because you can see the full urls of where the incoming traffic is from. You can see the exact pages where stolen passwords and logins are posted.

and

Acquisition -> All Referrals
Go here to catch the rest or the ones from the previous days. Referrals with low bounce rates mean working passes.

If at this point you can't afford strongbox or your solution isn't ready yet, you can easily catch 95% of the stolen accounts by manually finding them in this manner, and shutting them down. Most are reposts from the bigger forums so taking down the ones posted on the big sites usually does the trick.

When you first start doing this, you'll only find a couple of accounts. Taking them down gives you breathing room for days. But then the number of stolen accounts starts increasing. If you are a medium-size site, as you take down the stolen accounts, the hackers get more aggressive and post new accounts more frequently, to the point that manually doing this requires checking at regular intervals during your day. That's inefficient. So do this:

3. Get Strongbox or Similar Solution
Get it. It's one of your best investments. You'll earn back the costs within a day if you are small-medium.

4. Google your site/domain
Open an incognito window/private window in your browser. Go to Google and do a search of your site name and domain. If any pages with stolen passes for your site show up within the first 2 pages of results, DMCA Google immediately. Repeat the process for more refinement using "sitename.com passes", "sitename.com passwords", or something to that effect.

Here's what our member area traffic looked like before and after:



Finally, here are some of the big password sharing sites/forums

http://porn-w.org
http://dixvi.com
http://crackingforum.com
http://passlot.com
http://mygully.com
http://bugmenot.com

There is one other site, but I forgot the address because it uses "ganuurl.com" as the referral/redirect. I'll update this list once I remember. Pretty much taking down your stuff from these sites will do the trick, and any that show up as pastebin or similar.

SteveLightspeed had a comprehensive list from last year
https://gfy.com/showthread.php?t=1066323
but you don't have to go through them every day. The most efficient way is to check where the majority of your traffic is coming from in analytics.

Best of luck
Old 11-06-2013, 05:43 AM   #2
Sexier
Confirmed User
 
Join Date: Sep 2010
Location: Celt-Iberia
Posts: 364
Excellent Michael
__________________
Webmasters Contact: | skype: jp_sexier
Old 11-06-2013, 05:53 AM   #3
Mutt
Too lazy to set a custom title
 
Join Date: Sep 2002
Posts: 34,431
Quote:
Originally Posted by Femjoy Michael View Post
We had 15X the number of uniques per day, as we had members. For most paysites, your daily traffic should be 1/3 to 1/2 of your total member count.
If Femjoy's members area had 15X more visitors than its member count then it would seem Strongbox or whatever solution they are using isn't doing a very good job.

I don't have GA in members areas, good idea though and I will install it.
__________________
I moved my sites to Vacares Hosting. I've saved money, my hair is thicker, lost some weight too! Thanks Sly!
Old 11-06-2013, 07:21 AM   #4
Femjoy Michael
Confirmed User
 
Join Date: Sep 2012
Posts: 171
Quote:
Originally Posted by Mutt View Post
If Femjoy's members area had 15X more visitors than its member count then it would seem Strongbox or whatever solution they are using isn't doing a very good job.

I don't have GA in members areas, good idea though and I will install it.
I forgot what we had before, but it was the competitor to strongbox and it was not working for us at all. It had too many false positives so we turned it off entirely.
At the time, the programmers on our team were not analytics guys and not aware of the extent of the problem. They figured it was only a handful of stolen accounts. After the bad experience with the previous software, the development team decided to program an in-house solution which was pushed back because it was deemed low priority.
__________________
Our sites:
Femjoy.com - Softcore Nude Art featuring 100% All natural models
Joymii.com - pioneers in cinematic erotica and passion
Promote some of the most-respected, and best-converting sites in the erotica niche (as proven by affiliates who have promoted our sites and others). Sign up at http://cash.femjoy.com
Old 11-06-2013, 07:25 AM   #5
tony286
lurker
 
Join Date: Aug 2002
Location: atlanta
Posts: 57,021
I like password sentry and his customer service is second to none.
Old 11-06-2013, 07:45 AM   #6
SplatterMaster
Confirmed User
 
Join Date: Jan 2012
Location: cyberspace
Posts: 790
Quote:
Originally Posted by tony286 View Post
I like password sentry and his customer service is second to none.
I have to admit PS customer service is excellent.

Nice post Michael. If you’re a webmaster and have never looked at your server traffic logs, I highly suggest you do. What you see may surprise you. Not only will you see passwords being shared but you’ll also see brute force attacks of hackers/pirates trying to test known username and passwords.
Old 11-06-2013, 07:48 AM   #7
johnuno11
Confirmed User
 
 
Join Date: Nov 2007
Location: Tampa, FL
Posts: 692
thanks for the info.
__________________
Monetize With iStrippers Future VR Adult Technology 2021, I earn $200+ a month for the last 10 years. Simply by Promoting one brand in your signature link...
Old 11-06-2013, 08:00 AM   #8
lucas131
¯\_(ツ)_/¯
 
Join Date: Aug 2004
Posts: 11,475
Quote:
Originally Posted by SplatterMaster View Post
I have to admit PS customer service is excellent.

Nice post Michael. If you're a webmaster and have never looked at your server traffic logs, I highly suggest you do. What you see may surprise you. Not only will you see passwords being shared but you'll also see brute force attacks of hackers/pirates trying to test known username and passwords.
it is called combolist, combination of user:pass. fresh ones taken from unsecure paysite can make many logins to other sites, as many members use same combo everywhere. now, unsecure sites may be a damage for those whose owners care
Old 11-06-2013, 08:06 AM   #9
SplatterMaster
Confirmed User
 
Join Date: Jan 2012
Location: cyberspace
Posts: 790
Quote:
Originally Posted by lucas131 View Post
it is called combolist, combination of user:pass. fresh ones taken from unsecure paysite can make many logins to other sites, as many members use same combo everywhere. now, unsecure sites may be a damage for those whose owners care
Good to know the term Lucas. Thanks
Old 11-06-2013, 08:19 AM   #10
WetandPuffy
Confirmed User
 
Join Date: Aug 2009
Location: UK
Posts: 551
Very interesting thread.

I definitely need to get GA into my members area.

I have been noticing high server loads recently and maybe this is the cause.

When you have time could you hit me up Michael, would love to talk some biz with you.

Regards
__________________
Wayne.

Our Sites: Puffynetwork.com - Wetandpuffy.com - Wetandpissy.com - Weliketosuck.com
Skype: wetandpuffy
E-mail: wayne@wetandpuffy,com
Icq: 449385285

Puffynetwork.com - "Porn the way it should be"
Old 11-06-2013, 08:28 AM   #11
AdultKing
Raise Your Weapon
 
Join Date: Jun 2003
Location: Outback Australia
Posts: 15,601
Please report stolen password sites here also

https://copycontrol.org/report-piracy
Old 11-06-2013, 09:39 AM   #12
Nancy M00re
Pegas Productions
 
Join Date: Nov 2003
Location: Montreal, Canada
Posts: 2,280
Another one with stolen U/P here:
http://www.box.wixvi.com/2013/
__________________
www.pegasmoney.com
www.chickpasscash.com
Telegram: @Nancym00re
Old 11-06-2013, 10:03 AM   #13
Captain Kawaii
So Fucking Banned
 
Join Date: Oct 2007
Posts: 6,748
Great thread. Thank youssssss to the OP.
Old 11-06-2013, 10:08 AM   #14
vdbucks
Monger Cash
 
Join Date: Jul 2010
Posts: 2,773
What do we do if we run our sites on nginx?
Old 11-06-2013, 11:32 AM   #15
Femjoy Michael
Confirmed User
 
Join Date: Sep 2012
Posts: 171
Quote:
Originally Posted by SplatterMaster View Post
Nice post Michael. If you're a webmaster and have never looked at your server traffic logs, I highly suggest you do. What you see may surprise you. Not only will you see passwords being shared but you'll also see brute force attacks of hackers/pirates trying to test known username and passwords.
Very good point SplatterMaster.
A properly written piece of software will not just look for multiple IPs, but also restrict login attempts. We do occasionally look at our server logs for abnormalities. For example, we discovered a backdoor was exploited a few months back. The hacker also attacked our friends at DDF so we shared the info and fixed the problem.
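The signals raised in this thread (outside referrers landing in the members area, one login seen from many IPs, repeated failed logins from one IP) can all be read from the server access log. The script below is an added example, not code from any poster or from the products named here; it assumes the "combined" log format, HTTP basic auth, a `/members/` path, and a hypothetical host name and thresholds.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Assumptions, not from the thread: "combined" access log format, HTTP basic
# auth (so the username is logged), member content served under /members/.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "\S+ (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)"'
)
OWN_HOST = "members.example.com"  # hypothetical site host
MAX_IPS_PER_USER = 3              # hypothetical thresholds, tune per site
MAX_FAILS_PER_IP = 5

def _line(ip, user, status, ref="-"):
    # Builds one constructed log line for the sample below.
    return (f'{ip} - {user} [06/Nov/2013:05:19:00 +0000] '
            f'"GET /members/index.html HTTP/1.1" {status} 512 "{ref}" "Mozilla/5.0"')

# Constructed sample: one login used from 5 IPs via a forum link, one normal
# member, and one IP failing authentication 8 times.
SAMPLE_LOG = "\n".join(
    [_line(f"198.51.100.{i}", "alice", 200, "http://forum.example.net/thread/42")
     for i in range(1, 6)]
    + [_line("192.0.2.7", "bob", 200, "http://members.example.com/home")]
    + [_line("203.0.113.9", f"guess{i}", 401) for i in range(8)]
)

def analyze(log_text):
    ips_by_user, fails_by_ip, ext_refs = defaultdict(set), defaultdict(int), defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["path"].startswith("/members/"):
            continue
        if m["status"] == "401":          # failed login attempt
            fails_by_ip[m["ip"]] += 1
            continue
        if m["user"] != "-":
            ips_by_user[m["user"]].add(m["ip"])
        host = urlparse(m["ref"]).hostname
        if host and host != OWN_HOST:     # arrived from another site
            ext_refs[m["ref"]] += 1
    return {
        "shared_accounts": sorted(u for u, ips in ips_by_user.items()
                                  if len(ips) > MAX_IPS_PER_USER),
        "bruteforce_ips": sorted(ip for ip, n in fails_by_ip.items()
                                 if n > MAX_FAILS_PER_IP),
        "external_referrers": dict(ext_refs),
    }
```

Call `analyze()` on the text of a real access log; the full referrer URLs it returns are the pages to review for posted logins.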
Old 11-06-2013, 04:50 PM   #16
ladida
Confirmed User
 
 
Join Date: Nov 2005
Posts: 2,167
Quote:
Originally Posted by Femjoy Michael View Post
For example, we discovered a backdoor was exploited a few months back. The hacker also attacked our friends at DDF so we shared the info and fixed the problem.
I'll bet you have not. If you had a breach, you still have it. 100% positive on this.
__________________
agentGFY *at* gmail.com
Old 11-07-2013, 01:10 AM   #17
Femjoy Michael
Confirmed User
 
Join Date: Sep 2012
Posts: 171
Quote:
Originally Posted by ladida View Post
I'll bet you have not. If you had a breach, you still have it. 100% positive on this.
LOL. Isn't that like saying, "I'm 100% the sky is blue"?
That particular exploit is fixed, as well as a few others when we had a tech security team in to service our servers.

So Ladida brings up a good point: by the time you reach 500 members, invest in backup systems immediately. Get them as soon as you can afford it, but at 500, you have no reason not to. But that is a topic for another thread with someone with more knowledge about that.
Old 11-07-2013, 01:15 AM   #18
bean-aid
So Fucking Banned
 
Join Date: Jun 2011
Location: the land of woke sleuths
Posts: 16,493
Ask Teencat... he knows how to hack them, and how to prevent them.