Blocking botnet and improved registration security with reCaptcha

Dear Our Security Followers!

We discovered and banned all botnet accounts in our system. Added reCaptcha to our registration system to prevent spamming.

In our scheduled system check, we noticed that some users added “Hict” to their names (e.g. KesarHict, AdelineHict). After checking those users, it turned out that there are more than 650 such accounts in our system. Every day, there are 20 to 30 new accounts with the same ending were created. All such accounts were registered via email. This was a problem for us.

We began to investigate why someone needed so many accounts in our system and how they were used. We checked the logs of those users and found out that after registration, there was no other activity happened. We discovered that all the account requests came from the same subnet of several IP addresses.

After deeply checking some of those IP addresses, we found out that they were also in the blacklists of spammers. It turned out to be a botnet that attacks target users’ email inboxes. By creating a large amount of accounts, the botnet caused a stream of system emails sent from us to the email addresses that were used for registration. It threatened our mailing service to go into spamming list mistakenly and our mailing service might be suspended by our service provider.

As a result, we:

✅ deactivated all botnet accounts in our Sharpay system
✅ added reCaptcha in our signup form
✅ and blocked all the IP addresses that were used for spamming.

We will continue to monitor unusual activities in our system and give our users the best service.

In Security We Trust! Team