Discussion (55 Comments)
For example -- let's say you offer $100 in free AWS credits by signing up to your platform. Expect a malicious user to eventually come to your platform, realize they can resell those $100 in credits for $50, and start using your platform for their own gain. Unless the mechanisms you add in place to reduce fraud / second sign-ups / etc. are greater than the value that they are receiving ($50), they will continue.
With sites where the platform is free, the math almost always makes sense for these malicious users to eventually abuse. In this case it was leveraging the email reputation of another domain at no cost to their own (along with the added value of anyone getting phished), but on other sites it's public profiles being used for backlinks / spam, etc.
Bonus abuse is a small shop, whereas phishing through third-party services is much more likely to be an organized crime group.
With organized criminals, you can't actually see what the abuse is 'worth' to them. And they can escalate almost infinitely: mimicking real user behavior, routing through residential IP proxies, using email addresses with established reputation, and at the top of the pyramid we've seen full mimics with real social network profiles and activity; they even answer phone calls.
That's why it's worth collecting events before acting: what the account is about, which IP network they use, whether they fake devices, whether there's any warmup prior to registration. Because that's what helps estimate whether your mitigation will actually work, and lets you respond in a balanced manner instead of under- or over-reacting.
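One way to turn that advice into a concrete check, as an added example that is not part of the thread: it scans a constructed event log for two of the signals named above, a large invite batch sent with no warmup after signup, and a burst of signups from one network. The thresholds and log format are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample event log (not the article's real data): timestamp, event type,
# workspace id, client /24 network, number of invitations sent in the batch.
SAMPLE_LOG = """\
2024-05-01T10:00:00 signup ws-001 203.0.113.0/24 0
2024-05-01T10:00:07 invite ws-001 203.0.113.0/24 98
2024-05-01T10:00:40 signup ws-002 203.0.113.0/24 0
2024-05-01T10:00:46 invite ws-002 203.0.113.0/24 104
2024-05-01T10:01:15 signup ws-003 203.0.113.0/24 0
2024-05-01T10:01:21 invite ws-003 203.0.113.0/24 97
2024-04-20T09:00:00 signup ws-100 198.51.100.0/24 0
2024-05-01T11:30:00 invite ws-100 198.51.100.0/24 12
"""

WARMUP = timedelta(minutes=10)   # a batch sent sooner than this after signup counts as "no warmup"
BATCH_LIMIT = 50                 # a single batch larger than this from a fresh account is suspicious
NET_WINDOW = timedelta(hours=1)  # window for counting signups per source network
NET_LIMIT = 3                    # signups from one network inside the window that trip the check

def parse(log):
    rows = []
    for line in log.strip().splitlines():
        ts, kind, ws, net, n = line.split()
        rows.append((datetime.fromisoformat(ts), kind, ws, net, int(n)))
    return sorted(rows)  # chronological order so window checks see only earlier events

def assess(log):
    """Return {workspace: [reasons]} for workspaces whose behaviour matches the abuse pattern."""
    rows = parse(log)
    signup_at = {ws: ts for ts, kind, ws, _, _ in rows if kind == "signup"}
    signups_by_net = defaultdict(list)
    flagged = defaultdict(list)
    for ts, kind, ws, net, n in rows:
        if kind == "signup":
            signups_by_net[net].append(ts)
            # the signup that brings the network over the limit inside the window is flagged
            recent = [t for t in signups_by_net[net] if ts - NET_WINDOW <= t <= ts]
            if len(recent) >= NET_LIMIT:
                flagged[ws].append(f"{len(recent)} signups from {net} within {NET_WINDOW}")
        elif kind == "invite":
            # large invite batch from an account that has not existed long enough to warm up
            age = ts - signup_at[ws]
            if age < WARMUP and n > BATCH_LIMIT:
                flagged[ws].append(f"batch of {n} invites {int(age.total_seconds())}s after signup")
    return dict(flagged)

if __name__ == "__main__":
    for ws, reasons in assess(SAMPLE_LOG).items():
        print(ws, "->", "; ".join(reasons))
```

The legitimate workspace ws-100, which signed up days earlier and sends a small batch, is left alone; the three fresh accounts from one /24 are flagged on both signals.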
I threw part of it into pangram to get a second opinion:
https://www.pangram.com/history/8d6a7de3-86ac-4ce0-86c5-4f93...
Pangram and everything like it is useless. The results are random on known samples.
was a dead giveaway in my mind when I read it.
> You want to know the benefits of free trade? Food is cheaper. Food is cheaper! Clothes are cheaper. Steel is cheaper. Cars are cheaper. Phone service is cheaper. You feel me building a rhythm here? That's because I'm a speech writer - I know how to make a point. It lowers prices, it raises income. You see what I did with 'lowers' and 'raises' there? It's called the science of listener attention. We did repetition, we did floating opposites, and now you end with the one that's not like the others. Ready? Free trade stops wars. Heh, and that's it.
It sounds like this: https://youtu.be/8dGkiJcEK78?si=MGfv2FM_GksGoMho
> There was no exploit. No vulnerability disclosure. No CVE for me to write. The attacker filled out my signup form 942 times, made 942 workspaces, sent 942 batches of about a hundred invitations each, and stopped. They used my tool exactly as designed. The design was just bad enough that the tool was good for phishing.
That made me wonder whether the project is entirely vibecoded as well.
Even for a project manager without network access, hosting flawed software on your LAN can only get you so far.
On the other hand, people say that AI models have tells that no actual person would do.
Which is it? You can't have it both ways.
I will say, I've grown bored of folks complaining about AI generated content. But, to each their own. Good luck storming the castle.
1. You are not alone, this happens at a large scale across the board with companies of all sizes.
2. More than likely the abuser did not do it manually; more than likely they automated it.
3. As a thoughtful business one may have rolled out all the authentication features/gates if the business picks up; as a starter, the safe idea could have been to put it behind any openly available OAuth provider.
You learn to not leave anything open to spammers AT ALL, to your product's detriment because once you're labeled a spammer in this way your product is dead.
I have a few small projects that I would love to serve publicly from my VPS. But I have put them behind strict logins (no signup) or put them in read-only mode, with (likely premature) rate limiting, fail2ban and cloudflare, for fear that a month of bandwidth gets used within minutes by an attacker. For the same reason, sometimes I only shared the source on github and let people deploy it themselves if they are interested.
I've dealt with these and similar issues over the last 8 years, which led our team to develop a security tool 5 years ago that is now open-sourced.
https://github.com/tirrenotechnologies/tirreno
I designed something that was "too open," and that "openness" was abused.
Sadly, spammers are why we can't have nice things; but that's been the case for decades. The incident I mentioned happened in the 1990s.
The good news is that once this happens to you, you learn your lesson.
I thought it was a perfectly cromulent article making a perfectly reasonable point.
The 14000 sends over 3 hours (< 1/s) makes it sound more-than-human speed, i.e. automated.
Wondering if LLM-assisted vulnerability hunting will lead to the same gains in scale for bad actors wanting to find spammable channels in applications. The barrier to entry becomes so much greater because any small project, once found, can be wrung dry of all its trust signals by third parties.
a) having an email-sending product typically meant you had a project with a lot of effort invested into it as well as knowledge.
b) the models, tokens spent and review done differ in the world of vibecoding, and there is a race to the bottom to produce, produce, produce. Quantity > quality.