While reviewing a client site, I recently noticed a small number of accounts had registered with spurious
lastName values such as:
firstName: You have 5 new messages from Patty:
lastName: http://www.nsbe.org/impakredirect.aspx?url=http://project1200995.tilda.ws
After some digging, it appeared these customers had legitimate email addresses, but had placed no orders and had not interacted with our site.
Looking at the logs, these addresses had received ‘welcome’ emails, which looked a bit like:
Hello, You have 5 new messages from Patty: http://www.nsbe.org/impakredirect.aspx?url=http://project1200995.tilda.ws
This reveals the scam.
A bad actor had obtained a list of legitimate email addresses, and they were using the site to send spam, by signing up accounts using a bot.
The accounts then receive a ‘welcome email’ containing the spam links.
We quickly implemented invisible reCAPTCHA on our signup form, and the problem disappeared.
Affected accounts were archived.
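
One way to find accounts like these in an existing customer table, or to reject them at signup, is to check the name fields for message-like text. The Python below is an added example, not code from the site described; the id and orders fields, the 40-character limit and the sample records are assumptions.

```python
import re

# Heuristics for text that does not belong in a personal-name field.
URL_RE = re.compile(r"(?i)(?:[a-z][a-z0-9+.-]*://|\bwww\.)\S+")
ODD_CHARS_RE = re.compile(r"[:/\\<>@]|\d")
MAX_NAME_LEN = 40  # assumed limit; tune against the site's real names


def name_problems(value):
    """Return the reasons a name value looks like injected message text."""
    value = value.strip()
    problems = []
    if URL_RE.search(value):
        problems.append("url")
    if len(value) > MAX_NAME_LEN:
        problems.append("too_long")
    if ODD_CHARS_RE.search(value):
        problems.append("odd_chars")
    return problems


def flag_accounts(accounts):
    """Map account id -> reasons, for accounts whose names look abused."""
    flagged = {}
    for acct in accounts:
        reasons = []
        for field in ("firstName", "lastName"):
            reasons += [f"{field}:{p}" for p in name_problems(acct.get(field) or "")]
        if reasons:
            # No orders fits the pattern described above: sign-up only.
            if acct.get("orders", 0) == 0:
                reasons.append("no_orders")
            flagged[acct["id"]] = reasons
    return flagged


# Constructed sample records; "id" and "orders" are assumed field names.
SAMPLE = [
    {"id": 1, "firstName": "Anne-Marie", "lastName": "O'Neil", "orders": 3},
    {"id": 2, "firstName": "You have 5 new messages from Patty:",
     "lastName": "http://redirect.example/r?url=http://spam.example", "orders": 0},
    {"id": 3, "firstName": "José", "lastName": "García", "orders": 0},
]

if __name__ == "__main__":
    for acct_id, reasons in flag_accounts(SAMPLE).items():
        print(acct_id, reasons)
```

The same name_problems check can run in the signup handler so that a flagged value never reaches the welcome email template.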