This is STRANGE !!!

[levely]

Just had 5 new registrations within an hour, which is unusual because we only get about 2 new members a day.

Here's the strange part. The new registrations were the EXACT same names as active members. I thought SMF blocked people from registering a name that is already in use?

Could this be a security issue?

I'm using 2.0.9 with the Reseller theme. 

[Arantor]

I would be surprised if they were the EXACT same names. Links to profiles or the member list if these are accessible to guests would be useful.

[Shambles]

Maybe they are changing their email addresses? Would that show up as a new registration on your forum?

It would on mine.

Just sayin'

[levely]

No, they were new accounts with 0 posts. Also, one of the usernames that was registered was mine and I'm the Admin on the forum.

I deleted the accounts immediately after I noticed a suspicious pattern.

[Burke ♞ Knight]

I'd figure the names just look the same, but really are not:

levely could also be done as leveIy and be easily seen as the same if not looked at closely.

[Arantor]

Which is why I wanted to look at what had happened.

[levely]

I'd figure the names just look the same, but really are not:

levely could also be done as leveIy and be easily seen as the same if not looked at closely.

No, I checked that carefully. It was the exact match for 2 usernames. If this is some sort of attack, I'm sure it will just get worse. I'll post an update if anything changes.

[Arantor]

I'm not being funny but how exactly did you determine it was an exact match?

There are characters you are not able to see. I thought I'd nailed them all previously. There are other ways characters can be impersonated but without examining them happening I can't work out if there is a vulnerability because all the evidence that would have told me what they were doing has been removed.

[levely]

I'm not being funny but how exactly did you determine it was an exact match?

I'm not trying to be funny either...I looked at it. All the characters were identical. For it to happen twice in the same hour, just raises my suspicions.

Then add in the fact that I got the DigiHelp virus this morning when I updated my CCleaner program and needless to say, I'm a little on edge.

[busterone]

If it happens again, instead of deleting them, allow one of the experts here an opportunity to investigate your forum. If there is a vulnerability, it would not only serve you and your forum to have it discovered, but the entire community would benefit from it.

[levely]

I just double checked the email I received from the forum. I copied and pasted it below.

Travіs has just signed up as a new member of your forum. Click the link below to
view their profile.

My username is Travis.

Here is the other:

auctionguу has just signed up as a new member of your forum. Click the link below to
view their profile.

There is an active member with the same username - lower case and all.


I tried to register my own username and the forum blocked the duplicate username from being created.

So, if someone had access to my password, could they somehow create a duplicate username?

[levely]

If it happens again, instead of deleting them, allow one of the experts here an opportunity to investigate your forum. If there is a vulnerability, it would not only serve you and your forum to have it discovered, but the entire community would benefit from it.

Yeah, I'll be actively monitoring every registration for a while to see if it happens again.

[Arantor]

Well, how about:

SELECT id_member, member_name, real_name, HEX(member_name), HEX(real_name) FROM smf_members WHERE id_member IN (x, y)

Substitute X and Y for your user id and the new registrant's id respectively.

[levely]

Just got another one. Username: Ꭰrew

It looks like they're using a different font in the D. Is this a different character in a foreign alphabet or something?

[Arantor]

This is why I asked for the HEX() characters

[Burke ♞ Knight]

That is what we have been trying to get through to you.
There are symbols and such that closely appear like normal, yet are different enough to make it past the name block....

This is why people need to start reading what we say, and doing as we ask, as we could have saved some time, if you'd just believe that the experts know what they are doing.

[levely]

I stand corrected. It was an illusion.

On to the next issue. Why would someone be registering names that are nearly identical to other forum members?

[Night09]

I stand corrected. It was an illusion.

On to the next issue. Why would someone be registering names that are nearly identical to other forum members?

Because they can

Bots will do a lot of strange things registering on forums. That may just be the bots way of picking similar usernames that wont stand out for longer giving them chance to either make minimum post count for link planting or in some cases just link planting.

You may come across old abandoned forums taken over by bots filled with millions of spam posts although its not as common now.

[Arantor]

Because people might think it's a bug in the forum software that has 'deregistered' their powers or something. It's not a new trick.

I would still be curious to know which characters are being used, because that could be something interesting to add to SMF: letting it be smarter about detecting duplicates.

[levely]

It appears to be the Cherokee alphabet.

http://en.wikipedia.org/wiki/Cherokee_syllabary

Ꭰ Ꭱ Ꭰ Ꭲ Ꭱ Ꭳ Ꭰ Ꭲ Ꭴ Ꭱ Ꭳ Ꭵ Ꭲ Ꭴ Ꭶ Ꭳ Ꭵ Ꭷ Ꭴ Ꭶ Ꭸ Ꭵ Ꭷ Ꭹ Ꭶ Ꭸ Ꭺ Ꭷ Ꭹ Ꭻ Ꭸ Ꭺ Ꭼ Ꭹ Ꭻ Ꭽ Ꭺ Ꭼ Ꭾ Ꭻ Ꭽ Ꭿ Ꭼ Ꭾ Ꮀ Ꭽ Ꭿ Ꮁ Ꭾ Ꮀ Ꮂ Ꭿ Ꮁ Ꮃ Ꮀ Ꮂ Ꮄ Ꮁ Ꮃ Ꮅ Ꮂ Ꮄ Ꮆ Ꮃ Ꮅ Ꮇ Ꮄ Ꮆ Ꮈ Ꮅ Ꮇ

[Arantor]

I was hoping you'd be running the query periodically so I can start assembling a list of such things

[Night09]

The D in question can be created in a few ways from what I see:

Code Select Expand

Unicode Hexadecimal: 0x13A0
Unicode Decimal: 5024
UCS-2 Hexadecimal: 0xA013
UCS-2 Decimal: 40979
HTML Hexadecimal: Ꭰ
HTML Decimal: Ꭰ

Source: http://www.unicodemap.org/details/0x13A0/index.html

Im noticing a struggle to get the HTML ones to show even in code quotes

[Arantor]

And there's even more ways than that

[Night09]

And there's even more ways than that

Its hard because in different countrys those letters are required or some forms of them.

[levely]

I modified my last post and I wasn't sure if you saw it.

It appears to be the Cherokee alphabet.

http://en.wikipedia.org/wiki/Cherokee_syllabary

Ꭰ Ꭱ Ꭰ Ꭲ Ꭱ Ꭳ Ꭰ Ꭲ Ꭴ Ꭱ Ꭳ Ꭵ Ꭲ Ꭴ Ꭶ Ꭳ Ꭵ Ꭷ Ꭴ Ꭶ Ꭸ Ꭵ Ꭷ Ꭹ Ꭶ Ꭸ Ꭺ Ꭷ Ꭹ Ꭻ Ꭸ Ꭺ Ꭼ Ꭹ Ꭻ Ꭽ Ꭺ Ꭼ Ꭾ Ꭻ Ꭽ Ꭿ Ꭼ Ꭾ Ꮀ Ꭽ Ꭿ Ꮁ Ꭾ Ꮀ Ꮂ Ꭿ Ꮁ Ꮃ Ꮀ Ꮂ Ꮄ Ꮁ Ꮃ Ꮅ Ꮂ Ꮄ Ꮆ Ꮃ Ꮅ Ꮇ Ꮄ Ꮆ Ꮈ Ꮅ Ꮇ

[Arantor]

I'm trying to see the ones you actually get from spammers to build up a profile of what the spammers are doing... not just a hypothetical list... 

[Night09]

I'm trying to see the ones you actually get from spammers to build up a profile of what the spammers are doing... not just a hypothetical list... 

Sorry I corrupted the OP's brain with a mission!

[Arantor]

Well, I'm thinking about doing a paid security suite mod for SMF which this could be part of, you see... but I would so much rather get actual profile data rather than guessing...

[Hristo]

The security questions I use are mix of Cyrillic and similarly looking Latin characters. I'm doing that as an obstacle for Google translate, so unless you know the language the questions are in it will be hard to even understand the question no matter how simple it is. I know this could bring some other problems, like for those who use screen readers, but some of the questions would sound nearly the same because often the characters not only look same, but they are pronounced similarly.
Here are most of the look-alike pairs of characters between Cyrillic and Latin:

А-A
а-a
е-e
Е-E
у-y
Р-P
р-p
о-o
Т-T
Н-H
Х-X
х-x
С-C
с-c
В-B
М-M
similar, but not exactly same
к-k
К-K

Font type could play a role too.

[Deaks]

levely is this still happening? I have marked this as solved as their has been no update from yourself on the topic if you feel this is wrong please let us know what you have tried since.