Weird brute force attempts on my forum, what are they trying to accomplish?

[Red Squirrel]

I noticed these weird brute force attempts on my forum coming from what I presume is a bot, where they try to login with a user that doesn't even exist. Like, they're not even trying the admin account or anything, it's all invalid users. They seem to always try twice too.

I'm not all that concerned at this point but more curious. What kind of attack is this exactly and what is their end goal? It's not like they're actually trying to brute force into an admin account or even any account, considering they're picking usernames that don't exist. It would be rather trivial for them to try to brute force a valid account by simply looking at user names on the forum. What's interesting is they seem to be trying the same invalid user multiple times over multiple days, but at a rather slow rate. Even if they had a valid user they would never get in at this rate. Is this some totally different form of attack I'm maybe not accounting for? Maybe some of those email domains are malicious sites and they hope I go to them to see what it is?

 

[compcons]

I don't admin forums, but I imagine this happens a lot. And it's not the forum or your admin accounts they want. Those are nearly worthless. An actual use who interacts with other users and shares files and links is valuable. Imagine if you got into an account for a user who recycles the same account credentials across multiple forums. You could post links or files that other users would trust and open. Pretty easy way to spread some malware or take over machines efficiently.

We have come a long way at protecting infrastructure. People are still really easy to manipulate by comparison.

 

[Red Squirrel]

Seems like an odd thing to do, when they could just create a new account. I guess it's all automated so it's easier to hack an existing account than to make a new one and get past the captchas and email confirmation etc. My forum also has mod verification for new accounts so they would never get through anyway. It's odd they would choose a forum that is super dead though. I guess they figure nobody is moderating it.

 

[HutchinsonJC]

I imagine that doing this across multiple forums and other types of sites, potentially hundreds or thousands of sites per day, results in usable credentials if they are using some kind of "most popular passwords" list. And doing it this way probably avoids automated attack detections, if any exist.

Once they have a working set from one site, odds are high that they work for another, as many people do not do much to vary things up between sites and how they log on.

 

[Red Squirrel]

Yeah I guess this is banking on very pure luck. It seems like a super low effort attack and guess it would fly under the radar on a busier site.

 

[NickdoesWeb]

Admin 2 different websites across Squarespace and WordPress, this is common to run into. Seems like anything visible by web crawlers will have brute force attacks just spammed by bots. Likely using different IP VPNs as my personal blocklist grows day by day. Don't really think there's any way to 100% make these attempts stop but they are low effort bot attempts.