If You Comment On Blogs Extensively, You Should Consider Using Google 2-Step Verification

One recently identified cause of deleted Blogger blogs appears to involve brute force hacking against our Blogger / Google accounts.

We've known, for some time, about blog owners receiving alerts about "suspicious" / "unusual" account activity. The alerts frequently involve locked or deleted Blogger / Google accounts - and generally require the owner to change their password, solve a CAPTCHA, and / or provide their phone number (mobile or home phone) to log in.

Later, people started reporting that their blogs were being deleted - possibly as a result of having to change their password, solve a CAPTCHA, and / or provide their phone number.

I've been observing - and blocking - an annoying style of comment based spam, which I have termed "nice blog" spam, for some time.

  "Nice blog. I will keep visiting this blog very often."

This style of spam, from what I can tell, has been published by the millions, in various blog comments, on both Blogger and non Blogger platforms.

The reason for the spam always intrigued me. That the spam was published in the millions suggested to me that it had a special purpose, intended by its creators. Looking at a typical spam message in my email (since I moderate before publishing), I could see no consistent type of content.
  • Some messages would contain links, others not.
  • Some messages would mention what looked like commercial products; other references were obviously imaginary targets.
  • Some messages would appear to be mere babble.

Recently, I discovered one strong possibility for the purpose of the spam - a very ingenious form of email address mining. The spam comment is only needed to allow a hacker to subscribe to a given comment stream, using the "Email follow-up comments to ..." option. It's possible that the subscription is not even affected by moderation - whether the blog owner is moderating, either before or after the comment is published to the blog, the hacker remains subscribed to the comment stream.

All that the hacker / spammer has to do is to publish a spam comment, select the "Email follow-up comments to ..." option, and watch while his Inbox fills up with subsequent comments from other Blogger / Google / OpenID account owners. Any comment containing an email address, and linking to a Blogger blog, would go straight into the hacker's database.

Later, the hacker could go to work against the Blogger accounts referenced in the comments. In some cases, this would result in successfully hijacked Blogger blogs, which would become part of a spammer's blog farm, where advertisements of various kinds could be hosted. Valuable blogs, with established reader populations, could also be used to serve malware (and more hacking) to unsuspecting readers.

The demographics of some hijacking attacks provide interesting clues. In one episode, we had a significant number of home / personal / small business blogs that had been hijacked by one specific individual. Many of the victim blogs:
  • Contained details relevant to the owners, which provided clues to passwords used by the owners.
  • Were owned by people who used commenting extensively, for networking both with friends, and with business targets.
  • Were read (and commented upon) by similar people, who similarly provided password clues in their own blogs.

Having been part of the restore process, both with people who had their blogs hijacked, and who had their accounts locked and blogs deleted, I observed that the former (hijacked blogs) seem to have decreased in volume as the latter (accounts and blogs locked / deleted) increased in volume. I don't think that the relationship is coincidental - or spurious.

My opinion is that the locking of Blogger / Google accounts - and subsequent deletion of blogs - directly results from detected attacks against the accounts in question ("suspicious" / "unusual" activity). Noting that the attacks seem to be more common to people who comment on blogs as a form of networking, it appears that commenting can lead to accounts and blogs being locked or deleted, as Google protects us against hacking.

Considering this possible cause and effect relationship, Google 2-step verification is a good idea. For Google instructions on setting up 2-step verification, see http://support.google.com/accounts/bin/answer.py?hl=en&answer=180744

Use of 2-step verification helps safeguard our accounts against brute force hacking. This will help anybody who is anxious about accounts and blogs being deleted or locked, as a result of "suspicious" / "unusual" activity. If you own a blog which is subject to this threat, you should consider using 2-step verification.

The sanity (heart attack, ulcer) that is saved may be your own.

Comments

Anne Bennett said…
Can you explain how to set up the Google 2-step verification?
Chuck Croll said…
Anne,

I'll suggest that you reread the article.

Considering this possible cause and effect relationship, I suspect that Google 2-step verification is a good idea. Click here, for Google instructions on setting up 2-step verification.

http://support.google.com/accounts/bin/answer.py?hl=en&answer=180744
Old Coot said…
Chuck, you stated that "It's possible that the subscription is not even affected by moderation...the hacker remains subscribed to the comment stream."

Shouldn't this be considered a bug that should be addressed by the provider - i.e., Blogger? If the moderator rejects the comment, the commenter should not be allowed to subscribe.
Old Coot said…
Oops. I just realized the Subscribe link is entirely separate from the Post a Comment link. So there's not really a good way to prevent someone from subscribing. Unless it was all reworked so that only someone who posted (and whose post was not rejected) could subscribe. And that's a debatable idea.
Chuck Croll said…
Coot,

All things being equal, moderation maybe should affect the thread subscription. Maybe, it shouldn't.

All that we can say is that posting a comment gives the initial ability to subscribe.

Also, thinking about how moderation (both before, and after, comments are published) would have to affect the continued subscription, may involve some interesting questions.

Making protection of the guests who comment, a function of moderation, won't protect everybody, will it? To answer that, take a look at the 22,000,000 + places where the "nice blog" spam was published / was never removed.

At any rate, I've been watching Blogger long enough to know that "should" !== "will be".

Also - and going into hyper paranoia mode, maybe the "nice blog" spam is just a red herring - and the real subscriptions that actually matter to the hackers are based on real, insightful comments that no blog owner would moderate out.

At any rate, Blogger has started using "noreply-comment@blogger.com" for Google+ profiles. If they start doing the same for classic Blogger profiles, this whole issue will be moot. That would be the simple solution, anyway. And as Google+ gains population, this will also become moot.
David West said…
My blog is poorly read, (http://twasmeanttobe.blogspot.com) and only a few friends that I email read it, so if a real person comments, I know who they are.
Every single comment I receive is spam that suggests we visit a link, exactly as you say. The reason for this spam is that the spammer has learned some SEO techniques, and believes that the more links he gets to his web site then the higher his ranking should be.
Maybe there is a way that we can suggest to Google a "de-ranking" for sites that are known to be spamming.

I carefully examined and removed each comment. I saw that they could apply to just about any blog in my niche, and outside.
Kind regards
David
Katie Isabella said…
Oh geez. I need to do better and send this info to family too.