I maintain a blog for a friend of mine. It’s basically an aggregator of videos from other embeddable video sites, and provides a way for users to comment on those videos. Not really high-value content, but it’s a suitable placeholder until we come up with a better concept for what to do with what is arguably a pretty valuable domain name.
Commenting is open without registering … but for the most part commenting activity is very, very low.
Over the past week the site has seen a spike in WordPress new-user enrollment. These new users haven’t commented on any of the videos, or interacted with the site in any other noticeable way, but they’re all enrolling with .pl (Poland) email addresses, and not a single one of them has commented after enrolling. I also haven’t noticed anything in my analytics that leads me to believe this is due to a referral link.
So what gives?
Why would users register with a blog only to not do anything with that account? Has anybody had this experience with a coordinated wave of user-registrations that led to something malicious? I’ve locked down commenting so that they’ll only show up on the site after approval, but I’m just trying to plan ahead for what may be a coordinated attack, and would like to know if anybody has experienced this trend with sites they’ve operated.
Sometimes people who run these bots or do this manually are paid for the number of accounts they create. So the more accounts they create, the more rewards they get.
Only after such a run does the list go to the original client, who then uses the list of accounts to perform (comment) spam runs or whatever he thinks is needed.
So this can be a reason why you first get a load of accounts created and then, later, other actions by someone else.
To break this down:
Is this a potential security issue? Unlikely.
Do bots register for a reason? Maybe, maybe not. It can just as well be some fluke; bots often do weird things just-because.
What to do? Nothing except cleaning up fake accounts. Close registration if you don’t really need it.
OK – 11 years later, but I feel I need to add something here after stumbling across this.
Unlike the 2 above, I’d like to add an air of caution. A whole host of zombie registrations could be something to worry about.
A lot of plugins mess with the user registration process for their own ends – often I find unnecessarily. One key part of user registration / creation is setting the roles and capabilities for this new user. It’s likely here you’re being sounded out for any number of known User Privilege Escalation vulnerabilities. During registration, the bot may be posting different extra strings and parameters known to allow the creation of admin accounts via unpatched plugins.
Whilst there’s not something to directly worry about – it’s not something to not worry about(?!)
Keep your site & plugins up to date – regularly audit your users and make sure you have alerts set up for any new admin accounts set up.
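One way to run the user audit recommended in the last answer, as an added example that is not part of the thread or of WordPress itself. It assumes a user export shaped like `wp user list --fields=user_login,user_email,user_registered,roles --format=json`; the sample rows, the admin allowlist, the 7-day window and the burst threshold are constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample rows (not real accounts), one dict per exported user.
SAMPLE = [
    {"user_login": "siteowner", "user_email": "owner@example.com", "user_registered": "2012-01-05 10:00:00", "roles": "administrator"},
    {"user_login": "oldwriter", "user_email": "writer@example.org", "user_registered": "2015-06-01 09:00:00", "roles": "editor"},
    {"user_login": "kx81", "user_email": "kx81@example.pl", "user_registered": "2024-03-02 01:10:00", "roles": "subscriber"},
    {"user_login": "zq02", "user_email": "zq02@example.pl", "user_registered": "2024-03-03 01:12:00", "roles": "subscriber"},
    {"user_login": "mm77", "user_email": "mm77@example.pl", "user_registered": "2024-03-04 01:15:00", "roles": "subscriber"},
    {"user_login": "hz55", "user_email": "hz55@example.pl", "user_registered": "2024-03-05 01:20:00", "roles": "editor"},
    {"user_login": "support_team", "user_email": "st@example.pl", "user_registered": "2024-03-06 01:25:00", "roles": "administrator"},
]
NOW = datetime(2024, 3, 8)  # constructed "time of audit" so the result is repeatable


def audit(users, known_admins, now, window_days=7, default_role="subscriber", burst=3):
    """Return (elevated accounts, {email TLD: count} for recent registration bursts)."""
    since = now - timedelta(days=window_days)
    elevated, recent_tlds = [], Counter()
    for u in users:
        roles = {r.strip() for r in u["roles"].split(",") if r.strip()}
        registered = datetime.strptime(u["user_registered"], "%Y-%m-%d %H:%M:%S")
        recent = registered >= since
        if "administrator" in roles and u["user_login"] not in known_admins:
            # Any admin outside the allowlist is reported, whatever its age.
            elevated.append((u["user_login"], "unexpected administrator"))
        elif recent and roles != {default_role}:
            # Self-registration should only ever yield the site's default role.
            elevated.append((u["user_login"], "new account with non-default role"))
        if recent:
            recent_tlds[u["user_email"].rsplit(".", 1)[-1].lower()] += 1
    bursts = {tld: n for tld, n in recent_tlds.items() if n >= burst}
    return elevated, bursts


if __name__ == "__main__":
    elevated, bursts = audit(SAMPLE, known_admins={"siteowner"}, now=NOW)
    for login, reason in elevated:
        print(f"ALERT {login}: {reason}")
    for tld, n in bursts.items():
        print(f"NOTE {n} registrations from .{tld} addresses in the last 7 days")
```

Run it on a schedule against a fresh export and send the ALERT lines to whoever administers the site; the allowlist should hold only the logins you created yourself.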