
I work for a company which handles some websites that have educational forms prospective students can fill out if they wish to be contacted by a college.

We have attempts coming in from two overseas countries, which are continually filling out and attempting to submit forms using ridiculously bogus information. The only possible outcome if these were to go through would be that the school would try to call them.

I cannot figure out how this could potentially benefit them, in any way shape or form. It seems like it's probably a bot, because they are inserting integers for first name, last name, and email address. I've even considered that some companies I've heard of boost their site traffic unethically by having people (or bots) falsely cause hits on their pages, etc. I don't think that's the case here but I'm not sure.

This isn't my project, but someone mentioned it to me and I found it intriguing. What possible benefit would a bot or hacker have from doing this? Each attempt has been unsuccessful but even if it got through, what's the point? Did someone actually send a bot to try and spam educational websites where all you can do is submit an inquiry to a school? What's going on here, ideas?

My best guess is that it's a bot someone put out there and it's hitting our site by mistake. I don't get it, but I'm not a security ninja. I would love possible scenarios, preferably evidence/fact-based, not opinions if you can't back it up - nothing personal, it's just that I know these are the rules of Stack Overflow.

So if you have a fact-based hypothesis why this may be happening, I would love to understand the how/why...

Jonathan Leffler
Dawn Deschain
  • I'm voting to close this question as off-topic because it is not a programming question as defined in the [help] guidelines. It's also full of questions that call for opinion and speculation, such as "why would hackers do this?", "why would this happen?", and "what's the point?", none of which can be answered by anyone other than the author of the suspected bot. – Ken White May 07 '15 at 22:19
  • See: http://serverfault.com/questions/31575/why-do-hackers-setup-bots-repeatedly-fill-out-web-forms – NotMe May 07 '15 at 22:24
  • Not trolling, and not nitpicking. If you go through the [tour] and read the information in the [help], you'll see that a) we have relatively strict guidelines for content here, and b) the majority of the moderation is done by users. (You'll also find out in the [help/be-nice] that no form of personal insult or attack is acceptable here. Please be nice. :-) Your stating that it's on-topic or not inappropriate does not automatically convert an off-topic question to on-topic; if that worked, I could simply declare that my question about car repair was on-topic because I drive my car to work. – Ken White May 07 '15 at 23:00
  • http://stackoverflow.com/questions/7033509/do-form-submissions-by-spam-bots-ever-pose-a-security-risk?rq=1 Similar question here, and yet no one's carrying torches to raze them for asking an "opinion-based" question.... The niceness policy is intended to foster learning; ripping apart someone who's attempting to follow the rules does the opposite. If my phrasing threw you off, or my sentence structure, or that I didn't include further specifics, I am sorry. As I stated, it's not my department nor my project, and I do not have access to further specifics - I was hoping to help out a friend. – Dawn Deschain May 08 '15 at 22:28
  • I felt like I was very careful to follow the guidelines. What could be less opinion-based than asking for an answer with factual evidence? That's where my problem lies, and if you felt personally attacked I surely apologize, but so did I. Your approach was unnecessary and impolite - there's no denying that, however this isn't facebook and I'm not here to have a sewing circle chat about etiquette. I had a relatively straightforward question about a technical matter and was seeking answers in the interest of assessing a potential threat, and trying to find the factual logic behind a problem... – Dawn Deschain May 08 '15 at 22:28

2 Answers

1

I don't think that you will ever find any useful answer to your question, because there are lots of reasons that someone may do this. It may be "for fun", to increase Google ranking, or there may be personal "rivalries" between someone and the company.

Well, you can at least see if the spam comes from an automated bot (if you can change the HTML/backend code) using the honeypot method, nested somewhere in the form. If the spam stops, it should be an automated spam bot, and most likely you should consider it random spam; otherwise someone may have created a spam script for your site, and they may do it for fun or for other purposes.

P.S. : Do not use ReCaptcha, as some bots can break it.

Themis Beris
  • Thanks @Themis, I will talk with them about this. I've heard them refer to Honeypots before, I'll ask him if it's something he's tried to look at already, and what his findings were. It is possible that we'll never know; I'm trying to determine if it creates a reasonable amount of risk for us or not. Martin's comment was useful as well, I will be looking into both of these. Thanks again! – Dawn Deschain May 07 '15 at 22:35
  • @DawnDeschain No problem. It will be a good practice to place `honeypot` somewhere in the middle of the post, with a generally used `name` like `phone_number` – Themis Beris May 07 '15 at 22:38
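The honeypot check the answer and its comment describe, worked through as an added example (my code, not the answerer's or the site's). It assumes hypothetical field names: the trap is called `phone_number` as the comment suggests, so the real phone field is called `contact_number` to avoid a collision, and the handler receives the POSTed form as a plain dict. It also adds the second check a practitioner would want for the traffic in the question: flagging submissions whose name and email fields are nothing but digits.

```python
import re
from typing import Dict

# Hypothetical names for this example. The only thing taken from the answer
# above is the idea of hiding a field with a commonly used name such as
# "phone_number" in the middle of the form; the real phone field is therefore
# called "contact_number" here so the two do not collide.
HONEYPOT_FIELD = "phone_number"
REAL_FIELDS = ("first_name", "last_name", "email", "contact_number")
DIGITS_ONLY = re.compile(r"\d+")


def render_form() -> str:
    """Return the inquiry form as HTML with the honeypot between real fields.

    The trap is hidden by CSS rather than type="hidden", because many bots skip
    hidden inputs but fill any text input they find. tabindex=-1, aria-hidden
    and autocomplete="off" keep keyboard users, screen readers and browser
    autofill away from it.
    """
    rows = []
    for name in REAL_FIELDS:
        rows.append(f'<label>{name}<input name="{name}" type="text"></label>')
        if name == "last_name":  # nested in the middle, as the comment suggests
            rows.append(
                '<div style="position:absolute;left:-9999px" aria-hidden="true">'
                f'<input name="{HONEYPOT_FIELD}" type="text" tabindex="-1" '
                'autocomplete="off"></div>'
            )
    return '<form method="post" action="/inquiry">' + "".join(rows) + "<button>Send</button></form>"


def classify_submission(form: Dict[str, str]) -> str:
    """Classify one POSTed form as 'honeypot', 'bogus' or 'ok'.

    'honeypot': the hidden field was filled in; a human cannot see it, so the
                client did not render the page the way a browser does.
    'bogus':    the trap was left alone, but first name, last name or email is
                nothing but digits, like the submissions the question describes.
    'ok':       nothing suspicious; pass it on to the normal validation.
    """
    if form.get(HONEYPOT_FIELD, "").strip():
        return "honeypot"
    for field in ("first_name", "last_name", "email"):
        if DIGITS_ONLY.fullmatch(form.get(field, "").strip()):
            return "bogus"
    return "ok"


# Constructed sample submissions, not real traffic from the site in the question.
SAMPLE_SUBMISSIONS = {
    "human": {"first_name": "Ada", "last_name": "Lovelace", "email": "ada@example.com",
              "contact_number": "555-0100", "phone_number": ""},
    "bot": {"first_name": "483920", "last_name": "11", "email": "7732",
            "contact_number": "1", "phone_number": "5551234"},
    "bot_no_trap": {"first_name": "483920", "last_name": "11", "email": "7732",
                    "contact_number": "1", "phone_number": ""},
}


def triage_all() -> Dict[str, str]:
    """Run the classifier over every sample; in production, log this per source IP."""
    return {label: classify_submission(form) for label, form in SAMPLE_SUBMISSIONS.items()}


if __name__ == "__main__":
    for label, verdict in triage_all().items():
        print(f"{label}: {verdict}")
```

Two practical points. Return the same "thank you" page whether or not the trap fired and simply drop the honeypot hits server-side, so the bot's author gets no feedback that the form has changed; the answer's test (does the spam stop, or does it keep arriving with the trap untouched?) then comes straight out of the log. And because some browsers autofill fields whose names look like phone numbers regardless of `autocomplete="off"`, log honeypot hits for a while before rejecting on them, so a genuine prospective student is not silently discarded.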

0

It's most likely a bot attempting SQL injection.

How does the SQL injection from the "Bobby Tables" XKCD comic work?

The bot isn't trying to insert data into your database. It is trying to maliciously craft responses so that it can retrieve data from your database, or perhaps just delete all of it.

You need to make sure that all your SQL queries are properly escaped to prevent request data from the bot modifying database queries to work in unintended ways.

If you provide some examples of the requests, StackOverflow will be able to tell you exactly what's going on.

Martin Konecny
  • This doesn't explain why all the fields are filled with integers, though. – Cameron May 07 '15 at 22:18
  • Without looking at the requests, I don't think you can jump to this conclusion. – Stephen C May 07 '15 at 22:20
  • I appreciate the efforts here though, thank you. @Stephen C, what kinds of things should we look for to rule Martin's scenario out? This is a good starting point to begin my research... – Dawn Deschain May 07 '15 at 22:32
  • The SQL injection attack theory is only plausible if the request parameters contain characters that might lead to dangerous SQL if your site's code was creating SQL statements by string concatenation. If the parameters are only letters and numbers, that is implausible. (Hint: read up on how an SQL injection attack works!) – Stephen C May 08 '15 at 10:58
  • Perfect, I will start there. Thanks guys! – Dawn Deschain May 08 '15 at 22:17
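An added example (mine, not from the answer or the comments) that turns Stephen C's rule of thumb into a check and shows why it holds. It assumes a hypothetical `inquiry` table with the form's field names and uses Python's built-in `sqlite3` as a stand-in for whatever database the site actually runs; the sample requests are constructed. The first half scans request parameters for the metacharacters an injection needs; the second half runs the same lookup once by string concatenation and once with a bound parameter, so you can see that an all-digit value is harmless either way while a single quote rewrites the concatenated query.

```python
import re
import sqlite3
from typing import Dict, List

# Characters and tokens that can end a string literal or change statement
# structure when a value is spliced into SQL text. A value made only of
# letters and digits matches none of them, which is the point made above:
# without such characters there is no way to alter the query.
SQL_METACHARACTERS = re.compile(r"""['"`;\\]|--|/\*|#""")


def looks_like_sqli(value: str) -> bool:
    """True if the value contains SQL metacharacters worth a closer look."""
    return bool(SQL_METACHARACTERS.search(value))


def flagged_fields(params: Dict[str, str]) -> List[str]:
    """Names of the request parameters that contain SQL metacharacters."""
    return [name for name, value in params.items() if looks_like_sqli(value)]


# Constructed sample requests: the first mimics the all-integer submissions in
# the question, the second is a classic quote-based probe.
SAMPLE_REQUESTS = {
    "integers_only": {"first_name": "483920", "last_name": "11", "email": "7732"},
    "quote_probe": {"first_name": "x' OR '1'='1", "last_name": "Tables", "email": "a@example.com"},
}


def make_db() -> sqlite3.Connection:
    """In-memory table standing in for the site's inquiry store (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE inquiry (id INTEGER PRIMARY KEY, first_name TEXT, last_name TEXT, email TEXT)")
    conn.execute("INSERT INTO inquiry (first_name, last_name, email) VALUES ('Ada', 'Lovelace', 'ada@example.com')")
    return conn


def find_email_concat(conn: sqlite3.Connection, first_name: str) -> List[str]:
    """VULNERABLE: the value becomes part of the SQL text, so a quote in it rewrites the WHERE clause."""
    sql = f"SELECT email FROM inquiry WHERE first_name = '{first_name}'"
    return [row[0] for row in conn.execute(sql)]


def find_email_param(conn: sqlite3.Connection, first_name: str) -> List[str]:
    """SAFE: the value travels as a bound parameter and is only ever compared, never parsed as SQL."""
    sql = "SELECT email FROM inquiry WHERE first_name = ?"
    return [row[0] for row in conn.execute(sql, (first_name,))]


def demo() -> dict:
    """Run the scan and both lookups over the constructed samples."""
    conn = make_db()
    probe = SAMPLE_REQUESTS["quote_probe"]["first_name"]
    return {
        "flagged": {name: flagged_fields(p) for name, p in SAMPLE_REQUESTS.items()},
        "digits_concat": find_email_concat(conn, "483920"),  # no match, and no way to do harm
        "probe_concat": find_email_concat(conn, probe),      # WHERE clause became ... OR '1'='1': every row leaks
        "probe_param": find_email_param(conn, probe),        # just a non-matching name
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two caveats. `sqlite3`'s `execute()` refuses to run more than one statement, so the `'); DROP TABLE ...` form from the Bobby Tables comic would raise an error here rather than drop the table; drivers for other databases may not be so strict, and the quote-based `OR '1'='1'` form works regardless. And the real fix is the bound parameter, not escaping the input: escaping has to be done correctly for every value in every query, whereas a parameter can never be parsed as SQL at all.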