Bad actors are abusing large, open-registration, low-moderation Mastodon instances in order to provide direction to the Vidar Stealer trojan horse, which steals passwords, credit card details, bitcoin wallets, etc.

If you run a large, open-registration, low-moderation instance, please consider changing at least one of those qualities.


@noelle How is anyone supposed to find these *unless* you follow the trail from the malware itself? Seems a bit unfair to blame Mastodon servers here

@Gargron @noelle I think you (the generic you, as an admin) can mitigate the attack surface by limiting the amount of time such an account is live, for example by
- disabling open registration
- increasing moderation and review of new accounts
- limiting the user base to a manageable amount

it's not necessarily blaming servers, but these accounts are absolutely findable and the above strategies help to find them more quickly.

@trwnh @noelle That’s far from practical for everyone. You know that if someone creates an empty/innocent looking profile there’s no way to tell that it’s somehow used for a nefarious purpose.

@Gargron It's a pretty straightforward concept that if you keep registration wide open, bad actors will set up shop. Whether the attack seems obvious to you or not is frankly irrelevant, bad actors are consistently seeking out open and unmoderated servers to spread their attack, so clearly it's working.

This is kind of like allowing a spammer to use your webmail server to send emails and not understanding why people want you to ban the spammer.

@Sandrockcstm It's more like, people want you to find when someone signs up for your e-mail server and coordinates malware attacks by having his malware connect to the smtp server and read something from an e-mail draft that never gets sent somewhere. We're not talking about refusing to ban someone after they get reported for this.


Except we are?

"The idea is to secure communications from the compromised machine to the configuration source, and since Mastodon is a trusted platform, it shouldn’t raise any red flags with security tools. At the same time, Mastodon a relatively under-moderated space so these malicious profiles are unlikely to be spotted, reported, and removed."

The entire reason this works is that Mastodon is considered trusted and often unmoderated. That's the only way this attack works.
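The thread argues about whether an admin can find these profiles at all. As an added example that is not part of the thread and not Mastodon project code, the script below triages newly registered accounts with a few heuristics aimed at the "empty-looking profile that only carries a configuration string" pattern the quoted article describes. It works on the fields Mastodon's public account API returns (`note`, `display_name`, `fields`, `statuses_count`, `followers_count`, `following_count`, `created_at`). The thread does not say how the stealer encodes its configuration, so the patterns searched for (URLs, `ip:port` strings, long opaque tokens) and the thresholds are assumptions, and the account records are constructed for the example.

```python
import html
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of Mastodon's public account entity
# (/api/v1/accounts/:id); only the fields used below are present.
SAMPLE_ACCOUNTS = [
    {   # ordinary new user: plain bio, no URL, already posting
        "acct": "alice", "display_name": "Alice",
        "note": "<p>Gardening, cycling, and bad puns.</p>",
        "fields": [{"name": "Pronouns", "value": "she/her"}],
        "statuses_count": 12, "followers_count": 4, "following_count": 9,
        "created_at": "2023-01-05T10:00:00.000Z",
    },
    {   # constructed suspicious profile: bio is only a host:port string,
        # account has never posted and follows/is followed by nobody
        "acct": "zx81k", "display_name": "",
        "note": "<p>203.0.113.10:8080</p>",
        "fields": [],
        "statuses_count": 0, "followers_count": 0, "following_count": 0,
        "created_at": "2023-01-09T03:12:00.000Z",
    },
    {   # constructed: URL in a profile field, opaque token as display name
        "acct": "jm_8822",
        "display_name": "AbCdEf0123456789AbCdEf0123456789AbCd",
        "note": "",
        "fields": [{"name": "site",
                    "value": '<a href="http://example.net/cfg">http://example.net/cfg</a>'}],
        "statuses_count": 0, "followers_count": 1, "following_count": 0,
        "created_at": "2023-01-09T11:40:00.000Z",
    },
]

# Fixed "now" so the example is reproducible offline (assumption).
NOW = datetime(2023, 1, 10, tzinfo=timezone.utc)

# URLs and dotted-quad ip[:port] strings; the alternation uses only
# non-capturing groups so findall() returns whole matches.
URL_RE = re.compile(r"https?://[^\s\"'<>]+|\b(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?\b")
# Long runs of base64/hex-looking characters with no natural-language structure.
TOKEN_RE = re.compile(r"\b[A-Za-z0-9+/=_-]{32,}\b")
TAG_RE = re.compile(r"<[^>]+>")


def profile_text(account):
    """Concatenate display name, bio and profile fields as plain text."""
    parts = [account.get("display_name", ""), account.get("note", "")]
    for field in account.get("fields", []):
        parts.append(field.get("name", ""))
        parts.append(field.get("value", ""))
    # Mastodon serves the bio and field values as HTML; strip it.
    return " ".join(html.unescape(TAG_RE.sub("", p)) for p in parts if p)


def parse_created(ts):
    # Mastodon timestamps look like 2023-01-09T03:12:00.000Z
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def triage(account, now=None):
    """Return a list of human-readable reasons the account looks like a
    dead-drop profile; an empty list means nothing matched."""
    now = now or datetime.now(timezone.utc)
    text = profile_text(account)
    urls = URL_RE.findall(text)
    # Look for opaque tokens only outside URLs, so a long path does not count.
    tokens = TOKEN_RE.findall(URL_RE.sub(" ", text))
    age = now - parse_created(account["created_at"])
    silent = account["statuses_count"] == 0
    isolated = account["followers_count"] + account["following_count"] <= 1

    reasons = []
    if urls and silent:
        reasons.append(f"profile carries {urls} but the account has never posted")
    if tokens:
        reasons.append(f"profile carries opaque token(s) {tokens}")
    if urls and isolated and age < timedelta(days=2):
        reasons.append("account is under 48h old, isolated, and its only content is an endpoint")
    return reasons


def flag_accounts(accounts, now=None):
    """Map acct -> reasons for every account that triggers at least one rule."""
    result = {}
    for account in accounts:
        reasons = triage(account, now)
        if reasons:
            result[account["acct"]] = reasons
    return result


if __name__ == "__main__":
    for acct, reasons in flag_accounts(SAMPLE_ACCOUNTS, NOW).items():
        print(acct)
        for r in reasons:
            print("  -", r)
```

The rules are deliberately cheap and produce a review queue, not a verdict: a real moderator would run `flag_accounts` over accounts returned by the admin API for the last day or two and look at the hits by hand. The 48-hour window and the "silent and isolated" conditions are the part that limits the window of abuse the thread talks about; they are tunable assumptions, not values taken from the thread or from any published analysis of the stealer.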
