Khoros Global Support Home Start a conversation Sign in
Start a conversation
  1. Khoros Classic
  2. Troubleshooting
  3. How-To Articles

Managing Phishing Campaigns Targeting Private Messages

Overview

A coordinated phishing campaign is targeting communities where newly registered users can immediately send private messages (PMs). Affected communities report newly created accounts—often named “Verification*”—sending fraudulent “URGENT Account Verification Notice” messages containing malicious URLs.

Common symptoms include:

  • Sudden influx of new accounts with similar “Verification*” usernames

  • Members receiving PMs with urgent-sounding verification or penalty threats

  • Messages containing phishing URLs such as ristek.link

  • User reports of suspicious PMs or unusual account behavior

This article outlines immediate containment steps, longer-term prevention measures, and best-practice security controls.

Solution

1. Immediate Actions to Contain the Current Attack

1.1 Ban the Offending Accounts

  1. Go to Community Admin > Mod Tools > User Bans.

  2. Ban suspicious usernames such as:

    • Verification0, Verification5, Verification23, Verification324, VerificationBot

  3. Add IP or email-based bans if reliable details are available.

  4. User bans immediately block abusive accounts from sending further PMs.
    Reference: Community Mod Tools - Support Overview

1.2 Block the Phishing URL and Key Phrases Using Content Filters

  1. Go to Community Admin > Mod Tools > Content Filters.

  2. Under Keyword, select Edit Words.

  3. Add malicious URLs and phrases, such as:

    • ristek.link

    • Account Verification Notice for ...

    • International Act No. 567 EU-DIG-ID-2025

  4. In Keyword > Settings, set the action to “Do not allow item to be posted.”

  5. Content filters support wildcards (e.g., *.domain.com).

References:

  1. Set up content filters

  2. About content filters

1.3 Warn Your Members About the Scam PM

  1. Pin an announcement or publish a banner describing the phishing attempt.

  2. Tell members not to click the link.

  3. Encourage use of the Report abuse option on the PM.

  4. Members may delete the messages using Turn on Batch ProcessingDelete Checked.

References:

2. Locking Down Private Messages for New Accounts

This type of attack exploits communities where brand-new accounts can send PMs immediately.

2.1 Create a “New user – no PM” Role

  1. Create a role, e.g., NewUserNoPM.

  2. Set Use the private messenger to Deny.

  3. Attach this role to your first rank.

  4. Configure your next rank to remove this role after minimal engagement (e.g., time/visits/posts).

Reference: Spammers targeting private messages

2.2 Add CAPTCHA for Sending Private Messages (Optional but Effective)

  1. Go to Community Admin > System > Authentication.

  2. Enable Require verification when sending private messages.

  3. Exempt trusted roles by granting Post private messages without verification.

Reference: About content filters

2.3 If Using Private Messenger v3

3. Hardening Registration and Anti-Spam Controls

3.1 Require Email Verification

  1. Go to Community Admin > DISCUSSION STYLES > Posts & Topics.

  2. Enable Users must confirm email before posting to the community and sending private messages. (About content filters)

3.2 Enable and Tune reCAPTCHA at Registration

  1. Go to Community Admin > System > Authentication.

  2. Enable reCAPTCHA for registration (non-SSO flows).

  3. This significantly reduces automated spam sign-ups.

Reference: Tips on combatting spam

3.3 Use Rank/Role Criteria to Restrict New Users

Limit actions by new accounts using criteria such as:

  • Time since registration

  • Number of logins

  • Page views

Use these controls to limit signatures, PMs, or posting until users build trust. (About roles and permissions)

3.4 Review Spam Management and Flood Controls

  1. Ensure automated spam filtering is enabled under Mod Tools > Moderation.

  2. Adjust flood control thresholds if needed (requires contacting support for enabling and also a platform restart).

References:

3.5 Keep Content Filters Updated

As new variants appear, continue adding URLs, domains, and phrasing into your Keyword content filter (Community Mod Tools - Support Overview)

Summary

A coordinated phishing campaign is exploiting communities that allow new accounts to send PMs immediately. You can contain the attack by banning suspicious accounts, blocking malicious URLs/phrases, and warning your members. Long-term prevention requires restricting PM access for new users, enabling CAPTCHA, requiring email verification, and maintaining strong spam and content-filtering configurations.

FAQ

1. Why didn’t content filters stop the phishing PMs already in user inboxes?

Content filters apply only to new content. Messages sent before filters were added remain in member inboxes and must be manually deleted.

2. Will restricting PMs for new users negatively impact legitimate members?

Typically no. Most communities set very low thresholds (e.g., 1–2 logins or a single post) so authentic users gain PM access quickly while bots cannot abuse the system immediately.

3. Does the platform need a restart after adjusting flood control settings?

Yes. Flood control changes require a platform restart (and also Khoros Support intervention), while most other moderation and role/permission settings do not.


Choose files or drag and drop files
ai_initiated
atlas_studio
kb_automation
Was this article helpful?
Yes
No

  1. Ciprian Nastase

  2. Posted

Comments