I have mentioned the huge increase in random account signups on WordPress installations all over the world. Previously,
I speculated whether this was part of some sort of vulnerability they tried to abuse to get access to the site.
From further investigation, it seems like there is a new pattern where the ones signing up use a "spam" username like:
SBERBANK OPROS 724 637 RYB telegram - @sibbnk
The numbers are random, and SBERBANK seems to be replaced by TINKOFF (and a few others) from time to time.
It seems like they want to be able to either use it to get the username listed like e.g. here https://www.bahzani.net/?author=5 or here https://talentoaguila.com/candidate/sberbank-opros-412-311-ryb-telegram-sibbnk/ or maybe automate posting comments to all the many sites.
Searching on Google for "sibbnk" reveals a lot of sites with the same bank. Searching on @duckduckgo does, however, give a list of different banks that could be related (it could also just be some username or tag of the attacker).
The IP and email domain are mostly Russian, but the email address itself seems to be disabled (often due to some limit on how many messages they can receive per hour) or simply non-existent. At least in most cases.
Do any of you have an idea what they are trying to achieve by adding these tags to all these sites?
#wordpress #spam #attack #usersignup #infosec #websec
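One way a site owner could flag these signups in an exported user list, as an added example that is not part of the original post. The pattern is generalised from the two usernames quoted above (display form and URL-slug form), which is an assumption; the function names and sample rows are constructed, and the CSV columns are assumed to match `wp user list --fields=ID,user_login,display_name,user_email --format=csv`.

```python
import csv
import io
import re
from collections import defaultdict

# Shape generalised from the two samples in the post (an assumption):
#   <brand> OPROS <3 digits> <3 digits> RYB telegram <handle>
STRICT = re.compile(
    r"^(?P<brand>[a-z]+) opros \d{3} \d{3} ryb telegram (?P<handle>[a-z0-9_]{3,})$")
# Looser bucket for manual review: the name ends by advertising a Telegram handle.
LOOSE = re.compile(r"\btelegram (?P<handle>[a-z0-9_]{3,})$")

# Constructed export; the display names of IDs 12 and 13 are the post's samples.
SAMPLE_CSV = """ID,user_login,display_name,user_email
11,anna,Anna Berg,anna@example.org
12,u724637,SBERBANK OPROS 724 637 RYB telegram - @sibbnk,a1@example.invalid
13,u412311,sberbank-opros-412-311-ryb-telegram-sibbnk,a2@example.invalid
14,u905118,TINKOFF OPROS 905 118 RYB telegram - @sibbnk,a3@example.invalid
15,promo,Free bonus telegram @some_handle,a4@example.invalid
16,tg,Telegram Fan Club,fan@example.org
"""


def normalize(name):
    """Lowercase and collapse runs of other characters to one space, so the
    display form and the slug form of the same name compare equal."""
    return re.sub(r"[^a-z0-9_]+", " ", name.lower()).strip()


def classify(name):
    """Return (verdict, brand, handle), or None for a name that looks clean."""
    norm = normalize(name)
    m = STRICT.match(norm)
    if m:
        return ("strict", m.group("brand"), m.group("handle"))
    m = LOOSE.search(norm)
    if m:
        return ("loose", None, m.group("handle"))
    return None


def scan(csv_text):
    """Group flagged accounts by advertised handle, since the post notes that
    the bank name and the numbers change between signups."""
    hits = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        verdict = classify(row["display_name"])
        if verdict:
            hits[verdict[2]].append((row["ID"], verdict[0], verdict[1]))
    return dict(hits)


if __name__ == "__main__":
    for handle, accounts in scan(SAMPLE_CSV).items():
        print(handle, accounts)
```

Accounts in the "loose" bucket only share the trailing Telegram handle and need a manual look before deletion.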