1
67

Who is Nicole really? Who got messages from Nicole? Who is behind the messages? What is the resolution of Nicole's profile images? Do I really have to be a racist to join her server? This comment section's purpose is to collect all that information.

2
4
submitted 23 minutes ago* (last edited 19 minutes ago) by qaz@lemmy.world to c/nicole@feddit.org

from Frida Rush Natalia

How are you doing,sorry if I’m disturbing in any forms. I’m just bored so i thought i should say hi hope you don’t mind?

Account (Banned)

It seems "Nicole" got competition

EDIT: https://kbin.earth/m/nicole/@feddit.org/t/1095706 also mentioned it

3
22
My second blessing 😇 (sh.itjust.works)
4
24

Just got a DM from a nicole account recently and it seems they've stepped up their game and are now using only images, no text, to avoid being detected by automated systems, or having their links censored via the slur regex.

5
16
submitted 10 hours ago by Bort@sh.itjust.works to c/nicole@feddit.org

Putting the text in the image! Working hard to bypass those spam filters.

6
103
submitted 21 hours ago by cerement@slrpnk.net to c/nicole@feddit.org
7
257
8
13

Today I received a DM from frida@lemmy.world and wonder if it is another Nicole type DM-wave or real (as real as random strangers on the internet can be).
Did someone else also receive such DMs?

Message:

How are you doing,sorry if I’m disturbing in any forms. I’m just bored so i thought i should say hi hope you don’t mind?

9
38
Bible thumping copycat (media.kbin.earth)
submitted 1 day ago by Kraiden@kbin.earth to c/nicole@feddit.org
10
248
submitted 2 days ago by puppycat to c/nicole@feddit.org

little do they know nobody is going to type out those urls by hand...

11
18
submitted 2 days ago by BaumGeist@lemmy.ml to c/nicole@feddit.org
12
10
2x again (lemmy.sdf.org)

13
11
Sheeeeeeee's Baaaaaaaack! (yall.theatl.social)

I heard from Nicole today (but, y’know, I call her the Fediverse Chick). She seems like a nice Polish girl living in Toronto. I think I’ll help her out with some cash, after all she’s a college girl. 💸💸💸

14
14
Here we go again (lemmy.ohaa.xyz)
submitted 2 days ago by FQQD@lemmy.ohaa.xyz to c/nicole@feddit.org

I wonder why it stopped for a while. Seems like the new batch doesn't include the crypto addresses. I guess that's a good thing maybe?

15
16
submitted 2 days ago* (last edited 2 days ago) by Karl@programming.dev to c/nicole@feddit.org

16
26
Classic Nicole is back! (media.kbin.earth)
submitted 2 days ago by Kraiden@kbin.earth to c/nicole@feddit.org
17
17
Got another one (lemmy.dbzer0.com)

Looks like she moved onto sending photos instead of text.

18
24
submitted 3 days ago* (last edited 3 days ago) by luca@sironi.tk to c/nicole@feddit.org

another one from flipboard

@nicole

nicole10

19
14
Ten times Nicoled within 1h! (downonthestreet.eu)

I got TEN identical spam this time...

Lemmy will soon need some spam control tools...

20
15

so sweet to think of me

21
5
submitted 2 days ago by LemUrun@pawb.social to c/nicole@feddit.org
22
4
What if.... (muffin.industries)
submitted 2 days ago by brunox@feddit.cl to c/nicole@feddit.org
23
13
submitted 3 days ago by lnxtx@feddit.nl to c/nicole@feddit.org

Not much traffic here for like 1-3 days.
So, is Nicole still active?

Also, Matrix room is gone.

24
51
submitted 5 days ago* (last edited 5 days ago) by ggtdbz@lemmy.dbzer0.com to c/nicole@feddit.org

Just some thoughts. We know the spammed messages have alluded to real places, and at least one of them has even given a workplace address, inviting the recipient to "come say hi" or similar. I'm aware that some of the places seem to change around, but that workplace thing in particular has galvanized how I think about this whole situation. The same day, I scrolled through some posts that were treating all the "hints" like some kind of ARG, like going to that workplace and asking for a Nicole would yield some special clue that will lead them to the next step of the ARG. (the shitty thing is that there is a vanishingly small non-zero chance of that being true regardless)

The odds that the person in the photos is consenting to being part of a spam effort are pretty low I'd think. The fact that some of them seem to be baiting users to a particular physical location reads like some early 2000s kiwi farm bullshit, and it's creepy to see unfolding here on the Lemmyverse. The links are just spam, sure, and spam is just part of the sewage wading exercise that is using the internet, that's not what bothers me. It's the social side. These are real places, they're photos of a real person, which means someone really wants to get this face out there to a bunch of nerds. Given a big enough population, there's statistically going to be someone receiving this spam who could give that person a hard time with enough nudging.

Personally I don't think it's a pig butchering scam. I think someone is trying to rope an unstable stranger into hurting/stalking/physically harassing someone.

I'm conflicted on one thing: I would think that the person in the photos should know that their likeness is being used this way, and to maybe take some precautions if any of the information. At the same time, I'm not exactly jumping with joy at the thought of going on a public forum like this one and saying "Hey guys help me dox this person for their own safety!". Maybe I haven't had to think about this much before since I avoid a lot of traditional social media where the spindly pointy tentacles of harassment campaigns do breach out into popular online spaces. This can't be the first time something like this happens. I just don't know what the most ethical way to deal with this is.

Not the spam, you can filter spam. I'm talking about dealing with the social consequences of whatever this is.

edit: cleaned up some wording.

25
74
submitted 6 days ago by FQQD@lemmy.ohaa.xyz to c/nicole@feddit.org

cross-posted from: https://lemmy.today/post/25826615

For those not familiar, there are numerous messages containing images being repeatedly spammed to many Threadiverse users talking about a Polish girl named "Nicole". This has been ongoing for some time now.

Lemmy permits external inline image references to be embedded in messages. This means that if a unique image URL or set of image URLs are sent to each user, it's possible to log the IP addresses that fetch these images; by analyzing the log, one can determine the IP address that a user has.

In some earlier discussion, someone had claimed that local lemmy instances cache these on their local pict-rs instance and rewrite messages to reference the local image.

It does appear that there is a closed issue on the lemmy issue tracker referencing such a deanonymization attack:

https://github.com/LemmyNet/lemmy/issues/1036

I had not looked into these earlier, but it looks like such rewriting and caching intended to avoid this attack is not occurring, at least on my home instance. I hadn't looked until the most-recent message, but the image embedded here is indeed remote:

https://lemmy.doesnotexist.club/pictrs/image/323899d9-79dd-4670-8cf9-f6d008c37e79.png

I haven't stored and looked through a list of these, but as I recall, the user sending them is bouncing around different instances. They certainly are not using the same hostname for their lemmy instance as the pict-rs instance; this message was sent from nicole92 on lemmy.latinlok.com, though the image is hosted on lemmy.doesnotexist.club. I don't know whether they are moving around where the pict-rs instance is located from message to message. If not, it might be possible to block the pict-rs instance in your browser. That will only be a temporary fix, since I see no reason that they couldn't also be moving the hostname on the pict-rs instance.

Another mitigation would be to route one's client software or browser through a VPN.

I don't know if there are admins working on addressing the issue; I'd assume so, but I wanted to at least mention that there might be privacy implications to other users.

In any event, regardless of whether the "Nicole" spammer is aiming to deanonymize users, as things stand, it does appear that someone could do so.

My own take is that the best fix here on the lemmy-and-other-Threadiverse-software-side would be to disable inline images in messages. Someone who wants to reference an image can always link to an external image in a message, and permit a user to click through. But if remote inline image references can be used, there's no great way to prevent a user's IP address from being exposed.

If anyone has other suggestions to mitigate this (maybe a Greasemonkey snippet to require a click to load inline images as a patch for the lemmy Web UI?), I'm all ears.
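
The click-through mitigation discussed in the post above, as an added example that is not part of the original post and is not Lemmy's code: a function that rewrites remote inline images in a message's Markdown into ordinary links before rendering, so no request leaves the client until the reader clicks. The home instance origin, the trusted-host list and the sample message are assumptions constructed for illustration.

```javascript
// Added example, not Lemmy's code. HOME_ORIGIN, the trusted-host list and
// SAMPLE_MESSAGE are constructed for illustration.
const HOME_ORIGIN = "https://lemmy.example";
const SAMPLE_MESSAGE = [
  "Hi, I'm Nicole!",
  "![me](https://images.tracker.invalid/pictrs/image/recipient-1234.png)",
  "![avatar](/pictrs/image/local.png)",
].join("\n");

// Inline Markdown image: ![alt](url) or ![alt](url "title").
const INLINE_IMAGE = /!\[([^\]]*)\]\(\s*<?([^\s)>]+)>?(?:\s+"[^"]*")?\s*\)/g;

// Hostname an image URL would be fetched from, or null if it cannot be
// resolved to an http(s) URL. Relative paths resolve to the home instance.
function imageHost(url, homeOrigin) {
  try {
    const u = new URL(url, homeOrigin);
    const web = u.protocol === "https:" || u.protocol === "http:";
    return web ? u.hostname.toLowerCase() : null;
  } catch {
    return null;
  }
}

// Replace every inline image not served by the home instance (or an explicitly
// trusted host) with an ordinary link, so the client fetches nothing until the
// reader clicks. Returns the rewritten text and the hosts that were defanged.
function defangInlineImages(markdown, homeOrigin, trustedHosts = []) {
  const home = new URL(homeOrigin).hostname;
  const trusted = new Set([home, ...trustedHosts].map((h) => h.toLowerCase()));
  const blocked = [];
  const text = markdown.replace(INLINE_IMAGE, (match, alt, url) => {
    const host = imageHost(url, homeOrigin);
    if (host !== null && trusted.has(host)) return match;
    blocked.push(host ?? "(unparseable)");
    const label = (alt.trim() || "image").replace(/[\[\]]/g, "");
    // Dropping the leading "!" is what turns the embed into a link.
    return `[remote image: ${label}](${url})`;
  });
  return { text, blocked };
}

const result = defangInlineImages(SAMPLE_MESSAGE, HOME_ORIGIN);
console.log(result.text);
console.log("defanged hosts:", result.blocked);
```

This covers only the inline `![alt](url)` form; a userscript applying the same host check in the rendered page would act on `img` elements instead.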


Nicoled

305 readers
231 users here now

Hi, I'm Nicole! But you can call me the Fediverse Chick :D

For when you or others get nicoled.

founded 2 weeks ago