A newly identified Python framework spamming the contact forms and chat widgets on the websites of small and medium-sized businesses has made over 80,000 victims over the past half a year, SentinelOne reports.
Dubbed AkiraBot due to its use of domains that have ‘Akira’ as the search engine optimization (SEO) service brand, the framework can evade CAPTCHA filters and network detections. The name ‘ServiceWrap’ also stands out in its SEO domain naming.
The framework was designed to target websites with spam messages that can be indexed by search engines, and uses OpenAI services to generate tailored messages for each targeted website.
The analysis of archives containing AkiraBot scripts revealed that the framework has been active since September 2024, initially targeting Shopify, and progressively expanding to websites built using Wix, Squarespace, and generic website contact forms.
“These technologies are primarily used by small- to medium-sized businesses for their ease in enabling website development with integrations for eCommerce, website content management, and business service offerings,” SentinelOne’s SentinelLabs says.
The cybersecurity firm identified multiple versions of the framework, all using hardcoded OpenAI API keys, as well as the same proxy credentials and test sites.
In AkiraBot’s user interface, the operator can view attack metrics, select a list of websites to target, and choose how many sites to be targeted concurrently.
Spam messages are generated based on a template containing a generic outline, which is served to the OpenAI chat API. The OpenAI client is instructed to act as an assistant that generates marketing messages.
“The resulting message includes a brief description of the targeted website, making the message seem curated. The benefit of generating each message using an LLM is that the message content is unique and filtering against spam becomes more difficult compared to using a consistent message template which can trivially be filtered,” SentinelLabs explains.
To evade CAPTCHA services, including hCAPTCHA and reCAPTCHA, AkiraBot intercepts the website loading process using the Selenium WebDriver automated framework, which also simulates legitimate user activity. As a failover, it uses CAPTCHA bypassing services such as Capsolver, FastCaptcha, and NextCaptcha.
For network detection evasion, the bot relies on proxy hosts, and each of the identified iterations has used the SmartProxy service with the same credentials.
AkiraBot is logging success metrics, which helped SentinelLab identify over 80,000 unique domains successfully spammed by the framework, and more than 420,000 unique domains that have been targeted since September 2024.
The Akira and ServiceWrap SEO services that appear in the framework’s messages have numerous 5-star reviews on TrustPilot, all with similar, likely AI-generated content. They also have 1-star reviews with complaints about the service being either a scam or spamming the reviewer.
“AkiraBot is a sprawling framework that has undergone multiple iterations to integrate new spamming target technologies and evade website defenses. We expect this campaign to continue to evolve as website hosting providers adapt defenses to deter spam,” SentinelLab says.
Related: Sites of Major Orgs Abused in Spam Campaign Exploiting Virtual Tour Software Flaw
Related: Critical Vulnerabilities Found in Anti-Spam Plugin Used by 200,000 WordPress Sites
Related: Scareware Combined With Phishing in Attacks Targeting macOS Users
Related: ClickFix Widely Adopted by Cybercriminals, APT Groups
