Someone is creating new fake customer accounts
#31
Like I said...musing...it would be great to just be able to say, "We don't accept input unless it's from a 'keyboard'" (And that would include voice-to-text etc. since they trigger key-events.)
Bruce Golub
Phosphor Media - "Your Success is our Business"

Improve Your Customer Service | Get MORE Customers | Edit CSS/Javascript/HTML Easily | Make Your Site Faster | Get Indexed by Google | Free Modules | Follow Us on Facebook
phosphormedia.com



#32
Since most bots try to fill in all form fields, we use a "honeypot" input field with a touch of JavaScript. The honeypot input is hidden with CSS, and listened to with JavaScript. If a value is entered into the honeypot we change the form submit location via JavaScript (a black hole). It's not a perfect solution, but has eliminated our spammy form submission issues, AND we do not need to use a Captcha.



#33
I think Bruce is saying that the bot is a headless browser that hits the CGI endpoint with request headers and a post payload. The bot never actually visits the page.

It looks like the bot REQUESTS the ACAD page with a Customer_LoginEmail parameter (Password Recovery Email) and is looking for a RESPONSE with a g.customer_invalid_addinfo.

If g.customer_invalid_addinfo is TRUE then the bot has a valid Customer_LoginEmail. If g.customer_invalid_addinfo is FALSE then a fake account is created - but that is just collateral damage to the bot.

I would check the User Interface > Error Message tab for 'The email address you entered is already in use.' to see if the bot captured anything.

http://www.alphabetsigns.com/



#34
Any of you developer types interested in writing a module to add reCAPTCHA v3 to Miva? Looks like it's pretty slick and powerful without a negative user experience for real people.

https://www.google.com/recaptcha/intro/v3.html
https://developers.google.com/recaptcha/docs/v3

I would definitely be interested in a module that managed this for my site.
Last edited by oliverands; 10-14-19, 03:44 AM.
Todd Gibson
Oliver + S | Sewing Patterns for Kids and the Whole Family



#35
Somehow between Bruce installing the Phosphor Media Easy Account and some additional Bot Block code the problem has gone away.
http://www.invinciblemusic.com



#36
Originally posted by invinciblerecordings:
"somehow between bruce installing the phosphor media easy account and some additional bot block code the problem has gone away."
yaay!!!
Leslie Kirk
Miva Certified Developer
Miva Merchant Specialist since 1997
Previously of Webs Your Way
(aka Leslie Nord leslienord)

Email me: [email protected]
www.lesliekirk.com

Follow me: Twitter | Facebook | FourSquare | Pinterest | Flickr



#37
So now I'm getting hit. I came in this morning to about 5K bot spam. From the server logs:

Code:
52.186.121.92 - - [18/Oct/2019:03:33:57 -0400] "POST /customer-account.html HTTP/1.0" 200 40141 "https://www.alphabetsigns.com/customer-create.html" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"
52.186.121.92 - - [18/Oct/2019:03:33:57 -0400] "GET /mm5/merchant.mvc?Screen=%3bn%3aexpression(netsparker(9))%2f*&OAuth_Provider_Code=GOOGLE&action=OAUTH_LOGIN&Store_Code=XX&Session_Id=78bfd19b6009837711d3bea0fb63e40d HTTP/1.0" 404 41182 "https://www.alphabetsigns.com/customer-account.html" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"

I'm not sure if netsparker is the bot or why it's crawling my site. I don't subscribe to their service.

I added to .htaccess:

Code:
RewriteCond %{REMOTE_ADDR} ^52\.186\.121\.92
RewriteRule ^.* - [F,L]

It's gone for now. I hope it doesn't come back.


http://www.alphabetsigns.com/
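As an added example (not from this post, and not Miva's or anyone's production code), the following Python script runs the checks discussed in this thread over Apache combined-format log lines like the ones quoted above: it counts POSTs per client IP to the account endpoint, flags clients that POST without ever having fetched the form page (the headless-bot pattern described in #33), flags requests whose query string carries the scanner markers seen in the log above, and prints .htaccess rules in the same shape as the post's, with the IP anchored at both ends so a longer address cannot match by prefix. The log lines, IPs, hostname, thresholds and the marker list are constructed for the example. The Referer header is deliberately not used as evidence, because the bot in the post's log sent a plausible one.

```python
import re
from collections import Counter
from urllib.parse import unquote

FORM_PAGE = "/customer-create.html"        # page a browser must GET to see the form
POST_TARGET = "/customer-account.html"     # endpoint the form posts to
SCANNER_MARKERS = ("netsparker", "expression(")   # constructed marker list for this example

# Constructed sample log, modelled on the Apache combined format in the post above.
# 192.0.2.10 posts three times without ever fetching the form page and sends a scanner probe;
# 198.51.100.7 behaves like a browser: GET the form page, then one POST.
SAMPLE_LOG = """\
192.0.2.10 - - [18/Oct/2019:03:33:50 -0400] "POST /customer-account.html HTTP/1.0" 200 40141 "https://www.example.com/customer-create.html" "Mozilla/5.0 (Windows NT 6.3; WOW64) Chrome/54.0.2840.99"
192.0.2.10 - - [18/Oct/2019:03:33:52 -0400] "POST /customer-account.html HTTP/1.0" 200 40141 "https://www.example.com/customer-create.html" "Mozilla/5.0 (Windows NT 6.3; WOW64) Chrome/54.0.2840.99"
192.0.2.10 - - [18/Oct/2019:03:33:55 -0400] "POST /customer-account.html HTTP/1.0" 200 40141 "https://www.example.com/customer-create.html" "Mozilla/5.0 (Windows NT 6.3; WOW64) Chrome/54.0.2840.99"
192.0.2.10 - - [18/Oct/2019:03:33:57 -0400] "GET /mm5/merchant.mvc?Screen=%3bn%3aexpression(netsparker(9))%2f*&Store_Code=XX HTTP/1.0" 404 41182 "https://www.example.com/customer-account.html" "Mozilla/5.0 (Windows NT 6.3; WOW64) Chrome/54.0.2840.99"
198.51.100.7 - - [18/Oct/2019:09:12:01 -0400] "GET /customer-create.html HTTP/1.1" 200 38120 "https://www.example.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14) Safari/605.1.15"
198.51.100.7 - - [18/Oct/2019:09:13:45 -0400] "POST /customer-account.html HTTP/1.1" 200 40141 "https://www.example.com/customer-create.html" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14) Safari/605.1.15"
"""

# One combined-format line: ip ident user [ts] "METHOD target PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["path"], _, query = rec["target"].partition("?")
    rec["query"] = unquote(query)   # decode %xx so markers hidden by encoding are still visible
    return rec


def analyze(log_text, post_threshold=3):
    """Summarise the log: POST counts per IP, IPs posting without a form visit, scanner hits, flagged IPs."""
    posts = Counter()
    visited_form = set()
    direct_posters = set()
    scanner_hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip = rec["ip"]
        if rec["method"] == "GET" and rec["path"] == FORM_PAGE:
            visited_form.add(ip)
        if rec["method"] == "POST" and rec["path"] == POST_TARGET:
            posts[ip] += 1
            if ip not in visited_form:          # posted before (or without) ever loading the form
                direct_posters.add(ip)
        q = rec["query"].lower()
        if any(marker in q for marker in SCANNER_MARKERS):
            scanner_hits.append((ip, rec["path"], rec["query"]))
    flagged = {ip for ip, n in posts.items() if n >= post_threshold}
    flagged |= {ip for ip, _, _ in scanner_hits}
    return {"posts": posts, "direct_posters": direct_posters,
            "scanner_hits": scanner_hits, "flagged": sorted(flagged)}


def htaccess_rules(ips):
    """Emit mod_rewrite rules in the shape used in the post, with each IP escaped and anchored."""
    ips = sorted(ips)
    conds = []
    for i, ip in enumerate(ips):
        flag = " [OR]" if i < len(ips) - 1 else ""   # OR the conditions, last one without the flag
        conds.append(f"RewriteCond %{{REMOTE_ADDR}} ^{re.escape(ip)}${flag}")
    return "\n".join(conds + ["RewriteRule ^.* - [F,L]"])


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    print("POSTs per IP:", dict(report["posts"]))
    print("posted without visiting the form:", sorted(report["direct_posters"]))
    print("scanner hits:", report["scanner_hits"])
    print(htaccess_rules(report["flagged"]))
```

The threshold and the marker list are the tunable parts; the "posted without visiting the form" set is the more durable signal, since it does not depend on a particular scanner's fingerprint, and as the later posts in this thread note, the IP list produced here is only a short-term block.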



#38
*Puts on tinfoil hat* I feel like someone is targeting the forum signatures with URLs, as both alphabet and InvincibleRecordings have their website in the signature



#39
Originally posted by Beefy Nugget:
"*Puts on tinfoil hat* I feel like someone is targeting the forum signatures with URLs, as both alphabet and InvincibleRecordings have their website in the signature"
No, don't think so, we had other clients with this issue. But maybe they are finally targeting Miva sites, which has been rare in the past.
Sabine Sharp
eCommerce Strategies & Solutions
Glendale Designs
Support Desk
623.322.6066



#40
We had a similar issue on our save your basket page recently. We added a reCAPTCHA to the form and that stopped it. As part of this, we disabled the submit button and only enabled it using a callback when the reCAPTCHA was checked. We used reCAPTCHA v2.
Last edited by wajake41; 10-22-19, 09:23 AM.
Larry
Luce Kanun Web Design
www.facebook.com/wajake41
www.plus.google.com/116415026668025242914/posts?hl=en




#41
A perhaps more robust implementation would be to have the reCAPTCHA populate a hidden field (or better yet, have it REMOVE a value from a hidden field). This will help when a bot is not submitting the form directly, but rather just directly posting the form and its data to the server.
Bruce Golub



#42
Add one more site to the list.. Looking into blocking by IP, but obviously reCAPTCHA would be best.
Looking for work as of March 2024! I've been a web developer for going on 20 years, with most of that time spent on Miva sites.



#43
IP blocking alone is a game of Whac-A-Mole. Either removing the link and using other methods of account creation or reCAPTCHA is the only thing to stop it.
Bruce Golub



#44
No way to remove the link since presumably they have a script that's just sending a POST directly to merchant.mvc.. I contacted Miva to see if they can add reCAPTCHA



#45
How does reCAPTCHA provide server side validation with the LOGN action?

I added reCAPTCHA to a LOGN form that enables the submit button

Once submitted, the reCAPTCHA response token should also be sent along to the LOGN action to be validated server-side.

The LOGN action should make a call to Google's reCAPTCHA API to validate the token. Otherwise the LOGN will validate without an authorized domain request.

It seems to me that we would need a LOGN extension if we want to use reCAPTCHA.

- - - -

The CSRF token will work in most cases. There are more sophisticated bots that can brute force their way past a CSRF token in which case you would need the reCAPTCHA. In either case, the token needs to be validated server side.

Even if you can validate the reCAPTCHA token it only prevents the server response, not the bot request. You will need a combination of IP, user-agent or ASN rule to block the bot altogether. And as Bruce pointed out, that is a game of Whac-A-Mole.

http://www.alphabetsigns.com/
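The server-side half of the defences proposed in this thread, as an added example that is not part of any post and is not Miva's LOGN code: the honeypot field from #32, the hidden field that the reCAPTCHA callback clears from #41, and the CSRF check plus the siteverify call from this post, all enforced on the server so that a script POSTing straight to the endpoint faces the same checks as a browser that ran the page's JavaScript. The field names other than g-recaptcha-response, the session dictionary, the secret and the fake siteverify response are assumptions made for this example; the siteverify URL, its secret/response/remoteip parameters and the success/score/hostname fields in its reply are Google's documented interface. In Python rather than MivaScript so that the logic can be run and tested offline.

```python
import hmac
import io
import json
import secrets
import urllib.parse
import urllib.request

# Real Google endpoint; the secret is a placeholder, not a working key.
RECAPTCHA_VERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"
RECAPTCHA_SECRET = "RECAPTCHA_SECRET_PLACEHOLDER"

# Hypothetical field names for this example (a real LOGN form would use its own).
HONEYPOT_FIELD = "website"               # hidden by CSS; a person never fills it (#32)
NOSCRIPT_FIELD = "nojs"                  # rendered as "1"; the reCAPTCHA callback clears it (#41)
CSRF_FIELD = "csrf_token"                # per-session random token echoed back by the form
CAPTCHA_FIELD = "g-recaptcha-response"   # the field name the reCAPTCHA widget actually submits


def issue_csrf_token(session):
    """Store a fresh random token in the server-side session and return it for the form."""
    session[CSRF_FIELD] = secrets.token_urlsafe(32)
    return session[CSRF_FIELD]


def verify_recaptcha(token, secret, remote_ip=None, min_score=0.5,
                     expected_hostname=None, opener=urllib.request.urlopen):
    """POST the client's token to siteverify and check success, hostname and (v3) score."""
    if not token:
        return False
    data = urllib.parse.urlencode({"secret": secret, "response": token,
                                   "remoteip": remote_ip or ""}).encode()
    with opener(RECAPTCHA_VERIFY_URL, data=data, timeout=5) as resp:
        body = json.load(resp)
    if not body.get("success"):
        return False
    if expected_hostname and body.get("hostname") != expected_hostname:
        return False   # token was solved on some other site
    return float(body.get("score", 1.0)) >= min_score   # v2 replies carry no score


def validate_signup(form, session, remote_ip=None, **verify_kwargs):
    """Return (accepted, reason). Every check runs server-side regardless of what the client did."""
    if form.get(HONEYPOT_FIELD, ""):
        return False, "honeypot filled"
    if form.get(NOSCRIPT_FIELD) == "1":
        return False, "page script never ran"
    expected = session.get(CSRF_FIELD, "")
    if not expected or not hmac.compare_digest(expected, form.get(CSRF_FIELD, "")):
        return False, "bad csrf token"
    if not verify_recaptcha(form.get(CAPTCHA_FIELD, ""), RECAPTCHA_SECRET,
                            remote_ip, **verify_kwargs):
        return False, "captcha failed"
    return True, "ok"


def fake_opener(success, score=0.9, hostname="www.example.com"):
    """Offline stand-in for urlopen returning a constructed siteverify JSON body."""
    body = json.dumps({"success": success, "score": score, "hostname": hostname}).encode()
    return lambda url, data=None, timeout=None: io.BytesIO(body)


if __name__ == "__main__":
    session = {}
    token = issue_csrf_token(session)
    # A browser that loaded the page: callback cleared the hidden field, widget supplied a token.
    human = {CSRF_FIELD: token, NOSCRIPT_FIELD: "", CAPTCHA_FIELD: "client-token", HONEYPOT_FIELD: ""}
    # A script posting directly: hidden field still "1", no captcha token.
    bot = {CSRF_FIELD: token, NOSCRIPT_FIELD: "1", CAPTCHA_FIELD: ""}
    print(validate_signup(human, session, opener=fake_opener(True)))
    print(validate_signup(bot, session, opener=fake_opener(True)))
```

In production no opener is passed and the call goes to Google; the checks are ordered cheapest first so the paid-for siteverify round trip only happens for submissions that already passed the honeypot, hidden-field and CSRF tests.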
