Someone is creating new fake customers accounts


    #61
    "Yea, the admin interface has a spot for you to enter the site key and secret key (right now it only uses Google ReCaptcha v3). Site key is not currently used but I figured if I ever update it to handle the front end, can't hurt to have a field for it. Right now this only handles the back end, so code must be added to the front end manually (google's scripts, etc)."
    Mike:
    Are you saying that recaptcha for any page is already available in admin or have you created a module to do this?
    Larry
    Luce Kanun Web Design
    www.facebook.com/wajake41
    www.plus.google.com/116415026668025242914/posts?hl=en




      #62
      wajake41 Hi Larry - I wrote a module to do it - there's no way to do it through Miva out of the box. I haven't posted it for anyone to use yet since I wanted to be 100% confident in it. I've had it running on a couple of sites I work on for a few weeks now with no problems, but I'm not a module developer and I don't really want to be on the hook supporting it for dozens of sites. Maybe I'll just post the source on github for everyone to use as they wish.

      I had a long back-and-forth with Miva about this and eventually they confirmed what I was saying - that the only way to validate the ReCaptcha token was via a module. (lesliekirk also) - Miva pointed me to this thread, where it seems like there's a way to use the Toolbelt module to validate the token. I read through it and it seemed like it would work. Miva said that they don't view this as a vulnerability, and I didn't get the impression that any further fix was coming from them.

      lesliekirk - I didn't think of trying to use the payment screen's ReCaptcha on ACAD - I imagine it would use the same settings. Off the top of my head I'm not sure if it would work, since the ACAD form submits with a different Action than OPAY, so even though the token might be created on ACAD, I don't think it would get validated by merchant.mvc on submit.
      Looking for work as of March 2024! I've been a web developer for going on 20 years, with most of that time spent on Miva sites.



        #63
        I am having the same problem also; their emails end in .ru or .fr or .de. They are typical SPAM ads like how to get rich and bitcoin schemes, with a few "how to meet a beautiful girl" etc. There have been at least 200 so far in the last month, and this looks like it is going to be another maintenance duty cleaning these up.


        Is there a way to block these by country?

        Paul
        Last edited by meum71; 12-12-19, 11:28 AM.



          #64
          Yep, now count us among one of the sites being affected as well. :(

          Tons of accounts (about 300 so far), almost all end in .ru

          I wonder how many other sites are being targeted that don't even realize it?
          Psydde Delicious
          Delicious Boutique & Corseterie
          Philadelphia, PA
          www.DeliciousBoutique.com
          www.DeliciousCorsets.com



            #65
            Originally posted by Mike521w
            Maybe I'll just post the source on github for everyone to use as they wish.
            Mike, this is a good idea. I'm sure some of us other developers would be glad to help out. I'd offer personally but a tad busy ATM as one could imagine.

            Bruce Golub
            Phosphor Media - "Your Success is our Business"

            Improve Your Customer Service | Get MORE Customers | Edit CSS/Javascript/HTML Easily | Make Your Site Faster | Get Indexed by Google | Free Modules | Follow Us on Facebook
            phosphormedia.com



              #66
              Originally posted by Mike521w

              lesliekirk - I didn't think of trying to use the payment screen's ReCaptcha on ACAD - I imagine it would use the same settings. Off the top of my head I'm not sure if it would work, since the ACAD form submits with a different Action than OPAY, so even though the token might be created on ACAD, I don't think it would get validated by merchant.mvc on submit.
              I'm testing the code snippet generated on the OPAY screen instead of using the token. I'll keep you posted as to if it seems to activate displaying the reCaptcha on the OPAY screen.



              Leslie Kirk
              Miva Certified Developer
              Miva Merchant Specialist since 1997
              Previously of Webs Your Way
              (aka Leslie Nord leslienord)

              Email me: [email protected]
              www.lesliekirk.com

              Follow me: Twitter | Facebook | FourSquare | Pinterest | Flickr



                #67
                I've been seeing the same thing with fake profiles generated for spam purposes on a WordPress discussion forum I run. It's been happening there for well over a year now and increasing over time. Seems like profile creation is a new webspam vector that is continuing to spread.

                I'm using a WordPress plugin called CleanTalk (https://cleantalk.org) that has been doing a really good job of stopping this at the source. As an added feature, it has a firewall function that completely blocks site access to known spammer IP addresses. It's cut my site traffic, too, but in a positive way.

                CleanTalk has plugins available for many, many systems, including e-commerce applications. Perhaps someone could develop a Miva plugin or convince CleanTalk to do it.

                But from what I've seen on my WordPress site, I think we've been lucky in the Miva community that this hasn't been an issue to date. But it's here now and it's only going to get worse. There's a real need here for a solution, either from Miva or a third-party.
                Todd Gibson
                Oliver + S | Sewing Patterns for Kids and the Whole Family



                  #68
                  ok I threw together a quick github repo: https://github.com/MWScripts/Miva_GoogleReCaptcha

                  Feel free to download and edit the original .mv, or just use the .mvc. Remember, this does not add Google's ReCaptcha code to the front end of your site - that you have to do manually. It just listens for the actions you tell it to listen for, and when found, it validates the token. If good, everything proceeds as normal. If bad, a 403 and a blank page are returned.


                    #69
                    Originally posted by Mike521w
                    ok I threw together a quick github repo: https://github.com/MWScripts/Miva_GoogleReCaptcha

                    Feel free to download and edit the original .mv, or just use the .mvc. Remember, this does not add Google's ReCaptcha code to the front end of your site - that you have to do manually. It just listens for the actions you tell it to listen for, and when found, it validates the token. If good, everything proceeds as normal. If bad, a 403 and a blank page are returned.
                    Thanks for the module! I'm still trying to wrap my head around version 3. So no checkbox displays? It just sends the form to never-never land if it's a bot?


                    Leslie Kirk


                      #70
                      No problem : )

                      Right - it just gives them a blank page. Basically v3 returns a score from 0 - 1, and Google leaves it up to us to decide what score we're comfortable with. So we decide the lowest score we'll allow, AND we decide what to do if the score is too low.

                      So I set the module so we can enter the score we want, but as far as what it does with a low-score, that's coded in the module itself - 403 status and a blank page. Since the source is available you can change that if you want.

                      On the sites I manage, the good score returned by Google is almost always 0.9, and bad scores are almost always 0.1 (with a few 0.7's and 0.3's thrown in).


                        #71
                        AFAIK: With "bot holes" the general idea is to not give them any ideas. So, it might be better to then return a 200 response to "/you-have-found-the-back-door-to-my-fortune.html". If the bot sees that it's getting a 4xx response, it now KNOWS to try other URLs or methods.
                        Bruce Golub


                          #72
                          Bruce - PhosphorMedia good point - maybe on the next go-round I'll add an option where the user can configure what status code they want to return, and/or a corresponding URL


                            #73
                            Originally posted by Mike521w
                            Bruce - PhosphorMedia good point - maybe on the next go-round I'll add an option where the user can configure what status code they want to return, and/or a corresponding URL
                            yea, if i had the time, i'd do that and a bit more...i really like the idea of creating a bunch of 'open source' modules as there are many things that can be simplified with the use of a module, but there is no market for 'simple' modules.
                            Bruce Golub


                              #74
                              yea, I thought there might be a market for this one but I'm not a module developer and I don't want to get into providing support etc. There are some features that can be added though - the admin UI can be adjusted to a table layout like:
                              Action | Tolerance | Status Code on Fail | Redirect URL on Fail
                              ICST   | 0.3       | 200                 | /whatever.htm
                              Then each action can be a new row, and the user can add rows as they wish. That would be smooth and easier to understand. But to begin with I just needed something that worked
                              Looking for work as of March 2024! I've been a web developer for going on 20 years, with most of that time spent on Miva sites.
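
The checks a back-end validator of this kind has to make for each listened-for action, sketched in Python as an added example (this is not code from the Miva_GoogleReCaptcha repo): it applies the per-action table from post #74 to a parsed reCAPTCHA v3 siteverify response. It assumes the front end uses the Miva action code as the reCAPTCHA action name; `decide`, `ActionPolicy`, the LOGN row, the hostname and the sample responses are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class ActionPolicy:
    min_score: float                     # "Tolerance" column
    fail_status: int                     # "Status Code on Fail" column
    fail_redirect: Optional[str] = None  # "Redirect URL on Fail" column

# The ICST row is the one from the post; the LOGN row is a constructed second row.
POLICIES = {
    "ICST": ActionPolicy(0.3, 200, "/whatever.htm"),
    "LOGN": ActionPolicy(0.5, 403),
}

def decide(miva_action, verify, expected_hostname):
    """Return (allowed, status, redirect, reason) for one form submission.
    `verify` is the parsed JSON body of the siteverify response."""
    policy = POLICIES.get(miva_action)
    if policy is None:
        return (True, 200, None, "action not protected")

    def deny(reason):
        return (False, policy.fail_status, policy.fail_redirect, reason)

    if verify.get("success") is not True:
        return deny("token rejected: " + ",".join(verify.get("error-codes", [])))
    if verify.get("hostname") != expected_hostname:
        return deny("token issued for another hostname")
    # A token created for one form must not be accepted when another action is submitted.
    if verify.get("action") != miva_action:
        return deny("action mismatch")
    score = verify.get("score")
    numeric = isinstance(score, (int, float)) and not isinstance(score, bool)
    if not numeric or score < policy.min_score:
        return deny("score below tolerance")  # a missing score fails closed
    return (True, 200, None, "ok")

# Constructed siteverify responses (not captured traffic).
GOOD = {"success": True, "score": 0.9, "action": "ICST", "hostname": "shop.example"}
BOT = {"success": True, "score": 0.1, "action": "ICST", "hostname": "shop.example"}
REPLAYED = {"success": True, "score": 0.9, "action": "OPAY", "hostname": "shop.example"}
EXPIRED = {"success": False, "error-codes": ["timeout-or-duplicate"]}
```
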



                                #75
                                Originally posted by Bruce - PhosphorMedia

                                yea, if i had the time, i'd do that and a bit more...i really like the idea of creating a bunch of 'open source' modules as there are many things that can be simplified with the use of a module, but there is no market for 'simple' modules.
                                Bruce, is it possible and is there a market to create a module to help others create their own simple modules for individuals who don't know how to create simple modules like Online Miva Merchant Module Builder?
                                Last edited by William Davis; 12-18-19, 02:29 PM.
                                Thank you, Bill Davis
