Shopping Cart Software Forum for Ecommerce Templates
dbdave
ECT Moderator

USA
10289 Posts

Posted - 02/17/2021 :  12:48:59  
quote:
Also, isn't there a way to add a recaptcha to the order page form where they fill out the billing details, before they input their credit card info?


Not built in, but it could be custom coded.

David

Edited by - dbdave on 02/17/2021 18:08:34

charmarsh
Ecommerce Template Expert

USA
933 Posts

Pre-sales questions only
(More Details...)

Posted - 12/14/2022 :  13:37:28  
They're back! Now hundreds of bots, all different names, addresses, emails, IP addresses. They order the same product. But when I remove that product they just order some other product. I cannot add recaptcha to the ordering page because of Braintree integration. What else can I do???

dbdave
ECT Moderator

USA
10289 Posts

Posted - 12/14/2022 :  14:06:07  
Hi, what did Vince come up with back in 2021 for you?
Do you display the user agent on orders?
If so, post one here so I can see it.

If you are not seeing the user agent on orders, then add this to your includes. $captureuseragent=TRUE;

Thanks,
David

charmarsh
Ecommerce Template Expert

USA
933 Posts

Pre-sales questions only
(More Details...)

Posted - 12/14/2022 :  14:22:02  
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:107.0) Gecko/20100101 Firefox/107.0

dbdave
ECT Moderator

USA
10289 Posts

Posted - 12/14/2022 :  14:44:57  
Hi, so all of them have the same user agent?
The one you posted just translates to Firefox 107 on Windows 10.
So, unfortunately, that's not much help.

Typically when I've seen this, they usually have a common metric, such as email address or IP for example.
What about the shipping or billing address - all different?

Thanks,
David

charmarsh
Ecommerce Template Expert

USA
933 Posts

Pre-sales questions only
(More Details...)

Posted - 12/14/2022 :  14:52:37  
The only thing that is the same is the product they order. They only order 1 thing and it is the same thing every time. They used to order the chips, but I removed it from the store, now they order the California Strawberry Shake. No-one ever orders only 1 item.

charmarsh
Ecommerce Template Expert

USA
933 Posts

Pre-sales questions only
(More Details...)

Posted - 12/14/2022 :  14:56:42  
The emails are different, but all @yahoo.com

Also, the most recent ones all have the "Customer certifies shipping is to a commercial location" box checked.

Also all seem to be from the state of New York but different cities. However I do have real customers from New York.

Edited by - charmarsh on 12/14/2022 15:43:22
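The indicators collected so far in this thread (one unit of one product, every address at the same e-mail domain, the commercial-location box ticked, billing in New York while real New York customers also exist) are each weak on their own. The following is an added example, not Ecommerce Templates code, showing how a store owner might score an exported batch of orders by counting how many of those indicators fire together and list the high scorers for manual review. The order records and their field names are constructed for the example, not the cart's own schema.

```python
"""Score orders against the weak bot indicators discussed in this thread.

Added example for illustration; it is not Ecommerce Templates code. The order
records below are constructed and their field names (email, state, commercial,
items) are assumptions, not the cart's own schema.
"""
from collections import Counter

# Constructed sample: four orders shaped like the bot traffic described above
# (one unit of one product, yahoo.com address, commercial box ticked, New York)
# and two that look like ordinary customers, one of them also from New York.
SAMPLE_ORDERS = [
    {"id": 1001, "email": "a1b2c3@yahoo.com", "state": "NY", "city": "Buffalo",
     "commercial": True, "items": [("strawberry-shake", 1)]},
    {"id": 1002, "email": "qwerty9@yahoo.com", "state": "NY", "city": "Albany",
     "commercial": True, "items": [("strawberry-shake", 1)]},
    {"id": 1003, "email": "zz77@yahoo.com", "state": "NY", "city": "Utica",
     "commercial": True, "items": [("strawberry-shake", 1)]},
    {"id": 1004, "email": "plmok@yahoo.com", "state": "NY", "city": "Yonkers",
     "commercial": True, "items": [("strawberry-shake", 1)]},
    {"id": 1005, "email": "jane@example.org", "state": "NY", "city": "Ithaca",
     "commercial": False, "items": [("strawberry-shake", 2), ("protein-bar", 6)]},
    {"id": 1006, "email": "bob@example.net", "state": "TX", "city": "Austin",
     "commercial": False, "items": [("chips", 3)]},
]


def email_domain(address):
    """Domain part of an e-mail address, lower-cased."""
    return address.rsplit("@", 1)[-1].lower()


def score_orders(orders, burst_share=0.5):
    """Map each order id to the list of indicators that fire for it.

    Every indicator here is weak on its own (real customers come from New
    York, and plenty use yahoo.com), so the signal is the number that fire
    together. The burst indicators compare an order with the whole batch:
    a product or e-mail domain seen in at least `burst_share` of the batch.
    """
    total = len(orders)
    product_counts = Counter(p for o in orders for p, _ in o["items"])
    domain_counts = Counter(email_domain(o["email"]) for o in orders)
    scored = {}
    for o in orders:
        hits = []
        if len(o["items"]) == 1 and o["items"][0][1] == 1:
            hits.append("single_unit_order")
        if any(product_counts[p] / total >= burst_share for p, _ in o["items"]):
            hits.append("product_burst")
        if domain_counts[email_domain(o["email"])] / total >= burst_share:
            hits.append("email_domain_burst")
        if o["commercial"]:
            hits.append("commercial_checked")
        if o["state"] == "NY":
            hits.append("ny_state")
        scored[o["id"]] = hits
    return scored


def flag_orders(orders, threshold=4):
    """Ids of orders with at least `threshold` indicators, for manual review
    before they are marked deleted; nothing here cancels anything by itself."""
    return sorted(oid for oid, hits in score_orders(orders).items()
                  if len(hits) >= threshold)


if __name__ == "__main__":
    for oid, hits in score_orders(SAMPLE_ORDERS).items():
        print(oid, len(hits), hits)
    print("review:", flag_orders(SAMPLE_ORDERS))
```

On the constructed batch the four bot-shaped orders score 5 and the genuine New York customer scores 2 (she shares the product burst and the state), which is the point of scoring rather than blocking on any single field.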

dbdave
ECT Moderator

USA
10289 Posts

Posted - 12/14/2022 :  18:08:21  
Next, I would look through the server logs to see if there is anything you can spot.
I would also show the host that you are under attack and see what they can do at the server level.

Thanks,
David

charmarsh
Ecommerce Template Expert

USA
933 Posts

Pre-sales questions only
(More Details...)

Posted - 12/14/2022 :  20:04:52  
Well, I am not sure how to look through the server logs and what if anything they would show. How do I do that?

The server says: "Regarding the issue, I have found that the orders should all be coming from /home/dennis/public_html/cart.php file. We can try disabling it but that would most probably break the entire page setup.

I have also tried creating an account and ordering something from the page. While doing so, I noticed that there isn't any sort of confirmation required to either register an account or create an order. I also noticed cart-recaptcha.php file there but you stated Braintree is not working with. If that is the case, we would highly recommend trying some other way of creating a verification procedure. You can have your dev set up something like email confirmation or similar when creating an account.

In the meantime, your page remains vulnerable to order spams as anyone could create an account with made-up credentials and immediately start shopping while logged in, with no control over whether it is a real person with a real email or a bot."

I have done most everything I can on the BrainTree end but all the security settings are based on repetitive actions.

I added the recaptcha code to the cart page and the logo shows up but it does not work. Is there any way to change the checkout page so I can make recaptcha work?

What about making everyone create an account before ordering. Would that work?

BTW some of the bot orders are coming in as authorized.

Edited by - charmarsh on 12/14/2022 20:08:23

dbdave
ECT Moderator

USA
10289 Posts

Posted - 12/14/2022 :  20:46:42  
As for this
quote:
In the meantime, your page remains vulnerable to order spams as anyone could create an account with made-up credentials and immediately start shopping while logged in, with no control over whether it is a real person with a real email or a bot."


Normally you do not want to force users to create an account, particularly one that must be approved before use, but that may very well be an option for you.

It's also possible you are under attack by a bot that is submitting data to the form and this may not work, but I would try this.
$forceclientlogin=true;

I was thinking there was a setting where accounts must be approved, but I don't see that, so I will keep looking.
You could change $allowclientregistration=true; to false and that would stop users from self registering, but that may be too restrictive and prohibit legitimate sales.

If you at least set $forceclientlogin=true; then the bot would need to create an account before ordering. Maybe it's not sophisticated enough to do that.


Another idea just hit me.
You can add a checkout question and make it required.
Perhaps ask "Are you a human?" and require a response.
https://www.ecommercetemplates.com/phphelp/ecommplus/parameters.asp#exorder

Try something like this
$extracheckoutfield1="Are you a Human?";
$extracheckoutfield1required=TRUE;
$extracheckoutfield1html="<input type=\"checkbox\" name=\"ectfield\" value=\"Yes\">";


I tested it on my php test site ( https://www.floridasurpluswarehouse.com/dev/ ) and it works, so give that a try.
You should need to tick the box before you can proceed.

David


Edited by - dbdave on 12/14/2022 20:47:00

charmarsh
Ecommerce Template Expert

USA
933 Posts

Pre-sales questions only
(More Details...)

Posted - 12/14/2022 :  21:37:51  
I added the checkout question and it worked when I tested it. But, alas, the unauthorized orders still keep flying in. When I look at the unauthorized order, the question is there but there is no answer next to it. (shouldn't the word yes show up?) So somehow the bot is getting around it? Also I noticed that the bots check the box that says to check here for commercial location. So the bots know how to check boxes.

Are there any options in the BrainTree settings that I could try? What about the Braintree Express?

Vince
Administrator

42484 Posts

Posted - 12/15/2022 :  03:27:28  
Hi All
That was a really good idea of Dave's about the extra checkout fields but I don't think it is working as these people are creating a direct post to bypass the customer details page. I've got some changes that may help with this so if you don't mind me updating your site, could you send me the site FTP login and I'll get the changes installed.

Vince

Click Here for Shopping Cart Software
Click Here to sign up for our newsletter
Click Here for the latest updater

dbdave
ECT Moderator

USA
10289 Posts

Posted - 12/15/2022 :  06:36:20  
Yes, I was afraid my homemade captcha might not do the trick.
These bots are submitting data right to the form and not actually going through the steps of checkout.
Anyway, Vince is on the job, so this is good.

David
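Vince and Dave have both identified why the required checkbox did not help: the bot posts straight to the order step and never renders the customer-details page, so a field that is only "required" in the browser is never seen. The defensive pattern is to make the later step depend on server-side state that only a validated earlier step can set. The code below is an added example of that pattern, not Ecommerce Templates code; the step functions, the session dictionary, the field names and the use of `ectfield` as the checkbox name (borrowed from Dave's settings above, its real handling inside the cart is not modelled) are all assumptions for illustration. It forces a client through the steps in order; a bot that is rewritten to post both steps with every field filled in still gets through, which is the "not sophisticated enough" bet Dave describes.

```python
"""Make the checkout steps depend on server-side state, so a direct POST to
the order step fails unless the customer-details step was completed (and
validated) in the same session.

Added example, not Ecommerce Templates code: the step functions, the session
dictionary and the field names are assumptions for illustration. 'ectfield'
is the checkbox name used for the extra checkout question earlier in this
thread; its meaning inside the real cart is not modelled here.
"""

REQUIRED_DETAILS = ("name", "address", "email")
HUMAN_FIELD = "ectfield"   # extra checkout checkbox; must be posted as "Yes"


class CheckoutError(Exception):
    """Raised when a step is reached out of order or with bad input."""


def submit_customer_details(session, form):
    """Step 1: the details page. A field that is only marked required in the
    browser does nothing against a client that never renders the page, so
    every required field, the checkbox included, is checked again here."""
    missing = [f for f in REQUIRED_DETAILS if not form.get(f, "").strip()]
    if missing:
        raise CheckoutError("missing fields: " + ", ".join(missing))
    if form.get(HUMAN_FIELD) != "Yes":
        raise CheckoutError("required checkout question not answered")
    session["details"] = {f: form[f].strip() for f in REQUIRED_DETAILS}
    session["details_ok"] = True    # server-side proof that step 1 passed
    return True


def submit_payment(session, form):
    """Step 2: the payment step. It trusts nothing in the request about
    step 1; only the session flag set by submit_customer_details counts."""
    if not session.get("details_ok"):
        raise CheckoutError("customer details step not completed")
    nonce = form.get("payment_nonce", "")
    if not nonce:
        raise CheckoutError("missing payment nonce")
    order = {"customer": session["details"], "payment_nonce": nonce}
    session["details_ok"] = False   # one order per completed details step
    return order


def run_scenarios():
    """Three requests: a direct post to step 2, a post to step 1 without the
    checkbox, and a customer who walks through both steps in order."""
    results = {}
    try:
        submit_payment({}, {"payment_nonce": "n-1"})
        results["direct_post"] = "accepted"
    except CheckoutError as err:
        results["direct_post"] = str(err)

    try:
        submit_customer_details({}, {"name": "x", "address": "y",
                                     "email": "z@example.com"})
        results["no_checkbox"] = "accepted"
    except CheckoutError as err:
        results["no_checkbox"] = str(err)

    session = {}
    submit_customer_details(session, {"name": "Jane Doe", "address": "1 Main St",
                                      "email": "jane@example.org",
                                      HUMAN_FIELD: "Yes"})
    results["customer"] = submit_payment(session, {"payment_nonce": "n-2"})
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(name, "->", outcome)
```

Resetting the flag after an order means a replayed payment post cannot reuse a single completed details step; in a real deployment the flag would live in the server-side session store, never in a cookie or hidden form field the client can set.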

Phil
ECT Moderator

United Kingdom
7625 Posts

Posted - 12/15/2022 :  06:44:10  
quote:
Yes, I was afraid my homemade captcha might not do the trick.


Very good thinking though!



*Contact Us*
*Buy The PHP Capture Card Plugin*
*Rate Our Services/View Our Feedback*

charmarsh
Ecommerce Template Expert

USA
933 Posts

Pre-sales questions only
(More Details...)

Posted - 12/15/2022 :  10:10:34  
Good news! Because the bots always ordered one each of the same item, last night I limited the purchase of that item to a minimum of 2. This morning the bots were gone! I don't want to dissuade Vince from making adjustments to my site though, as this is the second time hackers have found my site and I feel vulnerable as to the next attack. So whatever Vince can do on the backend, please proceed. But for now, I want to change the ordering limit from that one product to limit the store total to a minimum of 2, because no one ever orders just one item from our store.

Now, if someone can tell me how to delete all the thousands of fake orders in bulk that would be helpful.

dbdave
ECT Moderator

USA
10289 Posts

Posted - 12/15/2022 :  10:17:59  
quote:
Now, if someone can tell me how to delete all the thousands of fake orders in bulk that would be helpful.


Pull up a page of offending orders, hold down your control key and change the status to deleted, all orders on the page will change to that status.
Then update and do the next page.
Once they are all in deleted status, you can then purge your deleted orders.

David

charmarsh
Ecommerce Template Expert

USA
933 Posts

Pre-sales questions only
(More Details...)

Posted - 12/15/2022 :  10:27:01  
Thank you David. And thank you for your efforts and for following me on the terrible ride!

dbdave
ECT Moderator

USA
10289 Posts

Posted - 12/15/2022 :  10:41:26  
No worries. Keep in mind, I am a store owner too, so I feel your pain.

David

charmarsh
Ecommerce Template Expert

USA
933 Posts

Pre-sales questions only
(More Details...)

Posted - 12/16/2022 :  12:45:55  
They are back again! They switched to another product. And I think they will keep doing that.

Vince, were you able to make any changes to my site?

midvalleydrifter001
Ecommerce Template Expert

USA
914 Posts

Posted - 12/16/2022 :  17:22:42  
I am by no means an expert here but I did notice a couple of things that need updating if it's the website in your profile. Manage Your Weight DOT com

I ran a test on it in SSLlabs.com and noticed you are running a very outdated version of PHP on your website. X-Powered-By PHP/5.6.40

I would highly recommend getting the latest version like PHP 8.1.13 or close to that.

Something else I noticed in the report: Strict Transport Security (HSTS) No

Add this to your .htaccess file in your Security Headers Section:

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS

Also add these if you don't have them.

Header set X-XSS-Protection "1; mode=block"
Header set X-Frame-Options "SAMEORIGIN"
Header set X-Content-Type-Options "nosniff"
Header set Referrer-Policy "same-origin"


This may or may not fix it but it will make it more secure. It could also increase your SSLlabs score from A to A+.

Just my thoughts.

Patrick


Edited by - midvalleydrifter001 on 12/16/2022 17:38:40
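After adding the .htaccess lines above it is worth confirming that the live responses actually carry them with usable values, since a header that is present but mis-typed scores no better than a missing one. The script below is an added example, not from this thread or Ecommerce Templates: it audits a captured set of response headers for the items in Patrick's list and for the version banner he spotted. Both header sets are constructed; the "before" set imitates what the report he quotes would show, and the "after" set is what the .htaccess lines should produce once the PHP banner is also switched off.

```python
"""Audit a captured set of HTTP response headers against the hardening
headers listed above, before and after adding them.

Added example, not from the thread or Ecommerce Templates. Both header sets
below are constructed; the 'before' set imitates what the SSL Labs report
quoted above would show (PHP 5.6 banner, no HSTS).
"""

ONE_YEAR = 31536000

# Constructed: response headers as they might look before the change.
BEFORE = {
    "Server": "Apache",
    "X-Powered-By": "PHP/5.6.40",
    "Content-Type": "text/html; charset=UTF-8",
}

# Constructed: the same response after the .htaccess lines above are in place
# and the PHP banner is no longer sent.
AFTER = {
    "Server": "Apache",
    "Content-Type": "text/html; charset=UTF-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-XSS-Protection": "1; mode=block",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "same-origin",
}

# Header -> accepted values (compared case-insensitively). X-XSS-Protection is
# kept for parity with the list above; current browsers ignore it, so it is
# neither a protection nor a risk on its own.
EXPECTED = {
    "x-frame-options": {"sameorigin", "deny"},
    "x-content-type-options": {"nosniff"},
    "referrer-policy": {"same-origin", "strict-origin-when-cross-origin",
                        "strict-origin", "no-referrer"},
    "x-xss-protection": {"1; mode=block", "0"},
}


def parse_hsts(value):
    """Split an HSTS value into (max_age or None, {directive: value})."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = val.strip()
    try:
        max_age = int(directives["max-age"])
    except (KeyError, ValueError):
        max_age = None
    return max_age, directives


def audit_headers(headers, min_hsts_age=ONE_YEAR):
    """Return a sorted list of findings; an empty list means nothing to fix."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        max_age, d = parse_hsts(hsts)
        if max_age is None or max_age < min_hsts_age:
            findings.append("HSTS max-age below %d" % min_hsts_age)
        if "includesubdomains" not in d:
            findings.append("HSTS lacks includeSubDomains")
        # The preload list requires at least one year and includeSubDomains.
        if "preload" in d and (max_age is None or max_age < ONE_YEAR
                               or "includesubdomains" not in d):
            findings.append("HSTS preload set without the max-age/includeSubDomains it needs")
    for name, allowed in EXPECTED.items():
        if name not in h:
            findings.append("%s missing" % name)
        elif h[name].lower() not in allowed:
            findings.append("%s has unexpected value %r" % (name, h[name]))
    if "x-powered-by" in h:
        findings.append("X-Powered-By advertises %s" % h["x-powered-by"])
    return sorted(findings)


if __name__ == "__main__":
    print("before:", audit_headers(BEFORE))
    print("after: ", audit_headers(AFTER))
```

The `env=HTTPS` condition on the HSTS line above means the header is only emitted on TLS responses, so capture the headers from an https:// request when feeding them to the audit; a plain http:// capture would report HSTS missing even when the configuration is right.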
Shopping Cart Software Forum for Ecommerce Templates © 2002-2022 ecommercetemplates.com