Shopping Cart Software Forum for Ecommerce Templates
 
 Getting slammed with phony orders from many IPs

DeeAnna
Advanced Member

USA
280 Posts

Posted - 08/19/2025 :  08:43:58  
This is a new one for me. I'm not quite sure how to handle the situation.

Since yesterday evening, my online store has been getting orders every few seconds. edit: The current batch of 150 orders I'm looking at were all placed within a 6-minute interval.

The orders are created but then abandoned before payment. Each order is for a single item from my store. Stock in that item is now at zero, but these fake orders are still coming in for the item.

IP addresses for these fake orders vary all over the world, so I can't just block an IP or a reasonable range of IPs. Anything I can do other than delete the orders and wait for the attack to be over?

Many thanks for your time and any advice you can offer. --DeeAnna

Classic Bells, Postville, Iowa, USA, https://classicbells.com/

Edited by - DeeAnna on 08/19/2025 08:46:46

dbdave
ECT Moderator

USA
10563 Posts

Posted - 08/19/2025 :  09:58:52  
I am betting they all have the same email address, please confirm.
If so, you can block them by adding a line to your includes.
Let us know if they all have the same email address.
David

DeeAnna
Advanced Member

USA
280 Posts

Posted - 08/19/2025 :  10:15:02  
Checked a random selection of the 150+ orders I mentioned earlier.

Good thought, DBDave, but nope, the orders don't all have the same email address.

The email is set up as buyerName @ gmail.com

Examples:
Order from buyer Judy Hunt has the email judyhunt@gmail.com
Order from Tracy Finklea has tracyfinklea@gmail.com

I was able to stop the orders from being created by altering the product ID of the product that's common to all these orders. I realize that doesn't necessarily mean the attack itself has stopped. Just that the orders aren't being added to the database.


Classic Bells, Postville, Iowa, USA, https://classicbells.com/

DeeAnna
Advanced Member

USA
280 Posts

Posted - 08/21/2025 :  15:00:41  
dbDave: The one thing that is common to these fraudulent orders is the email address is buyerName@gmail.com. At the risk of alienating a legit customer with a gmail address, would there be a way to shut down multiple orders with a gmail address?

Or perhaps is there a way to throttle an attack like this based on the rate of orders arriving? I may get, say, up to 20 orders a day, but never hundreds per day. The timing of legit orders is also pretty random and irregular. Multiple orders coming in minutes or seconds apart is next to unknown for me.

So as yet another chapter in this unpleasant experience, someone in the fraud department at PayPal sent me a caution message today. They said it was probably an attempt to verify if stolen credit card information is valid.

I have my store set so it creates an authorization for payment, but doesn't complete the transaction, so none of these fraudulent orders actually caused someone's card to be charged. That's the only good thing about this whole experience, though.

I'm getting good at making mass changes to the status of orders. When looking at a list of orders in the Orders Administration main screen, hold down CTRL and change the status of one order in the list. All visible orders will change to that status.

Classic Bells, Postville, Iowa, USA, https://classicbells.com/

Edited by - DeeAnna on 08/21/2025 15:03:04
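
The rate-based throttle asked about in the post above, as an added example that is not part of the thread and is not Ecommerce Templates code: a sliding-window cap on new orders per product that ignores IP and email, replayed over constructed order timestamps shaped like the ones described (about 20 orders on a normal day, 150 orders for one item in 6 minutes). The class and function names, the limit of 5 orders per 10 minutes, and the sample data are all assumptions; Python is used only for illustration.

```python
from collections import deque
from datetime import datetime, timedelta

class OrderVelocityGate:
    """Sliding-window cap on new orders per product, ignoring IP and email."""

    def __init__(self, max_orders=5, window=timedelta(minutes=10)):
        self.max_orders = max_orders   # assumed threshold, tune to the store
        self.window = window
        self.recent = {}               # product_id -> deque of accepted timestamps

    def decide(self, product_id, when):
        q = self.recent.setdefault(product_id, deque())
        while q and when - q[0] > self.window:   # forget orders outside the window
            q.popleft()
        if len(q) >= self.max_orders:
            return "challenge"                   # e.g. CAPTCHA or hold for review
        q.append(when)
        return "accept"

def email_mirrors_name(name, email):
    """Weak secondary signal from the thread: local part is the buyer name squashed."""
    local = email.split("@", 1)[0].lower()
    return local == "".join(ch for ch in name.lower() if ch.isalnum())

def replay(orders, gate=None):
    """orders: iterable of (timestamp, product_id); returns decision counts."""
    gate = gate or OrderVelocityGate()
    counts = {"accept": 0, "challenge": 0}
    for when, product_id in sorted(orders):
        counts[gate.decide(product_id, when)] += 1
    return counts

# Constructed sample data (not taken from any real order table).
DAY = datetime(2025, 8, 19)
NORMAL = [(DAY + timedelta(hours=h), f"SKU-{h}") for h in range(20)]
BURST = [(DAY + timedelta(hours=20, seconds=2.4 * i), "SKU-TARGET")
         for i in range(150)]

if __name__ == "__main__":
    print("normal day:", replay(NORMAL))
    print("burst     :", replay(BURST))
    print("name-shaped email:", email_mirrors_name("Judy Hunt", "judyhunt@gmail.com"))
```

The name-shaped email check is only a supporting signal, since a legitimate customer can have the same address pattern; the per-product rate is what separates the burst from normal traffic here.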

DLSS
ECT Moderator

Canada
3976 Posts

Posted - 08/22/2025 :  08:59:00  
Your first defense is already built into the cart - reCaptcha. Get some keys from Google and enable it for checkout. I have had a client who this happened to with the reCaptcha set but you should do this first.

Here is how to set it up.

https://www.ecommercetemplates.com/help/admin-main.asp#recaptcha








Mike Beebe
President,
DataLinks Software Solutions
www.dlss.ca

Rate Me Here

ASP and PHP mods - www.dlss.ca/products.asp
A Tremendous Home - www.ATremendousHome.com
Cigar Smoke Shop - www.CigarSmokeShop.net

DeeAnna
Advanced Member

USA
280 Posts

Posted - 08/22/2025 :  15:20:05  
Thanks for the suggestion, Mike. I really dislike recaptcha as a user, but it may be a necessary evil I'll have to learn to live with. The "check the box if you're not a robot" type of recaptcha is something I probably can tolerate.

edit 1: Hmmm. Recaptcha V3 looks interesting -- it appears designed to operate behind the scenes to avoid making the user's life miserable.

edit 2: Looks like only V2 is available for ECT at this time.

Classic Bells, Postville, Iowa, USA, https://classicbells.com/

Edited by - DeeAnna on 08/22/2025 15:38:20