René H4

Fake accounts


In my case, it blocked about 10 and they seem to have stopped. I do wonder what their end game is with this. I don't really see much purpose unless they have a way to worm into the site with it.

 


I'm not really a dog.


I get an occasional one of these. I have noticed that the number of logins is one i.e. they have logged out and back in.

I did a search in my database using phpmyadmin for the email address used and discovered it in the sessions table on two lines. Would this be correct, I thought that you pick up the same session when you log back in?

It still seems odd, what are they trying to achieve?


OsC 2.3.4.1 CE Frozen   PHP 7.2   MySQL 10.1.36-MariaDB-cll-lve. Phoenix in development

Is your version of osC up to date? You'll find the latest osC community version (CE Phoenix 1.0.2.0) here.


 

2 hours ago, mhsuffolk said:

what are they trying to achieve

These seem to be forum spammers, they sign up and later they will try to spam their sh*t  on your forms using the signup details.

If I look in my error.log I can see that they also try to visit contact_us.php and www.forum.mysite.nl even if it does not exist.

I block them with a honeypot system; it's working.


:heart: osCommerce

I am using osCommerce version 2.3.4.1 CE  Frozen

Get the latest Responsive osCommerce CE (community edition) here

 


I too have been getting lots of problems with these spam/fake accounts being created, and worse, over the last few months, exactly the same as everyone else: usually something like the same name for first name and last name with two capital letters on the end, e.g. 'samename samenameGP'.

Most of it seems to go back to IPs from Moldova and the Russian Federation. I tried to block some IP address ranges and it did cut it down, but it's a never-ending battle. I did also try to block those countries in my .htaccess, but either they get round it or my host doesn't let me do it that way.

I found that if I get these fake accounts I get loads more spam email than normal, and if I block the fake accounts from registering I don't get any spam. It's like they register using a genuine email address that works, and as soon as they get the welcome email they automatically fire back loads of spam at the address it came from.

I found this thread in a way of trying to stop it, and I have just come up with another simple way that seems to have worked for me.

I don't use the customers_fax field; I have even removed the part of the page that displays the input field on the create_account page, but all the fake accounts are still managing to put an entry in the DB for customers_fax, and none of the genuine customer registrations do.

I just made a super crude error... so if the entry in customers_fax is longer than the minimum length that's used for the Telephone Number as set in admin it will throw an error, but I didn't even bother putting an error message up.

    if (strlen($fax) > ENTRY_TELEPHONE_MIN_LENGTH) {
      $error = true;

    }

I did look at some other fields that I don't use, like customers_gender… but with all the other ones there seems to be some anomalies depending on how the customer registered, as people who manually fill the form end up with the customers_gender set to NULL, but for customers that have their details automatically completed by PayPal Express checkout have that field empty.

Obviously this won't work for everyone, but it kind of shows how crude these bots are, as I have read loads of stuff before about people using .css to make a hidden input field transparent, or positioning them off the screen, but in reality there is no need.
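The check in the post above, written out as an added example (not Enzo79's or osCommerce's own code) and generalised to any number of fields that the form no longer renders. The function name, the sample submissions and the stand-in value for ENTRY_TELEPHONE_MIN_LENGTH are constructed for this example; in a real install the admin setting already exists and the hook point is the validation section of create_account.php.

```php
<?php
// Added example, not Enzo79's or osCommerce's own code: the "unused field was
// filled in" check from the post above, generalised to any number of fields
// that the form no longer renders. ENTRY_TELEPHONE_MIN_LENGTH is a real
// osCommerce admin setting; the value defined here is a constructed stand-in
// so the file runs outside the shop.
if (!defined('ENTRY_TELEPHONE_MIN_LENGTH')) {
    define('ENTRY_TELEPHONE_MIN_LENGTH', 3);
}

/**
 * Return the names of fields that real customers never fill in (the form does
 * not show them) but that arrived with a value anyway. Whitespace-only input
 * is treated as empty so a stray space from a genuine customer is ignored.
 *
 * @param array $post          submitted form fields (e.g. $_POST)
 * @param array $unusedFields  field names the form does not render
 * @return array field names that were nevertheless populated
 */
function populatedUnusedFields(array $post, array $unusedFields): array
{
    $hits = [];
    foreach ($unusedFields as $field) {
        $value = trim((string)($post[$field] ?? ''));
        // Same rule as the post: longer than the telephone minimum counts as
        // a deliberate entry, not a stray keystroke.
        if (strlen($value) > ENTRY_TELEPHONE_MIN_LENGTH) {
            $hits[] = $field;
        }
    }
    return $hits;
}

// Constructed sample submissions: one genuine, one in the bot pattern the
// thread describes (same first/last name with two capitals appended).
$submissions = [
    ['firstname' => 'Anna', 'lastname' => 'Lee', 'telephone' => '0123456789',
     'fax' => ' '],
    ['firstname' => 'samename', 'lastname' => 'samenameGP',
     'telephone' => '0123456789', 'fax' => '5550001234'],
];
$unused = ['fax'];   // add other fields you have removed from the form

foreach ($submissions as $post) {
    $hits = populatedUnusedFields($post, $unused);
    if ($hits !== []) {
        // In create_account.php this is where $error = true is set; recording
        // which field tripped makes later false-positive review possible.
        $error = true;
        error_log('create_account: unused field(s) populated: ' . implode(',', $hits));
        printf("%s %s: rejected\n", $post['firstname'], $post['lastname']);
    } else {
        printf("%s %s: accepted\n", $post['firstname'], $post['lastname']);
    }
}
```

Because the function returns which fields tripped rather than just a boolean, the caller can decide per field whether to reject the registration outright or merely flag the account for the administrator to review, and the error_log line gives you something to check when a genuine customer complains.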

40 minutes ago, Enzo79 said:

reality there is no need.

I am afraid you are mistaken. Bots these days are very clever; they are able to bypass simple attempts like you have made. They are even now able to get past the honeypot method. Do not underestimate how clever spammers are.

You will need to use several layers of protection to reduce the spam levels.

Begin with secure forms, and I mean all forms on your website.

1) Use honeypot and Google reCAPTCHA if you can.

2) Use the .htaccess file to block if you can.

3) Use your server (cPanel or other) IP blocker if you can.

4) Make sure you have a spam filter set up on your email server.

It's just a starting point, as with spam you just have to keep updating as the spammers evolve.

One of the worst spammers at the moment is ----- well, I will not post the name, but it's .ru. This is the IP range they use currently; add it to your server IP block list. Just enter it as it is.

128.140.169.0-128.140.169.255

Edited by JcMagpie

 


If they are using Google for the company name, then you can add the code I posted early in this thread and change company_tax_id to company and it will block all of those.  I get a couple a day sometimes, but they are blocked.


I'm not really a dog.


I found that one of the shortcomings of osC is the fact that the customers.php file will not allow you to sort the customers display. This means that you have to manually search for a name to get rid of fake accounts.

Now these buggers normally do this in hits, so you will get a stack of these on a given date. Yes, you can go to phpMyAdmin and sort by date and remove, but not all shop owners are able to do this. A simple solution would be to add sort capability to customers.php.

So I had a quick look and it's been done and works fine. It's an old add-on, but if you follow the edit instructions you can apply it to BS.

https://apps.oscommerce.com/GMMzz&customer-sort-admin

You can now sort by first or second name and date account created. Makes removing fake accounts much quicker. Tested on BS4 only.

 

Edited by JcMagpie
add info

 

On 10/15/2018 at 8:36 PM, John W said:

I've had a few of these in the last month with some different names, but they enter Google for company and google for company tax id each time. I know company tax id isn't stock code, but I added this to block spammers and I can add more to it if I need. Most regular customers don't enter a tax id, but only spammers enter google for it. I also have it send me an email to notify me it's happened so I can track it.


//Added to block spammers
    if (strtolower($company_tax_id) == 'google') {
      $error = true;

      $messageStack->add('create_account', "You have triggered spamming prevention rules.  If your info is correct and you are not a spammer please contact us or try again.");

      // Note the space before "using": without it the name and the text run together in the alert email.
      $spam_email_text = "Spammer Alert: " . $firstname . " " . $lastname . " using company name: " . $company . " with tax id: " . $company_tax_id . " triggered spam alert.";
      tep_mail(STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS, 'Spammer Alert:', $spam_email_text, STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS);
    }
//END Added to block spammers

 

Thank you John, it worked for me too with this modification to avoid the need to include the tax id field:

if (strtolower($company) == 'google') {
    $error = true;
}

This stopped most of this kind of fake account sign-ups, but sometimes their bot uses "apple" or "AT&T" as a company name. I am not sure in what format I need to add other company names to my ban list.

I tried this, but it did not work: if (strtolower($company) == 'google' 'apple') {

As you see I am not an IT specialist, just trying to solve this by trial-and-error coding :(

$bad_companies = array('google', 'apple');

if (in_array(strtolower($company), $bad_companies)) {
  $error = true;
}

You can add more company names into the $bad_companies array.


This is a signature that appears on all my posts.  
IF YOU MAKE A POST REQUESTING HELP...please state the exact version
of osCommerce that you are using. THANKS

 
Get the latest Responsive osCommerce CE (community edition) here
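The $bad_companies idea from burt's post and the tax-id check from John W's post, combined in an added example that is neither poster's own code nor part of osCommerce. It normalises the submitted value before comparing, so case, spacing and punctuation variants ("AT&T", "at & t") hit the same list entry, and it screens both fields with one list. The function names, the sample submissions and the list contents (taken from the names mentioned in this thread) are constructed for the example.

```php
<?php
// Added example (not burt's, John W's or osCommerce's own code): the
// $bad_companies check from the post above, applied to both the company and
// the tax-id field, with the input normalised before comparison.

/**
 * Normalise free text for comparison: lower-case and keep only letters and
 * digits, so "AT&T", "at & t" and "At&t" all become "att".
 */
function normaliseName(string $name): string
{
    return preg_replace('/[^a-z0-9]/', '', strtolower($name));
}

/**
 * Return the names of submitted fields whose value matches a blocked entry.
 * The match is exact after normalisation, never a substring, so a genuine
 * "Apple Orchard Farm" is not caught by the "apple" entry.
 *
 * @param array $post     submitted form fields (e.g. $_POST)
 * @param array $fields   which fields to screen
 * @param array $blocked  company names that, in your data, only the bots use
 * @return array field names that matched
 */
function blockedFieldMatches(array $post, array $fields, array $blocked): array
{
    $blockedNormalised = array_map('normaliseName', $blocked);
    $matches = [];
    foreach ($fields as $field) {
        $value = normaliseName((string)($post[$field] ?? ''));
        if ($value !== '' && in_array($value, $blockedNormalised, true)) {
            $matches[] = $field;
        }
    }
    return $matches;
}

$bad_companies = ['google', 'apple', 'AT&T'];   // constructed from this thread
$screened      = ['company', 'company_tax_id'];

// Constructed submissions: two in the bot pattern, two genuine.
$submissions = [
    ['company' => 'Google',             'company_tax_id' => 'google'],
    ['company' => 'at & t',             'company_tax_id' => ''],
    ['company' => 'Apple Orchard Farm', 'company_tax_id' => ''],
    ['company' => '',                   'company_tax_id' => 'GB123456789'],
];

foreach ($submissions as $post) {
    $hits = blockedFieldMatches($post, $screened, $bad_companies);
    if ($hits !== []) {
        // Where create_account.php sets $error = true. Logging which field
        // matched is what lets you review a complaint from a real customer.
        $error = true;
        error_log('create_account: blocked company match in ' . implode(',', $hits));
        printf("%-20s blocked (%s)\n", $post['company'], implode(', ', $hits));
    } else {
        printf("%-20s ok\n", $post['company']);
    }
}
```

Exact matching after normalisation is a deliberate trade-off: a substring match would also catch every real business with "apple" in its name, while an exact match only blocks the bare word the bots type. The tax-id field is the stronger signal of the two, since a genuine tax id is a number, not a company name.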

3 hours ago, xhussar said:

This stopped most of this kind of fake account sign-ups, but sometimes their bot uses "apple" or "AT&T" as a company name.

The problem is that all of these accounts are, technically, legitimate, so there's no one good way to stop them all. What happens if a legitimate customer that works for AT&T puts that as a company out of habit? Or what if they start using "Amazon", or whatever? You could add a list of bad companies and have the code compare against it, but I'm afraid managing that list will become a full-time job as the spammers learn which companies not to use.


I see Jack's point and it's one of the reasons I use the $company_tax_id, which I already had as part of the SPPC addon. I haven't had any spammers use apple or AT&T, but I do have legitimate customers in my database using both of those: Apple as part of a business name and not Apple the company. However, none of them have that as their $company_tax_id, so I would feel safe using it there. I don't know if it's worth adding that field to do this, but since it already exists, I'm using it. Every spammer account that I know of is using Google for company and google for tax id.

 

Edited by John W

I'm not really a dog.


Just a note to be careful when screening for fake accounts or using a honeypot to catch bots, that you don't fool legitimate users who are visually impaired and need to use a screen reader or braille output. Some field that's white-on-white or visibility: none might still be presented to a blind user, who could innocently fill in such a decoy field. At best, you've lost a potential customer; at worst, you could be in legal trouble for discriminating against the handicapped (ADA, etc.). In other words, don't count on "invisibility" (visual appearance) to keep all legitimate users from "seeing" an input field. If you have something like a "company tax ID" decoy field, might someone innocently enter "none" or "N/A"? Keep that in mind when designing such bot-traps. Perhaps it would be best to disable certain functions (reviews, contacts, emails, etc.) and flag such suspicious "customers" until the administrator has had a moment to look over their registration and decide that it's a bot to be flushed. Unfortunately, that's a bit of extra work for the administrator, but might be worth it to keep spam out of the system. To avoid harming real customers who trigger false positives, you should probably inform them that the account is being "held for review".

Also, bots might be soon (if not already be) smart enough to look for things labeled "honeypot" or "decoy" or similar names and phrases, and avoid them. If you have a field with nearby text "do not enter anything in this field" or "for office use only", a smart bot might know to avoid it. Similarly, a smart bot might notice that text is the same color as the background, or something's positioned offscreen or fudged on visibility, and refrain from filling in something there. It will be a never-ending war.


In my case I think this would be rather impossible @MrPhil. I think most of my customers need visibility to ride a motorcycle... 🙂

However, I always enjoy your critical points of view. You mention things nobody else has thought about.... Thumbs up!


  • Gold is EOL
  • Frozen is Sunset
  • Edge is defunct and no longer exists
  • Phoenix is the default recommended download

47 minutes ago, MrPhil said:

Also, bots might be soon (if not already be) smart enough to look for things labeled "honeypot" or "decoy" or similar names and phrases, and avoid them.

That's why I changed the Honeypot addon to store the IP. It certainly isn't a 100% fix since one can't exist for this problem but I think it is a better choice than checking things that may change.

1 hour ago, honda4 said:

In my case I think this would be rather impossible @MrPhil I think most of my customers need visibility to ride a motorcycle... 🙂

However, I always enjoy your critical points of view. You mention things nobody else has thought about.... Thumbs up!

I would hope so, but I wouldn't count on it. I've heard accounts of legally blind* people still licensed to drive a car. I don't know if this ever has been confirmed, but I wouldn't be surprised if the disability people don't talk to the Motor Vehicle people!

Thanks for the support... I do try to look at things from a different angle that may not have been discussed yet. This seems to annoy some people, but I think it's better to cover all angles.

* "legally blind" does not necessarily mean "totally unsighted". It can mean greatly reduced vision in some form.

Edited by MrPhil


In the long run the only way to prevent fake accounts will be to have a two-stage verification, so that before the account is approved and moved into the database it is verified as valid.

Many companies are introducing SMS or email verification as standard. This works well, as they normally introduce guest checkout at the same time so you can still make your first purchase.

Some have done away with registration and every order is as guest, with orders being tracked with a unique ID; the customer is emailed this and can log in and check the order.

The same can be done for reviews: let them write one, but until it's been verified it just sits in quarantine and is dumped if not validated.

From what I have seen over the last 2-3 months most of the fake accounts are coming from .ru and many of the details include "Russian Federation" in the data entered.

It looks like most are just crap inserted to see if the site responds to them, but every so often one will contain script!

I have simply updated the customers in admin code to allow me to sort customers by the date the account was made, and then every day I just check and remove the crappy ones.

It's tedious but simple enough to do.


 

17 hours ago, honda4 said:

In my case I think this would be rather impossible @MrPhil I think most of my customers need visibility to ride a motorcycle... 🙂

Fair point, but the blind customer may be buying a present for a visually unimpaired person.


OsC 2.3.4.1 CE Frozen   PHP 7.2   MySQL 10.1.36-MariaDB-cll-lve. Phoenix in development

Is your version of osC up to date? You'll find the latest osC community version (CE Phoenix 1.0.2.0) here.

On 1/31/2019 at 12:55 PM, burt said:

$bad_companies = array('google', 'apple');

if (in_array(strtolower($company), $bad_companies)) {
  $error = true;
}

You can add more company names into the $bad_companies array.

Thank you Burt, for me this is good for a quick fix. I know in theory someone could legitimately enter "apple" or "google" as a company, but as far as I understand this field is there for people who want to get an invoice made out to their companies, and unfortunately none of the blue chip companies are ordering dietary supplements from us :( I will try to integrate John's script to exclude registrations with company names instead of numbers in the tax ID field, but for now this seems to do the trick. I had these fake registration problems a few years back already, and after about half a year it stopped. Just as now, back then too, they used these 3 company names only. They might be kids in Moldova or Russia learning how to hack, but probably not being very thorough to put infinite variables when filling out these two fields, as they do in the other fields.


Installed the honeypot yesterday and it worked for most of the day until I woke up this morning to 20 fake accounts, and 20 emails from honeypot stating someone had tried too many times to create accounts - thankfully the honeypot gave me the IP address, which were all the same, so I banned them, but they're back again already. Did I do something wrong or is this just the way it is?  It's getting worse!


@fiodh If you get emails saying someone tried too many times, it just means they tried but were blocked. If you want to stop even that, then set the count option to 2. They will always be able to create one account since there's no way to distinguish between it and a legitimate one. But if you blocked their IP, you should not see any new tries since they should not be able to reach your site. You might want to verify you added the IP to the shop's root .htaccess file.

 

 


Hi Jack

Thanks a million for this. Does the honeypot addon block their ip or their email address when repeated attempts are made? Looks like email I think? Could it be made to block repeated attempts from the specific IP? Or is there a bad reason for that?


It stores the IP and if they try to create a second account in a certain amount of time, it prevents the account from being created. You can test this by trying to create two accounts. Actually, you should do that because the displayed message may not be what you want to show. The code doesn't do anything else with the IP. I thought about adding code to automatically ban it but if, for example, you have the account limit set to 3 and then a regular customer forgets they have an account and decides to create another one, they would be blocked. So that is a dangerous option for the create account page.
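The mechanism Jack describes above (store the IP, refuse a further account from it inside a time window, but never auto-ban), written out as an added example; it is not the Honeypot add-on's own code. The attempt store is an in-memory array standing in for the add-on's database table, the limits are the values discussed in this thread (count of 2, window of 4 hours), and the function name and the sample IP address are constructed. In a real install the address would come from $_SERVER['REMOTE_ADDR'], or from the forwarding header you trust if the shop sits behind a reverse proxy.

```php
<?php
// Added example, not the Honeypot add-on's or osCommerce's own code: a
// sliding-window limit on account-creation attempts per IP, as described in
// the post above. The store is an in-memory array standing in for a database
// table; the limits and the sample address are constructed values.

const MAX_ATTEMPTS_PER_WINDOW = 2;        // the add-on's "count option" set to 2
const WINDOW_SECONDS          = 4 * 3600; // a 4-hour window, as proposed in the thread

/**
 * Record an account-creation attempt from $ip at $now and return whether it
 * may proceed. Attempts older than the window are dropped first, so this is a
 * temporary slow-down rather than a ban: a customer who forgot they already
 * have an account is delayed for a few hours, not locked out for good.
 *
 * @param array  $store  ip => list of timestamps of recent attempts (by reference)
 * @param string $ip     client address, e.g. $_SERVER['REMOTE_ADDR'] in a real install
 * @param int    $now    current Unix time
 */
function accountCreationAllowed(array &$store, string $ip, int $now): bool
{
    $recent = isset($store[$ip]) ? $store[$ip] : [];
    // Keep only attempts that are still inside the window.
    $recent = array_values(array_filter($recent, function ($t) use ($now) {
        return ($now - $t) < WINDOW_SECONDS;
    }));
    $recent[] = $now;          // the current attempt counts, allowed or not
    $store[$ip] = $recent;
    return count($recent) <= MAX_ATTEMPTS_PER_WINDOW;
}

$store = [];
$botIp = '203.0.113.7';        // constructed address from the documentation range
$start = 1700000000;

// Constructed timeline: three sign-ups within ten minutes from one address,
// then a fourth five hours later.
$timeline = [$start, $start + 300, $start + 600, $start + 5 * 3600];
foreach ($timeline as $t) {
    if (accountCreationAllowed($store, $botIp, $t)) {
        printf("t+%5ds: allowed\n", $t - $start);
    } else {
        // This is the point where the add-on emails the shop owner; the IP is
        // reported but not banned, for the reason given in the post above.
        printf("t+%5ds: blocked, notify admin (ip %s)\n", $t - $start, $botIp);
    }
}
```

With these values the third attempt inside the ten minutes is refused, and the attempt five hours later passes again because the earlier ones have aged out of the window. That is the property that makes this safer than an automatic ban: a repeat from one address costs the bot a few hours, while a customer who genuinely creates a second account is only delayed, never permanently locked out. If you do go further and block the address, do it from the admin side after looking at the attempts, as the posts above suggest.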


So then I am going to set the minimum amount of time to something like 4 hours, which should at least keep them at bay!
