René H4

Fake accounts


I just had about 25 fake accounts with http:// addresses instead of the last name. Is there any easy way of blocking it?


20-30 from different people or the same one? If the former, it depends on what page they are using. If the latter then your settings are probably not correct.


I have been monitoring this crap for a number of months now and have installed honey pot on a number of sites, and it works for nearly all, but some still get in. The vast majority of these are from .ru and they are relentless in their attacks. In the end I have had to change the settings in admin to limit the form submissions to every 50-60 minutes. I did this in increments of 10 min and the attacks reduced in line with the increase in time. Now with the resubmit set to 60 minutes they are down to 3 or 4 per email address per day.

I guess they just give up after a few hours!

From what I have seen on the 4 test sites that have been under attack, these are not bots but actual people. They are clearly using some sort of script to generate the user names, as they follow a pattern, but all the emails used are real and clearly stolen, and most are real.

In my sites they all appear to be attacking the customer account form. From what I can tell so far they are attempting to inject scripts into the address fields.

Why? Who knows, I've yet to find a successful injection! I simply delete the accounts every so often.


I'm sorry, I have to rescind what I said - I am getting 2-3 a day after installing honey pot. I just had a flourish of them in a short while the other day which made me think I was getting that many. (if I sound like an idiot, in this case, I am one)

two to three ain't too bad. Blocking the countries or each single spammer's IP didn't really do anything.

Are they maybe using this process to test emails to use for spamming?

Thanks

Edited by fiodh


On my create account page, I have a question "how did you find us" and some radio button style options. (google, bing, friend, repeat visit). When the spammers submit their accounts, this question is always blank. I assume this is because the bots/spammers are accessing the create account function script directly.

Question - Is there a way to prevent someone from creating an account if they don't provide an answer to this "referral" question? This might give the spammers an error and send them on their way?

7 hours ago, fiodh said:

Are they maybe using this process to test emails to use for spamming?

Someone posted a thread to an article about why this is increasing. I don't know if it was in this thread or not but the article basically said companies were paying spammers to test how to get into sites. I suspect that is the case. Honey Pot can stop all accounts, as it is written, because a spammer account is not any different than a regular account. It is possible to code it to detect certain words and stop them. I do that in my View Counter (unreleased version) and it stops 100% of them. But for now, cutting down the number of them is the best it can do.

3 hours ago, fiodh said:

Is there a way to prevent someone from creating an account if they don't provide answer to this "referral" question? 

There should be a setting that requires the referral. I think it is in admin->Configuration->Customer Details but some versions of How Did You Hear might have it elsewhere, like in a module.


I am really getting pounded with these, even with the honey pot add on, I am now getting 8-10 accounts a day. Doesn't seem like much until you have to spend a couple minutes every morning deleting these.

1 hour ago, fiodh said:

I am really getting pounded with these, even with the honey pot add on

Options

Add google captcha to the form. It makes a big difference

3 hours ago, fiodh said:

I am now getting 8-10 accounts a day

Are the IPs different for each of them? Do the IPs repeat from day to day? What are the settings for Honey Pot?


Yes the IPs are different for most of them, I block them and then more arrive! I have been a bit lazy about religiously banning every IP, after a while I just keep deleting and deleting...

Here's the settings:

Email Addresses Allowed: False
Email Addresses Show Message: True
URL's Allowed: False
URL Show Message: True
Create Account Check: True
Create Account Count: 2
Create Account Period: 480
Create Account Notify: True


Hi Jack, I just want to say I don't hold you responsible for these problems - your add on contribution has really helped tremendously. Thanks for all your work.


Would it not be a simple solution to rename create_account.php to something else?

I know, all the files that call create_account.php should be changed also.

But if this is a real problem, and you will be running your shop for 5-6 years or so, this could be a solution.


Yes that had occurred to me, to just change the name of the file, but I wasn't sure where all the mentions of create_account.php would be and if that would mess it all up?

Unless, somehow, the spammers are accessing the database directly, as they don't seem to be using my modified page.

I've been running this shop for 15 years so far and expect to continue!


"Agent Ransack" can be used to find the calls to create_account.php. I do not have a test environment at the moment, otherwise I could try.

Mind that you would need to change core-code.

27 minutes ago, fiodh said:

I just want to say I don't hold you responsible for these problems

I appreciate the thought but I didn't think that was the case. :)

11 minutes ago, René H4 said:

Would it not be a simple solution to rename create_account.php to something else?

When a page on the site is visited, the name of the file is displayed in the URL, so how would changing the name help? Initially the scripts would fail since they are looking for create_account.php, but they most likely use link checkers to search for all pages with forms, so I doubt it would work for long.


Woke up this morning to 60 honey pot messages, but only 3 fake accounts made.


Now getting about 12 accounts in an 8 hour period.

I had google captcha for a while on there but it didn't do anything. I think because captcha wasn't properly installed with the authentication codes set on the server side. It's a bit out of my league at this time. Honestly I am also loath to hand over my customer data to Google - they get notified every time someone uses that captcha.

My Referral question doesn't appear to be sourced from "How Did You Hear" as I can't find any setting for it as a module in my admin.

Any other ideas?


@fiodh Recaptcha will only help if the accounts are being created with a script, and then maybe only. If accounts are being created as normal, the only way to stop them is to find some common thing, like the company name set to google, and block that. You might want to check the IP for the countries they are for. If they all, or many, are from one country then block that country. Or, in the least, block the range of IPs for the given IP (it's listed on most WhoIs sites).

I don't understand what you mean about the referral addon, but if you are saying you can't find settings for it, the older versions had settings in My Store, or somewhere in Configuration. There should be a setting requiring the question to be answered. If that is set and accounts are still being created, then the spammers are most likely using scripts.


I have blocked hundreds if not thousands of IP ranges from Russia, Estonia, Romania, etc.

In regards to the referral question I wonder if the consultant I hired to install it just hard coded it in, instead of an add-on.


I guess both blocking individual IPs (IP ranges) and Google Re-Captcha are no 100% guarantee. We have had good experiences by combining multiple approaches though, e.g. blocking certain IP (ranges), certain freemail accounts that had been abused regularly, and instead of blocking IPs after incidents happened you can block a whole bunch of IPs that are coming from the TOR network in advance! You can obtain the IP list here: https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.1.1.1

Edited by franky303


Some good ideas there. Doesn't seem like they are all using particular spam emails. In fact some of these emails look quite valid, like they are US emails that the spammers are testing to see if they get bounced.

2 hours ago, franky303 said:

you can block a whole bunch of IPs that are coming from the TOR network in advance! You can obtain the IP list here: https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.1.1.1

Edited 1 hour ago by franky303

This sounds like a good idea so I wrote the code to have Honey Pot check those IP's. See the Honey Pot thread for instructions.

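The combined approach franky303 describes (blocking known IP ranges plus the Tor exit list from check.torproject.org) together with a per-IP and per-email rate limit like Honey Pot's "Create Account Count / Period" setting, written out as an added Python example. This is not the Honey Pot add-on's own code (osCommerce add-ons are PHP); it assumes the exit list is one IP per line with `#` comment lines, that Count/Period means at most N attempts per period in minutes, and it uses constructed sample IPs from the documentation ranges.

```python
import ipaddress
import time
from collections import defaultdict, deque

# Constructed sample in the shape of the Tor bulk exit list (one IP per line,
# '#' comments). Addresses are from the documentation ranges, not real exits.
SAMPLE_TOR_EXIT_LIST = """\
# This is a list of all Tor exit nodes (constructed sample)
203.0.113.7
198.51.100.23
"""

def parse_exit_list(text):
    """Turn the bulk exit list into a set of ip_address objects, skipping comments."""
    ips = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            ips.add(ipaddress.ip_address(line))
    return ips

class SignupGate:
    """Combined checks: Tor exit list, blocked CIDR ranges, then a sliding-window
    rate limit keyed by both client IP and email (assumed Count/Period semantics)."""
    def __init__(self, tor_exits, blocked_ranges, max_count=2, period_min=480):
        self.tor_exits = tor_exits
        self.blocked = [ipaddress.ip_network(r) for r in blocked_ranges]
        self.max_count = max_count
        self.period_s = period_min * 60
        self.attempts = defaultdict(deque)  # key -> timestamps of recent attempts

    def check(self, ip, email, now=None):
        """Return (allowed, reason); reason names the first check that failed."""
        now = time.time() if now is None else now
        addr = ipaddress.ip_address(ip)
        if addr in self.tor_exits:
            return False, "tor-exit"
        if any(addr in net for net in self.blocked):
            return False, "blocked-range"
        keys = (ip, email.strip().lower())
        for key in keys:
            q = self.attempts[key]
            while q and now - q[0] > self.period_s:   # drop attempts outside the window
                q.popleft()
            if len(q) >= self.max_count:
                return False, "rate-limit"
        for key in keys:                              # record only allowed attempts
            self.attempts[key].append(now)
        return True, "ok"
```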

One pattern I have noticed with these accounts is that 99% of them have at least the same first 5 characters of each of their first and last names. Maybe we could make a filter that checked for that and prevented them?  Here's a screenshot of the latest batch I've got yesterday.

[Screenshot: fakecustomers.jpg]

It would mean though, that poor "Frank Franklin" and "David Davidson" wouldn't be able to create an account...

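The form-content signals mentioned across the thread (a URL where the last name should be, script-like text in the address fields, a blank "how did you find us" answer, and the shared first-5-character name prefix noted above) combined into one scoring filter, as an added Python example that is not code from the thread or the Honey Pot add-on. The weights and thresholds are assumptions; the prefix rule is deliberately weak so that a genuine "Frank Franklin" is not blocked on that signal alone.

```python
import re

# Weights are assumptions for illustration; the signals themselves come from the thread.
WEIGHTS = {
    "url-in-name": 3,               # http:// in the last name field (opening post)
    "url-or-email-in-address": 2,
    "markup-in-address": 3,         # script injection attempts in the address fields
    "referral-blank": 2,            # the referral question the spammers never answer
    "name-prefix": 1,               # same first 5 chars of first and last name (weak alone)
}
URL_RE = re.compile(r"https?://|www\.", re.IGNORECASE)

def name_prefix_match(first, last, n=5):
    """True when first and last name share their first n characters, case-insensitive."""
    f, l = first.strip().lower(), last.strip().lower()
    return len(f) >= n and len(l) >= n and f[:n] == l[:n]

def score_signup(form):
    """Score one create-account submission (dict of field -> str).
    Returns (score, reasons) so the admin can see why an account was flagged."""
    first, last = form.get("firstname", ""), form.get("lastname", "")
    address = " ".join(form.get(f, "") for f in ("street", "city"))
    reasons = []
    if URL_RE.search(first) or URL_RE.search(last):
        reasons.append("url-in-name")
    if URL_RE.search(address) or "@" in address:
        reasons.append("url-or-email-in-address")
    if "<" in address or ">" in address:          # never legitimate in a postal address
        reasons.append("markup-in-address")
    if not form.get("referral", "").strip():
        reasons.append("referral-blank")
    # Weak signal: "Frank Franklin" and "David Davidson" match too, so it only adds weight.
    if name_prefix_match(first, last):
        reasons.append("name-prefix")
    return sum(WEIGHTS[r] for r in reasons), reasons

def decide(form, block_at=4, review_at=2):
    """Map the score to an action: block outright, hold for manual review, or allow."""
    score, _ = score_signup(form)
    if score >= block_at:
        return "block"
    if score >= review_at:
        return "review"
    return "allow"
```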