

Flood Of Spam/fake Registrations - Should We Be Concerned?

 
  • grafis
  • Junior Member
  • Members
  • Join Date: 12-Jan 11
  • 136 posts

Posted 28 February 2017 - 02:12 PM #1

I manage a site that requires registration to view prices or purchase, and registration requires admin approval. Starting yesterday morning we've received 40+ "fake" registrations and they're still coming, apparently human or a robot that's figured out how to get past captcha. We're within 1 dot release of the latest CS-Cart version and using the Ez Auto Mail add-on for all new registrations (if approved). Should we be concerned? Any actions to take?


CS-Cart 4.4.3


 
  • The Tool
  • Been Here Way Too Long Member
  • Members
  • Join Date: 30-Mar 07
  • 3,372 posts

Posted 28 February 2017 - 03:26 PM #2

Use Google reCaptcha.



 
  • grafis
  • Junior Member
  • Members
  • Join Date: 12-Jan 11
  • 136 posts

Posted 28 February 2017 - 06:07 PM #3

Use Google reCaptcha.

 

I see that as a component of 4.4.3 - will look to upgrade.


CS-Cart 4.4.3


 
  • eComLabs
  • CS-Cart Expert
  • Authorized Reseller
  • Join Date: 27-Jan 14
  • 13,710 posts

Posted 01 March 2017 - 07:23 AM #4

I see that as a component of 4.4.3 - will look to upgrade.

 

There are several free solutions on the marketplace for old CS-Cart versions


GET A FREE QUOTE | CS-Cart Add-ons | CS-Cart Licenses | CS-Cart Development | CS-Cart Design | Server Configuration

Certified CS-Cart RU Developer | Certified developer for CS-Cart Russian Version

 
  • grafis
  • Junior Member
  • Members
  • Join Date: 12-Jan 11
  • 136 posts

Posted 01 March 2017 - 12:56 PM #5

There are several free solutions on the marketplace for old CS-Cart versions

 

Saw that when looking up reCaptcha - went ahead and upgraded from 4.4.2 to 4.4.3 and spam sign-ups have ceased in the 10 hrs since, we'll see if that sticks. Not very nice for users but is what it is. I am not a robot.... 

 

And - I believe the reCaptcha in the CS-Cart core only works for stock responsive themes (can't find the exact reference now but read it last night), and speed-wise reCaptcha vs captcha dropped us four points on the YSlow scale - site is a 94/80 without and 94/76 with reCaptcha according to GTMetrix. 


CS-Cart 4.4.3


 
  • remoteone
  • Member
  • Members
  • Join Date: 06-Oct 09
  • 571 posts

Posted 02 March 2017 - 01:40 AM #6

Not very nice for users

 

100% agree. reCaptcha is going to drive customers to distraction.

I wonder how many CAPTCHA-less Security Approaches are currently employed in the CSCart code.

I think there needs to be some auto-banning functions. 

Maybe there could be a 3rd party addon that addresses some of the Filter, Validate, Escape and Honeypot techniques suggested in the link above?



 
  • Alafoss
  • Member
  • Trial users
  • Join Date: 12-Feb 13
  • 20 posts

Posted 14 March 2017 - 12:21 PM #7

I am seeing tons of spam .ru registrations as well.

 

However, I'm having a little difficulty installing Google reCaptcha on my cs-cart website.

 

 

I have installed the add-on and added the key and secret key to the add-on.

 

The 'I am a robot' appears on site, but when trying to log in - an error of 'Incorrect or missing confirmation code' appears and I am not able to log in.

 

What is missing in the installation?

 

Thanks for your help :)



 
  • eComLabs
  • CS-Cart Expert
  • Authorized Reseller
  • Join Date: 27-Jan 14
  • 13,710 posts

Posted 14 March 2017 - 01:04 PM #8

I am seeing tons of spam .ru registrations as well.

 

However, I'm having a little difficulty installing Google reCaptcha on my cs-cart website.

 

 

I have installed the add-on and added the key and secret key to the add-on.

 

The 'I am a robot' appears on site, but when trying to log in - an error of 'Incorrect or missing confirmation code' appears and I am not able to log in.

 

What is missing in the installation?

 

Thanks for your help :)

 

What version do you use? Note that reCaptcha is a built-in module in the latest versions.



 
  • Darius
  • Douchebag
  • Members
  • Join Date: 20-Apr 08
  • 2,831 posts

Posted 14 March 2017 - 01:32 PM #9

Maybe you could use this

 

http://marketplace.c...on-by-mail.html


4.5.2 SP2


 
  • Alafoss
  • Member
  • Trial users
  • Join Date: 12-Feb 13
  • 20 posts

Posted 14 March 2017 - 05:37 PM #10

Got it to work - thanks for your help :)



 
  • Bill G.
  • Member
  • Members
  • Join Date: 06-Feb 08
  • 54 posts

Posted 18 March 2017 - 03:53 PM #11

Our 2.2.5 cart has been under attack as well recently with fake user accounts being created 24/7. At least 1-3 fake accounts are being created every hour or so. What's interesting is that in every one of the fake submissions the "Company" field is filled in with "google" and of course we all know that Google is not doing this. So WHY are the fake accounts being created? That is the question. The 2.2.5 image verification is worthless against this. Also, every now and then the fake account is allowed to be created even though the address fields are left blank. So for sure it appears to be a cart vulnerability. Yes, we are getting ready to turn on the newest 4.xx version. But, like someone else said, WHAT is the objective of those fake accounts being created? One of the support guys at wiredtree.com stated that the purpose is most likely so our cart IP address gets banned from other servers around the world when those servers see the continual fake emails being sent to non-existing email addresses. Could it possibly be a former disgruntled cs-cart employee doing this so as to make it appear that cs-cart has vulnerabilities? Just a wild guess at best.



 
  • mazter
  • Senior Member
  • Members
  • Join Date: 04-Apr 12
  • 204 posts

Posted 20 March 2017 - 01:01 PM #12

We are in the same boat. This addon is able to stop it for a while, then the attackers continue to post spam. Really big problem.



 
  • Ed Newman
  • Advanced Member
  • Members
  • Join Date: 02-Mar 13
  • 112 posts

Posted 20 March 2017 - 08:19 PM #13

Same here. Just turned on image verification for creating a new customer.


Ed Newman
Dark Storm Industries
Parts and Accessories for AR-15 Rifles
www.dark-storm.com

 
  • remoteone
  • Member
  • Members
  • Join Date: 06-Oct 09
  • 571 posts

Posted 21 March 2017 - 02:20 AM #14

Our v2 csc website is experiencing the same, but only a few each day.

I've taken to blocking the IP address range in "Store Access" which seems to have helped.

Also, when a Bot registers, I don't delete the user, but instead disable it, thus any bot trying to register/sign in using the same email/username should get the "account disabled" message, and no email notification to the fake email address is sent.

I also change the password as an extra step, but there's always a new IPA to block the next day, so it's quite time consuming.

 

We will at some point update to v4, but it would be great if CSC had some additional protection against Bots rather than just the stupid Google reCaptcha.

Like an automated system that detected certain patterns:

- List of company blocked names,

- Test for duplicate text in firstname lastname, address, etc

- Different levels of blocking, some requiring approval by admin, some automatic.

Eventually a semi-automated system would pretty much filter out the common IPAs and known email address and field text patterns that bots are using.

Also include some body text pattern detection in the Testimonials pages. We do approve all Testimonials but it's time consuming to delete each spam as it comes in.

Wonder if there's already an addon that does something similar?



 
  • Magpie Don
  • Senior Member
  • Members
  • Join Date: 01-Apr 09
  • 799 posts

Posted 21 March 2017 - 05:51 AM #15

The only vulnerability I have that isn't reCaptcha protected with Image Verification is the Newsletter Subscription form and it's being attacked with 100+ sign ups a day. Many of the autoresponse Confirmation emails are bouncing back and reporting that the recipient is receiving mail at too rapid of a rate to support.

So there's that.

I had to disable the Newsletter addon. The bots should now get a 404. I'll still take a little hit on processing, but I'm not emailing unsolicited newsletter confirmation messages. If you've ever been flagged as a spammer you know it's almost impossible to get off some of the black lists.


CS-Cart Ultimate ver 4.3.5


 

Posted 22 March 2017 - 11:28 AM #16

Hello everybody,

my CS-Cart 2.2.5 is being attacked with fake user accounts being created. Can I find a reCAPTCHA V2 addon for this version of the cart?

I searched the marketplace, but the earliest cart version there is 3.01.



 
  • Bill G.
  • Member
  • Members
  • Join Date: 06-Feb 08
  • 54 posts

Posted 22 March 2017 - 11:51 AM #17

Regarding our 2.2.5 cart, after reading this article 2 days ago (https://www.colbyte....hich-is-better/) we are having Simtech create a honeypot bot trap instead of using Google reCAPTCHA. I HOPE the honeypot solves the problem.



 

Posted 01 April 2017 - 09:01 AM #18

I'm using V 4.3.4 and had a flood of new user profiles back in February and switched to Google reCaptcha. This worked fine for a few weeks but they have started back again this week even with reCaptcha on.

I've switched new profiles to now include First and Last name to at least pick out the fake accounts (as it will use the same text for both form boxes) and removed the email sign up box from this page so it doesn't clog up my mailing list. Currently looking at moving the site to Magento, if it doesn't stop. Anyone have any other fixes that have worked for them?



 
  • remoteone
  • Member
  • Members
  • Join Date: 06-Oct 09
  • 571 posts

Posted 04 April 2017 - 11:22 AM #19

@InspiredInsanity

Seems as though bot programmers may have worked out how easy reCaptcha is to crack... using Google's own voice recognition API.

 

@Bill G.

I wish CSCART would take a more sophisticated approach to this rather than relying on the (horrible) Google reCaptcha.

The HoneyPot is just one strategy.

Would you be prepared to share your code for the Honeypot mod?

As I understand it's just a case of disabling the form lodgement if the honeypot text field is non-blank.

Maybe also automatically add the IPA of the offender to a list that can easily be approved to be "blocked" by the Admin>Store Access page?
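Putting the pattern checks from post #14 (blocked company names, duplicate first/last name text, tiered blocking) together with the honeypot rule and the "add the IP to a list for admin approval" idea from this post, as an added example that is not CS-Cart code or anyone's mod from this thread; the field names, the hidden `website` field and the sample submissions are assumptions:

```python
from dataclasses import dataclass, field

# Constructed block list; the thread reports bots writing "google" into Company.
BLOCKED_COMPANIES = {"google"}
HONEYPOT_FIELD = "website"  # hypothetical hidden field that real users never see

@dataclass
class Verdict:
    action: str                     # "allow", "review" (admin approval) or "block"
    reasons: list = field(default_factory=list)

def _clean(form, key):
    return (form.get(key) or "").strip().lower()

def triage(form, blocked_companies=BLOCKED_COMPANIES, honeypot=HONEYPOT_FIELD):
    """Score one registration form (dict of field -> value) and pick an action."""
    hard, soft = [], []
    # A filled honeypot field is decisive: a browser never shows it to a person.
    if _clean(form, honeypot):
        hard.append("honeypot filled")
    # Weak signals from the thread: duplicate name text, listed company, blank address.
    first, last = _clean(form, "firstname"), _clean(form, "lastname")
    if first and first == last:
        soft.append("identical first/last name")
    if _clean(form, "company") in blocked_companies:
        soft.append("blocked company name")
    if not _clean(form, "address"):
        soft.append("empty address")
    if hard or len(soft) >= 2:       # definitive or corroborated: drop it
        return Verdict("block", hard + soft)
    if soft:                         # one weak hint: hold for admin approval
        return Verdict("review", soft)
    return Verdict("allow")

def block_candidates(submissions):
    """Map client IP -> reasons for every blocked submission, for admin approval."""
    candidates = {}
    for ip, form in submissions:
        verdict = triage(form)
        if verdict.action == "block":
            candidates.setdefault(ip, set()).update(verdict.reasons)
    return candidates

# Constructed sample submissions: (client IP, form fields); documentation ranges only.
SAMPLE = [
    ("203.0.113.7", {"firstname": "qwerty", "lastname": "qwerty", "company": "google", "address": ""}),
    ("203.0.113.8", {"firstname": "Ann", "lastname": "Lee", "address": "1 Main St", "website": "http://x"}),
    ("198.51.100.2", {"firstname": "Ann", "lastname": "Lee", "company": "Acme", "address": ""}),
    ("198.51.100.3", {"firstname": "Ann", "lastname": "Lee", "company": "Acme", "address": "1 Main St"}),
]
```

In a real form the honeypot input is hidden with CSS and carries a label asking people to leave it empty, so screen readers and browser autofill do not trip it.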



 
  • poppedweb
  • Advanced Member
  • Members
  • Join Date: 02-Aug 16
  • 103 posts

Posted 04 April 2017 - 01:01 PM #20

@InspiredInsanity

Seems as though bot programmers may have worked out how easy reCaptcha is to crack... using Google's own voice recognition API.

 

@Bill G.

I wish CSCART would take a more sophisticated approach to this rather than relying on the (horrible) Google reCaptcha.

The HoneyPot is just one strategy.

Would you be prepared to share your code for the Honeypot mod?

As I understand it's just a case of disabling the form lodgement if the honeypot text field is non-blank.

Maybe also automatically add the IPA of the offender to a list that can easily be approved to be "blocked" by the Admin>Store Access page?

 

You guys are doing this way too difficult, there was a new release of the Google reCaptcha, though this one is INVISIBLE. (Mind = Blown). Here is an example https://www.google.c...?invisible=true. So no more clicking pictures I suppose!

 

You can ask for an API code here: https://www.google.c...cha/admin#beta 

You can see the documentation here: https://developers.g...docs/invisible 

 

It would be great if some third party developer (or maybe just cs-cart themselves) could create some sort of add-on for this as this indeed is a very interesting thing that has come to light!

 

Do mind that I do not take any responsibility in failures of this implementation as the invisible captcha still has a status of 'beta'.