Flood Of Spam/Fake Registrations - Should We Be Concerned?

I manage a site that requires registration to view prices or purchase, and registration requires admin approval. Starting yesterday morning we've received 40+ "fake" registrations and they're still coming, apparently human or a robot that's figured out how to get past captcha. We're within 1 dot release of the latest CS-Cart version and using the Ez Auto Mail add-on for all new registrations (if approved). Should we be concerned? Any actions to take?

Use google recaptcha.

I see that as a component of 4.4.3 - will look to upgrade.

There are several free solutions on the marketplace for old CS-Cart versions

Saw that when looking up reCaptcha - went ahead and upgraded from 4.4.2 to 4.4.3, and spam sign-ups have ceased in the 10 hrs since; we'll see if that sticks. Not very nice for users, but it is what it is. I am not a robot....

And - I believe the reCaptcha in the CS-Cart core only works for stock responsive themes (can't find the exact reference now, but I read it last night), and speed-wise reCaptcha vs. captcha dropped us four points on the YSlow scale - the site is a 94/80 without and 94/76 with reCaptcha, according to GTmetrix.

Not very nice for users

100% agree. reCaptcha is going to drive customers to distraction.

I wonder how many CAPTCHA-less security approaches are currently employed in the CS-Cart code.

I think there needs to be some auto-banning functions.

Maybe there could be a third-party add-on that addresses some of the Filter, Validate, Escape and Honeypot techniques suggested in the link above?

I am seeing tons of spam .ru registrations as well.

However, I'm having a little difficulty installing Google reCAPTCHA on my CS-Cart website.

I have installed the add-on and added the key and secret key to the add-on.

The 'I am a robot' box appears on the site, but when trying to log in, an error of 'Incorrect or missing confirmation code' appears and I am not able to log in.

What is missing in the installation?

Thanks for your help :)

What version do you use? Note that reCaptcha is a built-in module in the latest versions.

Maybe you could use this

http://marketplace.cs-cart.com/add-ons/site-management/user-actviation-by-mail.html

Got it to work - thanks for your help :)

Our 2.2.5 cart has been under attack as well recently, with fake user accounts being created 24/7. At least 1-3 fake accounts are being created every hour or so. What's interesting is that in every one of the fake submissions the "Company" field is filled in with "google", and of course we all know that Google is not doing this. So WHY are the fake accounts being created? That is the question. The 2.2.5 image verification is worthless against this. Also, every now and then the fake account is allowed to be created even though the address fields are left blank. So for sure it appears to be a cart vulnerability. Yes, we are getting ready to turn on the newest 4.xx version. But, like someone else said, WHAT is the objective of those fake accounts being created? One of the support guys at wiredtree.com stated that the purpose is most likely so our cart IP address gets banned from other servers around the world when those servers see the continual fake emails being sent to non-existing email addresses. Could it possibly be a former disgruntled CS-Cart employee doing this so as to make it appear that CS-Cart has vulnerabilities? Just a wild guess at best.

We are in the same boat. This add-on is able to stop it for a while, then the attackers continue to post spam. Really big problem.

Same here. Just turned on image verification for creating a new customer.

Our v2 csc website is experiencing the same, but only a few each day.

I've taken to blocking the IP address range in "Store Access", which seems to have helped.

Also, when a bot registers, I don't delete the user but instead disable it, so any bot trying to register/sign in using the same email/username should get the "account disabled" message, and no email notification is sent to the fake email address.

I also change the password as an extra step, but there's always a new IPA to block the next day, so it's quite time consuming.

We will at some point update to v4, but it would be great if CSC had some additional protection against bots rather than just the stupid Google reCAPTCHA.

Like an automated system that detects certain patterns:

- A list of blocked company names,

- A test for duplicate text in first name, last name, address, etc.

- Different levels of blocking: some requiring approval by admin, some automatic.

Eventually a semi-automated system would pretty much filter out the common IPAs and the known email addresses and field text patterns that bots are using.

Also include some body-text pattern detection on the Testimonials pages. We do approve all testimonials, but it's time consuming to delete each spam as it comes in.

Wonder if there's already an add-on that does something similar?

The only vulnerability I have that isn't reCaptcha-protected with Image Verification is the Newsletter Subscription form, and it's being attacked with 100+ sign-ups a day. Many of the auto-response confirmation emails are bouncing back and reporting that the recipient is receiving mail at too rapid a rate to support.

So there's that.

I had to disable the Newsletter add-on. The bots should now get a 404. I'll still take a little hit on processing, but I'm not emailing unsolicited newsletter confirmation messages. If you've ever been flagged as a spammer, you know it's almost impossible to get off some of the blacklists.

Hello everybody,

my CS-Cart 2.2.5 is being attacked with fake user accounts being created. For this version of the cart, can I find a reCAPTCHA V2 add-on?

I searched on the marketplace, but the earliest cart version supported is 3.01.

Regarding our 2.2.5 cart, after reading this article 2 days ago (https://www.colbyte.com/honeypot-vs-captcha-which-is-better/) we are having Simtech create a honeypot bot trap instead of using Google reCAPTCHA. I HOPE the honeypot solves the problem.

I'm using v4.3.4 and had a flood of new user profiles back in February and switched to Google reCAPTCHA. This worked fine for a few weeks, but they have started back again this week even with reCAPTCHA on.

I've switched new profiles to now require first and last name to at least pick out the fake accounts (as they will use the same text for both form boxes) and removed the email sign-up box from this page so it doesn't clog up my mailing list. Currently looking at moving the site to Magento if it doesn't stop. Anyone have any other fixes that have worked for them?

@InspiredInsanity

Seems as though bot programmers may have worked out how easy reCAPTCHA is to crack... using Google's own voice recognition API.

@Bill G.

I wish CS-Cart would take a more sophisticated approach to this rather than relying on the (horrible) Google reCAPTCHA.

The honeypot is just one strategy.

Would you be prepared to share your code for the honeypot mod?

As I understand it, it's just a case of disabling the form lodgement if the honeypot text field is non-blank.

Maybe also automatically add the IPA of the offender to a list that can easily be approved to be "blocked" by the admin on the Admin > Store Access page?
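Added example, not code from CS-Cart or from anyone in this thread: a registration screener that combines the honeypot check just described with the tiered pattern filters proposed earlier (blocked company names such as the "google" seen in the fake submissions, identical first/last name, blank address) and collects the IPs of rejected posts for an admin to review before blocking. Field names, thresholds and the sample submissions are assumptions constructed for the demo.

```python
from dataclasses import dataclass, field

# Assumed name of a hidden input that real browsers leave empty; bots that
# auto-fill every field populate it, which is the honeypot signal.
HONEYPOT_FIELD = "website_url"
# Company names reported in this thread as appearing only on fake sign-ups.
BLOCKED_COMPANIES = {"google"}


@dataclass
class Decision:
    action: str                                   # "reject", "hold" or "accept"
    reasons: list = field(default_factory=list)   # why the tier was chosen


def _norm(value):
    return (value or "").strip().lower()


def screen_registration(form: dict) -> Decision:
    """Tiered decision for one submitted registration form (dict of fields)."""
    reasons = []
    # Hard signals: reject outright and send no confirmation mail.
    if _norm(form.get(HONEYPOT_FIELD)):
        reasons.append("honeypot field filled")
    if _norm(form.get("company")) in BLOCKED_COMPANIES:
        reasons.append("blocked company name")
    if reasons:
        return Decision("reject", reasons)
    # Soft signals: hold for admin approval instead of auto-activating.
    first, last = _norm(form.get("firstname")), _norm(form.get("lastname"))
    if first and first == last:
        reasons.append("identical first and last name")
    if not _norm(form.get("address")):
        reasons.append("blank address")
    return Decision("hold" if reasons else "accept", reasons)


def block_candidates(submissions) -> list:
    """IPs whose submissions were rejected, for manual review in Store Access."""
    return sorted({s["ip"] for s in submissions
                   if screen_registration(s).action == "reject"})


# Constructed sample submissions (documentation-range IPs, not real traffic).
SAMPLE = [
    {"ip": "203.0.113.7", "firstname": "Ann", "lastname": "Lee", "company": "",
     "address": "1 Main St", HONEYPOT_FIELD: ""},
    {"ip": "198.51.100.9", "firstname": "xq", "lastname": "xq", "company": "google",
     "address": "", HONEYPOT_FIELD: "http://example.invalid"},
    {"ip": "192.0.2.4", "firstname": "abcd", "lastname": "abcd", "company": "",
     "address": "", HONEYPOT_FIELD: ""},
]
```

Running `screen_registration` over `SAMPLE` yields accept, reject and hold respectively; only the rejected submission's IP is returned by `block_candidates`.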

You guys are making this way too difficult; there was a new release of the Google reCAPTCHA, and this one is INVISIBLE. (Mind = blown.) Here is an example: https://www.google.com/recaptcha/api2/demo?invisible=true. So no more clicking pictures, I suppose!

You can ask for an API code here: https://www.google.com/recaptcha/admin#beta

You can see the documentation here: https://developers.google.com/recaptcha/docs/invisible

It would be great if some third-party developer (or maybe just CS-Cart themselves) could create some sort of add-on for this, as this indeed is a very interesting thing that has come to light!

Do mind that I do not take any responsibility for failures of this implementation, as the invisible captcha still has a status of 'beta'.