What is the motive behind continuous cart spamming on Shopify?

sebastian502
Visitor
3 0 1

For about 5 weeks now I have had one person coming to the site directly to a product page, adding one item to the cart, going to checkout using a different email address each time. This is occurring dozens of times a day.

What I know is:

  • Only adds one item to cart each visit
  • Always uses the same name of John Smith
  • Email is always a variation of johnsmithxxxx@gmail.com but a different email each time
  • Address entered is always Google's corporate address in California
  • Only active between approx. 10:00 am through 2:00 am Eastern time. Always a gap at night
  • With the gap at night, maybe indicating an actual person, or just doing that to hide a bot pattern
  • IP address is 72.14.199.0, which comes back as a Google-registered IP
  • They are removing or not allowing cookies as tracking software assigns a unique ID on each visit
  • Each time spends 4-8 minutes on the site but only visits landing product page, cart page, checkout page.
  • Occurred over 300 times in 3 weeks. Started slowly with 2 or 3 visits initially and increasing visits each day
  • Mostly random products but occasionally an item is repeated.
  • No indication they are coming from paid advertising from our internal tracking software and monitoring

A screenshot below is from part of today.

I've eliminated Shopify support doing this due to an open ticket. Doesn't seem to be trying to click fraud advertising. Someone mentioned a Facebook pixel workaround to test product sales but removed pixel several days ago and no change in behavior.

Any ideas what is occurring and why? What would be the end goal to add items to cart?

Screenshot 2019-10-16 20.48.39.png

 


EmmanuelFlossie
Shopify Partner
2956 221 711

If you are using advertising, for example Google Merchant Center, then the review team will check your products for accuracy. They will add it to the cart and view the checkout to see if your shipping price is accurate too.

This is very normal and is not strange.

Domakis
Excursionist
21 0 10

I think it is. As long as it ruins your cart to checkout rate, abandonment rate and finally conversion rate.

sebastian502
Visitor
3 0 1

It has pretty much made those stats worthless at this point. It's still occurring and I really don't understand the point, even if it is Google checking pricing, data accuracy etc., to be going on so long. Everything is totally in line with zero issues showing in Google Merchant Center. It's not a new store, operating over 20 years.

Domakis
Excursionist
21 0 10

I found just one solution so far. Exclude the IP range at least from Google Analytics and just track your analytics there. + bonus, exclude all other countries which you are not selling on. Sure, there are a few apps on Shopify where you can exclude IPs but we don't want to exclude Google services completely from our website, right? So it looks like the only solution so far - Use GA for data analysis and use filters in GA to exclude specific IP range (I guess it should be from 72.14.199.0 to 72.14.199.255).

Btw, maybe you recently applied for Google product reviews on the merchant center?

Best regards,

Domas

timsamuels1971
Visitor
1 0 0

The only problem you will run into is that Google changes the IP address ranges all the time. Like my John Smith right now is IP 66.249.92.54 and 66.249.92.56. But it will change, so you constantly have to update. Other than that, it seems to be the only option at this point.

Domakis
Excursionist
21 0 10

Just try to exclude the whole range of these IPs... you see, the beginning of the IP is the same. 66.249.x.x

And guys, think out of the box - why would Google do these totally NOT SMART actions on their customers' websites? 🙂 It's just noobish to ruin people's data.

I don't think this is Google.

But what I really don't understand is why Shopify doesn't take any action?? We can't control or filter any incoming traffic in our stores and it's really not good. Some simple primitive apps will not help to sort out this problem...

Shop007
Shopify Partner
3 0 5

Tried that and the honeypot method. They do not work. Shopify doesn't seem to care as well. 

Shop007
Shopify Partner
3 0 5

Also, this isn't Google. It's just a bot which uses Google's address as its billing address.

ebir909
New Member
4 0 0

@Domakis wrote:

I found just one solution so far. Exclude the IP range at least from Google Analytics and just track your analytics there. + bonus, exclude all other countries which you are not selling on. Sure, there are a few apps on Shopify where you can exclude IPs but we don't want to exclude Google services completely from our website, right? So it looks like the only solution so far - Use GA for data analysis and use filters in GA to exclude specific IP range (I guess it should be from 72.14.199.0 to 72.14.199.255).

Btw, maybe you recently applied for Google product reviews on the merchant center?

Best regards,

Domas

Thanks, this may help me.

Bill_Ghai
Visitor
2 0 0

How can we be sure that it is Google doing this and not a spammer or web scraper harvesting pricing information?

Sean_Kenney
Shopify Partner
8 1 5

I have traced them by IP.  They all trace back to Google.  Is it Google who is always controlling them?  I don't know and I wonder.

Teeno
Tourist
5 0 2

Same here, I see between 10–15 abandoned checkouts per day from John Smith. When I export my abandoned checkouts this is total 428 of 615 which equals roughly 70%. Pretty annoying I must admit.
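Added example (not part of any post in this thread): one way to measure, from an abandoned-checkout export, how many rows match the pattern described in the thread (the name John Smith, a johnsmithxxxx@gmail.com address, an IP in the ranges quoted above). The column names and sample rows are constructed assumptions, not Shopify's real export headers.

```python
import csv
import io
import ipaddress
import re

# Ranges quoted in the thread: 72.14.199.0-72.14.199.255 and 66.249.x.x
THREAD_RANGES = [ipaddress.ip_network("72.14.199.0/24"),
                 ipaddress.ip_network("66.249.0.0/16")]
EMAIL_RE = re.compile(r"^johnsmith\w*@gmail\.com$", re.IGNORECASE)

# Constructed sample export; header names are assumptions.
SAMPLE_EXPORT = """name,email,ip
John Smith,johnsmith4821@gmail.com,72.14.199.17
Ana Ruiz,ana.ruiz@example.com,203.0.113.9
John Smith,johnsmith0093@gmail.com,66.249.92.54
john smith,JohnSmith77a@gmail.com,198.51.100.4
John Smithers,jsmithers@example.org,66.249.92.56
"""

def in_thread_ranges(ip_text):
    """True if the address parses and falls in one of the quoted ranges."""
    try:
        ip = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return False  # malformed or empty IP field
    return any(ip in net for net in THREAD_RANGES)

def classify(row):
    """Return the list of signals ('name', 'email', 'ip') a row matches."""
    signals = []
    if row["name"].strip().lower() == "john smith":
        signals.append("name")
    if EMAIL_RE.match(row["email"].strip()):
        signals.append("email")
    if in_thread_ranges(row["ip"]):
        signals.append("ip")
    return signals

def summarize(csv_text, min_signals=2):
    """Count rows matching at least min_signals; returns (flagged, total, share)."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    flagged = [r for r in rows if len(classify(r)) >= min_signals]
    share = len(flagged) / len(rows) if rows else 0.0
    return len(flagged), len(rows), share

if __name__ == "__main__":
    print(summarize(SAMPLE_EXPORT))
```

Requiring two signals keeps a real customer who merely shares the IP range (the last sample row) out of the count, and still catches the pattern when the source IP changes, as described earlier in the thread.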

Sean_Kenney
Shopify Partner
8 1 5

Are you enrolled in Google Shopping Actions?

I would not recommend excluding these IPs from your site. You can exclude in GA, which you should. This IS Google. Also, blocking IPs from other countries can cause problems as well. You don't want to block Google IP ranges. Many of these come out of India.

Domakis
Excursionist
21 0 10

Yes, we do Google Shopping. And I was thinking to ask other people as well who have the same problem. Maybe it's something related to Google? Because recently we applied for a merchant program to show seller rating review stars, so it can be the issue as well. I'm not sure, but it is one of the theories. I was thinking maybe Google bots are checking the feeds or something like that. But on the other hand, it would be so stupid of Google to do this. Yes, Shopify can't do anything about that. Just technically it's not possible to do that (to prevent bots). That's why they're telling nonsense things when calling them and asking for help. The only solution right now is to watch sales and other data in Google Analytics and then do some country, bot and other exclusions there...

 

Sean_Kenney
Shopify Partner
8 1 5

We have implemented Google ReCaptcha with success resolving the issue. We were getting hundreds of these a week. They were related to the re-process schedule of our Google Shopping feeds. These spam carts were specifically a result of being enrolled in Google Shopping Actions.

Regarding the implementation of ReCaptcha: This may conflict with active apps on your storefront, such as pop up apps that already include a built-in captcha. You have to make sure there is no conflict or speak with app dev to remove conflict within the app.

I am still shocked that Google is doing something just SO damaging to us and it is right in front of our faces. Just terrible, there must be a better way for them to do this...

Domakis
Excursionist
21 0 10

What exactly do you mean by saying "Google Shopping Actions"? Could you confirm that this is Google?

Sean_Kenney
Shopify Partner
8 1 5

Yes, this is Google.  Shopping Actions is a program only available in certain countries.

https://support.google.com/merchants/answer/7679273

 

But, the spam carts can also be related to "automatic updates" within Google Merchant Center.  This can be turned off if you are confident that this will not result in Google disapproving your products due to incorrect data or identifiers.  Go to the wrench icon, then automatic improvements then you can opt-out of automatic updates.

https://support.google.com/merchants/answer/6098372

TyVEC
Visitor
1 0 1

I know this is an old post, but I wanted to add some info for someone that may come across it. This type of spammer typically runs a browser-level script to test stolen card numbers to see what works and then will often go on to other sites to use the cards for larger purchases. Typically through digital products like Gift Cards or similar where geo-blocking is not useful. Pretty annoying and challenging to stop on Shopify. I have tested Google captcha activation, and there is no way to implement a Honeypot technique on the cart (as far as I could test). For forms, sure, but not on the checkout process.

A workaround is to switch your Payment capture option from "automatic" to "manual" under Settings > Payments (Payment Capture option at the top on the right-hand side). You now need to capture the payment manually after reviewing the order. The next step is to implement an automated workflow that applies rules to the order to test against fraud and if it passes, then action the order for capture payment. These can be any custom rules based on triggers.

A new feature in Shopify, Shopify Advanced and Shopify Plus plans (not Basic) allows you to build a custom workflow using Shopify Flow (available in the app store). It takes some time to work out the triggers, conditions, criteria, and actions, but it can be done. Another way to implement a workflow like this is through an app such as Spotrisk. They can do a custom workflow if this is needed. (I'm not affiliated with them, but I know it is possible and maybe through others as well).

So it is possible to run "manual payment capture" but still have it automated to pass through a set of rules to reduce the fraudulent order attempts before the payment capture attempt. This is the best way I could find to mitigate these types of issues. It would be good to hear from anyone with similar or other solutions to this issue.
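Added example (not part of the post above, and not Shopify Flow or Spotrisk code): a sketch of the kind of rule gate the post describes, run on orders that are authorized but not yet captured. The order fields, thresholds and sample orders are all constructed assumptions; the rules look for many distinct emails from one IP in a short window and repeated declines before an authorization.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)   # assumed look-back window per source IP
MAX_EMAILS_PER_IP = 2         # assumed: more distinct emails than this is suspicious
MAX_DECLINES = 1              # assumed: declined attempts tolerated before success

def decide(orders):
    """Return {order_id: ("capture" | "hold", [reasons])}, processing in time order."""
    history = defaultdict(deque)          # ip -> deque of (created, email)
    decisions = {}
    for order in sorted(orders, key=lambda o: o["created"]):
        seen = history[order["ip"]]
        while seen and order["created"] - seen[0][0] > WINDOW:
            seen.popleft()                # forget checkouts outside the window
        seen.append((order["created"], order["email"]))
        reasons = []
        if len({email for _, email in seen}) > MAX_EMAILS_PER_IP:
            reasons.append("many emails from one IP")
        if order["declines"] > MAX_DECLINES:
            reasons.append("repeated declines")
        if order["digital"] and reasons:
            reasons.append("digital goods")  # raises priority, never holds alone
        decisions[order["id"]] = ("hold" if reasons else "capture", reasons)
    return decisions

T0 = datetime(2024, 1, 1, 10, 0)
# Constructed orders using documentation IP ranges and example.com addresses.
SAMPLE_ORDERS = [
    {"id": "A1", "created": T0, "ip": "198.51.100.7",
     "email": "a@example.com", "declines": 0, "digital": False},
    {"id": "A2", "created": T0 + timedelta(minutes=5), "ip": "198.51.100.7",
     "email": "b@example.com", "declines": 0, "digital": False},
    {"id": "A3", "created": T0 + timedelta(minutes=9), "ip": "198.51.100.7",
     "email": "c@example.com", "declines": 3, "digital": True},
    {"id": "B1", "created": T0 + timedelta(minutes=20), "ip": "203.0.113.20",
     "email": "d@example.com", "declines": 0, "digital": True},
    {"id": "A4", "created": T0 + timedelta(hours=3), "ip": "198.51.100.7",
     "email": "e@example.com", "declines": 0, "digital": False},
]

if __name__ == "__main__":
    for order_id, (action, why) in decide(SAMPLE_ORDERS).items():
        print(order_id, action, why)
```

Orders marked "hold" stay uncaptured for manual review; the window expiry means a later legitimate order from the same address (A4 in the sample) is not penalized for old activity.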

KatKat1
Tourist
7 0 0

My goodness! This explanation makes sense. I have over 300 add to carts in the last 24 hours and it's still ongoing. There goes my ad data...out the window. So annoying.