How to stop bot from placing fake orders?

Steve82
Excursionist
39 0 46

We just had a bot place 20 fake orders (I believe within the same second). It went after some hidden $0 products or products set on Shopify to $0 but instead had variations/prices controlled through an app. Is there a way to stop this?

 


 

I see someone else posted a reply on another topic that is the same issue 11 hours ago. https://community.shopify.com/c/shopify-discussions/bot-placing-abandoned-orders/td-p/2433368

Fine Art Landscapes - Sawusch Photography - USScenics.com
Replies 34 (34)

emmak18
Visitor
3 0 0

We are having the exact same issue. They even got into a password protected page. Shopify said they are working on it but no estimated time frame of when it will be resolved. We've had about 150 bot orders today.

cna_az
Shopify Expert
14 0 9

@emmak18 can you check the fake customers and see if they all have the same domain in their email address? Ours all use the same email domain.

Steve82
Excursionist
39 0 46

All same domain rtremail .com. It was registered a little over a week ago. They are using a catch-all for their mail server so the emails don't bounce.

Fine Art Landscapes - Sawusch Photography - USScenics.com
emmak18
Visitor
3 0 0

Yes they are all coming from the rtremail like Steve mentioned. We just received more as of a few minutes ago. Trying to change all items at $0 to a cent. But they are still getting into our password protected pages. 

shamsulhuda
Shopify Partner
17 4 2

For your store, utilize reCAPTCHA v3. My client just experienced a similar problem, which we resolved with reCAPTCHA.

You can use this on the product page as well as the cart page before checkout.

Shopify Developer
Need any help for your store?
Drop me an email: shamsulhuda310@gmail.com

Web: portfolio-msh.netlify.app
cna_az
Shopify Expert
14 0 9

Can you add Recaptcha v3 to the settings > customer accounts > URL link?

Steve82
Excursionist
39 0 46

How did you do the server side verification?

Fine Art Landscapes - Sawusch Photography - USScenics.com
cna_az
Shopify Expert
14 0 9

@shamsulhuda There is no option to add reCAPTCHA v3 to the Customer Account URL (direct link) which is how the bot is creating new accounts on our client's store.

Aaron2024
Tourist
20 0 1

How can you add captcha to checkout if you aren't on Plus? I have bots testing credit cards but no way to stop them on Shopify. Contacted Shopify 4 times for assistance; they don't really care. Their app is just a flow to cancel high risk orders. What a joke. Shopify is highly negligent and this seems to be affecting many stores. On Magento we had invisible Google captchas and never had issues. I don't understand why Shopify just doesn't fix this.

AnnaNy
Shopify Partner
1 0 0

Hi, we unfortunately had the exact same issue. Luckily we were able to cancel all orders.

Steve, did you experience the same thing happening again? Or would you have any suggestion how to prevent it? Unfortunately Shopify support is not helpful.

 

Thanks,

Anna


 

Steve82
Excursionist
39 0 46

No fix yet. This is a server side issue. I don't think we can fix it. This is the 2nd part of their attack. The next phase is going to be the real problem. I can see many paths forward where they can cause major damage.

Fine Art Landscapes - Sawusch Photography - USScenics.com
Steve82
Excursionist
39 0 46

More waves keep coming. 109 orders so far and noticed over 5,300 abandoned shopping carts since 1/26.

Fine Art Landscapes - Sawusch Photography - USScenics.com
emmak18
Visitor
3 0 0

Were you able to move the orders out of unfulfilled? I hate to cancel but still have them sitting as unfulfilled orders 

cna_az
Shopify Expert
14 0 9

Shopify Partner Support said their dev team asked to keep the fake accounts and orders in our store while they investigate. I would really like to delete them but have not heard anything from them in two days.

I filed a complaint here with NameCheap.com where the rtremail.com domain is registered. I know they can always register another domain but I figured it was worth the 3 minutes it took to report the abuse.

Please contact Shopify support and ask them to disable the Customer Account URL — that is how the bot is able to create accounts on our client's private store.


studioz
Visitor
2 0 1

Hi there, I am having the same issue with the bots creating fake customers every minute. Does Shopify help you to disable this link and does it work for you? I am still discussing with a Shopify advisor to see how to solve this, but this is a crazy issue!

cna_az
Shopify Expert
14 0 9

@studioz Shopify does not have a way to disable this link. When you talk to customer support, please request this feature.

cna_az
Shopify Expert
14 0 9

Same problem here with one of our clients' stores: 700+ orders in about 3 hours by 95 fake accounts. After testing, we think the culprit is the direct account link found in settings > customer accounts > URL and it looks something like this: https://shopify.com/XXXXXXXXXX/account with the Xs being your account store ID.
This is a new link added by Shopify last year that allows anyone to create an account without recaptcha. Store owners and developers like us don't have the ability to customize, edit or disable that link.

What is really needed is for Shopify to give merchants the ability to disable the customer accounts > URL link.

We are still testing but short of changing the $0 products to $0.01, there is nothing that has stopped these fake orders from coming in. We even turned off Shopify payments and disabled the checkout button on the cart temporarily. As far as we can tell, these attacks are coming in through the back end, not through anything that merchants have access to.

FrameUp
Visitor
2 0 0

We have the same situation - hundreds of fake orders on zero-dollar amounts. They look the same as yours. Shopify hasn't been much help. We are trying apps right now - but haven't found an answer. If anyone has suggestions, would sure appreciate it.

cna_az
Shopify Expert
14 0 9

UPDATE from Shopify partner support:

 

"While it is not possible to block customers from creating accounts or placing orders, I would recommend that you install the Flow app from the app store. This is Shopify's free automation app which will allow you to create workflows that can automatically cancel orders and delete customer accounts coming from the domain @rtremail.com. You can find more details about how the Flow app works from the help center here: Shopify Help Center | Shopify Flow, and I want to share these particular triggers: Cancel order and Delete customer to understand more. Once the app is installed, you will have access to either create your own custom workflows or install templates for these actions directly from the app. Please let me know if you decide to use Flow and I can guide you further on getting these workflows set up."

 

So far, the best solution I've received.

Moutasim1
Shopify Partner
3 0 1

Is this solution working? Have you tried it?

 

cna_az
Shopify Expert
14 0 9

@Moutasim1 This and the other two steps we took are working but still require monitoring since they will work as long as the bot doesn't create a new account or use a new domain name.

Here is what we did, one of these steps or all together have been working for us:

  1. Implemented the Flow app option described in my comment above
  2. Tagged fake accounts and added code to block customers from logging in as described in this post
  3. Set up an alias Domain without SSL to show a warning for the Customer Account URL form—Click "learn more" for instructions

 


 

Hope this helps.

Moutasim1
Shopify Partner
3 0 1

Thanks @cna_az I'll try these

Steve82
Excursionist
39 0 46

That is just a band-aid. If they start doing the same thing with another domain, you play whack a mole. If they start doing it with a gmail or other big provider, we are screwed.

Fine Art Landscapes - Sawusch Photography - USScenics.com
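
The triage the posts above describe (zero-total orders arriving in bursts from one email domain) can be run without hard-coding a domain. This is an added example, not code from any poster or from Shopify; the CSV column names, the sample rows and the placeholder domain `bulk-mail.example` are constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta
from decimal import Decimal

# Constructed sample export; column names are assumed, not taken from the thread.
SAMPLE_CSV = """Name,Email,Total,Created at
#1001,alice@example.org,42.00,2024-02-13 18:40:02
#1002,a1@bulk-mail.example,0.00,2024-02-13 18:50:11
#1003,a2@bulk-mail.example,0.00,2024-02-13 18:50:11
#1004,a3@bulk-mail.example,0.00,2024-02-13 18:50:12
#1005,bob@example.org,0.00,2024-02-13 19:30:00
#1006,a4@bulk-mail.example,0.00,2024-02-13 18:50:12
"""


def flag_suspicious(csv_text, window=timedelta(seconds=60), burst=3):
    """Flag zero-total orders that arrive in a burst from one email domain.

    Returns (sorted order names to review, sorted domains that burst).
    A single $0 order from a domain is left alone, so legitimate free
    items are not swept up with the bot traffic.
    """
    by_domain = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if Decimal(row["Total"]) != 0:
            continue  # paid orders are out of scope for this check
        domain = row["Email"].rsplit("@", 1)[-1].strip().lower()
        ts = datetime.strptime(row["Created at"], "%Y-%m-%d %H:%M:%S")
        by_domain[domain].append((ts, row["Name"]))

    flagged, domains = set(), set()
    for domain, orders in by_domain.items():
        orders.sort()
        start = 0
        # Sliding window: count orders no more than `window` apart.
        for end in range(len(orders)):
            while orders[end][0] - orders[start][0] > window:
                start += 1
            if end - start + 1 >= burst:
                domains.add(domain)
                flagged.update(name for _, name in orders[start:end + 1])
    return sorted(flagged), sorted(domains)


if __name__ == "__main__":
    print(flag_suspicious(SAMPLE_CSV))
```

The flagged list is a review queue for tagging or cancelling, and the burst threshold and window need tuning against a store's normal order rate.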
cna_az
Shopify Expert
14 0 9

@Steve82 Which is why we need the ability to deactivate this link from the Shop Admin AND Shopify needs to add ReCaptcha to the form. Please ask Shopify support to pass this request urgently to the Shopify Dev team.

dwhitehouse87
Visitor
1 0 0

Can anyone share a screenshot of this workflow? Having trouble with the syntax to call the customer account for deletion.

njswingsets
Visitor
2 0 1

We are having the same issue. This really needs to be corrected on Shopify's end. These are scripts going through a backend, not through any UI.

cna_az
Shopify Expert
14 0 9

Tagging everyone who commented here @FrameUp @Steve82 @studioz @njswingsets @Moutasim1 to ask Shopify for added security which would have helped us block this attack more easily:

Feature Request: Add ReCaptcha, Toggle On/Off Option To "Customer Account URL"

 

Having the added security would have helped us block the bot more easily. 

Eliran_Milo
Shopify Expert
6 0 1

Suffering from the same issue. Shopify support has no helpful answers.

Anyone found a solution for both having 0 products and preventing this BOT from creating these orders?

 

Eliran Milo
Q-Biz | eCommerce Agency
https://q-biz.co.il
CC_Ardmoor
Tourist
7 0 4

I am having the same issue. I added an app to try and block the IP address but that has not worked. The app came back to suggest the below - which I've not tried yet - but I'm about to:

 

"After a thorough investigation we suspect that these accounts are being created from outside of the online store scope, and that is why Blocky is not blocking them.
However, there is a simple solution to that that our other users have toggled, that only requires a minor settings change:

Go to the Settings and turn on Shopify's new customer accounts feature from here: https://admin.shopify.com/store/ardmoor.myshopify.com/settings/customer_accounts Click on the blue "Edit" button and then choose the "New Customers Accounts" option, then click Save.

Then, please go to https://admin.shopify.com/store/ardmoor.myshopify.com/settings/checkout and tick the "Require the customer to log in to their account before checkout".
These 2 settings will terminate the attack, and you can switch back the settings afterwards."

Aaron2024
Tourist
20 0 1

This does work but will kill conversions. It won't be worth staying on Shopify because your conversions will be so low because customers will abandon checkout.

Ankit_Thakur
Shopify Partner
76 1 8

Hi @Steve82 If you are still looking for a solution to this, you can try using the Checkout Guardian App, wherein you can block all the orders based on the cart value. For example, we can set a rule to block checkout if the cart value is USD 0, which means a person won't be able to check out if his cart value is 0. Apart from that, it offers various conditions to block checkout from these fake orders.

You can have a look at it here Checkout Guardian App.

Shopify Developer/Consultant
If my suggestions are useful, please let me know by giving it a like or marking it as a solution.
And if you want to customize or develop new feature on Theme or App.
Skype:-ankit.thakur_5
Eliran_Milo
Shopify Expert
6 0 1
Or simply do the same with Shopify flow, without a need for an external plugin..:)
Eliran Milo
Q-Biz | eCommerce Agency
https://q-biz.co.il
Steve82
Excursionist
39 0 46

Or to pay more money to "fix" it. This should not be a fix that costs money, Shopify should fix it. Looking at @Ankit_Thakur's posts, they are just promoting/spamming that plugin and another one via copy and paste. I'll pass on even looking at that.

Fine Art Landscapes - Sawusch Photography - USScenics.com

Aaron2024
Tourist
20 0 1

Shopify needs to add a Captcha on the checkout page. I've contacted them 4 times and they haven't done anything. They are really negligent in the matter and we all need to get together and demand action. Bots target Shopify stores because nothing is being done about it. I have a bot that's testing credit cards. Only thing I can do is require customers to log in before checkout, which is terrible for conversions. Luckily I'm not sending any traffic.