I think someone is trying to hack my store

I think someone is trying to hack my store

Darylsheets1
Visitor
3 0 1

Hi all,

I know the title of this post sounds a bit harsh but I'll try to summarize what's going on and hopefully someone could help. I've had my store for over 3 years now, and yesterday I noticed for the first time zero sales but 21 add to carts. This was very odd because I've never had such a large ratio of add to cart/zero sales. My FB ads manager showed me that there were 5 purchases wherein I had none on Shopify. I contacted Shopify support and they said that there wasn't anything wrong on my stores backend.

I looked up some of the most recent traffic in the past few days (this issue started 2 days ago) and it was showing that the majority of traffic came from one location - Clifton, NJ. Not sure if this means anything and what I can do with this info, but I'm really hoping someone could help me figure what to do.

I'm going to be pausing my ad's until I know what's happening because if someone is trying to hack me, it seems like they are throwing off a lot of data to trick the system. 

Replies 21 (21)

Rufus413
Tourist
6 0 3

I'm having the same issue with Clifton, NJ and it appears my traffic is significantly higher than yours was when you posted.  Since June 23rd, Clifton accounts for 7500+ sessions in my store and 14,800+ pageviews, all to products I've used as landing pages with Facebook ads.

I've tried the Traffic Blocker app from the Shopify store, and while it's showing blocks and redirects, the traffic is still getting through somehow.  Each time I get a "bot" hit from Clifton it performs multiple add to carts and pageviews.  On average, each session lasts around 3 minutes.

My concern is that this is killing my search engine ranking, analytics reporting, and pixel data (used for Facebook ads).  Since this has occurred I've noticed a significant drop in the effectiveness of my ad campaigns and suspect that the large amount of traffic is tricking Facebook into continually serve my ads to these bots rather than legitimate customers.

As of this time, Shopify has provided me with no solutions on their end other than apps, so if anyone has input I'd appreciate it.

Veronica15
Tourist
9 0 1

Hi,

My store is also facing the same issue of getting high traffic with a number of ATC and checkouts coming from Clifton, NJ.  It comprises almost 50% of my overall store traffic, and they keep visiting every hour daily and sometimes a few times within the hour like clockwork.  My store analytics and metrics are badly skewed because of it.  Wonder if you managed to find a solution eventually to stop this bot traffic.  I really need some help in this.  Thanks!

Darylsheets1
Visitor
3 0 1
Hi,

Unfortunately I was never able to find a fix. I added a few apps to block
IP addresses but that only works to a certain extent. Shopify was/has been
unable to figure out what's the reason behind this.
Veronica15
Tourist
9 0 1

HI,

Are you saying that the peculiar traffic still persists? Did you try pausing your ads to find out if it helps to stop the traffic from coming to your store?  I'm getting very concerned this fake traffic is gonna ruin my pixel data if this continues.

Rufus413
Tourist
6 0 3

Pausing the ads will eventually stop the traffic, but it isn't a fix.  As soon as you start running ads again the bots will latch back on and continue to hit the site.

I've put a lot of work into this and have a combination of three apps that I use.  The bots are blocked from actually getting into my site (which means they can't add to cart or purchase) but about half of the visits still get recorded by Shopify (so you're conversion metrics will still be skewed).  I do however believe my solution has helped on running ads though, as since I've instituted it I've gotten much better engagement and more purchases.

I use three apps.  Be aware that they will slow the site down some but I think that's better than the alternative.  Also, implementing will probably take some time.  You'll need to go back, figure out when they started hitting your site and then go from there.  The 3 apps I use are: IP Log (allows you to sort IP addresses by location and keep a log of them), Blockade (allows you to block individual IP addresses), and Loop CyberSecurity Bot Protect (attempts to stop ads from being served to bots on Facebook).

My advice would be to download the IP log and search by location (I recommend checking both Clifton, NJ and Newark, NJ as they both seem to generate heavy bot traffic).  Copy and paste each address from those locations into Blockade, and then create a profile on the IP log so you can tell which you've blocked already.  I have two logs, one for each location.  To date, I've blocked +430 individual IP addresses.

Then you can install Loop CyberSecurity Bot Protect.  So far I've used this with minimal success, as bots are still getting through, but the developers have been gracious to allow me two separate test periods and seem to be willing to customize it if need be.  I'm hopeful that continued contact with them will help improve the software and provide a better long term solution.


Hope that helps.

noControlz
Excursionist
11 0 5

The exact same thing is happening to our site.  It started happening a few days ago.  We're using Lucky Orange, so I'm able to see the actual bot traffic and the ATC happening.  It's not all just Digital Ocean, but other networks as well.  Same city though, Clifton, NJ.  I'm wondering if when this occurred to you guys, did you have any recent customer complaints?

Veronica15
Tourist
9 0 1

Thanks for sharing such detailed explanation on how you have been dealing with this bot traffic.  May I know if you installed and implemented all 3 apps at the same time or one after another.  I'm not very tech-savvy, is it relatively easy to install and navigate them? The bot traffic started hitting my store since a week ago.  But I'm seeing an increase in traffic and ATCs which is very frustrating.  It's true that pausing the ads is not a long-term solution as we need store traffic for conversion.  I'm even thinking now if I should use a different ad account to run my ad campaigns.  Have you tried switching to a different ad account for your campaigns.  Please share your outcome if you did.  Thanks.

noControlz
Excursionist
11 0 5

Interestingly, we started seeing this after we launched ads in one of our old ad accounts a couple days ago.  I'm going to try flipping to one of our other ad accounts now and let you know if we see anything different.

noControlz
Excursionist
11 0 5

We tried switching ad accounts but still no luck, the bot traffic continues.  I’ve installed Loop, and it doesn’t block the bot traffic by itself.  I’ll try what Rufus suggested and let you know how it goes.  Unfortunately I haven’t been able to find an app that effectively blocks entire IP ranges, so if you know of one, please let us know.

Rufus413
Tourist
6 0 3

Loop CyberSecurity Bot Protect is just one of three steps I used.  It is not intended to block the traffic from hitting the site, but it attempts to prevent your Facebook ads from being shown to bots in the future.  If you leave it installed, it also provides you with the ability to create a Custom Audience in Ads Manager with the "Loop" tag.  If you use this, you can take the data it's collected and create an audience that you can exclude when creating your ad campaigns.

I recommend also getting an IP Log app and using Blockade.  The IP log lets you see each IP address that hits your site by location and you can start pinpointing the Clifton traffic.  You can then take that information into Blockade and put the specific IP address into a block list.  I also block Newark, NJ as I find a lot of similar bot traffic coming from there (and geographically the two are right next to each other).  It's time consuming to do it one by one (which is what I did) but it can be done and is worth it if you want to keep quality traffic to your site.  To date I've blocked roughly 440 IP addresses.

Keep in mind, the bot traffic may still register as a visit, but they are being redirected away from your site within a second of hitting it (meaning they can't perform Add to Carts or any other actions that may skew your pixel data).

noControlz
Excursionist
11 0 5

Thanks for the clarification Rufus.  I was able to find the Easy Country Blocker app which allows the ability to block by specific IP as well as IP ranges https://apps.shopify.com/country-blocker-1

Since I use Lucky Orange, I can already filter and export the respective IPs, so I just imported them directly into Easy Country Blocker and setup the block page.  It seems to block quicker than Blockade.  Not sure if you’ve tried that app, but it may be worth a look considering the 440+ IPs you’re currently trying to manage.  Might be easier to establish/manage the ranges.

I didn’t know about the audiences for the Loop app, thanks for the tip!  I’ll need to read the docs.

noControlz
Excursionist
11 0 5

Well, looks like the bot is still hitting the site from the same IPs.  It must be ignoring JavaScript, because the block page isn’t working.  We need a way on Shopify to block this bot traffic at the network level rather than application level.

Rufus413
Tourist
6 0 3

The bots will still register a visit in about 75% of cases with Blockade, but they're immediately redirected off your site onto an error page (held by Blockade).  The bot traffic used to generate a huge number of Add To Carts (sometimes 15-20 at one time) and now that I've been able to redirect they're unable to do that. 

I agree that something should be done at the network level, but as Dylan (the developer of Blockade) pointed out in his app description, Shopify will not allow them to do any backend adjustments with the apps - everything has to happen on the frontend once the site has been launched.  I've reached out to Shopify about 7 times regarding this issue and while their customer service was polite, they were not overly helpful in coming up with any solutions.  Bot issues, while not this specific one, have been an issue for a few years now and Shopify has not replied to any of the posts to offer up a solution or even acknowledge that they're aware of it. 

 

noControlz
Excursionist
11 0 5

I've mitigated it temporarily, but I'm going to be looking into using a Web Application Firewall and proxying all my traffic through another cloud service provider.  This should allow me to block all malicious traffic that I see coming through at the network level.

I tried using Cloudflare, but since Shopify already implements it as part of their solution, they won't allow me to re-proxy traffic that's already running through them.  So on to other services.  I'll let you know what I figure out.

Rufus413
Tourist
6 0 3

Let me know if you find a solution that doesn't break the bank.  I tried CloudFlare as well for about a month until I realized it wasn't doing anything to block traffic.  The only way it integrates with Shopify is if you're on their top tier enterprise plan for $2000 / month.

I've spoken with a few others as well but the price points all seem similar ($1500+), which just seems way to high to pay for something that I feel Shopify should already be addressing on their end. 

noControlz
Excursionist
11 0 5

Yes, EXACTLY the problem...  The expense is too high to justify.  Shopify should simply allow us to use the WAF features, but I understand there's tremendous complexity at the merchant level to enable that type of filtering.

I'm looking into AWS to see if I can get services setup in front of my storefront, and run traffic through their WAF.  I'll report back if I find success.

Shiv2021
Tourist
8 0 3

Have you guys figured out a solid solution for this issue? We're experiecing the same in 2024 with ADTC about 20 at a time. Messing with our ad tracking and more. 

noControlz
Excursionist
11 0 5

OK, after struggling with AWS firewalls and ACLs for a bit, I've come to determine there is no easy way to block it using my own AWS VPC.  However, I HAVE GREAT NEWS!

I was able to get it to work using a reverse proxy service called Fastly (https://www.fastly.com).  The initial setup and testing was actually pretty quick, I was able to test it out and upload the IP ranges into the ACL blocklist pretty quickly.  The trickier part was when I was ready to actually onboard with them and put it into production, it took some back and forth with their support to figure out the SSL cert I needed to deploy.

Inevitably I was able to request a wildcard certificate for my shopify hosted domain, adjust a few DNS records, and now I'm live!  The network ACLs are enabled fairly quickly, so you can add them on the fly and have them take effect within 30 seconds.

The cost of the service depends on the amount of traffic you have per month.  Expense is variable (paid by traffic volume) with the minimum being $50/month.  I'll have to monitor, but I think I'll probably come in at the minimum.  Totally worth it for the caching and additional layer of security!!!

Rufus413
Tourist
6 0 3

Let me know how it goes after you monitor it a bit - and if there are any integration issues with Shopify.  While my method is a bit more pieced together, it is working for me right now (although it does affect my overall sight speed score). 

If it's still working after a week or two for you (and you notice the bots are no longer getting through) let me know and I may follow your lead and sign up for the same service.

 

Shiv2021
Tourist
8 0 3

Would love to know where you're at with this issue today! We're experiencing the same thing and no one seems to have a solid solution online. It's getting rough with the ADTC volume and crazy session spikes recently!

Veronica15
Tourist
9 0 1

Hi both, @Rufus413 @noControlz ,

I haven't done anything on my side to block or stop the bot traffic, although I have been keeping an eye on them.  It looks like they have stopped visiting my store and they haven't shown up in my Shopify analytics since 3 days ago.  Do you still get them in your store these days?