Discuss and resolve questions on Liquid, JavaScript, themes, sales channels, and site speed enhancements.
Hi, folks.
As most people know Google and Facebook will both place automated test orders to verify shipping and other details. The names are fairly well-known and they always abandon before finalizing checkout.
We have a new friend showing up in our logs by the name of James James. The email address sfj9usfhuios@gmail.com and location is San Antonio, California 94105. This bot is trying to check out 4-5 times per day with some of our free digital printables but abandons before going through with it. I have no idea why this might be happening because these particular products are not in the direct feeds going to FB and Google, though I know the page for the product still resides in Google.
Anyway, just wondering if anyone else has had this particular name/email combo come up in their abandoned cart logs.
Thanks!
Jamie
Hi Jamie, I have these many times. A lot. Have you found any other information? Is it safe?
I haven't found any additional information myself. I assume it is safe, but it seems like something worth watching. ArrowsAim below has a new wrinkle with many additional names.
We've had 97 abandoned checkouts from James of San Antonio, CA since Jan 25th. This morning, James-bot started completing purchases for one of our free ($0.00) items, completing 14 checkouts in 12 minutes under names like "Will Will", "Tyler Tyler" and "Yezeus Yezeus". Each order has a different IP address, name, address, and phone number.
This seems to have escalated from abandoned checkout, but I'm wondering to what end? Is there anything particularly compromising about the situation? They can't be blocked because they never create an acct and the IP is different every time. Shopify has been no help.
Ugh! That is awful! We are still seeing 10-20 of these a day on our site. Hopefully more people will report this because the more eyeballs things like this get the more attention Shopify will give it. I'm going to @tobi on Twitter. Sometimes that raises attention behind the scenes.
I got hit with this today.
138 Abandoned Checkouts by James James.
35 customer listings created with different rtremail.com emails.
2 orders placed for $0 items; customers "Naveen Naveen" and "Lincoln Lincoln"
James James account gives a fake address for San Antonio CA (no such address shows up in google maps) and a 415 area code phone number.
Lincoln Lincoln account gives a Lady Lake, FL address and a 510 area code phone number.
Naveen Naveen gives a Little Elm, TX address with a 916 area phone number.
I cancelled the orders.
I deleted all the bogus accounts.
I archived all the abandoned carts.
Is there anything else I can do to prevent this from happening again? Has anyone found a solution?
@Shopify @Victor This seems to be a growing problem that many people are experiencing despite reCaptcha, and we shouldn't have to pay for additional services to protect our businesses. Are there other things we can do to prevent ourselves from being targeted again?
Were the items in your abandoned shopping carts $0.00 as well?
Yes. And "James James" returned again twice more tonight, for a total of over 450 abandoned carts in the last 12 hours or so.
I am currently speaking with a shopify advisor via chat, and they seem to be taking this seriously. If I learn anything useful, I will share it. Hopefully they an get to the bottom of this issue and block these bots/scammers.
Are you saying that the price of the item itself -not just within the sale, but in the individual product profile- was edited to ZERO after a James James & Co. checkout?
That sounds like a HIGH ALERT issue that needs to be on Shopify's radar asap.
Ugh. That is all terrifying. On the day when I got targeted, the abandoned carts came in 3 waves.
Round 1: 12:43pm - 1:10pm
Round 2: 6:52pm - 7:24pm
Round 3: 10:40pm - 11:14pm
I caught Round 3 WHILE it was happening, and I immediately started putting all my $0 items into draft mode, and the abandoned carts stopped immediately, and I haven't had anymore since.
I have been in touch with Shopify customer service, and they have told me they are taking this seriously and are working with their developers on the issue. They recommended some of the issues we have seen others post (reCaptcha, third party apps, etc), but I told them that this thread (and the reviews for the apps they recommended) clearly show that people are not having success with those.
I am currently in the process of changing all of my $0 listings so that they now have a price of some kind. This is a huge and frustrating task, but I'm not sure what else to do.
However, now I am concerned that even if I remove all the $0 items, I could get targeted in the way AppMerc describes above. But, my formerly $0 items do NOT have a shipping cost attached, so I'm not sure if that makes a difference or not.
I'm checking my abandoned carts multiple times a day now, and nothing since 2/24, so I'm hoping I am past the attack. And I hope Shopify can figure out a way to end this once and for all so that no one else has to deal with this.
I changed my $.0 products to $.01 and it appears to block James James currently, however I absolutely need these $0.00 products. Has anyone found that after James James goes away and stays away it I change back products to $0.00?
Using the (excellent) app Matrixify, you can run a report showing your prices.
Hi @pwforaker and @AppMerc
You sure can use the Matrixify app to see all your product variant prices.
Using our app, export Products with Basic Columns and Inventory/Variants. In the exported file you will see the `Variant Price` column with a price for each variant.
However, note that also Shopify native admin export should contain the same field so you could do regular Shopify Products export and it should show what products have what price set.
I think We Found out the Solution, Just Open > Customers Section in Shopify tab, For Example the Customer Name is James James and Customer Mail is sfj9usfhuios@gmail.com Simply delete the Customer From > Customers Section ( on Shopify Dashboard ) Now Open your website go on Log in & Register Section, Simply Register with same name ( James James ) and same gmail ( sfj9usfhuios@gmail.com ) ( of that bot is using to create Abandoned Checkouts ), and create a Strong Password, Now you'll see the bot is failed to place Abandoned Checkouts on your store.
I think We Found out the Solution, Just Open > Customers Section in Shopify tab, For Example the Customer Name is James James and Customer Mail is sfj9usfhuios@gmail.com Simply delete the Customer From > Customers Section ( on Shopify Dashboard ) Now Open your website go on Log in & Register Section, Simply Register with same name ( James James ) and same gmail ( sfj9usfhuios@gmail.com ) ( of that bot is using to create Abandoned Checkouts ), and create a Strong Password, Now you'll see the bot is failed to place Abandoned Checkouts on your store.
I think We Found out the Solution, Just Open > Customers Section in Shopify tab, For Example the Customer Name is James James and Customer Mail is sfj9usfhuios@gmail.com Simply delete the Customer From > Customers Section ( on Shopify Dashboard ) Now Open your website go on Log in & Register Section, Simply Register with same name ( James James ) and same gmail ( sfj9usfhuios@gmail.com ) ( of that bot is using to create Abandoned Checkouts ), and create a Strong Password, Now you'll see the bot is failed to place Abandoned Checkouts on your store.
We have this same problem and have spoken to Shopify Support several times over the past few weeks. We updated our $.00 products to $.01 and waiting to see if this temporarily took care of this bot, however we REQUIRE some of our prPify told us to download an app but we are on the Starter plan and it tells us the app is not compatiable with our version. So they are expecting us to buy a more expensive plan AND then buy a 3rd party app!!! In the meanwhile they are doing nothing and my customers are not happy having to call us directly. They said they'd put our "Vote" in for Shopify Developer Team to fix this in "The Future"!!!! Seriously???? Maybe time to drop Shopify?
So your real customers are paying one cents now?
I think We Found out the Solution, Just Open > Customers Section in Shopify tab, For Example the Customer Name is James James and Customer Mail is sfj9usfhuios@gmail.com Simply delete the Customer From > Customers Section ( on Shopify Dashboard ) Now Open your website go on Log in & Register Section, Simply Register with same name ( James James ) and same gmail ( sfj9usfhuios@gmail.com ) ( of that bot is using to create Abandoned Checkouts ), and create a Strong Password, Now you'll see the bot is failed to place Abandoned Checkouts on your online store.
I think We Found out the Solution, Just Open > Customers Section in Shopify tab, For Example the Customer Name is James James and Customer Mail is sfj9usfhuios@gmail.com Simply delete the Customer From > Customers Section ( on Shopify Dashboard ) Now Open your website go on Log in & Register Section, Simply Register with same name ( James James ) and same gmail ( sfj9usfhuios@gmail.com ) ( of that bot is using to create Abandoned Checkouts ), and create a Strong Password, Now you'll see the bot is failed to place Abandoned Checkouts on your store.
I think We Found out the Solution, Just Open > Customers Section in Shopify tab, For Example the Customer Name is James James and Customer Mail is sfj9usfhuios@gmail.com Simply delete the Customer From > Customers Section ( on Shopify Dashboard ) Now Open your website go on Log in & Register Section, Simply Register with same name ( James James ) and same gmail ( sfj9usfhuios@gmail.com ) ( of that bot is using to create Abandoned Checkouts ), and create a Strong Password, Now you'll see the bot is failed to place Abandoned Checkouts on your store.
No news to report on this yet, but I did post to Twitter for visibility. Believe it or not, constructive posts to @tobi really do end up getting eyeballs at Shopify. Hopefully that will be the base here too
I appreciate you casting the net, Jamie! Here are other threads I've found regarding the same bot/issue:
https://community.shopify.com/c/shopify-discussions/bot-placing-abandoned-orders/m-p/2433368#M419438
I'll stop littering this thread unless I come up with any revelations. Best of luck, y'all!
I think We Found out the Solution, Just Open > Customers Section in Shopify tab, For Example the Customer Name is James James and Customer Mail is sfj9usfhuios@gmail.com Simply delete the Customer From > Customers Section ( on Shopify Dashboard ) Now Open your website go on Log in & Register Section, Simply Register with same name ( James James ) and same gmail ( sfj9usfhuios@gmail.com ) ( of that bot is using to create Abandoned Checkouts ), and create a Strong Password, Now you'll see the bot is failed to place Abandoned Checkouts on your store.
Same problem here! Looks like we have been getting James James abandoned carts since January. (barely noticed them today, ugh!) Trying to contact Shopify support with no luck! I'm on their chat but not getting anywhere. I'm getting solutions for stuff that I didn't even ask for. LOL.
Responses from chat support. 1. delete customer 2. download Locksmith. See screenshots....then I accidently closed the chat box.
It sounds like this could work for James James' abandoned checkouts, which look to be created using recurring credentials. Unfortunately, the related orders made in my store were all placed with different email addresses, from different IPs, using different names, etc. These orders do share a common domain, but I imagine it's no problem for whoever is behind this to use a different one, making it difficult to prevent future orders with Locksmith (because we can't anticipate future domains to create the key conditions that would prevent orders from flowing in the first place). If I see more orders come in from @rtremail.com I might give it a shot, but it's not a viable long term fix.
You and I are definitely battling the same bot. I got all those rtremail.com spam accounts a few days ago and interestingly, James James (same email as yours too) signed up on Jan 25th as well. I read in a thread about a similar issue a mention that a hacked app could be the culprit. Below is a list of every app I have installed on my store. I'd be interested to know which ones we have in common if you're willing to share.
Installed Apps:
Collabs
Etsy Inventory Integration
Parcel Panel
Rewind Backups
Fileflare DDA Digital Download
Order Printer
Stock Sync: Inventory Sync
Hextom: Bulk Product Edit
AfterSell
Usage fees
Google & YouTube
Amped: Email & SMS Popups
Collective (Retailer)
Hextom: Bulk Image Edit & SEO
Email
Tidio ‑ Live Chat & Chatbots
Shop
RetentionX
Usage fees
Statlas
Klickly Connector
Stamped Loyalty & Referrals
Pinterest
Inbox
Privacy & Compliance
Twitter
Klaviyo: Email Marketing & SMS
Fraud Filter
Interesting! We don't have any common apps (besides the default Shopify email app), but that doesn't mean we don't have common app developers. I'm not able to do a deep dive on that at the moment, but here are the apps we currently have installed:
Alert Me! Restock Alerts
Cozy AntiTheft
Event Calendar by Elfsight
Instafeed
Quicky
Seal Subscriptions
Sendle Dashboard Shipping
SPOD Print-on-Demand
Tipo Appointment Booking
The commonality I'm finding is $0 items, both hidden and explicitly listed, which you, I, and the OP mentioned (as well as others in threads linked above). Is it possible this bot is targeting @Shopify hosted stores, isolating websites containing $0 products, and using them to test platform vulnerability without risking/exhausting actual payment methods?
TEMP FIX: I've set my $0 items to "draft" and haven't seen the James James bot since. This is a temporary fix as far as I'm concerned and I don't plan on settling for removing those items from my shop permanently. I'd love to know if anyone else has found ways to pause engagement with this issue.
I don't see any common apps.
We have
Variant Option Product Options
POWR Contact Form
Shopify Theme tool
I just found this community discussion after....yup....James James hit my site today. I just sync'd my site with the Google & YouTube as you have up there and I am wondering if this is how he found me. Sync was done last week. Poor James didn't want to pay shipping charges on the free product, so he abandoned checkout. He must have a way to find things that are free. I had uploaded some fabric (I have a quilt shop) and mistakenly didn't put the price in. If nothing else, he helped me find that I hadn't put the price in.
I think We Found out the Solution, Just Open > Customers Section in Shopify tab, For Example the Customer Name is James James and Customer Mail is sfj9usfhuios@gmail.com Simply delete the Customer From > Customers Section ( on Shopify Dashboard ) Now Open your website go on Log in & Register Section, Simply Register with same name ( James James ) and same gmail ( sfj9usfhuios@gmail.com ) ( of that bot is using to create Abandoned Checkouts ), and create a Strong Password, Now you'll see the bot is failed to place Abandoned Checkouts on your store.
In my experience, deleting the customer does not stop them from leaving more abandoned carts. All it does is remove the customer name/address/email from the abandoned carts list... but the row with the abandoned cart still stays on the list and the bot continues to leave new abandoned carts.
I think We Found out the Solution, Just Open > Customers Section in Shopify tab, For Example the Customer Name is James James and Customer Mail is sfj9usfhuios@gmail.com Simply delete the Customer From > Customers Section ( on Shopify Dashboard ) Now Open your website go on Log in & Register Section, Simply Register with same name ( James James ) and same gmail ( sfj9usfhuios@gmail.com ) ( of that bot is using to create Abandoned Checkouts ), and create a Strong Password, Now you'll see the bot is failed to place Abandoned Checkouts on your store.
I think We Found out the Solution, Just Open > Customers Section in Shopify tab, For Example the Customer Name is James James and Customer Mail is sfj9usfhuios@gmail.com Simply delete the Customer From > Customers Section ( on Shopify Dashboard ) Now Open your website go on Log in & Register Section, Simply Register with same name ( James James ) and same gmail ( sfj9usfhuios@gmail.com ) ( of that bot is using to create Abandoned Checkouts ), and create a Strong Password, Now you'll see the bot is failed to place Abandoned Checkouts on your store.
I think We Found out the Solution, Just Open > Customers Section in Shopify tab, For Example the Customer Name is James James and Customer Mail is sfj9usfhuios@gmail.com Simply delete the Customer From > Customers Section ( on Shopify Dashboard ) Now Open your website go on Log in & Register Section, Simply Register with same name ( James James ) and same gmail ( sfj9usfhuios@gmail.com ) ( of that bot is using to create Abandoned Checkouts ), and create a Strong Password, Now you'll see the bot is failed to place Abandoned Checkouts on your store.
This is a simple and elegant solution. Love it!
ME too! I get a few abandoned checkouts a day from "James James", no use in deleting the customer as it just gets recreated every time. The people behind the chat support have basic knowledge at best and read off a script it seems, so they will have no clue on how to fix something like an advanced bot attack. This seems like a BIN attack, testing different credit card numbers until they get any that go through. I just can't believe shopify doesn't actively do something to look into this and block them.
For us, the bot is going crazy on our zero dollar items, so there's no payment gateway exposed for the bot to test, right? Sounds like you know more about this stuff than I do. I posted a list of apps I have installed above. I'd be interested to know if we have any in common in the event one of them is the culprit.
I’m going by what I’ve been told by all the “ship protector” apps I’ve been talking to for help on this. The bots find a way. There’s got to be a reason why it’s looking for free products. But I’m lost too.
As far as your apps the only ones we have in common are rewind and klaviyo. And doubt it’s any of those…. Seems like it’s a Shopify vulnerability. And it started on Jan 25 for me too. Oh, and if it’s targeting free products maybe we need to price these products at $.01 to get rid of James James?
Hey guys, did anyone find the solution for this? i tried checkout ui extensions to block user based on email or cart and checkout function to block customer if cart total cost is zero but in both cases it does not stop the bot from creating an abandoned checkout. because shopify marks the checkout abandoned once the customer is on checkout and enters its details, does not depend on either be block it or not
is there any way we could implement some solution for Shopify plus store using apis or something
TEMP FIX: I've set my $0 items to "draft" and haven't seen the James James bot since [02/13]. This is a temporary fix as far as I'm concerned and I don't plan on settling for removing those items from my shop permanently. I'd love to know if anyone else has found ways to pause engagement with this issue.
We recently spoke with Zopi developers @Zopi about how dropshipping businesses can enha...
By JasonH Oct 23, 2024A big shout out to all of the merchants who participated in our AMA with 2H Media: Holi...
By Jacqui Oct 21, 2024We want to take a moment to celebrate the incredible ways you all engage with the Shopi...
By JasonH Oct 15, 2024