Re: James James and the world of Automated Abandoned Cart Robots

James James and the world of Automated Abandoned Cart Robots

Jamie_Grove
Excursionist
35 0 53

Hi, folks.

 

As most people know Google and Facebook will both place automated test orders to verify shipping and other details. The names are fairly well-known and they always abandon before finalizing checkout.

 

We have a new friend showing up in our logs by the name of James James. The email address sfj9usfhuios@gmail.com and location is San Antonio, California 94105. This bot is trying to check out 4-5 times per day with some of our free digital printables but abandons before going through with it. I have no idea why this might be happening because these particular products are not in the direct feeds going to FB and Google, though I know the page for the product still resides in Google.

 

Anyway, just wondering if anyone else has had this particular name/email combo come up in their abandoned cart logs.

 

Thanks!

 

Jamie

 

Replies 137 (137)

yanninoyola
Visitor
1 0 1

Hi Jamie, I have these many times. A lot. Have you found any other information? Is it safe? 

Jamie_Grove
Excursionist
35 0 53

I haven't found any additional information myself. I assume it is safe, but it seems like something worth watching. ArrowsAim below has a new wrinkle with many additional names.

ArrowsAim
Excursionist
20 0 27

We've had 97 abandoned checkouts from James of San Antonio, CA since Jan 25th. This morning, James-bot started completing purchases for one of our free ($0.00) items, completing 14 checkouts in 12 minutes under names like "Will Will", "Tyler Tyler" and "Yezeus Yezeus". Each order has a different IP address, name, address, and phone number.

 

This seems to have escalated from abandoned checkout, but I'm wondering to what end? Is there anything particularly compromising about the situation? They can't be blocked because they never create an acct and the IP is different every time. Shopify has been no help.

 

Screenshot (349).png

Jamie_Grove
Excursionist
35 0 53

Ugh! That is awful! We are still seeing 10-20 of these a day on our site. Hopefully more people will report this because the more eyeballs things like this get the more attention Shopify will give it. I'm going to @tobi on Twitter. Sometimes that raises attention behind the scenes.

AmyShop
Tourist
4 0 8

I got hit with this today.  

 

138 Abandoned Checkouts by James James.

35 customer listings created with different rtremail.com emails.

2 orders placed for $0 items; customers "Naveen Naveen" and "Lincoln Lincoln"

 

James James account gives a fake address for San Antonio CA (no such address shows up in google maps) and a 415 area code phone number.

Lincoln Lincoln account gives a Lady Lake, FL address and a 510 area code phone number.

Naveen Naveen gives a Little Elm, TX address with a 916 area phone number.

 

I cancelled the orders.

I deleted all the bogus accounts.

I archived all the abandoned carts.

 

Is there anything else I can do to prevent this from happening again? Has anyone found a solution?

 

@Shopify @Victor  This seems to be a growing problem that many people are experiencing despite reCaptcha, and we shouldn't have to pay for additional services to protect our businesses.  Are there other things we can do to prevent ourselves from being targeted again?

 

 

AppMerc
Tourist
8 0 4

Were the items in your abandoned shopping carts $0.00 as well?

AmyShop
Tourist
4 0 8

Yes. And "James James" returned again twice more tonight, for a total of over 450 abandoned carts in the last 12 hours or so.

AmyShop
Tourist
4 0 8

I am currently speaking with a shopify advisor via chat, and they seem to be taking this seriously.  If I learn anything useful, I will share it. Hopefully they an get to the bottom of this issue and block these bots/scammers.

AppMerc
Tourist
8 0 4
It now appears that he is able to change the sell price on items to $0.00.  His abandoned carts have items that used to have a cost attached.  Our default shipping rate hits all orders that are not put in as a pick up on site.  This is why he hasn't completed any sales.
Another thing I am finding is that the 'cycle' hitting our site is around every four hours.
Yvy616
Excursionist
35 0 46
Hmmm so I wonder if he IS testing credit card numbers. I know that free items don’t need payment info entered for a customer but maybe the connection this bot has does allow him to test. And the $0 items is a way to avoid detection while testing. If a card number does end up being valid and it shows, well…he got what he wanted.

Just a theory I have.
AppMerc
Tourist
8 0 4
I think he is hacking all the way around.  Imagine if he was able to hack Shopify's cc system - the sales dollars from just one day via cc's.  I do know that the item he ordered at 2:41 today DID have a price and now does not.  I had to go in and fix it.
ArrowsAim
Excursionist
20 0 27

Are you saying that the price of the item itself -not just within the sale, but in the individual product profile- was edited to ZERO after a James James & Co. checkout?

 

That sounds like a HIGH ALERT issue that needs to be on Shopify's radar asap.

AppMerc
Tourist
8 0 4
Yes.  It appears so on this last one.  I'm literally going through every item on our site right now to ensure there are no more 0.00 items.  (We have nothing on there that should have a price of 0.00.)  Once I have checked them all, I will have a better handle on it and can alert Shopify.  I wish there was a report I could run that showed pricing.
AmyShop
Tourist
4 0 8

Ugh. That is all terrifying.  On the day when I got targeted, the abandoned carts came in 3 waves.

Round 1: 12:43pm - 1:10pm

Round 2: 6:52pm - 7:24pm

Round 3: 10:40pm - 11:14pm

 

I caught Round 3 WHILE it was happening, and I immediately started putting all my $0 items into draft mode, and the abandoned carts stopped immediately, and I haven't had anymore since.  

 

I have been in touch with Shopify customer service, and they have told me they are taking this seriously and are working with their developers on the issue. They recommended some of the issues we have seen others post (reCaptcha, third party apps, etc), but I told them that this thread (and the reviews for the apps they recommended) clearly show that people are not having success with those.

 

I am currently in the process of changing all of my $0 listings so that they now have a price of some kind.  This is a huge and frustrating task, but I'm not sure what else to do.

 

However, now I am concerned that even if I remove all the $0 items, I could get targeted in the way AppMerc describes above.  But, my formerly $0 items do NOT have a shipping cost attached, so I'm not sure if that makes a difference or not.

 

I'm checking my abandoned carts multiple times a day now, and nothing since 2/24, so I'm hoping I am past the attack. And I hope Shopify can figure out a way to end this once and for all so that no one else has to deal with this.

AppMerc
Tourist
8 0 4
I went through EVERYTHING in our online store.  There is nothing with a $0.00 price on it now.  (If I were you I would put $0.01 on them.)  So far....I have ran him off.  He was hitting about once every 4 hours.  If he hits again, I will be 100% sure that he was, in fact, able to change the price.
Ben12341
Excursionist
15 0 10

I changed my $.0 products to $.01 and it appears to block James James currently, however I absolutely need these $0.00 products.  Has anyone found that after James James goes away and stays away it I change back products to $0.00?

 

pwforaker
Visitor
2 0 2

Using the (excellent) app Matrixify, you can run a report showing your prices. 

Renars
Shopify Partner
307 32 365

Hi @pwforaker and @AppMerc 

You sure can use the Matrixify app to see all your product variant prices.

Using our app, export Products with Basic Columns and Inventory/Variants. In the exported file you will see the `Variant Price` column with a price for each variant.

However, note that also Shopify native admin export should contain the same field so you could do regular Shopify Products export and it should show what products have what price set.

Matrixify | Bulk Import Export Update | https://apps.shopify.com/excel-export-import | https://matrixify.app
Rahul
Excursionist
19 1 1

I think We Found out the Solution, Just Open > Customers Section in Shopify tab, For Example the Customer Name is James James and Customer Mail is sfj9usfhuios@gmail.com Simply delete the Customer From  > Customers Section ( on Shopify Dashboard ) Now Open your website go on Log in & Register Section, Simply Register with same name ( James James ) and same gmail ( sfj9usfhuios@gmail.com ) ( of that bot is using to create Abandoned Checkouts ), and create a Strong Password, Now you'll see the bot is failed to place Abandoned Checkouts on your store.                   

Rahul
Excursionist
19 1 1

I think We Found out the Solution, Just Open > Customers Section in Shopify tab, For Example the Customer Name is James James and Customer Mail is sfj9usfhuios@gmail.com Simply delete the Customer From  > Customers Section ( on Shopify Dashboard ) Now Open your website go on Log in & Register Section, Simply Register with same name ( James James ) and same gmail ( sfj9usfhuios@gmail.com ) ( of that bot is using to create Abandoned Checkouts ), and create a Strong Password, Now you'll see the bot is failed to place Abandoned Checkouts on your store.     

Rahul
Excursionist
19 1 1

I think We Found out the Solution, Just Open > Customers Section in Shopify tab, For Example the Customer Name is James James and Customer Mail is sfj9usfhuios@gmail.com Simply delete the Customer From  > Customers Section ( on Shopify Dashboard ) Now Open your website go on Log in & Register Section, Simply Register with same name ( James James ) and same gmail ( sfj9usfhuios@gmail.com ) ( of that bot is using to create Abandoned Checkouts ), and create a Strong Password, Now you'll see the bot is failed to place Abandoned Checkouts on your store.    

Ben12341
Excursionist
15 0 10

We have this same problem and have spoken to Shopify Support several times over the past few weeks.  We updated our $.00 products to $.01 and waiting to see if this temporarily took care of this bot, however we REQUIRE some of our prPify told us to download an app but we are on the Starter plan and it tells us the app is not compatiable with our version.  So they are expecting us to buy a more expensive plan AND then buy a 3rd party app!!!  In the meanwhile they are doing nothing and my customers are not happy having to call us directly.  They said they'd put our "Vote" in for Shopify Developer Team to fix this in "The Future"!!!!  Seriously????  Maybe time to drop Shopify?

 

AppMerc
Tourist
8 0 4
I got rid of the bot by simply making all items .01 instead of .00    It looks for free items.  No additional app or upgrading plan....
MJComputerGeek
Not applicable
1 0 0

So your real customers are paying one cents now?

Rahul
Excursionist
19 1 1

I think We Found out the Solution, Just Open > Customers Section in Shopify tab, For Example the Customer Name is James James and Customer Mail is sfj9usfhuios@gmail.com Simply delete the Customer From  > Customers Section ( on Shopify Dashboard ) Now Open your website go on Log in & Register Section, Simply Register with same name ( James James ) and same gmail ( sfj9usfhuios@gmail.com ) ( of that bot is using to create Abandoned Checkouts ), and create a Strong Password, Now you'll see the bot is failed to place Abandoned Checkouts on your online store.

Rahul
Excursionist
19 1 1

I think We Found out the Solution, Just Open > Customers Section in Shopify tab, For Example the Customer Name is James James and Customer Mail is sfj9usfhuios@gmail.com Simply delete the Customer From  > Customers Section ( on Shopify Dashboard ) Now Open your website go on Log in & Register Section, Simply Register with same name ( James James ) and same gmail ( sfj9usfhuios@gmail.com ) ( of that bot is using to create Abandoned Checkouts ), and create a Strong Password, Now you'll see the bot is failed to place Abandoned Checkouts on your store.   

Rahul
Excursionist
19 1 1

I think We Found out the Solution, Just Open > Customers Section in Shopify tab, For Example the Customer Name is James James and Customer Mail is sfj9usfhuios@gmail.com Simply delete the Customer From  > Customers Section ( on Shopify Dashboard ) Now Open your website go on Log in & Register Section, Simply Register with same name ( James James ) and same gmail ( sfj9usfhuios@gmail.com ) ( of that bot is using to create Abandoned Checkouts ), and create a Strong Password, Now you'll see the bot is failed to place Abandoned Checkouts on your store.

Jamie_Grove
Excursionist
35 0 53

No news to report on this yet, but I did post to Twitter for visibility. Believe it or not, constructive posts to @tobi really do end up getting eyeballs at Shopify. Hopefully that will be the base here too

 

https://twitter.com/jamiegrove/status/1757431038056312909

Rahul
Excursionist
19 1 1

I think We Found out the Solution, Just Open > Customers Section in Shopify tab, For Example the Customer Name is James James and Customer Mail is sfj9usfhuios@gmail.com Simply delete the Customer From  > Customers Section ( on Shopify Dashboard ) Now Open your website go on Log in & Register Section, Simply Register with same name ( James James ) and same gmail ( sfj9usfhuios@gmail.com ) ( of that bot is using to create Abandoned Checkouts ), and create a Strong Password, Now you'll see the bot is failed to place Abandoned Checkouts on your store.                                                  

LazerLadies
Visitor
3 0 0

Same problem here! Looks like we have been getting James James abandoned carts since January. (barely noticed them today, ugh!) Trying to contact Shopify support with no luck! I'm on their chat but not getting anywhere. I'm getting solutions for stuff that I didn't even ask for. LOL. 

 

 

Checkout.png 

LazerLadies
Visitor
3 0 0

Responses from chat support. 1. delete customer 2. download Locksmith. See screenshots....then I accidently closed the chat box.

 

 

 locksmith.pngCompromised answer.pngdelete customer.png

ArrowsAim
Excursionist
20 0 27

It sounds like this could work for James James' abandoned checkouts, which look to be created using recurring credentials. Unfortunately, the related orders made in my store were all placed with different email addresses, from different IPs, using different names, etc. These orders do share a common domain, but I imagine it's no problem for whoever is behind this to use a different one, making it difficult to prevent future orders with Locksmith (because we can't anticipate future domains to create the key conditions that would prevent orders from flowing in the first place). If I see more orders come in from @rtremail.com I might give it a shot, but it's not a viable long term fix.

 

Fraud names with IPs.png

adfuel
Excursionist
19 0 12

You and I are definitely battling the same bot.  I got all those rtremail.com spam accounts a few days ago and interestingly, James James (same email as yours too) signed up on Jan 25th as well.  I read in a thread about a similar issue a mention that a hacked app could be the culprit.  Below is a list of every app I have installed on my store.  I'd be interested to know which ones we have in common if you're willing to share.
Installed Apps:
Collabs
Etsy Inventory Integration
Parcel Panel
Rewind Backups
Fileflare DDA Digital Download
Order Printer
Stock Sync: Inventory Sync
Hextom: Bulk Product Edit
AfterSell
Usage fees
Google & YouTube
Amped: Email & SMS Popups
Collective (Retailer)
Hextom: Bulk Image Edit & SEO
Email
Tidio ‑ Live Chat & Chatbots
Shop
RetentionX
Usage fees
Statlas
Klickly Connector
Stamped Loyalty & Referrals
Pinterest
Inbox
Privacy & Compliance
Twitter
Klaviyo: Email Marketing & SMS
Fraud Filter

 

ArrowsAim
Excursionist
20 0 27

Interesting! We don't have any common apps (besides the default Shopify email app), but that doesn't mean we don't have common app developers. I'm not able to do a deep dive on that at the moment, but here are the apps we currently have installed: 

 

Alert Me! Restock Alerts

Cozy AntiTheft

Email

Event Calendar by Elfsight

Instafeed

Quicky

Seal Subscriptions

Sendle Dashboard Shipping

SPOD Print-on-Demand

Tipo Appointment Booking

 

The commonality I'm finding is $0 items, both hidden and explicitly listed, which you, I, and the OP mentioned (as well as others in threads linked above). Is it possible this bot is targeting @Shopify hosted stores, isolating websites containing $0 products, and using them to test platform vulnerability without risking/exhausting actual payment methods?

 

TEMP FIX: I've set my $0 items to "draft" and haven't seen the James James bot since. This is a temporary fix as far as I'm concerned and I don't plan on settling for removing those items from my shop permanently. I'd love to know if anyone else has found ways to pause engagement with this issue.

LazerLadies
Visitor
3 0 0

I don't see any common apps. 

We have

Variant Option Product Options

POWR Contact Form

Shopify Theme tool

AppMerc
Tourist
8 0 4

I just found this community discussion after....yup....James James hit my site today.  I just sync'd my site with the Google & YouTube as you have up there and I am wondering if this is how he found me.  Sync was done last week.  Poor James didn't want to pay shipping charges on the free product, so he abandoned checkout.  He must have a way to find things that are free.  I had uploaded some fabric (I have a quilt shop) and mistakenly didn't put the price in.  If nothing else, he helped me find that I hadn't put the price in.

Rahul
Excursionist
19 1 1

I think We Found out the Solution, Just Open > Customers Section in Shopify tab, For Example the Customer Name is James James and Customer Mail is sfj9usfhuios@gmail.com Simply delete the Customer From  > Customers Section ( on Shopify Dashboard ) Now Open your website go on Log in & Register Section, Simply Register with same name ( James James ) and same gmail ( sfj9usfhuios@gmail.com ) ( of that bot is using to create Abandoned Checkouts ), and create a Strong Password, Now you'll see the bot is failed to place Abandoned Checkouts on your store. delete customer.png

bros
Visitor
2 0 5

In my experience, deleting the customer does not stop them from leaving more abandoned carts. All it does is remove the customer name/address/email from the abandoned carts list... but the row with the abandoned cart still stays on the list and the bot continues to leave new abandoned carts. 

Rahul
Excursionist
19 1 1

I think We Found out the Solution, Just Open > Customers Section in Shopify tab, For Example the Customer Name is James James and Customer Mail is sfj9usfhuios@gmail.com Simply delete the Customer From  > Customers Section ( on Shopify Dashboard ) Now Open your website go on Log in & Register Section, Simply Register with same name ( James James ) and same gmail ( sfj9usfhuios@gmail.com ) ( of that bot is using to create Abandoned Checkouts ), and create a Strong Password, Now you'll see the bot is failed to place Abandoned Checkouts on your store. delete customer.png

Steve82
Explorer
42 0 51
Rahul
Excursionist
19 1 1

I think We Found out the Solution, Just Open > Customers Section in Shopify tab, For Example the Customer Name is James James and Customer Mail is sfj9usfhuios@gmail.com Simply delete the Customer From  > Customers Section ( on Shopify Dashboard ) Now Open your website go on Log in & Register Section, Simply Register with same name ( James James ) and same gmail ( sfj9usfhuios@gmail.com ) ( of that bot is using to create Abandoned Checkouts ), and create a Strong Password, Now you'll see the bot is failed to place Abandoned Checkouts on your store. delete customer.png

Rahul
Excursionist
19 1 1

I think We Found out the Solution, Just Open > Customers Section in Shopify tab, For Example the Customer Name is James James and Customer Mail is sfj9usfhuios@gmail.com Simply delete the Customer From  > Customers Section ( on Shopify Dashboard ) Now Open your website go on Log in & Register Section, Simply Register with same name ( James James ) and same gmail ( sfj9usfhuios@gmail.com ) ( of that bot is using to create Abandoned Checkouts ), and create a Strong Password, Now you'll see the bot is failed to place Abandoned Checkouts on your store.                                                                

Jamie_Grove
Excursionist
35 0 53

This is a simple and elegant solution. Love it!

Yvy616
Excursionist
35 0 46

ME too! I get a few abandoned checkouts a day from "James James", no use in deleting the customer as it just gets recreated every time. The people behind the chat support have basic knowledge at best and read off a script it seems, so they will have no clue on how to fix something like an advanced bot attack. This seems like a BIN attack, testing different credit card numbers until they get any that go through. I just can't believe shopify doesn't actively do something to look into this and block them. 

adfuel
Excursionist
19 0 12

For us, the bot is going crazy on our zero dollar items, so there's no payment gateway exposed for the bot to test, right?  Sounds like you know more about this stuff than I do.  I posted a list of apps I have installed above.  I'd be interested to know if we have any in common in the event one of them is the culprit.

Yvy616
Excursionist
35 0 46

I’m going by what I’ve been told by all the “ship protector” apps I’ve been talking to for help on this. The bots find a way. There’s got to be a reason why it’s looking for free products. But I’m lost too.
As far as your apps the only ones we have in common are rewind and klaviyo. And doubt it’s any of those…. Seems like it’s a Shopify vulnerability. And it started on Jan 25 for me too. Oh, and if it’s targeting free products maybe we need to price these products at $.01 to get rid of James James?

Moutasim1
Shopify Partner
4 0 1

Hey guys, did anyone find the solution for this? i tried checkout ui extensions to block user based on email or cart and checkout function to block customer if cart total cost is zero but in both cases it does not stop the bot from creating an abandoned checkout. because shopify marks the checkout abandoned once the customer is on checkout and enters its details, does not depend on either be block it or not  

is there any way we could implement some solution for Shopify plus store using apis or something

ArrowsAim
Excursionist
20 0 27

TEMP FIX: I've set my $0 items to "draft" and haven't seen the James James bot since [02/13]. This is a temporary fix as far as I'm concerned and I don't plan on settling for removing those items from my shop permanently. I'd love to know if anyone else has found ways to pause engagement with this issue.