Discuss and resolve questions on Liquid, JavaScript, themes, sales channels, and site speed enhancements.
Hi, folks.
As most people know Google and Facebook will both place automated test orders to verify shipping and other details. The names are fairly well-known and they always abandon before finalizing checkout.
We have a new friend showing up in our logs by the name of James James. The email address sfj9usfhuios@gmail.com and location is San Antonio, California 94105. This bot is trying to check out 4-5 times per day with some of our free digital printables but abandons before going through with it. I have no idea why this might be happening because these particular products are not in the direct feeds going to FB and Google, though I know the page for the product still resides in Google.
Anyway, just wondering if anyone else has had this particular name/email combo come up in their abandoned cart logs.
Thanks!
Jamie
Just to help others out here.
@Jamie_Grove @MJComputerGeek @elizaRAFTP @sassybadge @capecalikim
I too was hit with hundreds of abandoned carts almost overnight from "James James"
After investigations and reaching out to visitors who have been taking advantage of this I have intelligence to suggest this is what's happening:
I've coded some additional bits to prevent this on my own site but I won't detail here to avoid giving info anywhere for bots to update. + My setup case will be different to other stores.
But I thought I'd post the above here so people have more of an understanding about why this is happening.
Thanks for looking into this. Our “free” products are locked to the public and only approved customers with logins can access them. James James never actually reaches checkout, only abandoned orders. If the bot is posting links to our free products on Discord, people should still not be able to get access to them unless they are also somehow bypassing our store like the bot. The bot is not “visiting the store” like a normal customer they are somehow getting into the back end and adding products to a cart directly, there is no way they could have access to otherwise. Nothing we have tried to block this bot from doing this has worked so far.
The bot won't visit the store like a normal user, they will be scanning (iterating through) your Shopify site's directory trees and product listings en-mass. Especially since 90% of Shopify sites use the same core product hierarchy..
Then it will drop A link direct to the product itself which (speculating now) is likely a variation of the abandon-cart url the James James bot picked up upon it's cart loading of products and it'll likely replace a product ID with one of the free one's it's found on your site enabling visitors to bypass going via the front page of the site entirely.
It doesn't matter if they are "locked to the public' or not, if the product is LIVE (ie not in Draft) it will have a shopify handle and url attached to it which is what the bot is exploiting.
Forget any notion of a bot scrolling through your site like a normal human - that's not what's happening here.
What would happen if we create a draft order for James James with an actual paid-for product (I appreciate the bot has multiple email addresses but it is only using one on our site) When it goes to the cart page the cart will not be empty and it will have to process the draft order first. Could this be a temporary fix?
I think it' unlikely to work since cookie for abandon cart is stored on users machine via browser so (AFAIK) there's no easy way to force a custom session (what your suggestion essentially is) back to the user session cookie without some hackery.
This issue has also affected items with a value over $0 (this did not happen to me, I disabled my $0 items when actual orders first started coming through). From another thread on this same topic:
Hi, we would all be so greatful if you would share your coding fix with Shopify since they cannot seem to figure it out themselves.
Hi it's been a bit quiet but wanted to share a new experience. Though I have not seen James James abandoning checkout since I turned the free item into draft mode. Since last Wednesday, I am now seeing a lot of abandoned orders for my next cheaper product (around $13) About 3 a day, all with same fake address "Street 10 Apt 2" with different cities/states. In this case the name does not equal last name, they "Seem" legit at first.
Anyone else? This is a never ending battle...Names all seem Portuguese (or Brazilian, I don't know)
One thing I did just notice: I had disabled Shop Pay a couple of months ago for other reasons. Still use shopify payments but not the "ShopPay" (that helps speed checkout). I just turned it back on Tuesday, end of day, and this started Wednesdsay morning. Either it's a coincidence, or this activity is linked to ShopPay.
[User Deleted Post]
If payment has been attempted you'll see some red text along the lines of [Unable to process a payment for $13.00 USD using a CreditCard info here]
Oh I had checked there, it does show a failed attempt (invalid card umber, insufficient funds, card expired) on a fewof them, but shows nothing at all on the rest of them.
Are they attempting payment on these?
Could be rogue user (or bot) attempts to verify stolen / fraudulent CCs before making larger payment amounts or enabling them to sell-on the CC information as "Verified working" which commands a higher price on the black market.
Using the lowest priced item is a way to avoid red flags on stolen CC's as banks often immediately stop one off unusually high payment amounts AND/OR a way to verify stolen CC information where small purchase amount is likely to fly under the real owners radar on bank statements thus preventing real owner cancelling card/reporting to their bank.
our shop started experiencing a spike in bot/fake abandoned cart checkouts mid-February 2024. I installed the app Blocky to block countries and IP addresses, which only goes so far since the abandoned carts don't have IP addresses associated. We get about 20/day of fake/abandoned checkouts with 1-2 credit card attempts. One checkout actually went through but was fraudulent, we had to cancel and refund, which we then incur processing fees on! The bots are creating customer accounts with fake email and home addresses. It's absolutely shocking to us how this is happening all of a sudden and doesn't seem to stop. Where is Shopify's help?!
It appears shopify does not want to put out the fire until the house is fully engulfed in flames. It is not like everyone could obviously see that this bot was just the start with more nefarious intent coming at a later time. FIX IT SHOPIFY!!
Hi, how is it now on your store? dose the robot stop? Thanks. The robots visits our store for about a week and left lots of ATC and abandoned checkout, and Shopify support can't do anything to help.
Our store is currently being plagued with bot generated abandoned baskets.
We currently get roughly 1 every minute so it's a big problem.
I've spoken with Shopify multiple times about it and there isn't anything they can do other than say 'We will add it to the feature requests' or 'here is an app' neither of which are helpful.
Our abandoned carts are all for priced products and have rubbish@yopmail.com as the email address.
The worrying thing here is these cause problems in other areas that we have to mitigate.
We use klaviyo and these abandoned carts have created 50,000 fake profiles that we have had to suppress via a segment but this isn't ideal as it's can't be automated.
Furthermore, and this is my biggest problem at the moment, is that Shopify have confirmed to me that that these bot abandoned checkouts are being counted as a session (in shopify analytics) by them so that will be pulling conversion rate down for anyone with the issue.
I've not confirmed if they are being passed into GA4 but I think that is the only hope of segregating them although I'm not sure how at this moment.
Poor show Shopify.
Thanks for the advice. I'll take a look but I think because the email address is always a random string in front of the @yopmail.com then I won't be able to block the customer email.
Worth a play though!
Ok even with a random email address for each checkout? Did you then block that specific email?
We are getting too many to create draft orders each time and if I create an draft order for 123@yopmail.com how will that stop abc@yopmail.com ?
Thanks for your help.
Yeah my problem is slightly more troublesome it seems. Unless I can do something that prevents @yopmail.com then it won't work. I was thinking about seeing if I could create a flow of some description to mange them but abandoned cart data isn't available in Flows but that still wouldn't work as the next bot cart is always on a new email.
Shopify utterly useless.
The only wauy to stop this is activate log in required before check out. Ive spoke to Shopify 7 times and they are clueless and not doing anything about it. Its a joke, so frustrating... Im ready to leave the platform.
Does anyone know the rationale for doing this. I have the same as well and have to block via fraud filter but each time its a new ip and or email. So argavating
It is testing the system, trying to find holes or there are going to be additional waves as a variation that are nefarious. Need to think like a hacker.
- Trying to find holes where they can access/intercept financial data
- If you have a bot network, you could try to ddos the shopify network
- If you have a large list of stolen credit cards, you can test them this way (and sites would have to pay the cc fees)
- Foreign country trying to put a economic hit on a country that use shopify (mostly the US) by running a ton of fake transactions and having the sites refund/cancel but have to eat the cc fees. This can put companies out of business if they can do it at a large enough scale. I am firmly against cc fees no longer being refunded.
- Massively short the stock, attack shopify, make the news, stock price drops, make millions
Dont forget, this is an election year in the US. There are countries working on digitally harming the US.
Wow, I just did a search for James James and found this group. I am using BoostMark to try and block this bot. If anyone wants to try it, I hope it helps. I was going to just leave "him" alone until I found this group, and now I've blocked both the name and the email address. You can even go as granular as the IP address if you want with this app. Hope this info helps, and I really hope Shopify will take this seriously and get that bot shut down.
Shopify platform is taking a big hit. Now the issue is with bots testing credit cards. If you are a Shopify site you are a sitting duck because Shopify is doing absolutely nothing to stop this. They are definitely negligent I'm the matter and not taking steps to combat this illegal fraud. You can change check out to require the customer to log in before check out which will stop the bot but will kill conversions. I've spoke to Shopify 4 times and they offer no options except they are working on it. I'd probably never set up on Shopify if I knew about this. I had Magento with invisible Google captchas and never had an issue. What a joke!
Looks like a temporary fix has been rolled out to Shopify Plus stores. It's obviously impacting sales as they are suggesting you run it for an hour during a flash sale 😆 https://help.shopify.com/en/manual/checkout-settings/bot-protection
I'm sure they will roll it out to everyone in due course. Probably makes sense to sort the highest paying customers first. From what I can see it is only a 1 hour fix, not a permanent fix. Sounds like they still have some way to go. Not sure why they don't just roll back this create account URL which seems to be at the route of the issue. It sounds like a security nightmare.
This is correct. Alot of bots are credit card testing. So they are testing to see if credit cards work on Shopify stores since there isn't much we can do except require customer to log in before checkout which is terrible for conversions. Bots are automated so Google captchas usually stop them. Shopify can implement captcha at check out from what I understand but only for Plus customers. Shopify is becoming a worse option for new stores and I would recommend looking for a platform with better security options or you can control the check out code.
They need to add a captcha option at check out. Otherwise bots will keep targeting all shopify stores. I will not recommend Shopify to any one until this is fixed. Bots are credit card testing now this not only ruins your metrics but Google may see it as abandoned cart transactions which may go against your rankings etc. Shopify is absolutely doing nothing to fix it. It's also possible you can lose your merchant account (credit card processing) for allowing this to occur. It's really frustrating you can't reach any one at Shopify that actually has a clue and their phone reps just tell you the same script.
I don't think this will help the issue being discussed here. This feature is meant to protect stores with limited drops from scalpers that are actually checking out, not spamming customer account forms.
I think We Found out the Solution, Just Open > Customers Section in Shopify tab, For Example the Customer Name is James James and Customer Mail is sfj9usfhuios@gmail.com Simply delete the Customer From > Customers Section ( on Shopify Dashboard ) Now Open your website go on Log in & Register Section, Simply Register with same name ( James James ) and same gmail ( sfj9usfhuios@gmail.com ) ( of that bot is using to create Abandoned Checkouts ), and create a Strong Password, Now you'll see the bot is failed to place Abandoned Checkouts on your store.
We want to take a moment to celebrate the incredible ways you all engage with the Shopi...
By JasonH Oct 15, 2024Starting a B2B store is a big undertaking that requires careful planning and execution. W...
By JasonH Sep 23, 2024By investing 30 minutes of your time, you can unlock the potential for increased sales,...
By Jacqui Sep 11, 2024