Re: James James and the world of Automated Abandoned Cart Robots

James James and the world of Automated Abandoned Cart Robots

Jamie_Grove
Excursionist
35 0 53

Hi, folks.

 

As most people know Google and Facebook will both place automated test orders to verify shipping and other details. The names are fairly well-known and they always abandon before finalizing checkout.

 

We have a new friend showing up in our logs by the name of James James. The email address sfj9usfhuios@gmail.com and location is San Antonio, California 94105. This bot is trying to check out 4-5 times per day with some of our free digital printables but abandons before going through with it. I have no idea why this might be happening because these particular products are not in the direct feeds going to FB and Google, though I know the page for the product still resides in Google.

 

Anyway, just wondering if anyone else has had this particular name/email combo come up in their abandoned cart logs.

 

Thanks!

 

Jamie

 

Replies 137 (137)

BackInTimez
Tourist
5 0 9

Just to help others out here. 

 

@Jamie_Grove  @MJComputerGeek  @elizaRAFTP @sassybadge  @capecalikim  

 

I too was hit with hundreds of abandoned carts almost overnight from "James James"

 

After investigations and reaching out to visitors who have been taking advantage of this I have intelligence to suggest this is what's happening:

 

  • There're "FREE PRODUCT" discords set up, which use bots to scan Shopify stores en-mass for free products denoted by any product with $0.00.

 

  • Test orders attempts then placed by the bot which has the default James James and associated address details stored within it.

 

  • From the order attempts confirming free products are available they are then categorised and listed within the Discord servers/chats as links to the free products whereby members of said discord community can browse the various industry 'categories' to find "free" products they're interested in.

 

  • Whilst some of these discord members are just interested in legitimately free products I suspect the bots and service users are also trying to capitalize on $0.00 product listing errors by site admins in the hope to grab a valuable "free" product.

I've coded some additional bits to prevent this on my own site but I won't detail here to avoid giving info anywhere for bots to update. + My setup case will be different to other stores.

 

But I thought I'd post the above here so people have more of an understanding about why this is happening.

 

elizaRAFTP
Tourist
10 0 16

Thanks for looking into this. Our “free” products are locked to the public and only approved customers with logins can access them.  James James never actually reaches checkout, only abandoned orders. If the bot is posting links to our free products on Discord, people should still not be able to get access to them unless they are also somehow bypassing our store like the bot. The bot is not “visiting the store” like a normal customer they are somehow getting into the back end and adding products to a cart directly, there is no way they could have access to otherwise. Nothing we have tried to block this bot from doing this has worked so far. 

BackInTimez
Tourist
5 0 9

The bot won't visit the store like a normal user, they will be scanning (iterating through) your Shopify site's directory trees and product listings en-mass. Especially since 90% of Shopify sites use the same core product hierarchy.. 

 

Then it will drop A link direct to the product itself which (speculating now) is likely a variation of the abandon-cart url the James James bot picked up upon it's cart loading of products and it'll likely replace a product ID with one of the free one's it's found on your site enabling visitors to bypass going via the front page of the site entirely.

 

It doesn't matter if they are "locked to the public' or not, if the product is LIVE (ie not in Draft) it will have a shopify handle and url attached to it which is what the bot is exploiting. 

 

Forget any notion of a bot scrolling through your site like a normal human - that's not what's happening here.

ApplecrossGal
Tourist
7 0 1

What would happen if we create a draft order for James James with an actual paid-for product (I appreciate the bot has multiple email addresses but it is only using one on our site) When it goes to the cart page the cart will not be empty and it will have to process the draft order first. Could this be a temporary fix?

 

 

BackInTimez
Tourist
5 0 9

I think it' unlikely to work since cookie for abandon cart is stored on users machine via browser so (AFAIK) there's no easy way to force a custom session (what your suggestion essentially is) back to the user session cookie without some hackery.

 

ArrowsAim
Excursionist
20 0 27

This issue has also affected items with a value over $0 (this did not happen to me, I disabled my $0 items when actual orders first started coming through). From another thread on this same topic: 

 

1000016068.jpg

 

Ben12341
Excursionist
15 0 10

Hi, we would all be so greatful if you would share your coding fix with Shopify since they cannot seem to figure it out themselves.  

Yvy616
Excursionist
35 0 46
Thank you!!!! That makes so much sense and sheds light on this. Now if only Shopify would prevent this…so I can put the product live again.

Yvy616
Excursionist
35 0 46

Hi it's been a bit quiet but wanted to share a new experience. Though I have not seen James James abandoning checkout since I turned the free item into draft mode. Since last Wednesday, I am now seeing a lot of abandoned orders for my next cheaper product (around $13) About 3 a day, all with same fake address "Street 10 Apt 2" with different cities/states. In this case the name does not equal last name, they "Seem" legit at first.

Anyone else? This is a never ending battle...Names all seem Portuguese  (or Brazilian, I don't know)

Yvy616_0-1713209855912.png

One thing I did just notice: I had disabled Shop Pay a couple of months ago for other reasons. Still use shopify payments but not the "ShopPay" (that helps speed checkout). I just turned it back on Tuesday, end of day, and this started Wednesdsay morning. Either it's a coincidence, or this activity is linked to ShopPay.

 

Stakeholder
Excursionist
23 0 4

[User Deleted Post]

Yvy616
Excursionist
35 0 46
I don’t know if they are attempting payment (how can I see if they’ve gone that far in checkout?) yes it most likely is credit card number checking, but I found curious is they may be using shoppay as their means to attempt this.
BackInTimez
Tourist
5 0 9
  • Go into the abandoned order/cart section of orders.
  • Go into the abandoned order in question
  • At the bottom of that page will have a timeline of events.

 

If payment has been attempted you'll see some red text along the lines of  [Unable to process a payment for $13.00 USD using a CreditCard info here]

Yvy616
Excursionist
35 0 46

Oh I had checked there, it does show a failed attempt (invalid card umber, insufficient funds, card expired) on a fewof them, but shows nothing at all on the rest of them.

BackInTimez
Tourist
5 0 9

Are they attempting payment on these? 

 

Could be rogue user (or bot) attempts to verify stolen / fraudulent CCs before making larger payment amounts or enabling them to sell-on the CC information as "Verified working" which commands a higher price on the black market. 

 

Using the lowest priced item is a way to avoid red flags on stolen CC's as banks often immediately stop one off unusually high payment amounts AND/OR a way to verify stolen CC information where small purchase amount is likely to fly under the real owners radar on bank statements thus preventing real owner cancelling card/reporting to their bank.

BrittanyC
Visitor
2 0 4

our shop started experiencing a spike in bot/fake abandoned cart checkouts mid-February 2024. I installed the app Blocky to block countries and IP addresses, which only goes so far since the abandoned carts don't have IP addresses associated.  We get about 20/day of fake/abandoned checkouts with 1-2 credit card attempts. One checkout actually went through but was fraudulent, we had to cancel and refund, which we then incur processing fees on! The bots are creating customer accounts with fake email and home addresses. It's absolutely shocking to us how this is happening all of a sudden and doesn't seem to stop. Where is Shopify's help?!

Steve82
Explorer
43 0 51

It appears shopify does not want to put out the fire until the house is fully engulfed in flames. It is not like everyone could obviously see that this bot was just the start with more nefarious intent coming at a later time. FIX IT SHOPIFY!!

Fine Art Landscapes - Sawusch Photography - USScenics.com
ALexDEWEN
Visitor
1 0 0

Hi, how is it now on your store? dose the robot stop? Thanks.   The robots visits our store for about a week and left lots of ATC and abandoned checkout, and Shopify support can't do anything to help.

MDPC
Tourist
4 0 1

Our store is currently being plagued with bot generated abandoned baskets. 

We currently get roughly 1 every minute so it's a big problem.

I've spoken with Shopify multiple times about it and there isn't anything they can do other than say 'We will add it to the feature requests' or 'here is an app' neither of which are helpful.

 

Our abandoned carts are all for priced products and have rubbish@yopmail.com as the  email address. 

 

The worrying thing here is these cause problems in other areas that we have to mitigate.

 

We use klaviyo and these abandoned carts have created 50,000 fake profiles that we have had to suppress via a segment but this isn't ideal as it's can't be automated.

 

Furthermore, and this is my biggest problem at the moment, is that Shopify have confirmed to me that that these bot abandoned checkouts are being counted as a session (in shopify analytics) by them so that will be pulling conversion rate down for anyone with the issue.

 

I've not confirmed if they are being passed into GA4 but I think that is the only hope of segregating them although I'm not sure how at this moment.

 

Poor show Shopify.

ApplecrossGal
Tourist
7 0 1
Try creating a draft order will a full priced product in the basket of the bots email address. It will block their ability to checkout or leave a zero priced product abandoned cart.
MDPC
Tourist
4 0 1

Thanks for the advice. I'll take a look but I think because the email address is always a random string in front of the @yopmail.com then I won't be able to block the customer email. 

 

Worth a play though!

ApplecrossGal
Tourist
7 0 1
It worked for us.
MDPC
Tourist
4 0 1

Ok even with a random email address for each checkout? Did you then block that specific email? 

 

We are getting too many to create draft orders each time and if I create an draft order for 123@yopmail.com how will that stop abc@yopmail.com ?

 

Thanks for your help.

ApplecrossGal
Tourist
7 0 1
We had the abandon carts from only one james james email address. We thought more addresses would follow but we created the draft order for the single email and we had no more trouble. I appreciate it might not work for you but if you can fill the malevolent bots’ baskets you can disable them. It might help you to come up with a lateral thinking solution.
MDPC
Tourist
4 0 1

Yeah my problem is slightly more troublesome it seems. Unless I can do something that prevents @yopmail.com then it won't work. I was thinking about seeing if I could create a flow of some description to mange them but abandoned cart data isn't available in Flows but that still wouldn't work as the next bot cart is always on a new email. 

 

Shopify utterly useless.

ApplecrossGal
Tourist
7 0 1
Shopify needs to block these bots. Keep agitating
Aaron2024
Excursionist
20 0 18

The only wauy to stop this is activate log in required before check out. Ive spoke to Shopify 7 times and they are clueless and not doing anything about it. Its a joke, so frustrating... Im ready to leave the platform. 

lsafy09
New Member
5 0 0

Does anyone know the rationale for doing this. I have the same as well and have to block via fraud filter but each time its a new ip and or email. So argavating

 

Steve82
Explorer
43 0 51

It is testing the system, trying to find holes or there are going to be additional waves as a variation that are nefarious. Need to think like a hacker.

- Trying to find holes where they can access/intercept financial data

- If you have a bot network, you could try to ddos the shopify network

- If you have a large list of stolen credit cards, you can test them this way (and sites would have to pay the cc fees)

- Foreign country trying to put a economic hit on a country that use shopify (mostly the US) by running a ton of fake transactions and having the sites refund/cancel but have to eat the cc fees. This can put companies out of business if they can do it at a large enough scale. I am firmly against cc fees no longer being refunded.

- Massively short the stock, attack shopify, make the news, stock price drops, make millions

Dont forget, this is an election year in the US. There are countries working on digitally harming the US.

 

Fine Art Landscapes - Sawusch Photography - USScenics.com

KristenDScott
Excursionist
35 1 54

Wow, I just did a search for James James and found this group. I am using BoostMark to try and block this bot. If anyone wants to try it, I hope it helps. I was going to just leave "him" alone until I found this group, and now I've blocked both the name and the email address. You can even go as granular as the IP address if you want with this app. Hope this info helps, and I really hope Shopify will take this seriously and get that bot shut down.

Aaron2024
Excursionist
20 0 18

Shopify platform is taking a big hit. Now the issue is with bots testing credit cards. If you are a Shopify site you are a sitting duck because Shopify is doing absolutely nothing to stop this. They are definitely negligent I'm the matter and not taking steps to combat this illegal fraud. You can change check out to require the customer to log in before check out which will stop the bot but will kill conversions. I've spoke to Shopify 4 times and they offer no options except they are working on it. I'd probably never set up on Shopify if I knew about this. I had Magento with invisible Google captchas and never had an issue. What a joke!

ApplecrossGal
Tourist
7 0 1

Looks like a temporary fix has been rolled out to Shopify Plus stores. It's obviously impacting sales as they are suggesting you run it for an hour during a flash sale 😆 https://help.shopify.com/en/manual/checkout-settings/bot-protection

 

Yvy616
Excursionist
35 0 46
So they’re only looking to help Shopify Plus….?
ApplecrossGal
Tourist
7 0 1

I'm sure they will roll it out to everyone in due course. Probably makes sense to sort the highest paying customers first. From what I can see it is only a 1 hour fix, not a permanent fix. Sounds like they still have some way to go. Not sure why they don't just roll back this create account URL which seems to be at the route of the issue. It sounds like a security nightmare. 

Yvy616
Excursionist
35 0 46
Not sure if that will work as a lot of these bots don’t create an account at the create account url but go straight to checkout and the account just gets created as a byproduct of the checkout attempt.
Aaron2024
Excursionist
20 0 18

This is correct. Alot of bots are credit card testing. So they are testing to see if credit cards work on Shopify stores since there isn't much we can do except require customer to log in before checkout which is terrible for conversions. Bots are automated so Google captchas usually stop them. Shopify can implement captcha at check out from what I understand but only for Plus customers.  Shopify is becoming a worse option for new stores and I would recommend looking for a platform with better security options or you can control the check out code. 

Aaron2024
Excursionist
20 0 18

They need to add a captcha option at check out. Otherwise bots will keep targeting all shopify stores. I will not recommend Shopify to any one until this is fixed. Bots are credit card testing now this not only ruins your metrics but Google may see it as abandoned cart transactions which may go against your rankings etc. Shopify is absolutely doing nothing to fix it. It's also possible you can lose your merchant account (credit card processing) for allowing this to occur. It's really frustrating you can't reach any one at Shopify that actually has a clue and their phone reps just tell you the same script. 

adfuel
Excursionist
19 0 12

I don't think this will help the issue being discussed here.  This feature is meant to protect stores with limited drops from scalpers that are actually checking out, not spamming customer account forms.

Rahul
Excursionist
19 1 1

I think We Found out the Solution, Just Open > Customers Section in Shopify tab, For Example the Customer Name is James James and Customer Mail is sfj9usfhuios@gmail.com Simply delete the Customer From  > Customers Section ( on Shopify Dashboard ) Now Open your website go on Log in & Register Section, Simply Register with same name ( James James ) and same gmail ( sfj9usfhuios@gmail.com ) ( of that bot is using to create Abandoned Checkouts ), and create a Strong Password, Now you'll see the bot is failed to place Abandoned Checkouts on your store.