James James and the world of Automated Abandoned Cart Robots

Jamie_Grove
Excursionist
30 0 31

Hi, folks.

 

As most people know Google and Facebook will both place automated test orders to verify shipping and other details. The names are fairly well-known and they always abandon before finalizing checkout.

 

We have a new friend showing up in our logs by the name of James James. The email address is sfj9usfhuios@gmail.com and the location is San Antonio, California 94105. This bot is trying to check out 4-5 times per day with some of our free digital printables but abandons before going through with it. I have no idea why this might be happening because these particular products are not in the direct feeds going to FB and Google, though I know the page for the product still resides in Google.

 

Anyway, just wondering if anyone else has had this particular name/email combo come up in their abandoned cart logs.

 

Thanks!

 

Jamie

 


yanninoyola
Visitor
1 0 1

Hi Jamie, I have these many times. A lot. Have you found any other information? Is it safe? 

Jamie_Grove
Excursionist
30 0 31

I haven't found any additional information myself. I assume it is safe, but it seems like something worth watching. ArrowsAim below has a new wrinkle with many additional names.

ArrowsAim
Excursionist
16 0 10

We've had 97 abandoned checkouts from James of San Antonio, CA since Jan 25th. This morning, James-bot started completing purchases for one of our free ($0.00) items, completing 14 checkouts in 12 minutes under names like "Will Will", "Tyler Tyler" and "Yezeus Yezeus". Each order has a different IP address, name, address, and phone number.

 

This seems to have escalated from abandoned checkout, but I'm wondering to what end? Is there anything particularly compromising about the situation? They can't be blocked because they never create an acct and the IP is different every time. Shopify has been no help.

 

Screenshot (349).png

Jamie_Grove
Excursionist
30 0 31

Ugh! That is awful! We are still seeing 10-20 of these a day on our site. Hopefully more people will report this because the more eyeballs things like this get the more attention Shopify will give it. I'm going to @tobi on Twitter. Sometimes that raises attention behind the scenes.

AmyShop
Tourist
4 0 1

I got hit with this today.  

 

138 Abandoned Checkouts by James James.

35 customer listings created with different rtremail.com emails.

2 orders placed for $0 items; customers "Naveen Naveen" and "Lincoln Lincoln"

 

James James account gives a fake address for San Antonio CA (no such address shows up in Google Maps) and a 415 area code phone number.

Lincoln Lincoln account gives a Lady Lake, FL address and a 510 area code phone number.

Naveen Naveen gives a Little Elm, TX address with a 916 area phone number.

 

I cancelled the orders.

I deleted all the bogus accounts.

I archived all the abandoned carts.

 

Is there anything else I can do to prevent this from happening again? Has anyone found a solution?

 

@Shopify @Victor  This seems to be a growing problem that many people are experiencing despite reCaptcha, and we shouldn't have to pay for additional services to protect our businesses.  Are there other things we can do to prevent ourselves from being targeted again?

 

 

AppMerc
New Member
6 0 0

Were the items in your abandoned shopping carts $0.00 as well?

AmyShop
Tourist
4 0 1

Yes. And "James James" returned again twice more tonight, for a total of over 450 abandoned carts in the last 12 hours or so.

AmyShop
Tourist
4 0 1

I am currently speaking with a Shopify advisor via chat, and they seem to be taking this seriously. If I learn anything useful, I will share it. Hopefully they can get to the bottom of this issue and block these bots/scammers.

AppMerc
New Member
6 0 0
It now appears that he is able to change the sell price on items to $0.00.  His abandoned carts have items that used to have a cost attached.  Our default shipping rate hits all orders that are not put in as a pick up on site.  This is why he hasn't completed any sales.
Another thing I am finding is that the 'cycle' hitting our site is around every four hours.
Yvy616
Excursionist
25 0 27
Hmmm so I wonder if he IS testing credit card numbers. I know that free items don’t need payment info entered for a customer but maybe the connection this bot has does allow him to test. And the $0 items is a way to avoid detection while testing. If a card number does end up being valid and it shows, well…he got what he wanted.

Just a theory I have.
AppMerc
New Member
6 0 0
I think he is hacking all the way around.  Imagine if he was able to hack Shopify's cc system - the sales dollars from just one day via cc's.  I do know that the item he ordered at 2:41 today DID have a price and now does not.  I had to go in and fix it.
ArrowsAim
Excursionist
16 0 10

Are you saying that the price of the item itself -not just within the sale, but in the individual product profile- was edited to ZERO after a James James & Co. checkout?

 

That sounds like a HIGH ALERT issue that needs to be on Shopify's radar asap.

AppMerc
New Member
6 0 0
Yes.  It appears so on this last one.  I'm literally going through every item on our site right now to ensure there are no more 0.00 items.  (We have nothing on there that should have a price of 0.00.)  Once I have checked them all, I will have a better handle on it and can alert Shopify.  I wish there was a report I could run that showed pricing.
AmyShop
Tourist
4 0 1

Ugh. That is all terrifying.  On the day when I got targeted, the abandoned carts came in 3 waves.

Round 1: 12:43pm - 1:10pm

Round 2: 6:52pm - 7:24pm

Round 3: 10:40pm - 11:14pm

 

I caught Round 3 WHILE it was happening, and I immediately started putting all my $0 items into draft mode, and the abandoned carts stopped immediately, and I haven't had anymore since.  

 

I have been in touch with Shopify customer service, and they have told me they are taking this seriously and are working with their developers on the issue. They recommended some of the issues we have seen others post (reCaptcha, third party apps, etc), but I told them that this thread (and the reviews for the apps they recommended) clearly show that people are not having success with those.

 

I am currently in the process of changing all of my $0 listings so that they now have a price of some kind.  This is a huge and frustrating task, but I'm not sure what else to do.

 

However, now I am concerned that even if I remove all the $0 items, I could get targeted in the way AppMerc describes above.  But, my formerly $0 items do NOT have a shipping cost attached, so I'm not sure if that makes a difference or not.

 

I'm checking my abandoned carts multiple times a day now, and nothing since 2/24, so I'm hoping I am past the attack. And I hope Shopify can figure out a way to end this once and for all so that no one else has to deal with this.

AppMerc
New Member
6 0 0
I went through EVERYTHING in our online store. There is nothing with a $0.00 price on it now. (If I were you I would put $0.01 on them.) So far....I have run him off. He was hitting about once every 4 hours. If he hits again, I will be 100% sure that he was, in fact, able to change the price.
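The pricing report AppMerc wishes for above, together with a triage of the pattern several posters describe ($0 checkouts under doubled names arriving in bursts while IPs and emails keep changing), as an added Python example that is not from any poster or from Shopify. The CSV column names, the record fields and all sample rows are constructed assumptions; map them to whatever your own export contains.

```python
import csv
import io
from datetime import datetime, timedelta
from decimal import Decimal

# Constructed product export. Column names are assumptions, not a documented format.
PRODUCTS_CSV = """Handle,Title,Variant Price,Status
quilt-fabric-a,Quilt Fabric A,0.00,active
free-printable,Free Printable,0.00,draft
mug,Mug,12.50,active
art-print,Art Print,,active
"""

# Constructed checkout records. Names echo the thread; everything else is made up.
CHECKOUTS = [
    {"name": "James James", "total": "0.00", "at": "2024-02-13T09:00:00"},
    {"name": "Will Will", "total": "0.00", "at": "2024-02-13T09:03:00"},
    {"name": "Dana Smith", "total": "0.00", "at": "2024-02-13T09:05:00"},
    {"name": "Tyler Tyler", "total": "0.00", "at": "2024-02-13T09:10:00"},
    {"name": "James James", "total": "0.00", "at": "2024-02-13T13:00:00"},
    {"name": "Lee Lee", "total": "24.00", "at": "2024-02-13T13:05:00"},
]


def zero_price_products(csv_text):
    """Handles of active products whose price is zero or was left blank."""
    exposed = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        price = (row["Variant Price"] or "").strip()
        is_free = not price or Decimal(price) == 0
        if is_free and row["Status"].strip().lower() == "active":
            exposed.append(row["Handle"])
    return exposed


def doubled_name(name):
    """True for names such as 'Will Will' (first and last name identical)."""
    parts = name.lower().split()
    return len(parts) == 2 and parts[0] == parts[1]


def flag_checkouts(records):
    """Keep $0 checkouts placed under a doubled name. IP and email are
    ignored on purpose: the thread reports they change on every attempt."""
    return [r for r in records
            if Decimal(r["total"]) == 0 and doubled_name(r["name"])]


def largest_burst(records, window=timedelta(minutes=12)):
    """Largest count of records whose timestamps fit inside one window."""
    times = sorted(datetime.fromisoformat(r["at"]) for r in records)
    best = start = 0
    for end, current in enumerate(times):
        while current - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


if __name__ == "__main__":
    print("Active products priced at zero or blank:", zero_price_products(PRODUCTS_CSV))
    flagged = flag_checkouts(CHECKOUTS)
    print(len(flagged), "flagged; largest burst:", largest_burst(flagged))
```

Blank prices are reported alongside 0.00 because the thread mentions both a product uploaded without a price and items listed as "price on request".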

Jamie_Grove
Excursionist
30 0 31

No news to report on this yet, but I did post to Twitter for visibility. Believe it or not, constructive posts to @tobi really do end up getting eyeballs at Shopify. Hopefully that will be the case here too.

 

https://twitter.com/jamiegrove/status/1757431038056312909

LazerLadies
Visitor
3 0 0

Same problem here! Looks like we have been getting James James abandoned carts since January. (barely noticed them today, ugh!) Trying to contact Shopify support with no luck! I'm on their chat but not getting anywhere. I'm getting solutions for stuff that I didn't even ask for. LOL. 

 

 

Checkout.png 

LazerLadies
Visitor
3 0 0

Responses from chat support. 1. delete customer 2. download Locksmith. See screenshots....then I accidentally closed the chat box.

 

 

locksmith.png, Compromised answer.png, delete customer.png

ArrowsAim
Excursionist
16 0 10

It sounds like this could work for James James' abandoned checkouts, which look to be created using recurring credentials. Unfortunately, the related orders made in my store were all placed with different email addresses, from different IPs, using different names, etc. These orders do share a common domain, but I imagine it's no problem for whoever is behind this to use a different one, making it difficult to prevent future orders with Locksmith (because we can't anticipate future domains to create the key conditions that would prevent orders from flowing in the first place). If I see more orders come in from @rtremail.com I might give it a shot, but it's not a viable long term fix.

 

Fraud names with IPs.png

adfuel
Excursionist
18 0 10

You and I are definitely battling the same bot.  I got all those rtremail.com spam accounts a few days ago and interestingly, James James (same email as yours too) signed up on Jan 25th as well.  I read in a thread about a similar issue a mention that a hacked app could be the culprit.  Below is a list of every app I have installed on my store.  I'd be interested to know which ones we have in common if you're willing to share.
Installed Apps:
Collabs
Etsy Inventory Integration
Parcel Panel
Rewind Backups
Fileflare DDA Digital Download
Order Printer
Stock Sync: Inventory Sync
Hextom: Bulk Product Edit
AfterSell
Usage fees
Google & YouTube
Amped: Email & SMS Popups
Collective (Retailer)
Hextom: Bulk Image Edit & SEO
Email
Tidio ‑ Live Chat & Chatbots
Shop
RetentionX
Usage fees
Statlas
Klickly Connector
Stamped Loyalty & Referrals
Pinterest
Inbox
Privacy & Compliance
Twitter
Klaviyo: Email Marketing & SMS
Fraud Filter

 

ArrowsAim
Excursionist
16 0 10

Interesting! We don't have any common apps (besides the default Shopify email app), but that doesn't mean we don't have common app developers. I'm not able to do a deep dive on that at the moment, but here are the apps we currently have installed: 

 

Alert Me! Restock Alerts

Cozy AntiTheft

Email

Event Calendar by Elfsight

Instafeed

Quicky

Seal Subscriptions

Sendle Dashboard Shipping

SPOD Print-on-Demand

Tipo Appointment Booking

 

The commonality I'm finding is $0 items, both hidden and explicitly listed, which you, I, and the OP mentioned (as well as others in threads linked above). Is it possible this bot is targeting @Shopify hosted stores, isolating websites containing $0 products, and using them to test platform vulnerability without risking/exhausting actual payment methods?

 

TEMP FIX: I've set my $0 items to "draft" and haven't seen the James James bot since. This is a temporary fix as far as I'm concerned and I don't plan on settling for removing those items from my shop permanently. I'd love to know if anyone else has found ways to pause engagement with this issue.

LazerLadies
Visitor
3 0 0

I don't see any common apps. 

We have

Variant Option Product Options

POWR Contact Form

Shopify Theme tool

AppMerc
New Member
6 0 0

I just found this community discussion after....yup....James James hit my site today.  I just sync'd my site with the Google & YouTube as you have up there and I am wondering if this is how he found me.  Sync was done last week.  Poor James didn't want to pay shipping charges on the free product, so he abandoned checkout.  He must have a way to find things that are free.  I had uploaded some fabric (I have a quilt shop) and mistakenly didn't put the price in.  If nothing else, he helped me find that I hadn't put the price in.

Steve82
Excursionist
32 0 35

Yvy616
Excursionist
25 0 27

ME too! I get a few abandoned checkouts a day from "James James", no use in deleting the customer as it just gets recreated every time. The people behind the chat support have basic knowledge at best and read off a script it seems, so they will have no clue on how to fix something like an advanced bot attack. This seems like a BIN attack, testing different credit card numbers until they get any that go through. I just can't believe Shopify doesn't actively do something to look into this and block them.

adfuel
Excursionist
18 0 10

For us, the bot is going crazy on our zero dollar items, so there's no payment gateway exposed for the bot to test, right?  Sounds like you know more about this stuff than I do.  I posted a list of apps I have installed above.  I'd be interested to know if we have any in common in the event one of them is the culprit.

Yvy616
Excursionist
25 0 27

I’m going by what I’ve been told by all the “ship protector” apps I’ve been talking to for help on this. The bots find a way. There’s got to be a reason why it’s looking for free products. But I’m lost too.
As far as your apps the only ones we have in common are rewind and klaviyo. And doubt it’s any of those…. Seems like it’s a Shopify vulnerability. And it started on Jan 25 for me too. Oh, and if it’s targeting free products maybe we need to price these products at $.01 to get rid of James James?

Moutasim1
Shopify Partner
3 0 1

Hey guys, did anyone find a solution for this? I tried checkout UI extensions to block users based on email, or a cart and checkout function to block the customer if the cart total cost is zero, but in both cases it does not stop the bot from creating an abandoned checkout, because Shopify marks the checkout as abandoned once the customer is on checkout and enters their details; it does not depend on whether we block it or not.

Is there any way we could implement some solution for a Shopify Plus store using APIs or something?

ArrowsAim
Excursionist
16 0 10

TEMP FIX: I've set my $0 items to "draft" and haven't seen the James James bot since [02/13]. This is a temporary fix as far as I'm concerned and I don't plan on settling for removing those items from my shop permanently. I'd love to know if anyone else has found ways to pause engagement with this issue.

Yvy616
Excursionist
25 0 27
That’s exactly what I did and it’s quieted since. But I also need that product active and it is a temporary fix.
adfuel
Excursionist
18 0 10

We've set all our $0 products to $1 for now and that seems to have gotten rid of James James for now.

Billherb
Visitor
1 0 0

We also had a run-in with James James. We use Omnisend and it showed how several times a day James James is logging in straight to checkout. Shopify needs to fix this threat. Ours started Jan 15.

ArrowsAim
Excursionist
16 0 10

I have tried everything I can to escalate this with Shopify: multiple CS chats, calls, & Twitter. I keep being advised to either activate captcha (which I already had) or install an app. Unfortunately, from what I'm hearing in other threads (linked above), apps designed to solve similar issues are effectively being circumnavigated and developers are telling folks that this isn't something they can fix.

azulinahome
Visitor
1 0 0

We are having the same exact issue. James James conducting abandoned checkouts 2-3x a day on all our free $0 items. I just set them all to Draft, hoping that's a temp fix.

 

Also reached out to the help desk and the best they could do was offer that I download an App. I saw the visits were mostly coming from India and Indonesia, so I blocked those countries, but James James bot persists.

 

I will note that this all started around the time we went live with our Google ads.

Jamie_Grove
Excursionist
30 0 31

Update of sorts!

 

Per several suggestions in the thread, we deleted the James James account from our system, AND we deactivated the free digital download product they were trying to purchase. So far, we haven't had a recurrence of this particular abandoned cart bot. We did NOT install any other apps so it is possible they'll be back. Either way, Shopify really needs to address this since it is happening to so many people.

joseph96
Shopify Partner
7 0 2

There is currently no specific solution to this problem, but you can try the Blockify app on the app store to minimize this.

joseph96
Shopify Partner
7 0 2
elizaRAFTP
Tourist
6 0 0

Your app does not work to block this bot. 

joseph96
Shopify Partner
7 0 2

Hi ElizaRAFTP
Recently, I researched how to prevent these types of bots, and found that many of the stores that are being spammed to create customers have in common the use of Klaviyo. We're actively working with Shopify to find the best solution to prevent this issue.

elizaRAFTP
Tourist
6 0 0

I don’t use that app. 

ArrowsAim
Excursionist
16 0 10

Klaviyo is not the commonality between shops who are being targeted by this particular bot. What each of us has experienced is that it finds shops with $0 items, hidden and visible, and goes from there.

 

If you're serious about trying to figure this out, THAT is where you need to start.

adfuel
Excursionist
18 0 10

This isn’t a place to promote your app. 

tecques
Visitor
2 0 0

I've just joined this tech help community; I do best asking questions of real humans who know more than I. Sadly, Shopify's live help line was taken away, which I strongly feel serves them, but not us. Regardless, I wanted to share my experience with visits by James James since around 1-25, the same date others have mentioned. I have no apps, and from what you all say, they prove useless anyway. Usually 2-4 visits each day, at random times, all focused, in my case, on an item listed as "price on request" (no value specified), as I'm an art dealer. This continued until last Sunday. I decided to attach a significant real price to the artwork JJ placed in the cart and visited roughly 50 times, and within hours JJ switched to another item which was price on request. About 10 visits later I gave a real price to that one, and they have not pestered me since. My fear is that they may be exploiting a vulnerability or placing some virus / malware which will be activated at a later date. Shopify should thoroughly be on this, and while the live chat tech guy I finally got tried to be helpful, it did not sound like they were committing full resources to going after this bot. Why doesn't Shopify contact its customer base to let them know what they are doing to safeguard our paid-for presence on their platform? I was born & grew up here, but it seems like American companies regularly pass the buck and do not fully support the services they sell to us. I'd really like an answer to what Shopify knows and what they are doing about JJ and other similar attacks I personally have gotten in the past, which are always under double names like JJ..... Thoughts, anyone?

Yvy616
Excursionist
25 0 27
I completely agree! The Shopify is Canadian, it’s the same thing really. I believe the customer service personnel are either low wage or just don’t care, or don’t know and just read from a script. Sometimes I feel like I’m speaking to a brick wall when contacting their support.
If enough people make a stink of this, and go to social media, or other news platforms, maybe they will respond?

L_Meeks
Visitor
1 0 1

We had the same exact issue as everyone else. James James has been gone since the 15th of February. Wonder, has anybody else seen a decline or drop in sales since the start of James James?

Michael_Alon
Visitor
2 0 1

Same issue, STEP UP SHOPIFY! Shut this down

Kary4
Visitor
2 0 1

Same thing happened to me today. Reached out to Shopify and basically they said this

 

“Thank you for your patience as we worked to investigate the issue you reported involving orders with zero totals on your shop. A select group of stores reported a similar issue. Upon investigation, it was observed that these stores had certain products listed as publicly available at no cost. It appears that a third party with potentially malicious intent discovered these free/no cost products and placed orders for them, utilizing the standard checkout process as any customer would. This third party took advantage of the information that was publicly accessible online, and there is no evidence suggesting these individuals had any unauthorized access to your store.” 

 

and also added that I need to remove any items that are classed as free as the only way to “resolve the issue”

tecques
Visitor
2 0 0

Thanks for contacting Shopify about this and sharing their updated response with us. I hope they are gone, but worry that they have left something behind since they were obviously poking around 3-4 times a day, every single day for 2-3 weeks! What would logically be the point to it...I hope some "action" does not get triggered down the line and we are left unfunctional saying "I told you so"!  I'm not particularly "tech minded", but is what I say unreasonable to be concerned about?