As most people know Google and Facebook will both place automated test orders to verify shipping and other details. The names are fairly well-known and they always abandon before finalizing checkout.
We have a new friend showing up in our logs by the name of James James. The email address sfj9usfhuios@gmail.com and location is San Antonio, California 94105. This bot is trying to check out 4-5 times per day with some of our free digital printables but abandons before going through with it. I have no idea why this might be happening because these particular products are not in the direct feeds going to FB and Google, though I know the page for the product still resides in Google.
Anyway, just wondering if anyone else has had this particular name/email combo come up in their abandoned cart logs.
We’ve had 97 abandoned checkouts from James of San Antonio, CA since Jan 25th. This morning, James-bot started completing purchases for one of our free ($0.00) items, completing 14 checkouts in 12 minutes under names like “Will Will”, “Tyler Tyler” and “Yezeus Yezeus”. Each order has a different IP address, name, address, and phone number.
This seems to have escalated from abandoned checkout, but I’m wondering to what end? Is there anything particularly compromising about the situation? They can’t be blocked because they never create an acct and the IP is different every time. Shopify has been no help.
I haven’t found any additional information myself. I assume it is safe, but it seems like something worth watching. ArrowsAim below has a new wrinkle with many additional names.
Ugh! That is awful! We are still seeing 10-20 of these a day on our site. Hopefully more people will report this because the more eyeballs things like this get the more attention Shopify will give it. I’m going to @tobi on Twitter. Sometimes that raises attention behind the scenes.
No news to report on this yet, but I did post to Twitter for visibility. Believe it or not, constructive posts to @tobi really do end up getting eyeballs at Shopify. Hopefully that will be the base here too
Same problem here! Looks like we have been getting James James abandoned carts since January. (barely noticed them today, ugh!) Trying to contact Shopify support with no luck! I’m on their chat but not getting anywhere. I’m getting solutions for stuff that I didn’t even ask for. LOL.
It sounds like this could work for James James’ abandoned checkouts, which look to be created using recurring credentials. Unfortunately, the related orders made in my store were all placed with different email addresses, from different IPs, using different names, etc. These orders do share a common domain, but I imagine it’s no problem for whoever is behind this to use a different one, making it difficult to prevent future orders with Locksmith (because we can’t anticipate future domains to create the key conditions that would prevent orders from flowing in the first place). If I see more orders come in from @rtremail.com I might give it a shot, but it’s not a viable long term fix.
ME too! I get a few abandoned checkouts a day from “James James”, no use in deleting the customer as it just gets recreated every time. The people behind the chat support have basic knowledge at best and read off a script it seems, so they will have no clue on how to fix something like an advanced bot attack. This seems like a BIN attack, testing different credit card numbers until they get any that go through. I just can’t believe shopify doesn’t actively do something to look into this and block them.
You and I are definitely battling the same bot. I got all those rtremail.com spam accounts a few days ago and interestingly, James James (same email as yours too) signed up on Jan 25th as well. I read in a thread about a similar issue a mention that a hacked app could be the culprit. Below is a list of every app I have installed on my store. I’d be interested to know which ones we have in common if you’re willing to share.
Installed Apps:
Collabs
Etsy Inventory Integration
Parcel Panel
Rewind Backups
Fileflare DDA Digital Download
Order Printer
Stock Sync: Inventory Sync
Hextom: Bulk Product Edit
AfterSell
Usage fees
Google & YouTube
Amped: Email & SMS Popups
Collective (Retailer)
Hextom: Bulk Image Edit & SEO
Email
Tidio ‑ Live Chat & Chatbots
Shop
RetentionX
Usage fees
Statlas
Klickly Connector
Stamped Loyalty & Referrals
Pinterest
Inbox
Privacy & Compliance
Twitter
Klaviyo: Email Marketing & SMS
Fraud Filter
For us, the bot is going crazy on our zero dollar items, so there’s no payment gateway exposed for the bot to test, right? Sounds like you know more about this stuff than I do. I posted a list of apps I have installed above. I’d be interested to know if we have any in common in the event one of them is the culprit.
I’m going by what I’ve been told by all the “ship protector” apps I’ve been talking to for help on this. The bots find a way. There’s got to be a reason why it’s looking for free products. But I’m lost too.
As far as your apps the only ones we have in common are rewind and klaviyo. And doubt it’s any of those…. Seems like it’s a Shopify vulnerability. And it started on Jan 25 for me too. Oh, and if it’s targeting free products maybe we need to price these products at $.01 to get rid of James James?
Interesting! We don’t have any common apps (besides the default Shopify email app), but that doesn’t mean we don’t have common app developers. I’m not able to do a deep dive on that at the moment, but here are the apps we currently have installed:
Alert Me! Restock Alerts
Cozy AntiTheft
Email
Event Calendar by Elfsight
Instafeed
Quicky
Seal Subscriptions
Sendle Dashboard Shipping
SPOD Print-on-Demand
Tipo Appointment Booking
The commonality I’m finding is $0 items, both hidden and explicitly listed, which you, I, and the OP mentioned (as well as others in threads linked above). Is it possible this bot is targeting @Shopify_77 hosted stores, isolating websites containing $0 products, and using them to test platform vulnerability without risking/exhausting actual payment methods?
TEMP FIX: I’ve set my $0 items to “draft” and haven’t seen the James James bot since. This is a temporary fix as far as I’m concerned and I don’t plan on settling for removing those items from my shop permanently. I’d love to know if anyone else has found ways to pause engagement with this issue.
Hey guys, did anyone find the solution for this? i tried checkout ui extensions to block user based on email or cart and checkout function to block customer if cart total cost is zero but in both cases it does not stop the bot from creating an abandoned checkout. because shopify marks the checkout abandoned once the customer is on checkout and enters its details, does not depend on either be block it or not
is there any way we could implement some solution for Shopify plus store using apis or something
We also had a run in with James James. We use omnisend and it showed how several times a day James James is logging in straight to checkout. Shopify needs to fix this threat. Ours started Jan 15
TEMP FIX: I’ve set my $0 items to “draft” and haven’t seen the James James bot since [02/13]. This is a temporary fix as far as I’m concerned and I don’t plan on settling for removing those items from my shop permanently. I’d love to know if anyone else has found ways to pause engagement with this issue.
I have tried everything I can to escalate this with Shopify: multiple cs chats. calls, & twitter. I keep being advised to either activate captcha (which I already had) or install an app. Unfortunately, from what I’m hearing in other threads (linked above), apps designed to solve similar issues are effectively being circumnavigated and developers are telling folks that this isn’t something they can fix.
