Support » Plugin: WooCommerce » Failed Orders – Fake Information

  • Resolved mywebmaestro

    (@mywebmaestro)


    This morning I had several clients report they’ve been seeing “failed orders” in their stores, where the payment failed and the info was obviously fake. (See below.) I haven’t found any reference to this online yet, but wanted to know if there’s a way to determine if this is a general software spam attack against woocommerce stores overall, or something specific to sites on my server. Has anyone else here seen this? Or is there some way I can determine more information and/or protect against it?

    Order info:
    bbbbb bbbbb
    bbbbb
    74 xxxxxxx Rd
    xxxxxxx
    EX14 5HN
    United Kingdom (UK)
    xxx xxxx xxxx
    xxxxx@abbuzz.com (another one used xxxxx@abbuzz.com)

Viewing 15 replies - 121 through 135 (of 159 total)
  • celsta

    (@celsta)

    Another thanks here @wigster

    But could you please tell us how to add more emails or order names if we want to block more fake orders from different email addresses ?

    thanks again for your help !

    ewing1440

    (@ewing1440)

    Yes, thanks mywebmaestro for the post with the detail, I’ve had multiple such “failed” transactions with the same bogus info. Thanks also to the folks who have posted suggestions.

    wigster

    (@wigster)

    @celsta Currently there’s no extra functionality in my plugin for that kind of thing.
    I will try and update it manually for the moment if the spam orders change. When the WordPress team have accepted my plugin into their official plugin network I will begin adding further dynamic functionality.

@mvenkadesan those settings will allow account creation; some of us here have all those options unchecked and still got user accounts created.

    wpstack92

    (@wpstack92)

    @madjax

    Thanks for the link on how to find the logs… I got it but don’t want to make it public here. Is there a way to PM or e-mail you the relevant part?

    Thanks!

    madjax

    (@madjax)

    @wpstack92 you can email me here – https://jacksonwhelan.com/contact/ – and send a link to Dropbox, Google Drive – whatever to download.

    wpstack92

    (@wpstack92)

    @madjax

    Done.

    mvenkadesan

    (@mvenkadesan)

    @madjax : Thank you for the clarification. One question: how do I find logs for an AWS LightSail Bitnami instance of WordPress?

    mvenkadesan

    (@mvenkadesan)

    @wigster : I would suggest the following modification of your plugin’s code so that it blocks domains in a case-insensitive manner and also allows multiple domains to be added easily as an array.

    if ( ! defined( 'ABSPATH' ) ) {
        exit; // Exit if accessed directly
    }
    /**
     * Check if WooCommerce is active
     **/
    if ( in_array( 'woocommerce/woocommerce.php', apply_filters( 'active_plugins', get_option( 'active_plugins' ) ) ) ) {
        add_action( 'woocommerce_after_checkout_validation', 'block_spam_checkout', 10, 2 );

        function block_spam_checkout( $fields, $errors ) {
            // Entries may be written in any case; everything is compared in lower case.
            $blacklisted_domains = array(
                "abbuzz.com",
                "example.com"
            );
            // Take the part after the last "@" and compare it as a whole domain.
            // A substring search (stripos) would also reject e.g. notabbuzz.com
            // or abbuzz.com.example.org, and returns 0 (falsy) for a match at offset 0.
            $email  = strtolower( trim( (string) ( $fields['billing_email'] ?? '' ) ) );
            $at     = strrpos( $email, '@' );
            $domain = ( false === $at ) ? '' : substr( $email, $at + 1 );
            $is_bad = ( '' !== $domain ) && in_array( $domain, array_map( 'strtolower', $blacklisted_domains ), true );
            if ( $is_bad ) {
                $errors->add( 'validation', 'Spam attempt.' );
            }
        }
    }
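As an added example (not code from this thread, from @wigster’s plugin or from WooCommerce itself), the mu-plugin below extends the domain check above to the three things people in this thread have asked to block: exact addresses, whole domains, and names made of one repeated character like the “bbbbb bbbbb” in the first post. It also records the rejecting request’s IP in the WooCommerce log (WooCommerce > Status > Logs, source “spam-orders”) so it can be matched against the web-server access log, and applies the same e-mail check to the registration form on the My Account page. It assumes the standard wp-content/mu-plugins/ directory and WooCommerce 3.x or later; every list entry other than abbuzz.com is a placeholder.

```php
<?php
/**
 * Plugin Name: Spam order blocklist (added example)
 *
 * Added example for this support thread; not code from @wigster's plugin or
 * from WooCommerce. Assumes the usual wp-content/mu-plugins/ directory and
 * WooCommerce 3.x or later. Every list entry except abbuzz.com is a placeholder.
 */
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

const SPAM_ORDER_EMAILS  = array( 'someone@abbuzz.com' );         // placeholder address
const SPAM_ORDER_DOMAINS = array( 'abbuzz.com', 'example.com' );  // example.com is a placeholder
// A name consisting only of words that are one character repeated three or
// more times, such as "bbbbb bbbbb" in the first post of the thread.
const SPAM_ORDER_NAME_RE = '/^(?:\s*(\w)\1{2,})+\s*$/u';

/**
 * Return why a submission matches the blocklist, or '' if it does not.
 * Free of WordPress calls so it can be exercised on its own.
 */
function spam_order_reason( $email, $first_name = '', $last_name = '' ) {
    $email  = strtolower( trim( (string) $email ) );
    $at     = strrpos( $email, '@' );
    $domain = ( false === $at ) ? '' : substr( $email, $at + 1 );

    if ( in_array( $email, array_map( 'strtolower', SPAM_ORDER_EMAILS ), true ) ) {
        return 'blocked address';
    }
    // Compare the whole domain: a substring test would also reject
    // notabbuzz.com or abbuzz.com.example.org.
    if ( '' !== $domain && in_array( $domain, array_map( 'strtolower', SPAM_ORDER_DOMAINS ), true ) ) {
        return 'blocked domain';
    }
    foreach ( array( $first_name, $last_name ) as $name ) {
        $name = trim( (string) $name );
        if ( '' !== $name && preg_match( SPAM_ORDER_NAME_RE, $name ) ) {
            return 'repeated-character name';
        }
    }
    return '';
}

/** Record the rejection and the client IP under WooCommerce > Status > Logs, source "spam-orders". */
function spam_order_log( $reason, $email ) {
    if ( ! function_exists( 'wc_get_logger' ) ) {
        return;
    }
    $ip = class_exists( 'WC_Geolocation' ) ? WC_Geolocation::get_ip_address() : ( $_SERVER['REMOTE_ADDR'] ?? '' );
    wc_get_logger()->warning(
        sprintf( 'Rejected %s (%s) from %s via %s',
            sanitize_text_field( $email ), $reason, $ip, sanitize_text_field( $_SERVER['REQUEST_URI'] ?? '' ) ),
        array( 'source' => 'spam-orders' )
    );
}

// Checkout form: $data holds the posted billing fields, $errors is a WP_Error.
add_action( 'woocommerce_after_checkout_validation', function ( $data, $errors ) {
    $email  = $data['billing_email'] ?? '';
    $reason = spam_order_reason( $email, $data['billing_first_name'] ?? '', $data['billing_last_name'] ?? '' );
    if ( '' !== $reason ) {
        spam_order_log( $reason, $email );
        $errors->add( 'validation', 'Sorry, this order could not be placed.' );
    }
}, 10, 2 );

// Registration form on the My Account page (the /my-account/ URL discussed in this thread).
add_action( 'woocommerce_register_post', function ( $username, $email, $errors ) {
    $reason = spam_order_reason( $email );
    if ( '' !== $reason ) {
        spam_order_log( $reason, $email );
        $errors->add( 'registration-error', 'Registration is not available.' );
    }
}, 10, 3 );
```

A blocklist only stops the exact patterns seen so far, and nothing in this thread explains how accounts were still created with registration switched off, so the logging matters as much as the blocking: when the e-mail domain or name pattern changes, the log entries (with the IP and the request URL) are what show it.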

    madjax

    (@madjax)

    @wpstack92 got it thanks – it looks like they were hitting /my-account/ – but you’re saying you had all these settings unchecked at the time?

    WP Settings > General
    “Anyone can register” ?

    WooCommerce Settings > Accounts & Privacy
    “Allow customers to create an account during checkout” ?
    “Allow customers to create an account on the “My account” page” ?

    Alberto

    (@albiob)

    @madjax

    I have all those settings unchecked, but they successfully managed to create the fake order and the fake user.

    Carike

    (@carike)

    I have read about half of the pages on this thread, so I may have missed things.
    I suspect that reCAPTCHA may not protect against this issue.
    Until the source of the issue is found, I would recommend restricting shipping addresses to places that the websites actually ship to. Of course, this would not help people who ship world-wide, or who want to sell digital goods anywhere, but it should help a significant percentage of sites.

    @carike I agree, wish I was able to recreate it

    davetgreen

    (@davetgreen)

    Just FYI, I posted a bit of an analysis further back here:
    https://wordpress.org/support/topic/failed-orders-fake-information/page/8/#post-13611713

    it was initially held for moderation, but seems to have been approved now.

    tapaway

    (@tapaway)

    Does anyone know the IP#(s) that is being used?
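To answer the question about source IPs from your own logs, and to confirm the /my-account/ hits @madjax describes, here is an added example (not from this thread or from WooCommerce) that summarises which client IPs are POSTing to the My Account page and to the checkout endpoint, read from an Apache/nginx “combined”-format access log. It assumes that WooCommerce submits the checkout form to /?wc-ajax=checkout (standard behaviour), that the log is in combined format, and that the first field is the real client IP; the six log lines embedded in it are constructed sample data using RFC 5737 test addresses.

```php
<?php
/**
 * Added example, not from the thread or from WooCommerce: list the client IPs that
 * POST to the WooCommerce My Account page and checkout endpoint, from an
 * Apache/nginx "combined" format access log.
 * Usage:  php spam-ips.php /path/to/access_log
 * Without an argument it runs on the constructed sample below (RFC 5737 test IPs).
 */

$sample_log = <<<'LOG'
203.0.113.7 - - [12/Nov/2019:04:02:11 +0000] "GET /my-account/ HTTP/1.1" 200 18234 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Nov/2019:04:02:13 +0000] "POST /my-account/ HTTP/1.1" 302 0 "-" "python-requests/2.22.0"
203.0.113.7 - - [12/Nov/2019:04:02:20 +0000] "POST /?wc-ajax=checkout HTTP/1.1" 200 512 "-" "python-requests/2.22.0"
198.51.100.23 - - [12/Nov/2019:09:15:02 +0000] "GET /shop/ HTTP/1.1" 200 40210 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Nov/2019:09:16:40 +0000] "POST /?wc-ajax=checkout HTTP/1.1" 200 498 "https://shop.example/checkout/" "Mozilla/5.0"
203.0.113.7 - - [12/Nov/2019:04:03:01 +0000] "POST /my-account/ HTTP/1.1" 302 0 "-" "python-requests/2.22.0"
LOG;

// Endpoints worth watching: the registration/login form on the My Account page,
// and the URL the WooCommerce checkout form is submitted to.
$watched = array(
    'my-account' => '#^/my-account/?(\?|$)#',
    'checkout'   => '#[?&]wc-ajax=checkout(&|$)#',
);

/** Split one combined-format line into its fields, or return null if it does not parse. */
function parse_log_line( $line ) {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"/';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;
    }
    return array(
        'ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'path' => $m[4],
        'status' => (int) $m[5], 'referer' => $m[6], 'ua' => $m[7],
    );
}

/** Per-IP summary of POSTs to the watched endpoints, busiest IP first. */
function summarise_posts( array $lines, array $watched ) {
    $by_ip = array();
    foreach ( $lines as $line ) {
        $r = parse_log_line( $line );
        if ( null === $r || 'POST' !== $r['method'] ) {
            continue;
        }
        foreach ( $watched as $label => $re ) {
            if ( ! preg_match( $re, $r['path'] ) ) {
                continue;
            }
            $s = $by_ip[ $r['ip'] ] ?? array( 'posts' => 0, 'no_referer' => 0, 'endpoints' => array(), 'agents' => array() );
            $s['posts']++;
            // A browser submitting the form sends a Referer; scripted posts usually do not.
            if ( '-' === $r['referer'] ) {
                $s['no_referer']++;
            }
            $s['endpoints'][ $label ]  = true;
            $s['agents'][ $r['ua'] ]   = true;
            $by_ip[ $r['ip'] ]         = $s;
            break;
        }
    }
    uasort( $by_ip, function ( $a, $b ) { return $b['posts'] - $a['posts']; } );
    return $by_ip;
}

$lines = isset( $argv[1] )
    ? file( $argv[1], FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES )
    : explode( "\n", $sample_log );

foreach ( summarise_posts( $lines, $watched ) as $ip => $s ) {
    printf( "%-16s %3d POSTs, %3d without a Referer; endpoints: %s; agents: %s\n",
        $ip, $s['posts'], $s['no_referer'],
        implode( ', ', array_keys( $s['endpoints'] ) ),
        implode( ' | ', array_keys( $s['agents'] ) ) );
}
```

Two caveats: if the site sits behind a CDN or reverse proxy, the first field is the proxy’s address and the real client is only in X-Forwarded-For, which the combined format does not log, so the log format needs adjusting first; and the missing-Referer column is a heuristic, not proof, since privacy extensions strip the header too. On a Bitnami stack the Apache access log lives under the Bitnami installation directory (the exact path varies by stack version, so check the Bitnami documentation for your image).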

  • The topic ‘Failed Orders – Fake Information’ is closed to new replies.