Forum Replies Created

Viewing 3 replies - 1 through 3 (of 3 total)
  • Thread Starter vistagrande

    (@vistagrande)

    Per your suggestions:

    • The bogus orders are not coming fast enough to worry about rate limiting. They tend to be 5 to 20 minutes apart.
    • I see no way to identify IPs for blocking. The attempts come from many different IPs.
    • WooCommerce and plugins are up to date.
    • Selling location is US only. The bogus attacks have fake US addresses. The IPs however all seem to be non-US according to ARIN.

    So these do not generate failed orders, but they do create fake customers. (How do I delete these?)

    Here is a similar set of requests after the reCAPTCHA where it gets the 500 HTTP response:

    193.202.15.202 - - [05/Oct/2025:07:16:23 -0500] "GET /wp-json/wc/store/products?stock_status=instock&order=asc&orderby=price&min_price=100&max_price=5000&type=simple&page=1&per_page=100 HTTP/2" 200 31326 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.4 Safari/605.1.15"
    193.202.15.202 - - [05/Oct/2025:07:16:26 -0500] "GET /wp-json/wc/store/cart HTTP/2" 200 413 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.4 Safari/605.1.15"
    193.202.15.202 - - [05/Oct/2025:07:16:27 -0500] "POST /wp-json/wc/store/cart/add-item HTTP/2" 201 1113 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.4 Safari/605.1.15"
    193.202.15.202 - - [05/Oct/2025:07:16:27 -0500] "POST /wp-json/wc/store/cart/update-customer HTTP/2" 200 1306 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.4 Safari/605.1.15"
    193.202.15.202 - - [05/Oct/2025:07:16:28 -0500] "POST /wp-json/wc/store/cart/select-shipping-rate HTTP/2" 200 1306 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.4 Safari/605.1.15"
    193.202.15.202 - - [05/Oct/2025:07:16:28 -0500] "GET /checkout HTTP/2" 301 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.4 Safari/605.1.15"
    193.202.15.202 - - [05/Oct/2025:07:16:29 -0500] "GET /checkout/ HTTP/2" 200 26636 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.4 Safari/605.1.15"
    193.202.15.202 - - [05/Oct/2025:07:16:30 -0500] "POST /?wc-ajax=ppc-data-client-id HTTP/2" 200 447 "https://gems.vistagrande.com/checkout" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.4 Safari/605.1.15"
    193.202.15.202 - - [05/Oct/2025:07:16:31 -0500] "POST /?wc-ajax=ppc-create-order HTTP/2" 200 114 "https://gems.vistagrande.com/checkout" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.4 Safari/605.1.15"
    193.202.15.202 - - [05/Oct/2025:07:16:35 -0500] "POST /?wc-ajax=ppc-approve-order HTTP/2" 200 20 "https://gems.vistagrande.com/checkout" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.4 Safari/605.1.15"
    193.202.15.202 - - [05/Oct/2025:07:16:36 -0500] "POST /wp-json/wc/store/checkout HTTP/2" 500 142 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.4 Safari/605.1.15"

    Basically this is the same, except that it is not allowed to go to PayPal. Good as far as the card phishing. Still annoying from my perspective.

    vistagrande

    (@vistagrande)

    I can confirm that on my site, the reCAPTCHA addition has stopped the orders from being submitted to PayPal. However, they still come and end up with a 500 error code instead when they try to finalize the order.

    It would be better to have them forbidden to use this sort of access to the site. Right now, it is just a nuisance. But I am concerned that it might eventually turn into a security issue. This seems like a bug.

    vistagrande

    (@vistagrande)

    I started seeing similar frequent failed logins yesterday morning. Over 60 by today. Added the Google reCAPTCHA and that appears to have stopped the ordering.

    Some details. Obviously a distributed bot. Assorted IPs, none of those I checked were North American. The buyers were all supposed to be US addresses. Of course, they didn’t exist, nor do the email addresses that were used.

    Each of these entered the site with a request that is not a normal entry:

    GET /wp-json/wc/store/products?stock_status=instock&order=asc&orderby=price&min_price=100&max_price=5000&type=simple&page=1&per_page=100

    They then picked the least expensive item, added it to the cart and proceeded to checkout, which they tried using PayPal.

    Ideally, this sort of entry into the site should not be allowed. Is there some way to do that?
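
Added example, not part of the original posts: a log check for the pattern described in the replies above, where a client's first request is a referrer-less, price-sorted Store API product listing and a POST to the Store API checkout follows within seconds. The 60-second window, the documentation-range IPs, `shop.example` and the product page path are assumptions made for the constructed sample.

```python
import re
from datetime import datetime, timedelta

# Combined log format; accepts straight or "smart" quotes (logs pasted via a web page).
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'["“](?P<method>[A-Z]+) (?P<url>\S+) [^"”]*["”] '
    r'(?P<status>\d{3}) \S+ ["“](?P<ref>[^"”]*)["”]'
)
ENTRY = "/wp-json/wc/store/products"
CHECKOUT = "/wp-json/wc/store/checkout"
WINDOW = timedelta(seconds=60)  # assumed threshold; the run in the log took 13 s

def parse(line):
    m = LINE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    path, _, query = m["url"].partition("?")
    return m["ip"], ts, m["method"], path, query, int(m["status"]), m["ref"]

def flag_store_api_bots(lines):
    """Map client IP -> checkout status for clients whose first request is a
    referrer-less, price-sorted Store API listing followed by a checkout POST."""
    seen, entry_time, flagged = set(), {}, {}
    for ip, ts, method, path, query, status, ref in filter(None, map(parse, lines)):
        if ip not in seen:
            seen.add(ip)
            if path == ENTRY and "orderby=price" in query and ref == "-":
                entry_time[ip] = ts
        elif (ip in entry_time and method == "POST" and path == CHECKOUT
              and ts - entry_time[ip] <= WINDOW):
            flagged[ip] = status
    return flagged

# Constructed sample (documentation-range IPs, hypothetical product page).
UA = '"Mozilla/5.0"'
SAMPLE = [
    f'203.0.113.7 - - [05/Oct/2025:07:16:23 -0500] "GET {ENTRY}?order=asc&orderby=price&per_page=100 HTTP/2" 200 31326 "-" {UA}',
    f'198.51.100.4 - - [05/Oct/2025:07:16:24 -0500] "GET /product/sample-gem/ HTTP/2" 200 20114 "https://shop.example/" {UA}',
    f'203.0.113.7 - - [05/Oct/2025:07:16:27 -0500] "POST /wp-json/wc/store/cart/add-item HTTP/2" 201 1113 "-" {UA}',
    f'198.51.100.4 - - [05/Oct/2025:07:16:30 -0500] "POST {CHECKOUT} HTTP/2" 200 512 "https://shop.example/checkout/" {UA}',
    f'203.0.113.7 - - [05/Oct/2025:07:16:36 -0500] "POST {CHECKOUT} HTTP/2" 500 142 "-" {UA}',
]

if __name__ == "__main__":
    for ip, status in flag_store_api_bots(SAMPLE).items():
        print(f"{ip}: Store API entry then checkout POST (HTTP {status})")
```

Because the attempts come from many different IPs, the output is more useful as a count of matching sessions per day than as a block list.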
