Random letter fake customer registration - what do they try to achieve with that? - put Captcha - SOLVED

[sumsel]

Hi community,

I see a lot of new fake customer registrations in my shop. They are obviously fake, easily detectable due to random letter combinations instead of names. e.g. First Name: gHnfJCZoaIQ Last Name: ANKFDgUmTHJ and then some real-looking email address, like somebody stole an email address book and registered every email in my shop.

So far I believe nothing negative has come about for me or my shop, and this has been going on for a while now. I just manually clean my customer database every now and then and go about my business. It's not something I have been worried about, and it's easier to keep things clean by hand than trying to find a module which takes care of this I think.

But it makes me wonder:

Why would anyone bother? Why is there somebody, or someone's bot, who populates my shop with fake customer accounts? What can they possibly get out of this? I just can't think of anything sensible right now. Thanks for opinions on this 🙂

Cheers

 

Edited May 11, 2020 by sumsel
added "solved" to the title. (see edit history)

[joseantgv]

They send SPAM from your store.

You may install one of these modules https://addons.prestashop.com/en/429-website-security-access

Edited April 2, 2020 by joseantgv (see edit history)

[doekia]

Truthfully what are they trying to do?

Exposure of the full case will help finding a solution.

[sumsel]

Thank you @joseantgv and @doekia.

How can they send spam from my shop? The only email they would be able to generate should be the welcome message upon registration, or do I overlook something?

The previously linked post from doekia looks good https://www.prestashop.com/forums/topic/981159-securite-spam-customer-account-solution-13-15/

@doekia which details would you like to know?

I don't really plan on spending much time in solving this, also I don't want to make customer registration more difficult (I strongly dislike captchas) i'm mainly curious what people would want to get out of this.

[doekia]

il y a 17 minutes, sumsel a dit :

@doekia which details would you like to know?

I don't really plan on spending much time in solving this, also I don't want to make customer registration more difficult (I strongly dislike captchas) i'm mainly curious what people would want to get out of this.

What are the entire information the created account contains.

[joseantgv]

@doekia

But with your patch you check:

...
preg_match(Tools::cleanNonUnicodeSupport('/www|http/ui'),$name))
...
preg_match(Tools::cleanNonUnicodeSupport('/^[^0-9!\[\]<>,;?=+()@#"°{}_$%:\/\\\*\^]*$/u'), $name)
...

So it won't work with this:

First Name: gHnfJCZoaIQ
Last Name: ANKFDgUmTHJ

That's why I recommended captcha module.

[doekia]

il y a 3 minutes, joseantgv a dit :

@doekia

But with your patch you check:

...
preg_match(Tools::cleanNonUnicodeSupport('/www|http/ui'),$name))
...
preg_match(Tools::cleanNonUnicodeSupport('/^[^0-9!\[\]<>,;?=+()@#"°{}_$%:\/\\\*\^]*$/u'), $name)
...

So it won't work with this:

First Name: gHnfJCZoaIQ
Last Name: ANKFDgUmTHJ

That's why I recommended captcha module.

I did not mean the opposite. But since those firstname and lastname deserve no purpose apparently, I assume some other portion of the registration have some slick benefices for the hacker.

Address ?

City?

Phone?

email?

[sumsel]

The only information I can see associated with the new customer account is Gender, First name, Last name and Email address. No phone or address etc. - also no referrer, seems to have directly opened the shop URL and opened a fake account. I checked the addresses folder in backend, this customer has no associated addresses. The "last email" is the automatic welcome message for account creation. I really don't see any purpose. Newsletters can't be registered (I removed that option from registration), and birthdate can't be entered (removed the fields from registration). So really just the bare minimum to register an email address in the shop's database was entered. I'm puzzled. Can't even see an IP address. For real accounts, I usually see the IP address for last connection.

 

Edited April 3, 2020 by sumsel (see edit history)

[sumsel]

I did notice now that some of the fake accounts also seem to create carts which then appear as abandoned carts but with no products inside. Still no idea what benefit they might have from doing so. If they were looking for weaknesses in the shop, then I would assume they try, succeed or fail, and move on. But not try again every day. If they were trying to spam the email addresses which they register, there is exactly one mail from the shop upon registration, as I don't even have newsletters.

 

 

Edited April 23, 2020 by sumsel (see edit history)

[doekia]

From the date, identify the ip address within your apache log file. With this IP, watch what sneaky they are doing. It may well be the tip of the iceberg.

[Verlonimo]

Hi,

 

It's just bots submiting your form.... There is nothing they can do to your website. Some bad bots use random letters, some can try to insert a link to your inputs and submit the form. You can try to ban these by IP address from your server log but it wont help much cause usually IP is different next day... The only way is to use Google recaptcha and forget it.

 

You can read more about is as example here from the first search on google https://elasticemail.com/blog/marketing_tips/how-to-prevent-bots-from-spamming-your-sign-up-forms

 

Thanks

[joseantgv]

hace 8 horas, Verlonimo dijo:

Hi,

 

It's just bots submiting your form.... There is nothing they can do to your website. Some bad bots use random letters, some can try to insert a link to your inputs and submit the form. You can try to ban these by IP address from your server log but it wont help much cause usually IP is different next day... The only way is to use Google recaptcha and forget it.

 

You can read more about is as example here from the first search on google https://elasticemail.com/blog/marketing_tips/how-to-prevent-bots-from-spamming-your-sign-up-forms

 

Thanks

But which is the aim of these bots?

[Verlonimo]

2 hours ago, joseantgv said:

But which is the aim of these bots?

The main aim is to leave backlink to they content. But sometimes it can be even worst like: SEO-damaging backlink injections, user-deceiving injected redirects, and even severe SQL injections designed to take down your site or steal your user data. Usually The bigger you are the more you get.

I have seen some big websites where bots trying to submit thousands forms per day or even per hour.

 

Thanks

[joseantgv]

You mean that probably they were trying to hack the site but apparently they can't? And in these attacks they try to find holes while creating a customer, for example?

[Verlonimo]

Hi,

To both of your questions the answer is YES.

I would't call "they tracking to hack" in this case. As far as i can see from screenshots, it's just bots submitting form with intend to add backlinks into one of the inputs. Server logs should say more i guess...

 

Not all bots are bad tho. Google is also using crawling bots which even can add products to cart if shop configured wrong....

Thanks

[sumsel]

Thank you for your comments guys!

From the log I checked the last 4 account creations and found the same pattern for those. Within like 25 seconds they check the login pages in all 5 language versions, and in the end they create an account. As if they had a stolen email address database and attempt try to find out if this email has a registered account in the shop, and then if not, create one. Guess if they can create a customer they know it hasn't been registered before.

Posting one of the results here.

 

2020-05-08 14:50:01Access117.241.96.43 301 GET / HTTP/1.0208Apache access

2020-05-08 14:50:05Access117.241.96.43 301 GET / HTTP/1.0717Apache access

2020-05-08 14:50:07Access117.241.96.43 301 GET / HTTP/1.0396Apache access

2020-05-08 14:50:07Access117.241.96.43 200 GET /en/ HTTP/1.08.10 KApache access

2020-05-08 14:50:08Access117.241.96.43 302 GET /en/my-account HTTP/1.0392Apache access

2020-05-08 14:50:09Access117.241.96.43 200 GET /en/login?back=my-account HTTP/1.010.3 KApache access

2020-05-08 14:50:10Access117.241.96.43 200 POST /en/login?back=my-account HTTP/1.09.6 KApache access

2020-05-08 14:50:10Access117.241.96.43 200 POST /en/login?back=my-account HTTP/1.09.6 KApache access

2020-05-08 14:50:11Access117.241.96.43 200 GET /de/anmeldung?back=my-account HTTP/1.010.3 KApache access

2020-05-08 14:50:12Access117.241.96.43 200 POST /de/anmeldung?back=my-account HTTP/1.09.8 KApache access

2020-05-08 14:50:12Access117.241.96.43 200 POST /de/anmeldung?back=my-account HTTP/1.09.8 KApache access

2020-05-08 14:50:13Access117.241.96.43 200 GET /fr/connexion?back=my-account HTTP/1.010.4 KApache access

2020-05-08 14:50:14Access117.241.96.43 200 POST /fr/connexion?back=my-account HTTP/1.09.9 KApache access

2020-05-08 14:50:15Access117.241.96.43 200 POST /fr/connexion?back=my-account HTTP/1.09.9 KApache access

2020-05-08 14:50:15Access117.241.96.43 200 GET /it/login?back=my-account HTTP/1.010.3 KApache access

2020-05-08 14:50:16Access117.241.96.43 200 POST /it/login?back=my-account HTTP/1.09.9 KApache access

2020-05-08 14:50:17Access117.241.96.43 200 POST /it/login?back=my-account HTTP/1.09.9 KApache access

2020-05-08 14:50:18Access117.241.96.43 200 GET /es/iniciar-sesion?back=my-account HTTP/1.010.4 KApache access

2020-05-08 14:50:19Access117.241.96.43 200 POST /es/iniciar-sesion?back=my-account HTTP/1.09.9 KApache access

2020-05-08 14:50:19Access117.241.96.43 200 POST /es/iniciar-sesion?back=my-account HTTP/1.09.9 KApache access

2020-05-08 14:50:20Access117.241.96.43 200 GET /en/password-recovery HTTP/1.06.87 KApache access

2020-05-08 14:50:21Access117.241.96.43 200 POST /en/password-recovery HTTP/1.06.20 KApache access

2020-05-08 14:50:22Access117.241.96.43 200 POST /en/password-recovery HTTP/1.06.20 KApache access

2020-05-08 14:50:22Access117.241.96.43 200 GET /en/login?create_account=1 HTTP/1.09.8 KApache access

2020-05-08 14:50:23Access117.241.96.43 302 POST /en/login?create_account=1 HTTP/1.01.56 KApache access

2020-05-08 14:50:24Access117.241.96.43 301 GET /en/ HTTP/1.0237Apache access

2020-05-08 14:50:25Access117.241.96.43 200 GET /en/ HTTP/1.07.09 KApache access

2020-05-08 14:50:26Access117.241.96.43 302 POST /en/login?create_account=1 HTTP/1.0381Apache access

2020-05-08 14:50:26Access117.241.96.43 200 GET /en/my-account HTTP/1.06.30 KApache access

 

 

[sumsel]

I have found and installed a free captcha module now. Hope this will protect the existing customer accounts against being spied upon by the attacker.

https://github.com/nenes25/eicaptcha/releases/tag/2.0.4

Seems to work, at least it didn't break the account creation process for humans - hope I can follow the advice and just forget about this issue.

Cheers

Edited May 8, 2020 by sumsel (see edit history)

[doekia]

Il y a 5 heures, sumsel a dit :

2020-05-08 14:50:08Access117.241.96.43 302 GET /en/my-account HTTP/1.0392Apache access

 

Il y a 5 heures, sumsel a dit :

2020-05-08 14:50:26Access117.241.96.43 200 GET /en/my-account HTTP/1.06.30 KApache access

It seems weird your server respond on HTTP/1.0 ... what does exactly the column means ?

[sumsel]

To my knowledge this is just the info with which version of HTTP the Apache server responds. The detailed workings are beyond the depth of my knowledge about Apache Servers. I left the Apache configuration on default as set by my hosting provider.

[doekia]

Your log is driven by the settings. Here it seems some formating is missing and I have no clue what your log format is.

Natural apache log is as follow:
207.46.13.28 - - [09/May/2020:00:01:16 +0200] "GET /modules/feeder/rss.php?id_category=4685&orderby=position&orderway=asc HTTP/1.1" 200 6002 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)

With format configured like this:
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined

 

 

[sumsel]

I copied the log display from my plesk user interface in my previous post.

Is checking the meaning of the http 1.0 result still related to the original topic?

But I found the raw log also, hoping this will be more helpful. I can't see (let alone configure) the log format setting, only the results. It is set by my hosting provider. I'm happy with that because I'm no expert here.

Raw log file entry from above example:

117.241.96.43 - - [08/May/2020:14:50:01 +0200] "GET / HTTP/1.0" 301 208 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36"
117.241.96.43 - - [08/May/2020:14:50:05 +0200] "GET / HTTP/1.0" 301 717 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36"
117.241.96.43 - - [08/May/2020:14:50:07 +0200] "GET / HTTP/1.0" 301 396 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36"
117.241.96.43 - - [08/May/2020:14:50:07 +0200] "GET /en/ HTTP/1.0" 200 8295 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36"
117.241.96.43 - - [08/May/2020:14:50:08 +0200] "GET /en/my-account HTTP/1.0" 302 392 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36"
117.241.96.43 - - [08/May/2020:14:50:09 +0200] "GET /en/login?back=my-account HTTP/1.0" 200 10571 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36"
117.241.96.43 - - [08/May/2020:14:50:10 +0200] "POST /en/login?back=my-account HTTP/1.0" 200 9868 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36"
117.241.96.43 - - [08/May/2020:14:50:10 +0200] "POST /en/login?back=my-account HTTP/1.0" 200 9868 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36"
117.241.96.43 - - [08/May/2020:14:50:11 +0200] "GET /de/anmeldung?back=my-account HTTP/1.0" 200 10577 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36"
117.241.96.43 - - [08/May/2020:14:50:12 +0200] "POST /de/anmeldung?back=my-account HTTP/1.0" 200 10077 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36"
117.241.96.43 - - [08/May/2020:14:50:12 +0200] "POST /de/anmeldung?back=my-account HTTP/1.0" 200 10077 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36"
117.241.96.43 - - [08/May/2020:14:50:13 +0200] "GET /fr/connexion?back=my-account HTTP/1.0" 200 10647 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36"
117.241.96.43 - - [08/May/2020:14:50:14 +0200] "POST /fr/connexion?back=my-account HTTP/1.0" 200 10134 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36"
117.241.96.43 - - [08/May/2020:14:50:15 +0200] "POST /fr/connexion?back=my-account HTTP/1.0" 200 10133 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36"
117.241.96.43 - - [08/May/2020:14:50:15 +0200] "GET /it/login?back=my-account HTTP/1.0" 200 10595 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36"
117.241.96.43 - - [08/May/2020:14:50:16 +0200] "POST /it/login?back=my-account HTTP/1.0" 200 10094 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36"
117.241.96.43 - - [08/May/2020:14:50:17 +0200] "POST /it/login?back=my-account HTTP/1.0" 200 10093 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36"
117.241.96.43 - - [08/May/2020:14:50:18 +0200] "GET /es/iniciar-sesion?back=my-account HTTP/1.0" 200 10668 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36"
117.241.96.43 - - [08/May/2020:14:50:19 +0200] "POST /es/iniciar-sesion?back=my-account HTTP/1.0" 200 10156 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36"
117.241.96.43 - - [08/May/2020:14:50:19 +0200] "POST /es/iniciar-sesion?back=my-account HTTP/1.0" 200 10156 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36"
117.241.96.43 - - [08/May/2020:14:50:20 +0200] "GET /en/password-recovery HTTP/1.0" 200 7037 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36"
117.241.96.43 - - [08/May/2020:14:50:21 +0200] "POST /en/password-recovery HTTP/1.0" 200 6345 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36"
117.241.96.43 - - [08/May/2020:14:50:22 +0200] "POST /en/password-recovery HTTP/1.0" 200 6344 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36"
117.241.96.43 - - [08/May/2020:14:50:22 +0200] "GET /en/login?create_account=1 HTTP/1.0" 200 10027 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36"
117.241.96.43 - - [08/May/2020:14:50:23 +0200] "POST /en/login?create_account=1 HTTP/1.0" 302 1600 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36"
117.241.96.43 - - [08/May/2020:14:50:24 +0200] "GET /en/ HTTP/1.0" 301 237 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36"
117.241.96.43 - - [08/May/2020:14:50:25 +0200] "GET /en/ HTTP/1.0" 200 7258 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36"
117.241.96.43 - - [08/May/2020:14:50:26 +0200] "POST /en/login?create_account=1 HTTP/1.0" 302 381 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36"
117.241.96.43 - - [08/May/2020:14:50:26 +0200] "GET /en/my-account HTTP/1.0" 200 6449 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36"

 

[sumsel]

Apparently I have no new fake customer registrations since adding the recaptcha to the form.

[Verlonimo]

Hi,

There is nothing wrong here. Just same bot from same location (India) visiting your site pages and trying to submit form. Use captcha and forget it... Usual day on the web...

Thanks

Edited May 11, 2020 by Verlonimo (see edit history)

[sumsel]

Yes! Had I found the free and easy solution I found now, I probably would and should have done it right from the start. I think I had experimented with this on the contact form and had no success a few years back. At the time whatever bot was working on my shop, didn't need the form in my shop to submit it and the captcha had not been configured correctly to prevent the bot from operating. This time it seems to have worked. So thanks for all the contributions 🙂

[doekia]

Personnaly on my vhost config, I add the following

SetEnvIf Request_Protocol HTTP/0.9 too_low_proto
SetEnvIf Request_Protocol HTTP/1.0 too_low_proto
Deny from env=too_low_proto

That filters a hell of old hackers libraries

[Rizzzle]

I have had this happening to one of my sites for ages. It comes in waves. I sometimes wonder why one site is being targetted in particular, when I run many sites.

Hopefully Captcha does not negatively effect conversion rate. What do you think?

[Angar]

PrestaShop 1.7.8

Create file:
/override/classes/Validate.php

add in this file the code:
 

<?php

use Egulias\EmailValidator\EmailValidator;
use Egulias\EmailValidator\Validation\MultipleValidationWithAnd;
use Egulias\EmailValidator\Validation\RFCValidation;
use PrestaShop\PrestaShop\Core\ConstraintValidator\Constraints\CustomerName;
use PrestaShop\PrestaShop\Core\ConstraintValidator\Factory\CustomerNameValidatorFactory;
use PrestaShop\PrestaShop\Core\Domain\Currency\ValueObject\NumericIsoCode;
use PrestaShop\PrestaShop\Core\Email\SwiftMailerValidation;
use PrestaShop\PrestaShop\Core\String\CharacterCleaner;
use Symfony\Component\Validator\Validation;

class Validate extends ValidateCore
{

    public static function isCustomerName($name)
    {
        $validatorBuilder = Validation::createValidatorBuilder();
        $validatorBuilder->setConstraintValidatorFactory(
            new CustomerNameValidatorFactory(new CharacterCleaner())
        );
        $validator = $validatorBuilder->getValidator();
        $violations = $validator->validate($name, [
            new CustomerName(),
        ]);

		// Custom validation: check if name contains more than 4 capital letters
		$capitalLettersCount = preg_match_all('/[A-Z]/', $name);
		$normalLettersCount = preg_match_all('/[a-z]/', $name);

		if ($capitalLettersCount > 1 && $normalLettersCount > 1) {
			if ($capitalLettersCount > 4) {
				return 0; // More than 4 capital letters, validation fails
			}
		}

        return (count($violations) !== 0) ? 0 : 1;
    }

}

If the name contains mixed letters (uppercase and lowercase letters) and more than 4 uppercase letters, registration is not possible.
This should block fake accounts for example gHnfJCZoaIQ, ANKFDgUmTHJ etc., but allow the creation of regular accounts.