Fake fraud orders

[davey]

Hi

 

Since a week or so we are receiving several fake orders. For some reason they are able to create a account (while clients must puchase a product first), order it and send a order confirmation mail. We need to aprove each order manually as extra security but this is really annoying and costs alot of time to sort it out.

 

Any suggestions to avoid this?

 

Kind regards,

Davey

[Vox]

Hi Davey,

 

Have you tried the captcha or re-captcha as referred to in this post?

 

http://forum.whmcs.com/showthread.php?92171-5-character-validation-not-deterring-spammers

[davey]

Thank you for your reaction,

 

Yes we have, to order something the customer needs to fill in the re-captcha in google code. For some reason it looks like they are able to send also the confirmation mail. The confirmation mail never sends automatically, only when a order has been approved.

 

Any idea what they are doin?

[Vox]

Thank you for your reaction,

 

Yes we have, to order something the customer needs to fill in the re-captcha in google code. For some reason it looks like they are able to send also the confirmation mail. The confirmation mail never sends automatically, only when a order has been approved.

 

Any idea what they are doin?

 

All depends on which email you mean.... do you mean order confirmation? That is just an acknowledgement that an order has been received by you. If you mean product welcome email, yes, that should be after you've approved the order (if set up in the product under module settings).

 

Typical flow would be a client signs up (during the process of placing and order) > Gets a welcome email > Gets an order confirmation email (as a result of the order being placed) > you manually approve the order/setup product > they get the product welcome email

[davey]

Yes that's correct. The order has not being processed with the status pending. This "customer" did received the product information while it is still pending. I had this once like a year ago, but this is now the second "customer" in the past 2 days. I think there is some glitch or bug in the system.

[TekStorm Inc - James]

If a product/service is being provisioned and its welcome e-mail sent out, prior to your accepting an order, check that product's automation settings at Setup >> Products/Services >> Products/Services >> Edit >> Module Settings. To not have it auto-provision before you've accepted the order, you'd want either "Automatically setup the product when you manually accept a pending order" or "Do not automatically setup this product" to be selected; anything else, and it will be provisioned before you've reviewed and/or accepted the order. Have a look here.

Edited August 18, 2014 by TekStorm Inc - James

[davey]

As said before, the automation setup is not enabled. I need to aprove each order, so a automated setup is not possible unless i approved the order (which i did not) the details of this "customer" are fake, and received the product information. This should not be possible as i need to approve each order.

[WHMCS Ryan]

To confirm:

 

You have re-captcha setup on your order forms. The service is set to 'Automatically setup the product when you manually accept a pending order' and the order itself is still pending. Yet the account is provisioned and a welcome letter is sent to the client anyway. Have you looked in the activity log for anything abnormal during the order/provisioning process?

 

Can you paste the logs in the thread as well?

 

--Thanks

[davey]

Correct, below u can see the activity log.

There is nothing abnormal what i can find.

12 hours later, (probably the same user) ordered webhosting, exactly the same thing happend. The only difference is that webhosting is not set on autocreation. Game servers is.

17/08/2014 01:46 Email Sent to bardhi gogo (New Product Information) - User ID: 107 Client 79.106.109.243
17/08/2014 01:46 Module Create Successful - Service ID: 236 Client 79.106.109.243
17/08/2014 01:46 Running Module Create on Order Client 79.106.109.243
17/08/2014 01:46 Email Sent to bardhi gogo (Order Confirmation) - User ID: 107 System 79.106.109.243
17/08/2014 01:46 Created Invoice - Invoice ID: 340 System 79.106.109.243
17/08/2014 01:46 New Order Placed - Order ID: 219 - User ID: 107 System 79.106.109.243
17/08/2014 01:46 Email Sent to bardhi gogo (Welcome) - User ID: 107 System 79.106.109.243
17/08/2014 01:46 Created Client bardhi gogo - User ID: 107 System 79.106.109.243

[WHMCS Ryan]

Short term, if the orders came from 76.106.19.243 you could ban that IP.

 

Can you take a screen shot of the module settings for the service in question and post it here.

 

--Thanks

[davey]

Yeah, i already banned that ip, but the next order aprox 12hours later came from a other server (proxy). So it keeps on goin.

In the attachment u see the COD 2 configuration (where this order is about) and the webhosting configuration (the order what came after this one)

[TekStorm Inc - James]

The "Tcadmin2_advanced" (CoD2) module is set to auto-provision immediately after ordering, without waiting for payment even, let alone order review/acceptance.

Edited August 18, 2014 by TekStorm Inc - James

[davey]

I know it would make sense for the autocreation, but not for the webhosting does it?

[WHMCS John]

Hi,

Surely you'd want to wait until after the client has paid you, or until you've had a chance to manually vet the order and accept it?

 

You could enable the Maxmind module which will help reduce the number of fake orders that make it through: http://docs.whmcs.com/MaxMind

 

But ultimately the reason the accounts are being created is because that's what you've told WHMCS to do.

[davey]

i'm not sure if it is the lack of my english or that i am not clear. The point is that the product has been created while it has not been approved, this fake client received the details of the product while it is still pending. The order is still active and has not been changed. I only banned these ip's from my WHMCS. I'm sure you have my details to login, see last support ticket.

[WHMCS John]

Hi,

Could you attach a screenshot of that please (the order being inn pending status, but the product having been provisioned)?

[davey]

In the attachment u see both orders, the call of duty server and the webhosting.

[WHMCS John]

Hi,

Thanks for that. The order status will always be "Pending" until you manually accept it - this gives you the opportunity it manually review each order that comes in.

The order's status is separate form the individual services' status - which I think is what you're confusing it with here - so everything looks to be working the way you have configured it.

 

If you don't want the account to be provisioned on the server until you manually accept the order, select that option under the product's Module Settings tab as others have suggested previously.

[davey]

Last night we've received another registration of a fake order, this might be hacking attempts.

Again a other ip address with other account details.

 

These details were filled in:

Address 1: syntaxerror

Address 2: syntaxerror

E-mail: andriroot@gmail.com

City: AES_ENCRYPT(1,1), city= (SELECT GROUP_CONCAT(0x3a3a3a3a3a,id,0x3a,username,0x3a,em ail,0x3a,password,0x3a3a3a3a3a) FROM tbladmins)

Domain: hacked-by-dm-team.com

--

 

If i'm correct this city rule is related to receive the admin details trough the database.

[SeanP]

For some reason they are able to create a account (while clients must puchase a product first), order it and send a order confirmation mail. We need to aprove each order manually as extra security but this is really annoying and costs alot of time to sort it out.

 

Neither of your products are setup to do this. You need to select "Automatically setup the product when you manually accept a pending order" on the "Module Settings" tab, for it to function as you desire (provision the service after manually accepting the order).

[lance]

had a few of these too the past few days, happened as soon as upgraded to 5.3.8

[davey]

Same here, never had these fake orders incombination with these mysql rules.

Any suggestions to prevent these? Do i need to be worried?

[SeanP]

The "AES_ENCRYPT" hack attempt was an old vulnerability that was patch several versions back. If you are running 5.3.8, you are fine. Just delete the account.

[JAz]

The "AES_ENCRYPT" hack attempt was an old vulnerability that was patch several versions back. If you are running 5.3.8, you are fine. Just delete the account.

 

Can you be specific about how many versions back??

 

I'm on 5.3.7, seeing the same attack attempts.

 

 

ty.

[davey]

Well, we still have those orders on a daily basis.

Current version: 5.3.10

 

See the attachment for more details.

Below u see the rules what they have entered in some fields:

 

AES_ENCRYPT(1,1), address2= (SELECT MAX(password) FROM tbladmins)
AES_ENCRYPT(1,1), address2= (SELECT MIN(username) FROM tblservers)
AES_ENCRYPT(1,1), city= (SELECT GROUP_CONCAT(0x3a3a3a3a3a,id,0x3a,username,0x3a,email,0x3a,password,0x3a3a3a3a3a) FROM tbladmins)
syntaxerror

 

Regards,

Davey