Huge amount of fake accounts

[JEBranch]

Hello Community Members, this is my first post I been using WHMCS 5-6 years and really never had to much a problem, I have one now, yesterday I started getting all these fake accounts, I made adjustments and still getting them over 150 and I have to delete them one at a time very time consuming, I even added Maxmind fake accounts still coming in. What else can be done I have WHMCS on Maintenance Mode so I can get a break. Here is where all this stuff is coming from (ᢓ开ᢓ户ᢓ即ᢓ送88元ᢓ现ᢓ金 ๽活๽动๽通๽道 5666Q.COM ๽易๽记๽域๽名 fuli8.tk ) I am sorry if not to put in link..

[lifewd]

Hello,

I am receiving many fake registrations on my whmcs. I have tried enabling google captcha, email verification, and the problems continues.

I woke up with nearly 100 new accounts created this morning.

I am now banning email addresses which seems to be working, however when they use a new email the problem continues.

I wouldnt even mind disabling registration all together, as I personally register 99% of my customers through the admin panel.

Can anyone offer any suggestions on how to get this issue to stop, and if not, is there a way to disable registration?

 

Thank you for reading!

[WHMCS John]

Hi,

Maxmind will help mark such spam orders as fraud automatically, but doesn't have the power to block orders or client registrations.

Have you considered a Web Application Firewall or service such as Cloudflare, which should block such bots from your website entirely?

[durrdomains]

Yes I am having that same issue aswell

[WHMCS John]

Hi,

I've drafted an article with some tips: http://help.whmcs.com/m/troubleshooting/l/878335-blocking-spam-orders

Feel free to share your hints and experience about what worked for you here in this thread.

[JacobBall]

First time poster, and I'm getting very frustrated with these spam signups as well. I've received dozens of them over the past day or two, and I've had enough.

At least I can see I'm not the only one suffering this problem.

John, that troubleshooting article doesn't help at all. They keep changing IP addresses and email addresses, so banning them in WHMCS or even the firewall on the server doesn't work. The IPs show as coming from Taiwan and China.

I've enabled Google's reCaptcha V2, that hasn't stopped them.

I've currently got my site in Maintenance mode, which seems to have put the brakes on for now - hardly an ideal solution though, is it.

[Scotty501]

Same for me, a ton of new clients overnight again - all fake.

[DamienWebb]

Wow so, I'm not the only one... about 900 of these in the past 24 hours...

WHMCS doesn't use google recaptcha v2, so I'm having to manually edit the theme I use, to use v2. It would be great if the viewcart.tplhad recaptcha enabled, before they could proceed to checkout / "Complete Order".

[durrdomains]

Adding that custom fields and Cloudflare seemed to stop orders have you tried that?

[WHMCS John]

Hi @DamienWebb,

 

5 hours ago, DamienWebb said:

WHMCS doesn't use google recaptcha v2, so I'm having to manually edit the theme I use, to use v2. It would be great if the viewcart.tplhad recaptcha enabled, before they could proceed to checkout / "Complete Order".

WHMCS has supported Google recpatcha for 2 years. If you're still seeing v1 this indicates outdated templates, so you're on the right track!

[JEBranch]

I see I'm not the only one having this issue, I didn't want to post this to soon, I tried this. In General Settings I put in Maintenance Mode, and used Maintenance Mode Redirect URL and sent it to my website home page where you can still place order but no need for account not using WHMCS after 24 hrs I switch it back to WHMCS no more fake accounts/order so far it's working...

[JEBranch]

Ok, sorry That didn't work it worked for a while..

[JEBranch]

43 minutes ago, JEBranch said:

Ok, sorry That didn't work it worked for a while..

Well after the switch I only got about 4 fake accounts in 4hrs. I was getting them every min. slow down a lot.

 

[kaybee57]

Exactly them same - I now have 1500 new users! Grrr... Any thoughts?

[bear]

Those of you getting fake account signups, are you allowing account creation without ordering something? 

[JBlossoms]

Same here! On the day I noticed, there were about 1 registration per 5 minutes, some with Cancelled Orders and some without.   With advise from my hosting company's technical team, I used "Block Visitors by Country Using Firewall" to block all IPs coming from the suspected countries.  This slowed it down considerably, but they soon used VPN sites (through other countries) to carry on this nefarious activities.  In addition I have also implemented some of the tips on WHMCS John article. For now it has stopped but I guess it is an ongoing battle.

[JEBranch]

No, customer have to order first and then signup,

 

[kaybee57]

Thank you for that and yes, I did have that ticked but now not so - also managed to remove all fake client accounts via the database so I'm back to a clean WHMCS again.

I did have associated orders with some of those dummy clients anyway so maybe that wasn't the issue?

Have also now changed all relevant passwords etc but if this is not just me, not sure that will help either?

[yaykeny]

Hi,

I have seen for the 1st time a massive registration of fake accounts. Screen shot here https://prnt.sc/j8dcon   a few hundred anyway !

I am deleting these but is there anything I should be aware of or be looking out for?

Cheers

Kenny

[kaybee57]

Whoa, just took maintenance mode off and fake clients coming in again ..... 

Have once again removed those from the database, updated WHMCS to absolute latest version, checked site files for any obscure php files and found none.

Returned to working mode (not maintenance mode)

Fake customers still coming in. Any further thoughts? I'm back in Maintenance mode again

[yaykeny]

Guys I have been reading up on this and have activated all sorts of extra security, including disabling users just registering. 

[sshVM]

I took backup of database and ran following delete query.

Quote

delete from tblclients where lastname like '%fuli8.tk' limit 225;
delete from tblclients where firstname like '%5666Q.COM' limit 225;

In issue it is win win for WHMCS. What i noticed is License automatically got upgraded.

Wondering whether WHMCS will revert the invoice after removing all these fake accounts.

[bear]

Since it looks like all those signups are using the same email domain, why not ban that? 

https://docs.whmcs.com/Security/Ban_Control#Banning_Email_Domains

[JEBranch]

5 hours ago, bear said:

Since it looks like all those signups are using the same email domain, why not ban that? 

https://docs.whmcs.com/Security/Ban_Control#Banning_Email_Domains

I tried that , I banded IPs and Email they still didn't stop...

[WHMCS John]

2 hours ago, JEBranch said:

I tried that , I banded IPs and Email they still didn't stop...

Make sure you block 5666q.com via the Setup > Other > Banned Emails page.

You might have instead blocked them from email piping into the ticket system, which would not have had the desired effect.