
Huge amount of fake accounts

WHMCS ChrisD

In an effort to try to combat and prevent these orders from being successful, our team has worked to implement Google's invisible reCAPTCHA to the shopping cart checkout workflow through the use of the hooks system, please click here for more information.

Looking to Mass Delete clients? There is a guide to doing this here

Message added by WHMCS ChrisD


17 hours ago, ch-center said:

Hello everyone

Regarding this issue about fake users and orders in WHMCS.

For 4 days I have had a lot of problems generated by that spammer, which I now see affects a lot of colleagues.

I asked for help at WHMCSservices and finally found a way to create a module that WORKS.

I have had more than 12H with no spam. All issues solved.

I recommend that everyone who has this issue install it:

https://www.whmcsservices.com/stopfakeclients.php

Thanks again to WHMCS services

Thank you and anytime you need help let me know :) 


Hi there

We first became aware of instances of the spam signups being discussed here towards the latter end of last week and since then our team has been monitoring the issue and investigating instances of it reported to us via support tickets.

We understand how receiving a large number of spam orders can be inconvenient and frustrating and so in an effort to try to combat and prevent these orders from being successful, our team has worked to implement Google's invisible reCAPTCHA to the shopping cart checkout workflow through the use of the hooks system.  This is being provided as a short term immediate solution for users affected by the recent spam order submissions until such time as we can release a product update with this functionality natively included.

What is Google Invisible reCAPTCHA?

Invisible reCAPTCHA is designed to be as unobtrusive to the regular user as possible. In most cases, users will not be prompted to solve a captcha. Only when Google detects suspicious behaviour or traffic will a captcha challenge be presented. The result is that while it may not prevent all spam signups, as soon as Google detects suspicious activity or patterns, further automated orders should be blocked. To learn more about how Invisible reCAPTCHA works, please visit https://developers.google.com/recaptcha/docs/invisible

Installation Instructions

To install the hook, follow the steps below.

1. Download the hook (attached at the bottom of this post)
2. Upload to the /includes/hooks/ directory of your WHMCS installation
3. The hook leverages the same Google reCAPTCHA configuration as defined in Setup > General Settings > Security. Therefore, please ensure the Captcha settings are configured there as follows:

Captcha Form Protection: "Always On" or "Off when logged in"
Captcha Type: reCAPTCHA (Google's reCAPTCHA system)
reCAPTCHA Site Key & Secret Key: Provided

Remember, Invisible reCAPTCHA may not block all spam submissions, but it should be effective in preventing repeated and high volume submission attempts. We're keen to hear how effective this change is at preventing the spam order submissions you’ve been experiencing recently so please let us know your experiences with the hook.

Regards,

Matt

cart_recaptcha.php
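The attached cart_recaptcha.php is not reproduced on this page. The following is an added example (written for this thread, not WHMCS's own hook) of the server side of the technique Matt describes: a hook on the checkout step that submits the Invisible reCAPTCHA token to Google's siteverify endpoint and rejects the checkout when verification fails, fails closed on transport errors, and writes each block to the activity log. It assumes, without confirmation from the thread, that the ShoppingCartValidateCheckout hook returns an array of error strings, that the secret key is stored under the WHMCS setting name ReCAPTCHAPrivateKey, that logActivity() is available, and that the checkout template has already been edited so the Invisible reCAPTCHA widget posts a g-recaptcha-response field with the form.

```php
<?php
// Added example, not the cart_recaptcha.php attached to the post above.
// Assumptions (not confirmed by the thread): ShoppingCartValidateCheckout returns an
// array of error strings; the secret key lives in the setting "ReCAPTCHAPrivateKey";
// the checkout template posts a "g-recaptcha-response" field.
if (!defined("WHMCS")) {
    die("This file cannot be accessed directly");
}

use WHMCS\Config\Setting;

/**
 * Verify a reCAPTCHA token with Google. Returns true only on an explicit success
 * response; transport errors and malformed replies fail closed.
 */
function cart_recaptcha_verify($secret, $token, $remoteIp, $expectedHost)
{
    if ($token === '') {
        return false; // widget never ran (bot, or JavaScript disabled)
    }
    $ch = curl_init('https://www.google.com/recaptcha/api/siteverify');
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query([
            'secret'   => $secret,
            'response' => $token,
            'remoteip' => $remoteIp,
        ]),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    if ($body === false) {
        return false; // network failure: do not let the order through unverified
    }
    $result = json_decode($body, true);
    if (!is_array($result) || empty($result['success'])) {
        return false;
    }
    // Defence in depth: the token must have been solved on our own hostname,
    // not replayed from a widget served under someone else's site key.
    return !isset($result['hostname']) || strtolower($result['hostname']) === $expectedHost;
}

add_hook('ShoppingCartValidateCheckout', 1, function ($vars) {
    $secret = (string) Setting::getValue('ReCAPTCHAPrivateKey'); // assumed setting name
    if ($secret === '') {
        return []; // reCAPTCHA not configured under Setup > General Settings > Security
    }
    $token = isset($_POST['g-recaptcha-response']) ? (string) $_POST['g-recaptcha-response'] : '';
    $ip    = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
    // Strip any :port suffix so the comparison with Google's reported hostname works.
    $host  = isset($_SERVER['HTTP_HOST']) ? strtolower(preg_replace('/:\d+$/', '', $_SERVER['HTTP_HOST'])) : '';

    if (cart_recaptcha_verify($secret, $token, $ip, $host)) {
        return []; // no errors: checkout proceeds
    }
    if (function_exists('logActivity')) {
        logActivity("Checkout blocked: reCAPTCHA verification failed for {$ip}");
    }
    return ['We could not verify that you are a human visitor. Please try again.'];
});
```

Failing closed is a deliberate choice: an outage of Google's endpoint will block genuine customers for its duration, but the alternative is a window in which every automated order passes. The example runs on every checkout and does not honour the "Off when logged in" setting Matt mentions; the log line it writes is what lets you see a new wave starting even when the challenge is holding.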


Impressive, @Matt. It's not every day the CEO of a software company personally attends to and responds to customer issues like this. I'm truly impressed in the dedication to our community.

On 24. 04. 2018. at 3:47 PM, Tobias said:

Corrected Version:


<?php
if (!defined("WHMCS"))
    die("This file cannot be accessed directly");

// True when $fieldname was submitted and its value matches the regex fragment $value.
function userdata_field_matches($fieldname, $value, $all_vars) {
    return (array_key_exists($fieldname, $all_vars) && preg_match("/$value/", $all_vars[$fieldname]));
}

// Reject signups whose details match the patterns seen in the spam wave.
function block_fuli8_tk($vars) {
    if (userdata_field_matches("email",     "@qq\.com",   $vars)) return "Error: Userdata validation error";
    if (userdata_field_matches("lastname",  "fuli8\.tk",  $vars)) return "Error: Userdata validation error";
    if (userdata_field_matches("firstname", "5666Q\.COM", $vars)) return "Error: Userdata validation error";
}

add_hook("ClientDetailsValidation", 1, "block_fuli8_tk");
?>

Tobias is right. Block them BEFORE they create an order.
 

 


Hi all,

If you're looking for a way to remove clients en-mass with a common first name. We've put together a script which can be used to do this:

I hope you find it useful!

This script is provided as-is, without warranty, and in the understanding for the potential to permanently and irreversibly delete data. Before running this script, please make a database backup.


My experience with this is as follows: When I launched my WHMCS powered website, I had a free package which users could essentially take out for free for 3 months. While that product was front-facing, I started getting a couple of registrations and setups per day from users across the world whom I do not market to. They both took out the free package, but something felt off about their registrations too. So I turned the free product off on the front-end, making it inaccessible to anyone, humans and bots. Then I thought of emailing the registered users to see if they were real, just to be sure. I asked for email verification to be completed, and they never replied after a couple of days, so I deleted them. I suppose there were only a couple, so I could manage the issue correctly.

I would start there. Turn off any free service or product a user can apply for, and see what happens. Not the ultimate solution, but worked for me.


I just wanted to say "Thank you" to Matt, John, and everyone else at WHMCS that has jumped in to provide solutions to counter the sudden uptick in spam. I really appreciate the swift and direct support you are providing to me and the other members of your online community. Keep up the good work! :) 

On 4/25/2018 at 7:16 PM, Matt said:

Hi there

We first became aware of instances of the spam signups being discussed here towards the latter end of last week and since then our team has been monitoring the issue and investigating instances of it reported to us via support tickets.

We understand how receiving a large number of spam orders can be inconvenient and frustrating and so in an effort to try to combat and prevent these orders from being successful, our team has worked to implement Google's invisible reCAPTCHA to the shopping cart checkout workflow through the use of the hooks system.  This is being provided as a short term immediate solution for users affected by the recent spam order submissions until such time as we can release a product update with this functionality natively included.

What is Google Invisible reCAPTCHA?

Invisible reCAPTCHA is designed to be as unobtrusive to the regular user as possible. In most cases, users will not be prompted to solve a captcha. Only when Google detects suspicious behaviour or traffic will a captcha challenge be presented. The result is that while it may not prevent all spam signups, as soon as Google detects suspicious activity or patterns, further automated orders should be blocked. To learn more about how Invisible reCAPTCHA works, please visit https://developers.google.com/recaptcha/docs/invisible

Installation Instructions

To install the hook, follow the steps below.

1. Download the hook (attached at the bottom of this post)
2. Upload to the /includes/hooks/ directory of your WHMCS installation
3. The hook leverages the same Google reCAPTCHA configuration as defined in Setup > General Settings > Security. Therefore, please ensure the Captcha settings are configured there as follows:

Captcha Form Protection: "Always On" or "Off when logged in"
Captcha Type: reCAPTCHA (Google's reCAPTCHA system)
reCAPTCHA Site Key & Secret Key: Provided

Remember, Invisible reCAPTCHA may not block all spam submissions, but it should be effective in preventing repeated and high volume submission attempts. We're keen to hear how effective this change is at preventing the spam order submissions you’ve been experiencing recently so please let us know your experiences with the hook.

Regards,

Matt

cart_recaptcha.php

Still not working and many orders placed from the spammer!

3 hours ago, Subwayhost said:

Still not working and many orders placed from the spammer!

Hey Subwayhost, I was getting fake orders/accounts every minute. I installed cart_recaptcha.php and I haven't had any spam in two days...

3 hours ago, JEBranch said:

Hey Subwayhost, I was getting fake orders/accounts every minute. I installed cart_recaptcha.php and I haven't had any spam in two days...

How did you install it?

Do you mean you moved cart_recaptcha.php to includes/hooks, only uploading it?

Or what did you do?

Thanks.

12 hours ago, Subwayhost said:

How did you install it?

Do you mean you moved cart_recaptcha.php to includes/hooks, only uploading it?

Or what did you do?

Thanks.

Matt and his team from WHMCS explained it best. I uploaded cart_recaptcha.php to includes/hooks, then went to my General Settings and selected "Always On (code shown to ensure human submission)" and "reCAPTCHA (Google's reCAPTCHA system)". Go here, open an account and use Invisible reCAPTCHA; you will get a reCAPTCHA Site Key and a reCAPTCHA Secret Key. Put that info in the boxes and save, and it should work.

14 minutes ago, JEBranch said:

Matt and his team from WHMCS explained it best. I uploaded cart_recaptcha.php to includes/hooks, then went to my General Settings and selected "Always On (code shown to ensure human submission)" and "reCAPTCHA (Google's reCAPTCHA system)". Go here, open an account and use Invisible reCAPTCHA; you will get a reCAPTCHA Site Key and a reCAPTCHA Secret Key. Put that info in the boxes and save, and it should work.

General Setting (Security)


I have WHMCS 6.5.2 and Google reCAPTCHA is V1. How can I upgrade it to V2?

Which files should I modify? Any help?

This stupid spammer can't stop his fake orders!

1 hour ago, Subwayhost said:

I have WHMCS 6.5.2 and Google reCAPTCHA is V1. How can I upgrade it to V2?

Which files should I modify? Any help?

This stupid spammer can't stop his fake orders!

Not sure, you might have to upgrade your WHMCS to the latest version, which is 7.5.1, or go to your Google account at https://www.google.com/recaptcha/admin/create and see if you can create a reCAPTCHA V2.

1 hour ago, Subwayhost said:

I have WHMCS 6.5.2 and Google reCAPTCHA is V1. How can I upgrade it to V2?

Which files should I modify? Any help?

This stupid spammer can't stop his fake orders!

Hey @Subwayhost

Firstly, you'll need to get a new reCAPTCHA v2 key from https://www.google.com/recaptcha/admin/create and then add this key under Setup > Security. Please note, if you are using a custom theme you may need to have your developer update the code in the custom theme.

Lastly, I'll also note that reCAPTCHA V2 was only added to ticket submission and the contact form in V7.0 and later.

8 hours ago, WHMCS ChrisD said:

Hey @Subwayhost

Firstly, you'll need to get a new reCAPTCHA v2 key from https://www.google.com/recaptcha/admin/create and then add this key under Setup > Security. Please note, if you are using a custom theme you may need to have your developer update the code in the custom theme.

Lastly, I'll also note that reCAPTCHA V2 was only added to ticket submission and the contact form in V7.0 and later.

Thanks Chris for your help,

Can you please advise me which files should be modified to make reCAPTCHA V2 work.


Our solution, without leveraging reCaptcha:

Upon noticing the spam, we implemented a ClientDetailsValidation hook to block fields using Chinese characters or the 5666Q.COM and fuli8.tk domains. This worked on our brand running a more recent version of WHMCS (v7.3) but not on our brand running v6.3.

Turns out on v6.3 there's a bug where the $vars array passed to the hook doesn't get populated when register.php is called via GET with querystring params.

e.g., in our server logs we saw stuff like:

"GET /register.php?register=true&firstname=%E2%AD%9F%E5%BC%80%E2%AD%9F%E6%88%B7%E2%AD%9F%E5%8D%B3%E2%AD%9F%E9%80%8188%E5%85%83%E2%AD%9F%E7%8E%B0%E2%AD%9F%E9%87%91+%EF%BC%B4%E6%B4%BB%EF%BC%B4%E5%8A%A8%EF%BC%B4%E9%80%9A%EF%BC%B4%E9%81%93+5666Q.COM&lastname=%EF%BC%B4%E6%98%93%EF%BC%B4%E8%AE%B0%EF%BC%B4%E5%9F%9F%EF%BC%B4%E5%90%8D+fuli8.tk&email=73212569%40qq.com&country-calling-code-phonenumber=61&phonenumber=2788930349&companyname=%CE%97%E9%87%91%CE%97%E6%B2%99%CE%97%E5%A8%B1%CE%97%E4%B9%90%CE%97%E5%9F%8E%CE%97&address1=BBX8V+L2RDT&address2=JV6LR&city=HGHGB&state=Victoria&postcode=166226&country=AU&password=KTWx6QSDFf&password2=KTWx6QSDFf&accepttos=on&code=sr7n9&securityqid=1&securityqans=uNLQZt96 HTTP/1.1

So in that same hook, I just dropped in a check to see if $vars is empty, and to populate it with $_REQUEST if that is the case. Then the validation works fine and blocks the registrations.

To save people time, here's the hook that solved the issue for us (place it in /includes/hooks):

<?php
// Guard against direct access, as WHMCS hook files conventionally do.
if (!defined("WHMCS"))
    die("This file cannot be accessed directly");

add_hook('ClientDetailsValidation', 1, function ($vars) {
    $illegalPatterns = [
        '#[\x{4e00}-\x{9fa5}]+#u', // checks for Chinese characters
        '#5666Q\.COM#i',
        '#fuli8\.tk#i'
    ];

    // Workaround for the v6.3 bug described above: when register.php is hit via GET,
    // $vars arrives empty, so fall back to the raw request parameters.
    if (empty($vars)) {
        $vars = $_REQUEST;
    }

    foreach ($vars as $key => $val) {
        if (is_array($val) || $val === null || $val === '') {
            continue; // skip arrays (e.g. custom fields) and empty values; preg_match needs a string
        }

        foreach ($illegalPatterns as $i => $illegalPattern) {
            if (preg_match($illegalPattern, (string) $val)) {
                return "[{$i}] Illegal value for " . $key;
            }
        }
    }

});

 

Best of luck!
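Tobias's hook earlier in the thread checks three fixed fields, and the hook just above checks every field with one pattern list and adds the empty-$vars fallback for the v6.3 GET bug. The following is an added example, written for this thread and not posted by either author, that generalises both: deny patterns are declared per field (or "*" for every field), array values such as custom fields are flattened instead of being handed to preg_match, the v6.3 fallback is kept, and every block is written to the activity log so a new wave is visible before the orders pile up. It assumes PHP 7.0 or later and that logActivity() is the WHMCS activity-log function; the pattern list is the one from this thread and is illustrative only.

```php
<?php
// Added example, not one of the hooks posted in this thread. Assumes PHP 7.0+ and
// that logActivity() is WHMCS's activity-log function. Replace the patterns below
// with whatever your own logs show.
if (!defined("WHMCS")) {
    die("This file cannot be accessed directly");
}

/** Deny patterns keyed by field name; "*" applies to every submitted field. */
function spam_signup_patterns()
{
    return [
        '*'         => ['#[\x{4e00}-\x{9fa5}]+#u'], // CJK characters anywhere (from the thread)
        'email'     => ['#@qq\.com$#i'],            // mailbox domain seen in the spam (from the thread)
        'firstname' => ['#5666Q\.COM#i'],
        'lastname'  => ['#fuli8\.tk#i'],
    ];
}

/** Flatten a scalar or (nested) array field value into a list of non-empty strings. */
function spam_signup_strings($value)
{
    if (is_array($value)) {
        $out = [];
        foreach ($value as $item) {
            $out = array_merge($out, spam_signup_strings($item));
        }
        return $out;
    }
    return ($value === null || $value === '') ? [] : [(string) $value];
}

/**
 * Return null when the submission is clean, otherwise ['field' => ..., 'pattern' => ...]
 * naming the first deny pattern that matched.
 */
function spam_signup_find_match(array $vars)
{
    $patterns = spam_signup_patterns();
    foreach ($vars as $field => $raw) {
        $candidates = array_merge($patterns['*'], $patterns[$field] ?? []);
        foreach (spam_signup_strings($raw) as $text) {
            foreach ($candidates as $pattern) {
                if (preg_match($pattern, $text) === 1) {
                    return ['field' => (string) $field, 'pattern' => $pattern];
                }
            }
        }
    }
    return null;
}

add_hook('ClientDetailsValidation', 1, function ($vars) {
    // v6.3 workaround from the thread: $vars is empty when register.php is called via GET.
    if (empty($vars)) {
        $vars = $_REQUEST;
    }
    $hit = spam_signup_find_match($vars);
    if ($hit === null) {
        return; // no error string: WHMCS continues its own validation
    }
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    if (function_exists('logActivity')) {
        logActivity("Signup blocked by spam filter: field {$hit['field']} matched {$hit['pattern']} from {$ip}");
    }
    // Generic message on purpose: the response does not tell the submitter which field tripped.
    return "We were unable to validate your details. Please contact support.";
});
```

The detail of which field and pattern matched goes to the activity log rather than into the error message, so operators can tune the list from what actually fires while the rejected submission learns nothing about the rule set. The "*" entry is where the CJK check from the thread lives; field-specific entries keep a pattern like the qq.com domain from firing on, say, an address line.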

On 4/24/2018 at 9:47 AM, Tobias said:

Corrected Version:


<?php
if (!defined("WHMCS"))
    die("This file cannot be accessed directly");

// True when $fieldname was submitted and its value matches the regex fragment $value.
function userdata_field_matches($fieldname, $value, $all_vars) {
    return (array_key_exists($fieldname, $all_vars) && preg_match("/$value/", $all_vars[$fieldname]));
}

// Reject signups whose details match the patterns seen in the spam wave.
function block_fuli8_tk($vars) {
    if (userdata_field_matches("email",     "@qq\.com",   $vars)) return "Error: Userdata validation error";
    if (userdata_field_matches("lastname",  "fuli8\.tk",  $vars)) return "Error: Userdata validation error";
    if (userdata_field_matches("firstname", "5666Q\.COM", $vars)) return "Error: Userdata validation error";
}

add_hook("ClientDetailsValidation", 1, "block_fuli8_tk");
?>

 

I tried the invisible captcha and was getting errors when I tried to sign up, so I turned it off and used Tobias's code. No more spam signups. Good job Tobias!

On 4/30/2018 at 7:44 PM, aawebtools said:

I tried the invisible captcha and was getting errors when I tried to sign up, so I turned it off and used Tobias's code. No more spam signups. Good job Tobias!

 

Do you mean the "5 Character Verification Code" option?


I am getting the same error.  We have received over 9k of these and it is now bogging down our server.  We are now forced to look at another tool unless this is fixed soon. :(
