bnb Posted August 2
Ok… The custom field "solution" is no longer working. We are getting new registrations again even with a mandatory custom field in the order form. My guess is that these spammers are looking at this page, since it's public, and bypassing all the solutions here. Is there a way to make this post private or something similar?
@WHMCS John, is there any ETA for hCaptcha or Turnstile, even as a patch, so we can see if we can solve this permanently?
Vander Host Posted August 2 (edited)
> The custom field "solution" is no longer working.
Yes, agreed. We implemented the custom field "fix" on the 6th of July and had no spam registrations up to 9 hours ago. Today we have around 20 new ones. So the custom field "fix" only worked for around 3 weeks. Back to square one.
Annoyingly, these orders are also bumping our WHMCS license count past the next threshold, and we have to contact WHMCS to reduce it manually. They automatically bump it up to get more money, but you have to ask them to bring it down again. Not really user-friendly when you are a victim of fraud.
Edited August 2 by Vander Host
snake Posted August 2
On 7/26/2024 at 8:24 PM, WHMCS John said:
> Rate limiting based on IP may be of some limited benefit in situations like this. However, as the discussion in this thread does point to the actions originating from a range of addresses, it might not be a panacea. I didn't locate a request to rate limit orders or credit card attempts, so I invite you to submit that so we can start tracking demand: https://requests.whmcs.com
This won't help, as every order comes from a different IP, which is why IP blocking is not working.
snake Posted August 2
It seems problems like this could be mostly avoided if the email verification actually worked. Currently it does nothing; most customers just ignore it. New customers should be INACTIVE until they have verified their email address, and if they do not verify within x days, then the account gets auto-deleted. Being inactive until verified would also solve the issue with WHMCS auto-increasing your licence fee for fraudulent registrations.
snake Posted August 2
9 hours ago, bnb said:
> Ok… The custom field "solution" is no longer working. We are getting new registrations again even with a mandatory custom field in the order form. My guess is that these spammers are looking at this page, since it's public, and bypassing all the solutions here. Is there a way to make this post private or something similar? @WHMCS John, is there any ETA for hCaptcha or Turnstile, even as a patch, so we can see if we can solve this permanently?
Same. Presumably everyone is using the exact same custom field with the same question/answer. I have changed the custom field to a different question/answer, which I hope will stop them for a while.
NetWise UK Posted August 2
On 7/07/2024 at 4:49 AM, chrismfz said:
> Assuming this won't continue forever (weeks or months), we implement this:
>
> ```apache
> <IfModule mod_rewrite.c>
>     RewriteEngine On
>     # Check if the User-Agent matches the one the fake signups use
>     RewriteCond %{HTTP_USER_AGENT} "Mozilla/5.0 \(Windows NT 10.0; Win64; x64; rv:127.0\) Gecko/20100101 Firefox/127.0"
>     # Check if the request method is POST
>     RewriteCond %{REQUEST_METHOD} POST
>     # Check if the URL is register.php
>     RewriteCond %{REQUEST_URI} register.php$
>     # Deny access by returning a 403 Forbidden status
>     RewriteRule .* - [F]
> </IfModule>
> ```
>
> The agent is always the same, so we block it on the web server layer. Hope it helps.
This is the only thing that worked for us. Not had a fake signup since implementing it.
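The rewrite rule above keys on one exact User-Agent string, which also blocks every genuine Firefox 127 on Windows user from registering, and it stops working the moment the operator rotates the string. Before adding or renewing such a rule it is worth measuring, from the access log, how many registration POSTs share a User-Agent and from how many distinct IPs they arrive: that is the signal that separates this traffic from normal signups, and it also shows why per-IP rate limiting (as discussed earlier in the thread) cannot see it. The script below is an added example and is not from the thread or from WHMCS. It parses Apache "combined" format log lines; the log lines, hostnames and IPs in it are constructed for illustration.

```python
"""Added example (not from the thread): profile POSTs to register.php in an
Apache combined-format access log, grouping by User-Agent and counting the
distinct source IPs behind each. The log lines below are constructed."""
import re
from collections import defaultdict

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

BOT_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:127.0) "
          "Gecko/20100101 Firefox/127.0")
MAC_UA = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 "
          "(KHTML, like Gecko) Version/17.5 Safari/605.1.15")

# Constructed sample log: three registration POSTs from three different IPs
# sharing one UA, plus ordinary browsing and one legitimate-looking signup.
SAMPLE_LOG = f"""\
203.0.113.10 - - [02/Aug/2024:03:11:02 +0000] "POST /register.php HTTP/1.1" 302 0 "https://example.test/register.php" "{BOT_UA}"
198.51.100.77 - - [02/Aug/2024:03:11:09 +0000] "POST /register.php HTTP/1.1" 302 0 "https://example.test/register.php" "{BOT_UA}"
192.0.2.200 - - [02/Aug/2024:03:11:15 +0000] "POST /register.php HTTP/1.1" 302 0 "https://example.test/register.php" "{BOT_UA}"
203.0.113.10 - - [02/Aug/2024:03:12:40 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "{BOT_UA}"
192.0.2.44 - - [02/Aug/2024:08:02:51 +0000] "POST /register.php HTTP/1.1" 302 0 "https://example.test/register.php" "{MAC_UA}"
192.0.2.44 - - [02/Aug/2024:08:03:10 +0000] "GET /clientarea.php HTTP/1.1" 200 8801 "https://example.test/register.php" "{MAC_UA}"
"""


def parse(lines):
    """Yield one dict per well-formed log line; silently skip anything else."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def registration_profile(lines, path="/register.php"):
    """Return {user_agent: {"posts": n, "ips": {ip, ...}}} for POSTs to `path`."""
    profile = defaultdict(lambda: {"posts": 0, "ips": set()})
    for rec in parse(lines):
        if rec["method"] == "POST" and rec["path"].split("?")[0] == path:
            entry = profile[rec["ua"]]
            entry["posts"] += 1
            entry["ips"].add(rec["ip"])
    return dict(profile)


def suspicious_agents(profile, min_posts=3):
    """User-Agents whose registration POSTs each came from a different IP.
    Per-IP rate limiting never sees a repeat here, but the UA string is constant."""
    return sorted(ua for ua, e in profile.items()
                  if e["posts"] >= min_posts and len(e["ips"]) == e["posts"])


if __name__ == "__main__":
    prof = registration_profile(SAMPLE_LOG.splitlines())
    for ua, e in prof.items():
        print(f"{e['posts']:3d} POSTs from {len(e['ips'])} IPs  {ua[:60]}")
    print("suspicious:", suspicious_agents(prof))
```

Run it against a real log with `registration_profile(open("access.log"))`. A User-Agent that appears in `suspicious_agents` is a candidate for a temporary block like the one quoted above; a User-Agent that also carries plenty of normal GET traffic from the same IPs is probably a real browser population and needs a narrower rule.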
snake Posted August 2
1 hour ago, NetWise UK said:
> This is the only thing that worked for us. Not had a fake signup since implementing it.
This didn't work for me. I have, however, found this addon, which seems like it will solve the issue, since they use fake email addresses: https://marketplace.whmcs.com/product/6953-email-verifier
Mandalorian Posted August 2
5 hours ago, snake said:
> This didn't work for me. I have, however, found this addon, which seems like it will solve the issue, since they use fake email addresses: https://marketplace.whmcs.com/product/6953-email-verifier
I tried a similar addon, but the bots are still able to circumvent the verification and continue to make spam orders.
snake Posted August 3
So far, changing the custom field has worked: no more fake orders since I did that.
Mandalorian Posted August 3
1 hour ago, snake said:
> So far, changing the custom field has worked: no more fake orders since I did that.
Good for you. On our site, though, bots have broken the custom field barrier and are placing spammy orders nonstop. These bots must love WHMCS.
snake Posted August 3
1 hour ago, Mandalorian said:
> Good for you. On our site, though, bots have broken the custom field barrier and are placing spammy orders nonstop. These bots must love WHMCS.
Have you actually changed the custom field to a different question/answer, as I suggested above?
Mandalorian Posted August 3
6 minutes ago, snake said:
> Have you actually changed the custom field to a different question/answer, as I suggested above?
Sorry, I missed the "change" part. I think the bots will soon figure that change out too, just as they learned to get past the previous custom field and verification checks. WHMCS has got to sort the spam handling out in a better way.
bear Posted August 3
I can't help but wonder why they're expending this sort of energy when it's not getting them a hosting account, a domain or anything of actual value. I'd consider that there's another value in it: perhaps it's being manipulated into sending spam in some way, or it's just fishing for exploits (if that were the case, they could just grab a pirated version and use that to check for that possibility). What's in it for them?
If it was one attempt over many installs, fishing for exploits, maybe. One install with many attempts, which also includes manual intervention to manage the Q&A kludge, is a concerted effort on each installation, too much for simple nuisance activity. Something more is going on here.
Mandalorian Posted August 3
1 hour ago, bear said:
> I can't help but wonder why they're expending this sort of energy when it's not getting them a hosting account, a domain or anything of actual value. I'd consider that there's another value in it: perhaps it's being manipulated into sending spam in some way, or it's just fishing for exploits (if that were the case, they could just grab a pirated version and use that to check for that possibility). What's in it for them? If it was one attempt over many installs, fishing for exploits, maybe. One install with many attempts, which also includes manual intervention to manage the Q&A kludge, is a concerted effort on each installation, too much for simple nuisance activity. Something more is going on here.
Absolutely 💯
snake Posted August 3
3 hours ago, Mandalorian said:
> Sorry, I missed the "change" part. I think the bots will soon figure that change out too, just as they learned to get past the previous custom field and verification checks. WHMCS has got to sort the spam handling out in a better way.
If you're not using the exact same custom field as everyone else, and change it regularly, then you will keep them at bay until there
snake Posted August 3
1 hour ago, bear said:
> I can't help but wonder why they're expending this sort of energy when it's not getting them a hosting account, a domain or anything of actual value. I'd consider that there's another value in it: perhaps it's being manipulated into sending spam in some way, or it's just fishing for exploits (if that were the case, they could just grab a pirated version and use that to check for that possibility). What's in it for them? If it was one attempt over many installs, fishing for exploits, maybe. One install with many attempts, which also includes manual intervention to manage the Q&A kludge, is a concerted effort on each installation, too much for simple nuisance activity. Something more is going on here.
Someone is likely paying some crappy * centre in India to do this, and they are just hitting the same sites over and over again.
slim Posted August 3 (edited)
I agree that something more is going on. The password reset attempts after registration are concerning, but I also noticed this: I have two WHMCS installs (two brands). Brand A allows registrations without orders. Overnight it got about 15 registrations. Brand B doesn't, so each registration is accompanied by an order for a random domain. I changed the config on Brand A this morning to match Brand B, and within 10 minutes I had another fake order. So whatever is doing the orders is adaptive.
Edited August 3 by slim (corrected image)
Davidd Posted August 6
On 7/9/2024 at 2:22 AM, snake said:
> Is there any way to bulk delete all these fake accounts and associated users?
I was able to delete all fake clients through the tblaccounts table; however, all the fake users still remained.
shaqeel Posted August 6
Hi, we've been experiencing similar issues since July, but things have worsened in August. We're getting around 50 signups a day, and even when we pause signups, we're still receiving fake orders continuously. It definitely seems like there might be some suspicious bots trying to exploit the WHMCS code or something similar.
Richman Posted August 6
18 hours ago, Davidd said:
> I was able to delete all fake clients through the tblaccounts table; however, all the fake users still remained.
I was able to delete them, but manually, under Clients > View/Search Clients. Then you also need to delete them from the tblusers table.
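The two posts above describe the same gap: removing the client record leaves the WHMCS 8 user account (the login identity) behind, and the two are joined through a link table. The script below is an added example, not from the thread and not WHMCS code. It runs against an in-memory SQLite copy with constructed rows so it can be tried safely; the table and column names it uses (tblclients, tblusers, and tblusers_clients with auth_user_id and client_id) are an assumption about the WHMCS 8 schema and must be checked against your own database, with a backup taken, before any DELETE is run against production. It first lists the users that no longer link to any surviving client (dry run), and only removes link rows and user rows together in one transaction when asked to.

```python
"""Added example (not from the thread): after bulk-deleting spam client
records, find and remove tblusers rows that no longer link to any client.
Runs against an in-memory SQLite copy with constructed data. Table and
column names follow the WHMCS 8 layout as assumed by the author of this
example; verify them against your own schema before touching production."""
import sqlite3

# Assumed WHMCS 8 layout (simplified): a client, a user (login), and the
# link table joining them. Column names are an assumption.
SCHEMA = """
CREATE TABLE tblclients (id INTEGER PRIMARY KEY, email TEXT, datecreated TEXT);
CREATE TABLE tblusers   (id INTEGER PRIMARY KEY, email TEXT);
CREATE TABLE tblusers_clients (auth_user_id INTEGER, client_id INTEGER, owner INTEGER);
"""

# Constructed sample: client 1 is real; clients 2 and 3 were spam and have
# already been deleted, leaving users 20 and 30 and their link rows behind.
SAMPLE = """
INSERT INTO tblclients VALUES (1, 'real@example.test', '2023-01-05');
INSERT INTO tblusers   VALUES (10, 'real@example.test');
INSERT INTO tblusers   VALUES (20, 'x7q2@mail.example');
INSERT INTO tblusers   VALUES (30, 'k9z1@mail.example');
INSERT INTO tblusers_clients VALUES (10, 1, 1);
INSERT INTO tblusers_clients VALUES (20, 2, 1);
INSERT INTO tblusers_clients VALUES (30, 3, 1);
"""

# A user is orphaned when none of its link rows point at a client that still exists.
ORPHAN_USERS = """
SELECT u.id FROM tblusers u
WHERE NOT EXISTS (
    SELECT 1 FROM tblusers_clients uc
    JOIN tblclients c ON c.id = uc.client_id
    WHERE uc.auth_user_id = u.id)
ORDER BY u.id
"""


def open_sample():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE)
    return conn


def find_orphan_users(conn):
    """Return the ids of tblusers rows with no surviving client behind them."""
    return [row[0] for row in conn.execute(ORPHAN_USERS)]


def purge_orphans(conn, dry_run=True):
    """Remove orphaned users and their dangling link rows in one transaction.
    With dry_run=True nothing is changed; the ids that would go are returned."""
    user_ids = find_orphan_users(conn)
    if dry_run or not user_ids:
        return user_ids
    marks = ",".join("?" * len(user_ids))
    with conn:  # both deletes commit together, or neither does
        conn.execute(f"DELETE FROM tblusers_clients WHERE auth_user_id IN ({marks})", user_ids)
        conn.execute(f"DELETE FROM tblusers WHERE id IN ({marks})", user_ids)
    return user_ids


if __name__ == "__main__":
    db = open_sample()
    print("would delete users:", purge_orphans(db, dry_run=True))
    print("deleted users:", purge_orphans(db, dry_run=False))
    print("remaining users:", [r[0] for r in db.execute("SELECT id FROM tblusers")])
```

Against a real installation the same two SELECT/DELETE statements apply unchanged in MySQL once the schema is confirmed; run the dry run first and compare its count with the number of spam clients you removed.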
Collin Posted August 7
On 8/2/2024 at 7:55 AM, snake said:
> It seems problems like this could be mostly avoided if the email verification actually worked. Currently it does nothing; most customers just ignore it. New customers should be INACTIVE until they have verified their email address, and if they do not verify within x days, then the account gets auto-deleted. Being inactive until verified would also solve the issue with WHMCS auto-increasing your licence fee for fraudulent registrations.
Agree that this is the priority fix. Captcha isn't a one-step fix, as it can be bypassed. IP blocking... it comes from different IPs. What we need is forced, actual email verification. In order to join this community, I had to verify my email address and have my first posts manually moderated. WHMCS needs to have the same for registration. Actual email verification.
slim Posted August 9
On 8/7/2024 at 10:47 AM, Collin said:
> Actual email verification.
This isn't a great idea: it doesn't stop the problem of automated signups. I noticed this in my Google reCAPTCHA today: the yellow message is interesting, never seen that before!
Richman Posted August 9
4 hours ago, slim said:
> This isn't a great idea: it doesn't stop the problem of automated signups. I noticed this in my Google reCAPTCHA today: the yellow message is interesting, never seen that before!
Interesting.
UXmedia Posted August 9
Please FIX ASAP. Also, WHMCS, please provide a solution for deleting the over 800 spam accounts that have been created.
Richman Posted August 9
Someone proposed this:
https://www.cloudflare.com/products/turnstile/
https://github.com/hybula/whmcs-turnstile
But you have to be on Cloudflare nameservers. I have tried all the other options, and now I am switching to the Cloudflare one. For now the accounts have stopped; it's been an hour since switching.
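Whatever addon delivers the Turnstile widget, the part that actually stops an automated signup is the server-side check of the token the browser posts back. The block below is an added example, not from the thread and not the hybula addon's code (that addon is a PHP WHMCS hook; this is a language-neutral illustration of the checks it must perform). The siteverify endpoint, its request fields (secret, response, remoteip) and its response fields (success, challenge_ts, hostname, action, error-codes) are Cloudflare's documented API and the call is an ordinary HTTPS POST; the sample responses, hostnames and the dummy secret are constructed, and the HTTP transport is injectable so the logic runs offline. A useful detail for a practitioner: a siteverify "success" alone is not enough, because a token issued to a different hostname or for a different widget action still verifies, so the hostname, action and age are checked too, and the function fails closed if Cloudflare cannot be reached.

```python
"""Added example (not from the thread and not the hybula addon's code):
server-side validation of a Cloudflare Turnstile token. Endpoint and field
names are Cloudflare's documented siteverify API; the canned responses and
the dummy secret below are constructed so the checks run offline."""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

SITEVERIFY = "https://challenges.cloudflare.com/turnstile/v0/siteverify"
TOKEN_MAX_AGE = timedelta(seconds=300)  # Turnstile tokens are valid for 300 s


def siteverify_http(fields):
    """Real transport: POST the form fields to Cloudflare and parse the JSON body."""
    data = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(SITEVERIFY, data=data, timeout=5) as resp:
        return json.load(resp)


def verify_turnstile(token, secret, *, expected_hostname, expected_action=None,
                     remoteip=None, now=None, transport=siteverify_http):
    """Return (ok, reason). ok is True only if Cloudflare reports success AND the
    token was issued for our hostname (and action) AND it is still fresh."""
    if not token or len(token) > 2048:          # widget tokens are bounded in size
        return False, "missing or oversized token"
    fields = {"secret": secret, "response": token}
    if remoteip:
        fields["remoteip"] = remoteip
    try:
        result = transport(fields)
    except Exception as exc:                    # network failure: fail closed
        return False, f"siteverify unreachable: {exc.__class__.__name__}"
    if not result.get("success"):
        codes = result.get("error-codes") or ["unknown"]
        return False, "rejected: " + ",".join(codes)
    if result.get("hostname") != expected_hostname:
        return False, f"token issued for {result.get('hostname')!r}, not {expected_hostname!r}"
    if expected_action is not None and result.get("action") != expected_action:
        return False, f"token action {result.get('action')!r} != {expected_action!r}"
    # challenge_ts is ISO 8601 with a trailing Z; fromisoformat wants +00:00
    issued = datetime.fromisoformat(result["challenge_ts"].replace("Z", "+00:00"))
    now = now or datetime.now(timezone.utc)
    if not (timedelta(0) <= now - issued <= TOKEN_MAX_AGE):
        return False, "token too old or clock skew"
    return True, "ok"


def fake_cloudflare(responses):
    """Build a transport returning canned siteverify responses keyed by token."""
    def transport(fields):
        return responses[fields["response"]]
    return transport


# Constructed responses; the shape follows Cloudflare's siteverify documentation.
T0 = datetime(2024, 8, 9, 12, 0, 0, tzinfo=timezone.utc)
CANNED = fake_cloudflare({
    "good":   {"success": True,  "challenge_ts": "2024-08-09T11:59:30.000Z",
               "hostname": "billing.example.test", "action": "register", "error-codes": []},
    "stale":  {"success": True,  "challenge_ts": "2024-08-09T11:50:00.000Z",
               "hostname": "billing.example.test", "action": "register", "error-codes": []},
    "replay": {"success": False, "challenge_ts": "", "hostname": "",
               "error-codes": ["timeout-or-duplicate"]},
    "other":  {"success": True,  "challenge_ts": "2024-08-09T11:59:45.000Z",
               "hostname": "attacker.example", "action": "register", "error-codes": []},
})
DUMMY_SECRET = "0x0000000000000000000000000000000000000000"  # placeholder, not a real key


def check(token, action="register"):
    """Verify a token against the canned transport at fixed time T0."""
    return verify_turnstile(token, DUMMY_SECRET, expected_hostname="billing.example.test",
                            expected_action=action, now=T0, transport=CANNED)


if __name__ == "__main__":
    for t in ("good", "stale", "replay", "other", ""):
        print(repr(t), check(t))
```

In a real integration call `verify_turnstile` with the default transport, the token from the `cf-turnstile-response` form field, the client IP, and the hostname of the site the widget was rendered on; keep the secret out of the web root and out of version control.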