snake, posted July 8:

I have been getting hundreds of fake/spam orders over the last week, and this is taking up huge amounts of my time having to go through and delete all the fake users every day. If I don't do this and clean up all the fake user accounts, then it will affect my licence cost.

Before you say "just use fraud protection", that doesn't help with clients being created. Also no payment is ever attempted, the order is just left unpaid, so all I can do is block the order based on country mismatch. so auan again, still only cancels the order, but still leaves the fake account intact. I need to block the client account from even being created.

Blocking IPs doesn't help, as it's a different IP every time. I have blocked all relevant domains which were being used multiple times, but they are mostly using gmail.com, which I obviously cannot block, as it is used by real customers. I do use Cloudflare, so I could block other countries, but most of the IPs being used are from UK, so cannot block my own country.

So far every registration is using a US address and the order is for a single fake domain, with the exact same value. This is a UK business and we only deal with UK customers, so is there any way to block anyone trying to register with a non-UK address? Any other suggestions?

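One way to do what the opening post asks, rejecting client details whose submitted country is not the UK, is a WHMCS hook on ClientDetailsValidation. This is an added example, not code from any poster or from WHMCS; it assumes the form posts the country as "country" with the ISO code "GB", and the file name, function name and error text are hypothetical.

```php
<?php
// Added example, not WHMCS or forum code. Hypothetical file name:
// includes/hooks/uk_only_signup.php
// Assumption: the client details form posts the billing country as
// $vars['country'] using the ISO 3166-1 alpha-2 code ("GB" for the UK).

if (!defined('WHMCS')) {
    die('This file cannot be accessed directly');
}

const SIGNUP_ALLOWED_COUNTRIES = ['GB'];

/**
 * Returns a list of validation errors; an empty list lets the signup continue.
 */
function signupCountryErrors(array $vars): array
{
    // Keep letters only so the value is safe to write to the activity log.
    $country = preg_replace('/[^A-Z]/', '', strtoupper((string) ($vars['country'] ?? '')));

    // A missing or malformed country is rejected too (fail closed).
    if (in_array($country, SIGNUP_ALLOWED_COUNTRIES, true)) {
        return [];
    }

    // Record the rejection so the volume of blocked attempts stays visible.
    logActivity('Signup rejected: country "' . substr($country, 0, 2) . '" is not allowed');

    return ['Sorry, we can only accept customers with a UK address.'];
}

// ClientDetailsValidation runs when client details are validated; returning
// error strings stops the submission before the client record is saved.
add_hook('ClientDetailsValidation', 1, function ($vars) {
    return signupCountryErrors((array) $vars);
});
```

The check reads the address the submitter supplies, so it only filters the pattern described above (US addresses sent from UK IPs) and works alongside a CAPTCHA rather than replacing one.
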
Evolve Web Hosting, posted July 8:

@snake Did you see this post? Fortunately, I'm not experiencing this issue but I know a lot of others are.

alaistair, posted July 12:

We're getting exactly the same issue. Started beginning of July and around 50 orders a day with no payment. Same domains as 'snake' mentions above. Ideally I don't want an order or client being created if there is no payment made at the time. It takes a long time to go through and manually remove the spam clients.

I have "Allow Client Registration" disabled. All this did was make the spammers create fake orders instead of just fake client registrations. Literally another two have just come in as I type this...

snake (Author), posted July 16:

> On 7/12/2024 at 12:09 PM, alaistair said:
> We're getting exactly the same issue. Started beginning of July and around 50 orders a day with no payment. Same domains as 'snake' mentions above. Ideally I don't want an order or client being created if there is no payment made at the time. It takes a long time to go through and manually remove the spam clients. I have "Allow Client Registration" disabled. All this did was make the spammers create fake orders instead of just fake client registrations. Literally another two have just come in as I type this...

use the custom client field solution, it works.... I have had no more fake orders since.

Ramouz, posted August 4:

The same is happening to us but it's been a bit longer than July. We semi resolved it by adding a custom client field under Setup. The same one with "YES". However, they returned almost a month later, bypassing that one, so we changed the YES to another word. It seems we'll have to keep changing the word every few weeks.

WHMCS really lacks proper anti-spam (among other features). Google reCAPTCHA is active. And, "Allow Client Registration" doesn't work as they use fake payments/cards to go through checkout. We never would have thought it'd go this far.

Here's the worst part. We have 4 WHMCS installations for different hosting companies, and this is happening in 3 of them. Those 3 use older WHMCS versions. They're clearly targeting WHMCS but I wonder if it's because they're not up to date.

Richman, posted August 6:

I was having the same issue, getting more than 50 registrations daily. I upgraded to version 8.10.1 and it stopped.

Ramouz, posted August 6:

I wonder if bots discovered a vulnerability or if WHMCS is somehow doing this on purpose to force upgrade our grandfathered accounts.

bear, posted August 6:

> 52 minutes ago, Ramouz said:
> I wonder if bots discovered a vulnerability or if WHMCS is somehow doing this on purpose to force upgrade our grandfathered accounts.

#1 possible, #2 is kind of paranoid and very unlikely. What's a grandfathered account?

Ramouz, posted August 6:

> Just now, bear said:
> #1 possible, #2 is kind of paranoid and very unlikely. What's a grandfathered account?

Indeed, a bit paranoid on my end, but I don't trust large corporations at all and greedy owners. What I mean is us who have bought lifetime accounts in the past, with lifetime updates, from WHMCS, before they decided to break their promise and cancel lifetime updates. Those of us who don't need the latest versions of WHMCS, stick to versions below 8.4 (which also is affected by bots). One of our accounts uses 8.10.1 and that one isn't affected, so far. It's also a less popular website so unsure.

bear, posted August 6:

There were no lifetime updates, AFAIK. What you bought (as did I) was an owned license and a separate "support and maintenance" addon. There were no promises made about that, and they fooled a LOT of people with it.

Ramouz, posted August 6:

Sorry yes, that one. I had forgotten the details as it's been a while, and life got in the way :). I was happy with the 99 USD per year (I forget the exact cost). But, even that is expensive for a software like this with hardly any important updates, and lots of missing features. There are too many subscription services out there, so we must take decisions.

Nonetheless, I'm still wondering why we're being attacked by bots :(. reCAPTCHA doesn't seem to help. Only that custom field.

Richman, posted August 6:

> 31 minutes ago, Ramouz said:
> Sorry yes, that one. I had forgotten the details as it's been a while, and life got in the way :). I was happy with the 99 USD per year (I forget the exact cost). But, even that is expensive for a software like this with hardly any important updates, and lots of missing features. There are too many subscription services out there, so we must take decisions. Nonetheless, I'm still wondering why we're being attacked by bots :(. reCAPTCHA doesn't seem to help. Only that custom field.

After some hours of having updated, it seems they are back.

penguin, posted August 6:

We added Cloudflare Turnstile via a hook and it's completely stopped the registrations since.

Ramouz, posted August 8:

> On 8/6/2024 at 7:02 PM, penguin said:
> We added Cloudflare Turnstile via a hook and it's completely stopped the registrations since.

Thanks. I assume you're using this one? https://github.com/hybula/whmcs-turnstile Is it still working well?

penguin, posted August 8:

Yes, that's the one. Not a single issue since implementing it.

wintech2003, posted August 9:

> 19 hours ago, Ramouz said:
> Thanks. I assume you're using this one? https://github.com/hybula/whmcs-turnstile Is it still working well?

+1 We use this hook and the fake signups stopped immediately.

sahostking, posted August 15:

I assume Google Recaptcha 3 doesn't stop it? I noticed we're having the same issue now.

snake (Author), posted August 15:

> 12 minutes ago, sahostking said:
> I assume Google Recaptcha 3 doesn't stop it? I noticed we're having the same issue now.

Yes this has already been stated multiple times along with the solution, read previous posts.

Richman, posted August 15:

> On 8/9/2024 at 5:26 PM, wintech2003 said:
> +1 We use this hook and the fake signups stopped immediately.

YES

sahostking, posted August 15 (edited):

Ok thanks. I disabled Google Recaptcha integration under Security and enabled the Turnstile integration. Anyone know if this works with Lagom Theme? Let's see how it goes.

wsa, posted August 15:

> 5 hours ago, sahostking said:
> Anyone know if this works with Lagom Theme?

I think the best person to contact is RS Studio.

WHMCS John (WHMCS Support Manager), posted August 16:

> On 8/15/2024 at 3:00 PM, snake said:
> Yes this has already been stated multiple times along with the solution, read previous posts.

@snake @sahostking After applying the reCAPTCHA v3 hotfix for v8.10, make sure to generate new reCAPTCHA v3 keys on the Google reCAPTCHA site, and enter these into WHMCS. Old v2/invisible keys won't be effective when used with v3.

Then set the new reCAPTCHA Score Threshold setting (Configuration > System Settings > General Settings > Security tab). Google suggest a starting score of 0.5.

Submissions will start to be recorded on the Google reCAPTCHA site, alongside a score for each threshold. Use this information to adjust the reCAPTCHA Score Threshold setting as necessary to block automated submissions.

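What a score threshold like the one described above decides, and how recorded scores can inform the setting, shown as an added example. It is not WHMCS code: the response fields follow Google's siteverify JSON, while the function names, the action name "register", the candidate thresholds and every sample score are constructed for illustration.

```php
<?php
// Added example, not WHMCS code. All sample data below is constructed.

/** Decide on a decoded siteverify response (fields: success, score, action). */
function passesScoreThreshold(array $resp, float $threshold, string $expectedAction): bool
{
    if (empty($resp['success'])) {
        return false;   // token invalid, expired or already used
    }
    if (!isset($resp['score']) || !is_numeric($resp['score'])) {
        return false;   // no score in the response: treat as failed, never as passed
    }
    if (($resp['action'] ?? '') !== $expectedAction) {
        return false;   // token was issued for a different form
    }
    return (float) $resp['score'] >= $threshold;
}

/** For each candidate threshold, count blocked fake and blocked genuine submissions. */
function thresholdReport(array $samples, array $thresholds): array
{
    $report = [];
    foreach ($thresholds as $t) {
        $row = ['fake_blocked' => 0, 'genuine_blocked' => 0];
        foreach ($samples as [$score, $isFake]) {
            if ($score < $t) {
                $row[$isFake ? 'fake_blocked' : 'genuine_blocked']++;
            }
        }
        $report[(string) $t] = $row;
    }
    return $report;
}

// Constructed sample: [recorded score, operator judged the order fake]
$samples = [
    [0.1, true], [0.3, true], [0.3, true], [0.7, true],
    [0.4, false], [0.7, false], [0.9, false],
];

// Compare how many fake and genuine submissions each threshold would block.
print_r(thresholdReport($samples, [0.3, 0.5, 0.7]));

// "register" is a hypothetical action name.
$response = ['success' => true, 'score' => 0.3, 'action' => 'register'];
var_dump(passesScoreThreshold($response, 0.5, 'register'));
```
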
wintech2003, posted August 17:

> On 8/15/2024 at 5:43 PM, sahostking said:
> Anyone know if this works with Lagom Theme?

The original hook from Hybula does not work with Lagom2 out of the box, but I found this fork that works fine: https://github.com/themikeambrose/whmcs-turnstile-lagom2

Looper, posted October 4:

> On 8/17/2024 at 3:14 PM, wintech2003 said:
> The original hook from Hybula does not work with Lagom2 out of the box, but I found this fork that works fine: https://github.com/themikeambrose/whmcs-turnstile-lagom2

Does this still work with v8.10.1 with Lagom2?

Easy Green Hosting, posted October 4:

> On 7/16/2024 at 4:39 PM, snake said:
> use the custom client field solution, it works.... I have had no more fake orders since.

It worked for us as well. Thanks for the tip. We have every possible protection in place (firewall, WAF, anti-fraud software, reCAPTCHA, etc.), but only the custom field helped. Has anyone tried hCaptcha? Does it help?
