Magento Forums
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Fake Customer Account Registrations

‎03-23-2021 07:30 AM
‎03-23-2021 07:30 AM

Fake Customer Account Registrations

We are seeing a huge number of fake customer accounts being created on our Magento 2.4.2 sites.

 

We tried these solutions:

  1. Enabled Google reCaptcha per the docs: https://docs.magento.com/user-guide/stores/security-google-recaptcha.html#step-3-configure-google-re...- we've had it enabled since day one.
  2. IP block - we have attempted to IP and country block at the server firewall level. It has not helped. We found several sources of malicious traffic, but blocking them have not fixed the issue.
  3. Restrict character limit for customer fields such as name - this does not apply. Fake accounts are using 8-12 random characters, so reducing the 255 limit will not help.

We believe the issue might be coming from Magento's API and not the create account form.

 

Reading this doc page: https://devdocs.magento.com/guides/v2.4/rest/protected-endpoints.html - it says: "Go to Stores > Configuration > Customers > Customer Configuration > CAPTCHA > Forms to enable or disable CAPTCHA on these forms"

 

Doing this adds BOTH Google reCaptcha and Magento Captcha to the account creation form. We'd prefer to use reCaptcha since it's easier and more familiar to customers. We temporarily enabled Magento Captcha, but it did not help anyway. 

 

We also attempted to IP block, but magento documentations says this: "The following APIs remain accessible to anonymous users. Most of these must remain accessible to support the checkout and add-to-cart Ajax functionalities."

https://devdocs.magento.com/guides/v2.4/rest/anonymous-api-security.html

 

Assuming of course that our issue is related to the API, how do we prevent unwanted/fake customer registration without breaking the checkout and add-to-cart functionality?

0 Kudos
4 REPLIES 4
‎03-23-2021 09:22 AM
‎03-23-2021 09:22 AM

Re: Customer Account Registration Spam

Please read my original post rather than posting the same generic responses that can be found elsewhere.

 

1. I already state recaptcha is enable

2. IP blocking as been attempted

3. Changing email settings is not going to stop the creation of an account in the first place

4. The 255 character limit does not apply in this case, so it's not helpful, per my original post.

5. Adding a form key might be useful, but again, per my original post, I think this might be happening because of the Magento API allowing anonymous API usage for the /v1/customer endpoint. How would a form key help with this? 

‎04-04-2021 12:15 AM
‎04-04-2021 12:15 AM

Re: Customer Account Registration Spam

Ugh. Thwarting spam attacks is like whack-a-mole. I had a similar issue with some hackers using my site to run hundreds of card reading transactions (testing if a credit card number is valid).

 

They took advantage of the ability to post REST API calls to Magento. In your case, they were probably using calls referenced in this document - https://magento.redoc.ly/2.4.2-customer/tag/customers.

 

To address your issue, I currently use reCAPTCHA v3 and have it setup like this:

 

Go to Store => Configuration => Security => Google reCAPTCHA Storefront

 

reCAPTCHA v3 Invisible
- Minimum Score Threshold: 0.5 (Try it with this value and decrease if you are still seeing fake accounts being created)
- Invisible Badge Position: Inline

Storefront
- Enable for Forgot Password: reCAPTCHA V3 Invisible
- Enable for Create New Customer Account: reCAPTCHA V3 Invisible
- Enable for Contact Us: reCAPTCHA V3 Invisible

 

I also use Cloudflare as a WAF (Web Application Firewall). It does add some complexity (and cost) to your stack, but it's worth the effort / cost. You can block countries and specify more granular restrictions such as a specific path. Additionally, Cloudflare acts as a CDN so your pages will load very fast on your customers' devices.

 

If you don't have a WAF, I would recommend you look into Cloudflare or Sucuri.

 

After implementing above changes, I haven't seen any fake accounts and card reading attacks in months.

 

 

0 Kudos
‎11-16-2022 04:53 AM
‎11-16-2022 04:53 AM

Re: Customer Account Registration Spam

This is an internal problem with Magento and no modules will fix this. We have proved it - Totally clean server and Magento installation was spun up on a Dev server to the latest version.

 

Secondly, the entire system is sandboxed and closed to the outside world and yet...new spam accounts are created.

 

This suggests that Magento Core is compromised in some way.

How can this be!?!

0 Kudos
‎01-16-2024 05:46 AM
‎01-16-2024 05:46 AM

Re: Customer Account Registration Spam

Well, it seems like you've tried some solid solutions, but the issue might indeed be lurking in Magento's API.I'd recommend checking out some expert forums or getting in touch with Magento support directly. They might have insights or patches that can help prevent those unwanted registrations without messing up your checkout and add-to-cart functions.Oh, and while you're at it, you can also explore IP Stresser & IP Booter services if you suspect malicious sources. Just be cautious not to disrupt legitimate users in the process.

0 Kudos