We are seeing a huge number of fake customer accounts being created on our Magento 2.4.2 sites.
We tried these solutions:
We believe the issue might be coming from Magento's API and not the create account form.
Reading this doc page: https://devdocs.magento.com/guides/v2.4/rest/protected-endpoints.html - it says: "Go to Stores > Configuration > Customers > Customer Configuration > CAPTCHA > Forms to enable or disable CAPTCHA on these forms"
Doing this adds BOTH Google reCaptcha and Magento Captcha to the account creation form. We'd prefer to use reCaptcha since it's easier and more familiar to customers. We temporarily enabled Magento Captcha, but it did not help anyway.
We also attempted to IP block, but magento documentations says this: "The following APIs remain accessible to anonymous users. Most of these must remain accessible to support the checkout and add-to-cart Ajax functionalities."
Assuming of course that our issue is related to the API, how do we prevent unwanted/fake customer registration without breaking the checkout and add-to-cart functionality?
Please read my original post rather than posting the same generic responses that can be found elsewhere.
1. I already state recaptcha is enable
2. IP blocking as been attempted
3. Changing email settings is not going to stop the creation of an account in the first place
4. The 255 character limit does not apply in this case, so it's not helpful, per my original post.
5. Adding a form key might be useful, but again, per my original post, I think this might be happening because of the Magento API allowing anonymous API usage for the /v1/customer endpoint. How would a form key help with this?
Ugh. Thwarting spam attacks is like whack-a-mole. I had a similar issue with some hackers using my site to run hundreds of card reading transactions (testing if a credit card number is valid).
They took advantage of the ability to post REST API calls to Magento. In your case, they were probably using calls referenced in this document - https://magento.redoc.ly/2.4.2-customer/tag/customers.
To address your issue, I currently use reCAPTCHA v3 and have it setup like this:
Go to Store => Configuration => Security => Google reCAPTCHA Storefront
reCAPTCHA v3 Invisible
- Minimum Score Threshold: 0.5 (Try it with this value and decrease if you are still seeing fake accounts being created)
- Invisible Badge Position: Inline
- Enable for Forgot Password: reCAPTCHA V3 Invisible
- Enable for Create New Customer Account: reCAPTCHA V3 Invisible
- Enable for Contact Us: reCAPTCHA V3 Invisible
I also use Cloudflare as a WAF (Web Application Firewall). It does add some complexity (and cost) to your stack, but it's worth the effort / cost. You can block countries and specify more granular restrictions such as a specific path. Additionally, Cloudflare acts as a CDN so your pages will load very fast on your customers' devices.
If you don't have a WAF, I would recommend you look into Cloudflare or Sucuri.
After implementing above changes, I haven't seen any fake accounts and card reading attacks in months.
This is an internal problem with Magento and no modules will fix this. We have proved it - Totally clean server and Magento installation was spun up on a Dev server to the latest version.
Secondly, the entire system is sandboxed and closed to the outside world and yet...new spam accounts are created.
This suggests that Magento Core is compromised in some way.
How can this be!?!