
Fake Customer Account Registrations


We are seeing a huge number of fake customer accounts being created on our Magento 2.4.2 sites.

 

We tried these solutions:

  1. Enabled Google reCaptcha per the docs (https://docs.magento.com/user-guide/stores/security-google-recaptcha.html#step-3-configure-google-re...) - we've had it enabled since day one.
  2. IP block - we have attempted to IP and country block at the server firewall level. It has not helped. We found several sources of malicious traffic, but blocking them has not fixed the issue.
  3. Restrict character limit for customer fields such as name - this does not apply. Fake accounts are using 8-12 random characters, so reducing the 255 limit will not help.

We believe the issue might be coming from Magento's API and not the create account form.

 

Reading this doc page: https://devdocs.magento.com/guides/v2.4/rest/protected-endpoints.html - it says: "Go to Stores > Configuration > Customers > Customer Configuration > CAPTCHA > Forms to enable or disable CAPTCHA on these forms"

 

Doing this adds BOTH Google reCaptcha and Magento Captcha to the account creation form. We'd prefer to use reCaptcha since it's easier and more familiar to customers. We temporarily enabled Magento Captcha, but it did not help anyway. 

 

We also attempted to IP block, but the Magento documentation says this: "The following APIs remain accessible to anonymous users. Most of these must remain accessible to support the checkout and add-to-cart Ajax functionalities."

https://devdocs.magento.com/guides/v2.4/rest/anonymous-api-security.html

 

Assuming of course that our issue is related to the API, how do we prevent unwanted/fake customer registration without breaking the checkout and add-to-cart functionality?
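The question above rests on a hypothesis (registrations arrive through the anonymous REST endpoint rather than the storefront form) that the web server access log can confirm or refute before any more countermeasures are tried. The following is an added example, not code from the thread or from Magento: it parses Apache/nginx "combined" format log lines, separates POSTs to the storefront registration controller (/customer/account/createpost/) from POSTs to the anonymous customer-creation endpoint (/rest/V1/customers, optionally with a store-code segment), and tallies the API hits per source IP and user agent. The log lines in SAMPLE_LOG are constructed for the example; the field layout, the threshold and the function names are assumptions, and the two paths are the standard Magento 2 entry points named in the thread.

```python
import re
from collections import Counter

# Constructed sample access-log lines in Apache/nginx "combined" format; not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [12/May/2021:10:01:02 +0000] "POST /customer/account/createpost/ HTTP/1.1" 302 0 "https://shop.example/customer/account/create/" "Mozilla/5.0 (Windows NT 10.0) Firefox/88.0"
198.51.100.7 - - [12/May/2021:10:01:05 +0000] "POST /rest/V1/customers HTTP/1.1" 200 412 "-" "python-requests/2.25.1"
198.51.100.7 - - [12/May/2021:10:01:06 +0000] "POST /rest/V1/customers HTTP/1.1" 200 410 "-" "python-requests/2.25.1"
198.51.100.7 - - [12/May/2021:10:01:07 +0000] "POST /rest/V1/customers HTTP/1.1" 200 415 "-" "python-requests/2.25.1"
198.51.100.8 - - [12/May/2021:10:01:09 +0000] "POST /rest/V1/customers HTTP/1.1" 200 409 "-" "curl/7.68.0"
203.0.113.11 - - [12/May/2021:10:02:30 +0000] "POST /rest/V1/guest-carts/abc123/items HTTP/1.1" 200 300 "https://shop.example/" "Mozilla/5.0 (Macintosh) Safari/605.1.15"
203.0.113.12 - - [12/May/2021:10:03:00 +0000] "GET /customer/account/create/ HTTP/1.1" 200 18234 "-" "Mozilla/5.0 (X11; Linux) Chrome/90.0"
"""

# One "combined" log line: ip ident user [timestamp] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Storefront registration form posts to the CreatePost controller (protected by reCAPTCHA on the form).
FORM_PATH = "/customer/account/createpost/"
# Anonymous REST endpoint for creating a customer; an optional store code may precede V1 (e.g. /rest/default/V1/customers).
API_PATH_RE = re.compile(r"^/rest/(?:[^/]+/)?V1/customers/?$")


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return 'form', 'api', or None depending on which registration channel the request used."""
    if entry["method"] != "POST":
        return None
    path = entry["path"].split("?", 1)[0]  # ignore any query string
    if path == FORM_PATH:
        return "form"
    if API_PATH_RE.match(path):
        return "api"
    return None


def summarize(log_text):
    """Count registration POSTs per channel and, for the API channel, per (ip, user-agent) pair."""
    counts = Counter()
    api_sources = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        channel = classify(entry)
        if channel is None:
            continue
        counts[channel] += 1
        if channel == "api":
            api_sources[(entry["ip"], entry["ua"])] += 1
    return {"form": counts["form"], "api": counts["api"], "api_sources": api_sources}


def noisy_api_sources(summary, threshold=3):
    """(ip, user-agent) pairs that hit the anonymous customers endpoint at least `threshold` times."""
    return [src for src, n in summary["api_sources"].most_common() if n >= threshold]


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"form registrations: {s['form']}, API registrations: {s['api']}")
    for (ip, ua), n in s["api_sources"].most_common():
        print(f"  {n:3d}  {ip:15s}  {ua}")
```

If the API column dominates and the top sources are non-browser user agents, the fake accounts are bypassing the storefront form entirely, so form-level measures (reCAPTCHA on the create-account form, hidden form tokens, field length limits) cannot reach them; that is the condition under which a WAF rule scoped to the REST path, as the last reply suggests, becomes the relevant control. Run it against a real log with `summarize(open("access.log").read())`.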

3 REPLIES

Re: Customer Account Registration Spam

Spamming is usually known as the act of supplying inapplicable information with the help of automated software. Most of the bots use tools like 'curl' and 'postman'. More advanced bots are capable of doing their job without needing to bypass the code on a website.

The fake accounts are very easy to spot: they contain advertising text and links in the name and address details, with the hope that the email address they enter will then give visibility to their links.

There are some solutions you can implement to prevent spam account registration in Magento2.

1. Enable Magento captcha from store configuration

Magento 2 provides facility to enable Captcha in some default Magento forms.

You can find the following setting: Stores -> Configuration -> Customers -> Customer Configuration -> CAPTCHA -> Forms.

Here you can select forms where you want to enable captcha.

2. Pass an encrypted string in a .phtml file

<vendor>/<theme>/Magento_Customer/view/frontend/templates/form/register.phtml

Create a hidden form field. Then bind encrypted string with form key in hidden element and then check field value in a controller.

For example:

<!-- $FormKey is assumed to be a Magento\Framework\Data\Form\FormKey instance available to the template -->
<input name="form_key_hidden" type="hidden" value="<?php echo $FormKey->getFormKey() . '259a8240fba23e82626efdc9eaa0c483'; ?>" />
 

In the Magento\Customer\Controller\Account\CreatePost.php controller file, add a condition at the start of the execute() function.

// Read the hidden field from the request ($require in the original was a typo for the request object)
$customFormKey = $this->getRequest()->getParam('form_key_hidden');
// Rebuild the expected value: current form key plus the fixed secret suffix
$expected = $this->_objectManager->get(\Magento\Framework\Data\Form\FormKey::class)->getFormKey()
    . '259a8240fba23e82626efdc9eaa0c483';
if ($customFormKey === $expected) {
    //
    // default code
    //
}
 

3. Enable the confirmation email

Enable the email confirmation : System > Configuration > Customer Configuration > Require Emails Confirmation > Yes.

4. Update field limitation rules from the database

Directly in the customer_eav_attribute table, update the rows with attribute_id=5 [firstname] and attribute_id=7 [lastname] and replace 255 with 25.

Change the code

a:2:{s:15:"max_text_length";i:255;s:15:"min_text_length";i:1;} // before update or by default

To

a:2:{s:15:"max_text_length";i:25;s:15:"min_text_length";i:1;} // after change

        

5. Add Google CAPTCHA

Magento provides CAPTCHA for a limited set of forms; for a custom form you either need to write custom code for Magento CAPTCHA or add Google CAPTCHA. Google CAPTCHA is one of the best ways to prevent spam.

6. Block the IP address

If the bot keeps running from the same IP, block that IP in your .htaccess file.

Deny from 000.000.00.111
 
 

All the above solutions are useful for protecting not only the registration form but also other forms like contact us, newsletter registration and any custom forms. Hope this note is helpful to you.

Re: Customer Account Registration Spam

Please read my original post rather than posting the same generic responses that can be found elsewhere.

 

1. I already stated reCAPTCHA is enabled

2. IP blocking has been attempted

3. Changing email settings is not going to stop the creation of an account in the first place

4. The 255 character limit does not apply in this case, so it's not helpful, per my original post.

5. Adding a form key might be useful, but again, per my original post, I think this might be happening because of the Magento API allowing anonymous API usage for the /v1/customer endpoint. How would a form key help with this? 

Re: Customer Account Registration Spam

Ugh. Thwarting spam attacks is like whack-a-mole. I had a similar issue with some hackers using my site to run hundreds of card reading transactions (testing if a credit card number is valid).

 

They took advantage of the ability to post REST API calls to Magento. In your case, they were probably using calls referenced in this document - https://magento.redoc.ly/2.4.2-customer/tag/customers.

 

To address your issue, I currently use reCAPTCHA v3 and have it set up like this:

 

Go to Store => Configuration => Security => Google reCAPTCHA Storefront

 

reCAPTCHA v3 Invisible
- Minimum Score Threshold: 0.5 (Try it with this value and decrease if you are still seeing fake accounts being created)
- Invisible Badge Position: Inline

Storefront
- Enable for Forgot Password: reCAPTCHA V3 Invisible
- Enable for Create New Customer Account: reCAPTCHA V3 Invisible
- Enable for Contact Us: reCAPTCHA V3 Invisible

 

I also use Cloudflare as a WAF (Web Application Firewall). It does add some complexity (and cost) to your stack, but it's worth the effort / cost. You can block countries and specify more granular restrictions such as a specific path. Additionally, Cloudflare acts as a CDN so your pages will load very fast on your customers' devices.

 

If you don't have a WAF, I would recommend you look into Cloudflare or Sucuri.

 

After implementing the above changes, I haven't seen any fake accounts or card-testing attacks in months.