Online stores are often targeted by attackers who create fake customer accounts and use them to send spam to email addresses of their choosing. The targeted addresses are not associated with the merchant store. In fact, the attack requires that the recipient of the phishing email not already have an account on the store, because an existing account would prevent the attacker from registering a fake account with that address.
This post describes a best practice for reducing store vulnerability to this type of exploit.
Attackers try to abuse Magento stores by creating fake user accounts, associating each new account with a victim's email address, and then using the store to spam those addresses. The registration email template inserts the submitted user name into the Name field without sanitizing it, so the attacker supplies the spam message and link as the "name". The store then sends its own account email, which now carries the spam message and link, to the email address associated with the new user.
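To make the mechanism concrete from the defender's side, here is an added example (not code from the original post or from Magento) that screens submitted registration names for the payload shape described above, namely a URL or markup where a person's name should be, and shows the name being HTML-escaped before it is rendered into a template. The length limit, the regular expressions and the sample registrations are all constructed for this illustration and are not Magento's own rules.

```python
import html
import re
from dataclasses import dataclass
from typing import Dict, List

# Patterns that do not belong in a person's name but are typical of the
# spam payload described in the text: URLs, bare domains, and HTML markup.
# These patterns are assumptions for this example, not Magento's validation.
URL_RE = re.compile(r"(https?://|www\.|[a-z0-9-]+\.(com|net|org|ru|info|xyz)\b)", re.I)
MARKUP_RE = re.compile(r"[<>]")
MAX_NAME_LEN = 50  # assumed store policy for this example


@dataclass
class Registration:
    """One account-creation request, as the storefront would receive it."""
    email: str
    firstname: str
    lastname: str


def name_violations(name: str) -> List[str]:
    """Return the reasons a submitted name should be rejected (empty list = OK)."""
    reasons = []
    if len(name) > MAX_NAME_LEN:
        reasons.append("too long")
    if URL_RE.search(name):
        reasons.append("contains URL or domain")
    if MARKUP_RE.search(name):
        reasons.append("contains markup characters")
    if "\n" in name or "\r" in name:
        reasons.append("contains line break")
    return reasons


def screen_registration(reg: Registration) -> List[str]:
    """Check both name fields and report each violation with its field name."""
    violations = []
    for field in ("firstname", "lastname"):
        for reason in name_violations(getattr(reg, field)):
            violations.append(f"{field}: {reason}")
    return violations


def render_welcome(reg: Registration) -> str:
    """Template fragment with the name HTML-escaped before insertion,
    so a markup payload is shown literally instead of becoming a link."""
    first = html.escape(reg.firstname)
    last = html.escape(reg.lastname)
    return f"<p>Welcome, {first} {last}!</p>"


# Constructed sample registrations: one legitimate, two carrying spam payloads
# in the first-name field (addresses use the reserved example.net domain).
SAMPLE = [
    Registration("victim@example.net", "Alice", "Smith"),
    Registration("victim2@example.net", "Your order is ready at http://bad.example/claim", "now"),
    Registration("victim3@example.net", '<a href="http://bad.example">Click</a>', "Smith"),
]


def screen_all(regs: List[Registration]) -> Dict[str, List[str]]:
    """Map each registration's email to the list of violations found."""
    return {r.email: screen_registration(r) for r in regs}


if __name__ == "__main__":
    for email, problems in screen_all(SAMPLE).items():
        print(email, "->", problems or "ok")
    print(render_welcome(SAMPLE[2]))
```

Screening at registration time stops the spam message from ever being stored, while escaping at render time makes sure that whatever does get through cannot become clickable markup in the outgoing email; reCAPTCHA, covered next, addresses the automated account creation itself.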
Protect your store
Merchants can protect their stores from this type of attack by installing and deploying the Google reCAPTCHA extension. Google reCAPTCHA provides a greater level of security for both the storefront and Admin UI than is available with standard CAPTCHA.
Install Google reCAPTCHA
The Google reCAPTCHA extension is bundled with and installed by Magento Open Source and Magento Commerce 2.3.x. However, it is not active until you generate Google reCAPTCHA keys and configure the feature.