Online stores are often targeted by attackers who create false user accounts and use them to spam email accounts. Note that the targeted email accounts are not associated with the merchant store. In fact, this attack requires that the victim of the phishing email not have an account on the merchant store, because an existing account would prevent the attacker from registering the fake account.
This post describes a best practice for reducing store vulnerability to this type of exploit.
Attackers try to compromise Magento stores by creating false user accounts, associating each new account with an email address, and then spamming those email accounts. These emails use a template that inserts a false user name in the Name field without sanitizing it. The system then sends these emails, which contain the spam message and link, to the email account that is associated with the new user.
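The pattern described above leaves a trace in the customer table: name fields that hold message text or links instead of names. The following is an added example, not part of the original post or of Magento's code, showing one way to audit exported customer records for it. The `firstname`/`lastname` keys, the length limit, and the patterns are assumptions chosen for illustration.

```python
import re
import unicodedata

# Thresholds and patterns below are assumptions for this example, not Magento settings.
MAX_NAME_LEN = 40
LINK_RE = re.compile(r"https?://|www\.|[a-z0-9-]+\.[a-z]{2,}/", re.IGNORECASE)
MARKUP_RE = re.compile(r"[<>\[\]{}]")


def name_findings(value):
    """Return the reasons a name-field value looks like message content, not a name."""
    # NFKC folds look-alike forms (e.g. full-width letters) before matching.
    text = unicodedata.normalize("NFKC", value or "")
    reasons = []
    if len(text) > MAX_NAME_LEN:
        reasons.append("too_long")
    if LINK_RE.search(text):
        reasons.append("contains_link")
    if MARKUP_RE.search(text):
        reasons.append("contains_markup")
    if any(unicodedata.category(ch) == "Cc" for ch in text):
        reasons.append("control_chars")
    return reasons


def audit(customers, fields=("firstname", "lastname")):
    """Map customer id -> sorted reasons for every record with a suspicious name field."""
    flagged = {}
    for row in customers:
        reasons = set()
        for field in fields:
            reasons.update(name_findings(row.get(field)))
        if reasons:
            flagged[row["id"]] = sorted(reasons)
    return flagged


# Constructed sample rows; keys mirror a hypothetical customer export.
SAMPLE_CUSTOMERS = [
    {"id": 1, "firstname": "Anne-Marie", "lastname": "O'Neil"},
    {"id": 2, "firstname": "Claim your prize at http://spam.example/win today", "lastname": "x"},
    {"id": 3, "firstname": "Visit www.spam.example", "lastname": "now"},
    {"id": 4, "firstname": "José", "lastname": "García Márquez"},
    {"id": 5, "firstname": "J. R. R.", "lastname": "Tolkien"},
]

if __name__ == "__main__":
    for cid, why in audit(SAMPLE_CUSTOMERS).items():
        print(cid, ", ".join(why))
```

Flagged records are candidates for manual review rather than automatic deletion, since the heuristics can misfire on unusual but legitimate names.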
Merchants can protect their stores from this type of attack by installing and deploying the Google reCAPTCHA extension. Google reCAPTCHA provides a greater level of security for both the storefront and Admin UI than is available with standard CAPTCHA.
The Google reCAPTCHA extension is bundled and installed with Magento Open Source and Magento Commerce 2.3.x. However, you must enable this feature by generating Google reCAPTCHA keys and configuring this feature.
See for information about generating keys and enabling this feature in Magento 2.3.x.
The Google extension is bundled and installed with Magento Open Source and Magento Commerce 2.2.9. These topics contain more information on the v2.2.9 implementation:
Magento Open Source 2.2.x reCAPTCHA
For Magento Open Source and Magento Commerce v2.2.8 and earlier, follow the instructions in Magento DevDocs to install and troubleshoot the extension. At this time, Google reCAPTCHA can be installed only from the command line and may require developer assistance.
Magento Commerce customers can contact Magento Support at Help Center.
Yes, agree with your post - including Captcha in each of your forms will decrease the chances of spam attacks and phishing attempts. Nicely explained
Yep, We can secure our website and spam attacks using the Captcha code functionality.
Good Explanation @jeanne_frontain