• Resolved dominic_ks

    (@dominic_ks)


    Hello,

    I’m logging this issue here in the first instance; though there are potentially a number of Woo plugins involved, I think that this plugin is allowing this to happen.

    I have been battling on a client’s website for some weeks now, against a person or persons who are placing bad orders on the website. The result of these is many failed orders, where the payment has failed with PayPal.

    We have done a lot to try and put a stop to these, but they still come through, including:

    • Using the official reCaptcha for WooCommerce plugin
    • Using Cloudflare to block all traffic outside the UK except for Cloudflare’s “good bot” list
    • Added custom code, using the woocommerce_after_checkout_validation and woocommerce_checkout_create_order hooks, that blocks order creation for any order where:
      • The supplied phone number is not a UK number (100% of these orders have bad numbers)
      • The order has no source (100% of these orders have no source and listed as source “unknown”)

    Despite these measures, the orders continue. Here is some info from the access logs for one that was placed today, which I believe demonstrates somewhat the process they are using here. I haven’t gone as far as following these steps myself, but this is the common pattern:

    5.187.21.98 - - [02/Jan/2025:13:42:53 +0000] "GET /wp-json/wc/store/products?stock_status=instock&order=asc&orderby=price&min_price=1&max_price=5000&type=simple&page=1&per_page=100 HTTP/1.1" 200 14142 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML like Gecko) Chrome/126.0.0.0 Safari/537.36"
    5.187.21.98 - - [02/Jan/2025:13:42:55 +0000] "GET /wp-json/wc/store/cart HTTP/1.1" 200 503 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML like Gecko) Chrome/126.0.0.0 Safari/537.36"
    5.187.21.98 - - [02/Jan/2025:13:42:56 +0000] "POST /wp-json/wc/store/cart/add-item HTTP/1.1" 201 1247 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML like Gecko) Chrome/126.0.0.0 Safari/537.36"
    5.187.21.98 - - [02/Jan/2025:13:42:57 +0000] "POST /wp-json/wc/store/cart/update-customer HTTP/1.1" 200 1478 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML like Gecko) Chrome/126.0.0.0 Safari/537.36"
    5.187.21.98 - - [02/Jan/2025:13:42:58 +0000] "POST /wp-json/wc/store/cart/select-shipping-rate HTTP/1.1" 200 1472 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML like Gecko) Chrome/126.0.0.0 Safari/537.36"
    5.187.21.98 - - [02/Jan/2025:13:43:00 +0000] "GET /checkout/ HTTP/1.1" 200 28037 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML like Gecko) Chrome/126.0.0.0 Safari/537.36"
    5.187.21.98 - - [02/Jan/2025:13:43:01 +0000] "POST /?wc-ajax=ppc-data-client-id HTTP/1.1" 200 420 "https://www.example.co.uk/checkout/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML like Gecko) Chrome/126.0.0.0 Safari/537.36"
    5.187.21.98 - - [02/Jan/2025:13:43:03 +0000] "POST /?wc-ajax=ppc-create-order HTTP/1.1" 200 94 "https://www.example.co.uk/checkout/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML like Gecko) Chrome/126.0.0.0 Safari/537.36"
    5.187.21.98 - - [02/Jan/2025:13:43:05 +0000] "POST /?wc-ajax=ppc-approve-order HTTP/1.1" 200 20 "https://www.example.co.uk/checkout/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML like Gecko) Chrome/126.0.0.0 Safari/537.36"
    5.187.21.98 - - [02/Jan/2025:13:43:06 +0000] "POST /wp-json/wc/store/checkout HTTP/1.1" 400 494 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML like Gecko) Chrome/126.0.0.0 Safari/537.36"

    The reason I believe that this plugin is the primary contributor is that I’ve reviewed the methods triggered by ?wc-ajax=ppc-create-order and ?wc-ajax=ppc-approve-order, and they don’t appear to offer any opportunity to prevent an order from being placed, i.e. woocommerce_after_checkout_validation and woocommerce_checkout_create_order are not called, and as it happens it looks like they don’t validate the reCaptcha either.

    Any guidance here will be much appreciated.
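
The sequence in the post is a fingerprint that can be checked mechanically: Store API cart and checkout calls arriving with no Referer, then ppc-create-order and ppc-approve-order, then the Store API checkout route answering 4xx, all from one IP within seconds. The script below is an added example (not code from the post or from the plugin) that parses combined-format access-log lines, sorts each IP's requests by timestamp, and reports IPs matching that sequence. The log lines inside it are constructed to mirror the pattern above with the post's placeholder IP and host; the second IP is a made-up legitimate shopper for contrast. Run it with `php detect.php`.

```php
<?php
// Added example, not part of the forum post or of WooCommerce PayPal Payments.
// Flags, per client IP, the Store API + PayPal sequence described in the post.
declare(strict_types=1);

// Constructed sample, deliberately out of timestamp order (so was the post's paste).
const SAMPLE_LOG = <<<'LOG'
5.187.21.98 - - [02/Jan/2025:13:42:53 +0000] "GET /wp-json/wc/store/products?stock_status=instock&per_page=100 HTTP/1.1" 200 14142 "-" "Mozilla/5.0"
5.187.21.98 - - [02/Jan/2025:13:42:57 +0000] "POST /wp-json/wc/store/cart/update-customer HTTP/1.1" 200 1478 "-" "Mozilla/5.0"
5.187.21.98 - - [02/Jan/2025:13:43:01 +0000] "POST /?wc-ajax=ppc-data-client-id HTTP/1.1" 200 420 "https://www.example.co.uk/checkout/" "Mozilla/5.0"
5.187.21.98 - - [02/Jan/2025:13:42:55 +0000] "GET /wp-json/wc/store/cart HTTP/1.1" 200 503 "-" "Mozilla/5.0"
5.187.21.98 - - [02/Jan/2025:13:42:56 +0000] "POST /wp-json/wc/store/cart/add-item HTTP/1.1" 201 1247 "-" "Mozilla/5.0"
5.187.21.98 - - [02/Jan/2025:13:43:03 +0000] "POST /?wc-ajax=ppc-create-order HTTP/1.1" 200 94 "https://www.example.co.uk/checkout/" "Mozilla/5.0"
5.187.21.98 - - [02/Jan/2025:13:43:05 +0000] "POST /?wc-ajax=ppc-approve-order HTTP/1.1" 200 20 "https://www.example.co.uk/checkout/" "Mozilla/5.0"
5.187.21.98 - - [02/Jan/2025:13:43:06 +0000] "POST /wp-json/wc/store/checkout HTTP/1.1" 400 494 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Jan/2025:13:50:00 +0000] "GET /checkout/ HTTP/1.1" 200 28037 "https://www.example.co.uk/cart/" "Mozilla/5.0"
203.0.113.7 - - [02/Jan/2025:13:50:20 +0000] "POST /wp-json/wc/store/checkout HTTP/1.1" 200 2100 "https://www.example.co.uk/checkout/" "Mozilla/5.0"
LOG;

/** Parse one combined-format line; null if it does not match. */
function parse_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    $ts = DateTime::createFromFormat('d/M/Y:H:i:s O', $m[2]);
    if ($ts === false) {
        return null;
    }
    parse_str((string) parse_url($m[4], PHP_URL_QUERY), $query);
    return [
        'ip'      => $m[1],
        'time'    => $ts->getTimestamp(),
        'method'  => $m[3],
        'path'    => parse_url($m[4], PHP_URL_PATH) ?? '',
        'wc_ajax' => $query['wc-ajax'] ?? null,   // the ?wc-ajax=ppc-* endpoints are not REST routes
        'status'  => (int) $m[5],
        'referer' => $m[6] === '-' ? '' : $m[6],
    ];
}

/**
 * Per IP, sort by timestamp and require: Store API add-item, then ppc-create-order,
 * then a 4xx on the Store API checkout route, with at least one Store API call
 * that carried no Referer (a browser running the block checkout sends one).
 */
function find_card_testing(string $log): array
{
    $byIp = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $e = parse_line($line);
        if ($e !== null) {
            $byIp[$e['ip']][] = $e;
        }
    }
    $findings = [];
    foreach ($byIp as $ip => $events) {
        usort($events, fn($a, $b) => $a['time'] <=> $b['time']);
        $addItemAt = $createOrderAt = $checkoutFailAt = null;
        $noRefererStoreCalls = 0;
        foreach ($events as $e) {
            if (str_starts_with($e['path'], '/wp-json/wc/store/') && $e['referer'] === '') {
                $noRefererStoreCalls++;
            }
            if ($e['path'] === '/wp-json/wc/store/cart/add-item' && $addItemAt === null) {
                $addItemAt = $e['time'];
            }
            if ($e['wc_ajax'] === 'ppc-create-order' && $createOrderAt === null) {
                $createOrderAt = $e['time'];
            }
            if ($e['path'] === '/wp-json/wc/store/checkout' && $e['status'] >= 400) {
                $checkoutFailAt = $e['time'];
            }
        }
        $inOrder = $addItemAt !== null && $createOrderAt !== null && $checkoutFailAt !== null
            && $addItemAt < $createOrderAt && $createOrderAt < $checkoutFailAt;
        if ($inOrder && $noRefererStoreCalls > 0) {
            $findings[$ip] = [
                'no_referer_store_calls'  => $noRefererStoreCalls,
                'seconds_add_to_checkout' => $checkoutFailAt - $addItemAt,
            ];
        }
    }
    return $findings;
}

foreach (find_card_testing(SAMPLE_LOG) as $ip => $f) {
    printf("%s: %d Store API calls without Referer, add-item to failed checkout in %ds\n",
        $ip, $f['no_referer_store_calls'], $f['seconds_add_to_checkout']);
}
```

On the constructed sample only 5.187.21.98 is reported (five Store API calls without a Referer, ten seconds from add-item to the rejected checkout); the second IP never hits add-item and sends a Referer, so it is ignored. Referer and User-Agent are attacker-controlled, so treat the output as a triage list for Cloudflare or firewall rules, not as proof; the ordering and the sub-minute timing are the stronger signal.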

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Support Syde Jamie

    (@jamieong)

    Hi @dominic_ks ,

    We are aware of this issue, as it is most likely a fraud attempt to test the validity of credit cards, in your case causing failed orders.

    Beyond this, some users have shared a code snippet that helps prevent the use of automated APIs to create orders, and it seems to work for some. You can check out the snippet here: Blocking Card Testing Attacks in WooCommerce.

    We have tested it, and it doesn’t seem to directly impact PayPal Payments, but it should temporarily help prevent the issue.

    We are still analyzing the situation further and working on a more permanent solution. Let us know if you have any questions about the above.

    Let us know if you have further questions.

    Best Regards,
    Jamie
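
The linked snippet is not reproduced on this page. As an added example (not the snippet referred to above and not part of WooCommerce PayPal Payments), the must-use plugin below shows one way to make the Store API checkout route unattractive to scripted clients: it rejects POSTs to /wc/store/checkout (and /wc/store/v1/checkout) that arrive without a Referer from this site, which the block checkout in a browser sends but the requests in the original post did not, and it throttles checkout attempts per client IP with a transient counter. The prefix `sact_`, the limit of 3 attempts per 10 minutes and the use of CF-Connecting-IP are assumptions for illustration. Save it as wp-content/mu-plugins/sact-checkout-throttle.php.

```php
<?php
/**
 * Plugin Name: Store API checkout throttle (added example)
 *
 * Added example, not the snippet linked in the reply and not part of
 * WooCommerce PayPal Payments. Runs as a must-use plugin. Thresholds,
 * the sact_ prefix and the Cloudflare header are assumptions.
 */

if (!defined('ABSPATH')) {
    exit;
}

const SACT_MAX_ATTEMPTS   = 3;   // assumed: checkout POSTs allowed per IP per window
const SACT_WINDOW_SECONDS = 600; // assumed: fixed 10 minute window

/** Client IP: the post says the site sits behind Cloudflare, so prefer CF-Connecting-IP. */
function sact_client_ip(): string
{
    $ip = $_SERVER['HTTP_CF_CONNECTING_IP'] ?? $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return filter_var($ip, FILTER_VALIDATE_IP) ? $ip : '0.0.0.0';
}

/** True for POST /wc/store/checkout, /wc/store/v1/checkout and /wc/store/v1/checkout/{id}. */
function sact_is_checkout_route(WP_REST_Request $request): bool
{
    return $request->get_method() === 'POST'
        && (bool) preg_match('#^/wc/store(/v1)?/checkout(/|$)#', $request->get_route());
}

// rest_pre_dispatch runs before the route callback; returning a WP_Error short-circuits it.
add_filter('rest_pre_dispatch', function ($result, $server, $request) {
    if ($result !== null || !($request instanceof WP_REST_Request) || !sact_is_checkout_route($request)) {
        return $result;
    }

    // The scripted requests in the post reached the Store API with Referer "-".
    $referer = (string) $request->get_header('referer');
    if ($referer === '' || parse_url($referer, PHP_URL_HOST) !== parse_url(home_url(), PHP_URL_HOST)) {
        return new WP_Error('sact_bad_referer', 'Checkout is not available to this client.', ['status' => 403]);
    }

    // Fixed-window counter per IP, kept in a transient that expires with the window.
    $key      = 'sact_' . md5(sact_client_ip());
    $attempts = (int) get_transient($key);
    if ($attempts >= SACT_MAX_ATTEMPTS) {
        return new WP_Error('sact_rate_limited', 'Too many checkout attempts, try again later.', ['status' => 429]);
    }
    set_transient($key, $attempts + 1, SACT_WINDOW_SECONDS);

    return $result;
}, 10, 3);
```

Two caveats a practitioner would want. The Referer header is attacker-controlled, so the 403 branch only removes scripts as careless as the one logged in the post; the per-IP counter is what costs a card tester, and it will also block a headless or third-party storefront that legitimately drives the Store API, so exempt such clients if you have them. The ?wc-ajax=ppc-create-order and ppc-approve-order endpoints are not REST routes and never pass through rest_pre_dispatch; this example does nothing for them, which is why the thread's own reported outcome (no failed orders after restricting the Store API checkout endpoint) is worth watching rather than assuming.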

    Thread Starter dominic_ks

    (@dominic_ks)

    Hi @jamieong,

    Thanks for the response, I appreciate it. Also, happy to know I’m not alone in this one.

    I implemented that code blocking access to the /checkout endpoint on Friday and have had no failed orders since, but still monitoring.

    Thanks,

    Plugin Support Syde Jamie

    (@jamieong)

    Hi @dominic_ks ,

    Thank you, we will keep you informed on the progress. Let us know if you encounter new attacks.

    Best Regards,
    Jamie

  • The topic ‘Spam / Fraud Orders’ is closed to new replies.