• Resolved 2bearstudio

    (@2bearstudio)


    One of my client’s WooCommerce sites is under attack. Spam orders are created within seconds. The WooCommerce Orders page is flooded with Failed orders, thousands of them.

    All spam orders have the same address, order the same item for the same amount, and differ only in the name. Like this:

    XZGSmLD more
    3089 Ocello Street
    San Diego, CA 92103
    United States (US)

    “XZGSmLD” will be different in each spam order. If I block the attacking IP, it changes to another IP and continues the attack in about 2 – 3 minutes.

    I implemented a reCAPTCHA solution on the checkout page, but it doesn’t help at all.

    Any help would be greatly appreciated!

    • This topic was modified 2 years, 2 months ago by 2bearstudio.
Viewing 12 replies - 1 through 12 (of 12 total)
  • Hi @2bearstudio

    Spam orders are created within seconds. The WooCommerce Orders page is flooded with Failed orders, thousands of them. All spam orders have the same address, order the same item for the same amount, and differ only in the name.

    You installed reCAPTCHA on the checkout page, yet it did not help? Do you mean the spammer is filling in/solving the reCAPTCHA and continuing to attack? May I ask which reCAPTCHA plugin is in use? We recommend reCaptcha for WooCommerce from the WooCommerce marketplace. This reCAPTCHA service protects your store from automated attacks and spam bots.

    Please disable the “Allow customers to place orders without an account” checkbox by going to WooCommerce > Settings > Accounts and Privacy.

    You can read more about controlling guest checkout here: https://woocommerce.com/document/configuring-woocommerce-settings/#accounts-and-privacy-settings

    Thread Starter 2bearstudio

    (@2bearstudio)

    @margaretwporg Thank you for the reply.

    Yes, I installed reCAPTCHA on the checkout page; it didn’t help. The plugin I installed on the site is reCAPTCHA for WooCommerce from the Envato Marketplace.

    I understand “Disable anonymous checkout” could help, but this is not the store policy. WooCommerce should have the ability to allow anonymous checkout. Even if “Disable anonymous checkout” can stop spam for now, it is not a long-term solution. Isn’t it?

    Hi @2bearstudio

    Since reCAPTCHA for WooCommerce from the Envato Marketplace is a third-party plugin, we are unable to provide support for it. You may want to reach out to the plugin’s team to find out the best settings to prevent/stop such spam attacks.

    WooCommerce should have the ability to allow anonymous checkout. Even if “Disable anonymous checkout” can stop spam for now, it is not a long-term solution

    Store policies vary from site to site. Nonetheless, this thread is open for anyone to add their suggestions for long term solutions.

    Thread Starter 2bearstudio

    (@2bearstudio)

    @margaretwporg I understand and thank you for the reply.

    I have a feeling that the attacker is utilizing some sort of bug in WooCommerce, because it submits a failed order every 2 – 3 seconds. Yet there were 3 successful orders placed among the 4000+ attacks.

    I have no proof, but that’s my feeling. The attack happened on Sep 13, then on Sep 14. I upgraded WooCommerce from 6.8 to 6.9 on Sep 13, but apparently it didn’t help either.

    Hey 2bearstudio –
    Sounds like a carding attack is or was in progress. Be sure to check your failed messages related to any suspect invoices. Watch for similar invoices, and if you don’t have a security plugin such as Wordfence, get at least the free one installed so as to be able to trace and block what IPs you can identify. To be clear, Wordfence did not stop the exploit, but it did give me tools to trace the scumbag and block all associated IPs after the fact. That ability did come in handy later.

    The same thing happened to a client site back in September 2021. At that time, the bad actor was able to spoof an invoice so that it recorded an item qty but didn’t add the price up right. This seemed to be a probe of a WooCommerce defect, but WooCommerce/Automattic didn’t think so.

    12 credit card transactions ran successfully out of 5200 attempts. Fortunately for my client, this seemed to be a test of an exploit, as the scumbag used a low-priced item. We ended up eating a few chargebacks that trickled in, but didn’t lose any product or take a reputation hit.

    There was still one dirty deed to be done, and that was that Braintree shut down the account AFTER running the stolen credit cards 5200 times and held back the client’s funds for about a week.

    Since this site has a pretty robust level of security, I was able to flag the behavior, and about a month later the same IPs started generating a similar attack, but from a different address in a different region. Since I had traced the IP of the original carding attack, I was able to match the new one up to the same scumbag. We did change our gateway (fired Braintree), and there was a WooCommerce update. One or both stuffed the scumbag’s ability to pull off the same BS.

    Sounds like there is still an exploit. If you are using WordFence, send them an alert. They were more helpful than WooCommerce in every way.

    Thread Starter 2bearstudio

    (@2bearstudio)

    @wudman Wow! What a story. Thank you SO MUCH for the comment and helpful tips.

    The site indeed has Wordfence Security. I am able to use it to block and track how many continued attacks there were.

    On the 2nd day, when the attack started, I blocked a few IPs and then put the site into maintenance mode, because the site isn’t a busy online store. It stopped the attack immediately. So for anyone who unfortunately runs into a similar attack, “Maintenance” mode can buy you some time.

    I absolutely believe this could be a security problem in WooCommerce. 20 – 30 orders every minute, even bypassing the reCAPTCHA solution.

    By checking the access log, I noticed that the bot accesses the product page directly, then the checkout page. I guess it somehow triggered the add-to-cart button and then checked out. These steps were repeated over and over. To my surprise, Wordfence couldn’t catch this.

    The site was attacked by similar spam before; the attack is documented here. I cleaned up the spam orders but, interestingly, noticed that during this attack the hacker created 2 accounts with the user names “bbbbb.bbbbb” & “bbbbb.bbbbb-8431”. These two accounts were left active with latest login date “August 17, 2022”. During the maintenance mode, I disabled these 2 accounts.

    Along with a few other security hardening measures, the attack stopped today. Fingers crossed, I hope one of my solutions worked. But I am still on high alert.

    • This reply was modified 2 years, 2 months ago by 2bearstudio.
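    The product-page-then-checkout loop described in the post above is easy to spot in the access log once hits are looked at per client with their timing. The following is an added example, not code from the thread or from WooCommerce or Wordfence: it parses a few constructed Apache combined-format log lines, pairs each product-page GET with the next checkout POST from the same IP, and flags IPs that complete that cycle repeatedly inside a short window. The IPs, paths, timestamps and thresholds are all assumptions; `/?wc-ajax=checkout` is the endpoint the WooCommerce checkout form posts to.

```python
"""Detect clients looping product page -> checkout at bot speed.

Added example (not from the thread): parses Apache combined-format access-log
lines, pairs each product-page GET with the next checkout POST from the same
IP, and flags IPs that complete that cycle repeatedly inside a short window.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
PRODUCT_RE = re.compile(r"^/product/[^/?]+/?")
# WooCommerce's checkout form posts to /?wc-ajax=checkout; a plain /checkout/
# POST is included for forms submitted without JavaScript.
CHECKOUT_RE = re.compile(r"^/checkout/?(\?|$)|[?&]wc-ajax=checkout")

# Constructed sample (assumed IPs and paths): 203.0.113.7 behaves like the
# bot in the thread (product page, then checkout, every few seconds, no
# referer); 198.51.100.22 browses like a person.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Sep/2022:10:00:01 +0000] "GET /product/blue-widget/ HTTP/1.1" 200 5120 "-" "python-requests/2.28"
203.0.113.7 - - [14/Sep/2022:10:00:02 +0000] "POST /?wc-ajax=checkout HTTP/1.1" 200 310 "-" "python-requests/2.28"
203.0.113.7 - - [14/Sep/2022:10:00:04 +0000] "GET /product/blue-widget/ HTTP/1.1" 200 5120 "-" "python-requests/2.28"
203.0.113.7 - - [14/Sep/2022:10:00:05 +0000] "POST /?wc-ajax=checkout HTTP/1.1" 200 310 "-" "python-requests/2.28"
203.0.113.7 - - [14/Sep/2022:10:00:07 +0000] "GET /product/blue-widget/ HTTP/1.1" 200 5120 "-" "python-requests/2.28"
203.0.113.7 - - [14/Sep/2022:10:00:08 +0000] "POST /?wc-ajax=checkout HTTP/1.1" 200 310 "-" "python-requests/2.28"
198.51.100.22 - - [14/Sep/2022:10:00:03 +0000] "GET /shop/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.22 - - [14/Sep/2022:10:01:30 +0000] "GET /product/blue-widget/ HTTP/1.1" 200 5120 "https://shop.example/shop/" "Mozilla/5.0"
198.51.100.22 - - [14/Sep/2022:10:03:10 +0000] "GET /cart/ HTTP/1.1" 200 4000 "https://shop.example/product/blue-widget/" "Mozilla/5.0"
198.51.100.22 - - [14/Sep/2022:10:04:45 +0000] "POST /?wc-ajax=checkout HTTP/1.1" 200 310 "https://shop.example/checkout/" "Mozilla/5.0"
"""


def parse(lines):
    """Return (ip, timestamp, method, path, referer, user_agent) tuples sorted per IP."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ts = datetime.strptime(m["ts"], TS_FMT)
        events.append((m["ip"], ts, m["method"], m["path"], m["ref"], m["ua"]))
    events.sort(key=lambda e: (e[0], e[1]))
    return events


def count_cycles(events, max_gap=5):
    """Map each IP to the timestamps of its product-GET -> checkout-POST cycles.

    A cycle only counts when the checkout POST follows the product GET from
    the same IP within max_gap seconds, which is far faster than a person
    reading a product page and filling in a checkout form.
    """
    cycles = defaultdict(list)
    last_product = {}
    for ip, ts, method, path, _ref, _ua in events:
        if method == "GET" and PRODUCT_RE.match(path):
            last_product[ip] = ts
        elif method == "POST" and CHECKOUT_RE.search(path):
            seen = last_product.pop(ip, None)
            if seen is not None and (ts - seen).total_seconds() <= max_gap:
                cycles[ip].append(ts)
    return dict(cycles)


def flag_bots(cycles, window=60, min_cycles=3):
    """Return IPs that complete at least min_cycles cycles inside any window (seconds)."""
    flagged = []
    for ip, stamps in cycles.items():
        stamps = sorted(stamps)
        lo = 0
        for hi in range(len(stamps)):
            while (stamps[hi] - stamps[lo]).total_seconds() > window:
                lo += 1
            if hi - lo + 1 >= min_cycles:
                flagged.append(ip)
                break
    return sorted(flagged)


if __name__ == "__main__":
    found = count_cycles(parse(SAMPLE_LOG.splitlines()))
    for ip in flag_bots(found):
        print(f"{ip}: {len(found[ip])} product->checkout cycles, first at {found[ip][0]}")
```

    The thresholds are deliberately loose (three cycles inside a minute, each under five seconds); on a real log they should be tuned against a quiet day. Once the attacker rotates IPs, the same cycle count can be keyed on the user agent or on the product slug instead of the IP, and the flagged set is what a WAF or host-level block list is fed with.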

    Glad you have a handle on this. Both our hosting (WPEngine) and Wordfence extended efforts to quash this. WooCommerce not so much. I documented the “adventure” in a series of posts on LinkedIn because I knew that what I was seeing could not be the only incident, despite WooCommerce saying they had not seen a similar exploit.

    The invoices in question were filled out to look real, but a quick search revealed the fake address in Texas. The next attempt had an invoice featuring a fake address in New York. The IP trace showed a similar series of IPs, enough to suggest the same actor.

    In my opinion, the biggest issue is that the payment gateways are basically open for business after thousands of fraudulent attempts to run what I assume were stolen credit cards. At the minimum, the payment gateways earned fees on fraudulent transactions they should have prevented. One account getting hammered thousands of times in under an hour, for the same transaction, using stolen credit cards, and the gateway leaves the door wide open for more attempts.

    Thread Starter 2bearstudio

    (@2bearstudio)

    @wudman In my case, all orders have exactly the same address. The only difference is the name. I’ll have a good night’s sleep. The attack stopped today.

    Thank you for all the comments and help.

    Hi all! I wanted to keep this open as this has happened to 2 of our sites now. Thousands of fake orders in a 20-minute timespan.

    It always changed the name for the order, changed the email, etc. Examples:

    Iamhna Alokgan
    Iamhna Factory
    215 Mac Arthur
    New York, NY 10010

    Iaahnm Klagano
    Iaahnm Factory
    215 Mac Arthur
    New York, NY 10010

    Hiaanm Aanolgk
    Hiaanm Factory
    215 Mac Arthur
    New York, NY 10010

    That will go on for about 1000 orders, and then the next 1000 use a different city/state; I believe it was a California address and zip code.

    The client uses Cardpointe for their payment gateway. Last time this happened (back in late ’21), we went in and found out AVS wasn’t enabled at the gateway level. That led to the attacker trying 5 more orders, failing, and going away. Now it’s Nov 2022 and it’s happening all over again.

    We do have Wordfence installed on the site as well, and everything is updated to the fullest (all plugins, WP to 6.1.1, WC to 7.1, etc.).

    I went a couple of pages down and can see that they also started trying to change the IP address each time, so it’s hard to block by IP. It can go from a group of IP addresses from Kyrgyzstan, and then immediately after a few they change it to a California IP, and after a few more they change it to a Hong Kong IP.

    I’m lost on where to go next. Any help is appreciated.

    What was the general idea on where we should go next with this?
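    The pattern in the examples above (one fixed street address, a different name on every order, hundreds of orders within minutes) can be checked mechanically against an export of the Orders screen, and it keeps working after the attacker starts rotating IPs, which per-IP blocking does not. The following is an added example, not code from the thread or from WooCommerce: it groups constructed order records by a normalised billing address and flags any address that collects many distinct names inside a short window. All order ids, names, timestamps, statuses and thresholds are made up.

```python
"""Flag billing-address clusters that collect many distinct names in minutes.

Added example (not from the thread): groups order records by a normalised
billing address and reports addresses where a sliding window of N minutes
holds at least `min_orders` orders under at least `min_distinct_names` names.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed order export: ids, names, times and statuses are made up.
# The first five mimic the thread's pattern (same address, shuffled names);
# the rest are ordinary repeat and one-off customers.
ORDERS = [
    {"id": 5001, "status": "failed", "created": "2022-11-20T04:00:03",
     "name": "Iamhna Alokgan", "address": "215 Mac Arthur", "city": "New York", "postcode": "10010"},
    {"id": 5002, "status": "failed", "created": "2022-11-20T04:00:21",
     "name": "Iaahnm Klagano", "address": "215 Mac Arthur", "city": "New York", "postcode": "10010"},
    {"id": 5003, "status": "failed", "created": "2022-11-20T04:00:40",
     "name": "Hiaanm Aanolgk", "address": "215  MAC ARTHUR ", "city": "new york", "postcode": "10010"},
    {"id": 5004, "status": "completed", "created": "2022-11-20T04:01:02",
     "name": "Nahami Kalogan", "address": "215 Mac Arthur", "city": "New York", "postcode": "10010"},
    {"id": 5005, "status": "failed", "created": "2022-11-20T04:01:25",
     "name": "Ahinma Gonalak", "address": "215 Mac Arthur", "city": "New York", "postcode": "10010"},
    {"id": 4990, "status": "completed", "created": "2022-11-18T15:22:10",
     "name": "Jane Doe", "address": "12 Elm St", "city": "Springfield", "postcode": "62701"},
    {"id": 5006, "status": "processing", "created": "2022-11-20T09:10:00",
     "name": "Jane Doe", "address": "12 Elm St", "city": "Springfield", "postcode": "62701"},
    {"id": 5007, "status": "processing", "created": "2022-11-20T09:42:18",
     "name": "Bob Lee", "address": "77 Harbor Rd", "city": "Portland", "postcode": "97201"},
]


def norm_address(order):
    """Lower-case and collapse whitespace so trivially varied spellings cluster together."""
    parts = (order["address"], order["city"], order["postcode"])
    return "|".join(re.sub(r"\s+", " ", p.strip().lower()) for p in parts)


def suspicious_clusters(orders, window_minutes=20, min_orders=4, min_distinct_names=3):
    """Return {address_key: stats} for addresses with a burst of differently named orders.

    For every address the orders are sorted by creation time and a window of
    window_minutes slides over them; the address is flagged when some window
    holds at least min_orders orders carrying at least min_distinct_names
    distinct names. A repeat customer (many orders, one name) is not flagged.
    """
    by_addr = defaultdict(list)
    for o in orders:
        by_addr[norm_address(o)].append(o)
    window = timedelta(minutes=window_minutes)
    flagged = {}
    for key, group in by_addr.items():
        group.sort(key=lambda o: o["created"])  # ISO 8601 strings sort chronologically
        times = [datetime.fromisoformat(o["created"]) for o in group]
        lo = 0
        for hi in range(len(group)):
            while times[hi] - times[lo] > window:
                lo += 1
            span = group[lo:hi + 1]
            names = {o["name"].strip().lower() for o in span}
            if len(span) < min_orders or len(names) < min_distinct_names:
                continue
            if key not in flagged or len(span) > flagged[key]["orders"]:
                flagged[key] = {
                    "orders": len(span),
                    "distinct_names": len(names),
                    "failed": sum(1 for o in span if o["status"] == "failed"),
                    "first": span[0]["created"],
                    "last": span[-1]["created"],
                }
    return flagged


if __name__ == "__main__":
    for key, stats in suspicious_clusters(ORDERS).items():
        print(f"{key}: {stats['orders']} orders, {stats['distinct_names']} names, "
              f"{stats['failed']} failed, {stats['first']} .. {stats['last']}")
```

    The report is what a reviewer would act on: the flagged address can be put on hold at the gateway or in a checkout validation hook, and the one completed order inside the burst (the thread mentions a few succeeding among thousands) is the one to refund before the chargeback arrives. The defaults (four orders under three names within twenty minutes) are a starting point to be adjusted against the store's normal order rate.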

    Thread Starter 2bearstudio

    (@2bearstudio)

    @grimesweb Thank you for adding your case to the thread. I know adding a different question to a thread is not encouraged in this forum. But I’d like to add a quick reply.

    I believe the attack that happened to you is similar to the attack I experienced. It seems the hacker upgraded their technique by changing IPs. That’s a huge challenge, especially when we have to deal with it manually.

    In my case, I added a CDN to the site to provide another layer of protection. It didn’t happen to me afterwards. But I can’t say for sure that’s a solid solution.

    Hi.

    You can also try the following reCAPTCHA, which is based upon a proof-of-work concept, which makes DDoS attacks pretty unattractive:

    GDPR-compliant ReCaptcha for all forms and logins – WordPress plugin | www.remarpro.com

    I am curious for feedback.

    Cheers, Matthias

    Thanks for the thread; this happened to our site last night at 4am. After a few hundred orders I woke up and blocked the IP and country. 2 hours later I woke up again, and this time I felt like I was battling the bot directly. I would block the IP, and 10 mins later there was a new IP and a new country. It’s heavy in India, Singapore, China, and Russia though. I use the Cloudflare CDN, the Pro $20 per month version. I highly recommend that. Cloudflare Pro allowed me to add lots of security stuff that helped. Isolate the IPs that went to checkout and cart in the last 30 mins. You can block by country or by ISP provider (called ASN); I blocked the continents of Asia, Africa, etc. Then they jumped to France, Germany, Belgium; I blocked Europe, and now they can only use the US, and they seem to be having a harder time with that; the orders come in much slower when it has a US IP. They did a total of 2200 failed orders and not one went through. Stripe is my merchant service, and they blocked all of them, saying high threat.

    These are the steps that helped me.

    Having the Cloudflare CDN, I clicked the “Under Attack” button on the home page; that stops it immediately, and I’ll undo that in 2 days. Under Security > WAF, block by IP, ASN, continent, etc. Click on Bots, then enable Super Bot Fight Mode, block definitely automated bots, allow verified bots, and enable JavaScript detections. Then under Settings, click “I’m Under Attack”, set the challenge passage to 15 mins, and enable Browser Integrity Check and Privacy Pass support. Under Network, enable IP geolocation, then go to the Traffic tab with a 30 min time frame. From here you can find the attacker’s IPs, data centers, ASNs, and more. Start blocking these in the WAF tab. Attacks last up to 2 days. They usually will come back to you again in a month and again in a year, so make improvements after the attack. Also make sure ALL plugins, WooCommerce, WordPress, etc. are updated to the latest versions. Good luck to you!

  • The topic ‘Spam order / attack to WooCommerce’ is closed to new replies.