Someone is creating new fake customers accounts
  • Bruce - PhosphorMedia
    replied
    Originally posted by Mike521w:
    "Maybe I'll just post the source on github for everyone to use as they wish."
    Mike, this is a good idea. I'm sure some of us other developers would be glad to help out. I'd offer personally but a tad busy ATM as one could imagine.

  • delcorsets
    replied
    Yep, now count us among one of the sites being affected as well. :(

    Tons of accounts (about 300 so far), almost all end in .ru

    I wonder how many other sites are being targeted that don't even realize it?

  • meum71
    replied
    I am having the same problem also; their emails end in .ru, .fr or .de. They are typical spam ads like how to get rich and bitcoin schemes, with a few "how to meet a beautiful girl" etc. There have been at least 200 so far in the last month, and this looks like it is going to be another maintenance duty cleaning these up.


    Is there a way to block these by country?

    Paul
    Last edited by meum71; 12-12-19, 11:28 AM.

  • Mike521w
    replied
    wajake41 Hi Larry - I wrote a module to do it - there's no way to do it through Miva out of the box. I haven't posted it for anyone to use yet since I wanted to be 100% confident in it. I've had it running on a couple of sites I work on for a few weeks now with no problems, but I'm not a module developer and I don't really want to be on the hook supporting it for dozens of sites. Maybe I'll just post the source on github for everyone to use as they wish.

    I had a long back-and-forth with Miva about this and eventually they confirmed what I was saying - that the only way to validate the ReCaptcha token was via a module. (lesliekirk also) - Miva pointed me to this thread, where it seems like there's a way to use the Toolbelt module to validate the token. I read through it and it seemed like it would work. Miva said that they don't view this as a vulnerability, and I didn't get the impression that any further fix was coming from them.

    lesliekirk - I didn't think of trying to use the payment screen's ReCaptcha on ACAD - I imagine it would use the same settings. Off the top of my head I'm not sure if it would work, since the ACAD form submits with a different Action than OPAY, so even though the token might be created on ACAD, I don't think it would get validated by merchant.mvc on submit.

  • wajake41
    replied
    "Yea, the admin interface has a spot for you to enter the site key and secret key (right now it only uses Google ReCaptcha v3). Site key is not currently used but I figured if I ever update it to handle the front end, can't hurt to have a field for it. Right now this only handles the back end, so code must be added to the front end manually (google's scripts, etc)."
    Mike:
    Are you saying that recaptcha for any page is already available in admin or have you created a module to do this?
    Larry

  • lesliekirk
    replied
    Now I get to add to the list of sites that are getting spammy account creations. This one is using Levels, so there is no short form involved. I was going to ask if the Payment reCAPTCHA could be used on the ACAD which seems to be triggered using this item

    Code:
    <mvt:item name="payment" />
    My concern is if this token is used, is it controlled by the Payment Settings? I'm assuming it is, so using it probably will not work. As someone else mentioned, can I use the code from the source code? Will that have any impact on the reCAPTCHA on the OPAY page? As in, will it get triggered? And I just thought of this, if the token is used, will it help with IP blocking? So many questions...

  • bonnie1525
    replied
    I have read through this post several times, but not sure what can be done to stop the bot from creating accounts. Is there a solution? Any help would be greatly appreciated!
    Last edited by bonnie1525; 12-04-19, 10:12 AM.

  • Mike521w
    replied
    Yea, the admin interface has a spot for you to enter the site key and secret key (right now it only uses Google ReCaptcha v3). Site key is not currently used but I figured if I ever update it to handle the front end, can't hurt to have a field for it. Right now this only handles the back end, so code must be added to the front end manually (google's scripts, etc).

    In the Miva admin interface you enter the actions you want it to monitor (ICST in this case) and the tolerance level (Google returns a score of 0 - 1), so if you enter .4, anything less than that will be rejected (user will get a blank screen with no info whatsoever).

  • wajake41
    replied
    Hi Mike:
    That sounds encouraging.
    Can a way to retrieve the secret key be added? Maybe from a SQL table?

  • Mike521w
    replied
    wajake41 Working so far - no fake accounts have been created since I installed it, and regular accounts are being created just fine. I did find a bug today and had to do some rewriting to fix it, so still not something I'd want to release to everyone - but maybe in a few days if all continues to go well.

  • wajake41
    replied
    Thanks for the clarification Bruce.
    Maybe after Mike521w's solution is confirmed, he could market it. We'd be interested for possible future use if it can be assigned to any of our Miva modules needing protection from bot attacks. Just have it in the toolbox in case.

  • Bruce - PhosphorMedia
    replied
    Originally posted by wajake41:
    "We had a similar issue on our save your basket page recently. We added a recaptcha to the form and that stopped it. As part of this, we disabled the submit button and only enabled it using a callback when the recaptcha was checked. We used recaptcha2."
    Most bots are not 'clicking' submit buttons. You have to block the submittal of the form post at the miva executable layer.

  • wajake41
    replied
    Nevermind
    Last edited by wajake41; 11-04-19, 09:43 PM.

  • wajake41
    replied
    Nevermind
    Last edited by wajake41; 11-04-19, 09:42 PM.

  • Mike521w
    replied
    Bruce - PhosphorMedia Thanks for the suggestion Bruce - I just finished a system extension module that validates Google's ReCaptcha token server-side. I didn't end up using the checkbox you mentioned, just token validation, which should be fine.

    My tests show it to work so far, but I haven't written a script that emulates a browser and gets its own (presumably low-scoring) token. But in testing against the fake-account PHP script I wrote last week, it always works - anything with a missing or invalid token fails. I'll watch over the next week or so to see if any fake accounts are created. I've still been getting a steady flow of them, so if a week goes by with none, then mission accomplished.

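The server-side check Mike describes in this post and in his later one (validate the token on the server, only for the actions being monitored, and reject anything below a 0-1 score threshold), written out as an added Python example; this is not Mike's Miva module or any code from this thread. Google's siteverify endpoint and its response fields are real; the action name "ICST", the hostname, the secret and the sample replies are constructed, and the client-side token is assumed to have been minted with the same action name the server checks.

```python
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"  # Google's documented endpoint


def fetch_siteverify(secret, token, remote_ip=None, timeout=5):
    """POST the client's token to Google and return the parsed JSON reply."""
    fields = {"secret": secret, "response": token}
    if remote_ip:  # optional, lets Google cross-check the submitting IP
        fields["remoteip"] = remote_ip
    body = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(SITEVERIFY_URL, body, timeout=timeout) as resp:
        return json.loads(resp.read().decode())


def evaluate_reply(reply, expected_action, min_score, expected_host=None,
                   max_age_s=120, now=None):
    """Return (allowed, reason). Fails closed: any missing or malformed field
    rejects, so a post with no token or a forged token never gets through."""
    if not reply.get("success"):
        return False, "google rejected token: %s" % reply.get("error-codes", [])
    if reply.get("action") != expected_action:  # token minted for another form
        return False, "action %r != %r" % (reply.get("action"), expected_action)
    if expected_host and reply.get("hostname") != expected_host:
        return False, "token minted on %r" % reply.get("hostname")
    try:
        issued = datetime.fromisoformat(reply["challenge_ts"].replace("Z", "+00:00"))
    except (KeyError, ValueError, AttributeError):
        return False, "missing or malformed challenge_ts"
    now = now or datetime.now(timezone.utc)
    if now - issued > timedelta(seconds=max_age_s):  # stale token being replayed
        return False, "token older than %ds" % max_age_s
    score = reply.get("score")
    if not isinstance(score, (int, float)) or score < min_score:
        return False, "score %r below threshold %.2f" % (score, min_score)
    return True, "ok"


# Constructed sample replies in Google's documented response shape (assumed values).
NOW = datetime(2019, 12, 4, 10, 12, tzinfo=timezone.utc)
HUMAN = {"success": True, "score": 0.9, "action": "ICST",
         "hostname": "shop.example", "challenge_ts": "2019-12-04T10:11:30Z"}
BOT = dict(HUMAN, score=0.1)
WRONG_FORM = dict(HUMAN, action="OPAY")
NO_TOKEN = {"success": False, "error-codes": ["missing-input-response"]}

if __name__ == "__main__":
    for name, reply in [("human", HUMAN), ("bot", BOT), ("wrong form", WRONG_FORM), ("no token", NO_TOKEN)]:
        print(name, evaluate_reply(reply, "ICST", 0.4, "shop.example", now=NOW))
```

In a real deployment the reason string goes to a log for tuning the threshold, while the visitor sees only the rejection; logging which checks fail most often is how you tell a threshold set too high from actual bot traffic.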