OpenProducer / angelcityjazz

Project space for the Angel City Jazz website

Flooded with hundreds of one time donations #50

Closed gusaus closed 1 year ago

gusaus commented 1 year ago

Rocco forwarded me one of hundreds of failed one time donation notifications he's received over the past few days.

[Screenshot: Fwd: Angel City Jazz : Order #12345 has failed - gusaus@gmail com - Gmail 2023-01-09 13-57-13]

The one time $5 donations are being processed via the Donate block (provided by Newspack) on https://angelcityjazz.com/donate/ where $5 was the minimum donation we set (see the next screengrab)

[Screenshot: Edit Page “Donate” ‹ Angel City Jazz — WordPress 2023-01-09 14-18-55]

Here's a screengrab of the settings (see https://newspack.com/support/reader-revenue/setting-up-donations/ for details on how we set up) [screenshot]

All of these fails are by Credit Card (Stripe) where the following info is collected upon (WooCommerce) checkout -

[Screenshot: Checkout - Angel City Jazz 2023-01-09 14-29-43]

It's pretty obvious this is some sort of bot attack - something I've never seen or had to deal with, but I'm looking at pages like this for solutions - https://www.oopspam.com/blog/spam-protection-for-woocommerce

gusaus commented 1 year ago

@angelcityjazz I increased the minimum donation to $10 (to see if that affects the spam bots) and disabled email notifications for failed orders (so your email isn't flooded) while I troubleshoot further.

[Screenshot: WooCommerce settings ‹ Angel City Jazz — WordPress 2023-01-09 15-24-21]

After reading through the following from https://www.oopspam.com/blog/spam-protection-for-woocommerce, I'm concerned about the WooCommerce plugins we can no longer update (see https://github.com/OpenProducer/angelcityjazz/issues/35).

Sometimes vulnerability scanners look for a specific security bug in WooCommerce. The spam bots create an order to test certain behavior in the checkout process and hope to discover a bug they are looking for. Before WooCommerce version 4.6.2, a user reported failed orders in WooCommerce support where an attacker was able to create an account without registration even though “Allow customers to create an account during checkout” setting is enabled. They announced the bug publicly and released a fix. This is a great example of why you may see many false orders. It’s important to keep your WordPress plugins including WooCommerce up-to-date.

I'm doing another round of code updates and seeing what else we can do to resolve this (finishing set up for reCAPTCHA may also help).

Since donations have been so rarely used (how many recurring donations do we have?), I'll recommend again we finish setting up ACA as a host org on Open Collective so we can swap out the current donate block and use their platform to process donations.

All the other WooCommerce plugins we're using are free, so we wouldn't run into potential security bugs caused by outdated plugins.

gusaus commented 1 year ago

@tonyzeoli Thanks for your tips over email. If you look at my previous comment, I've been in the process of making some of the fixes you pointed out.

First off, I'll reference some good docs on the Newspack site https://newspack.com/support/reader-revenue/keeping-donations-secure/

Per the articles and tips from you, I've done the following -

That said, it looks like reCaptcha won't work on the donation checkout unless

or

@angelcityjazz Now that I'm aware, I'll continue to monitor WooCommerce orders on the site. That said, I strongly recommend we switch over to Open Collective to process donations as soon as possible.

gusaus commented 1 year ago

@tonyzeoli Couple other related issues/questions -

It looks like two of these spam payments actually went through (you should be able to see the completed orders if logged in). What do we do (if anything?)

What about the 3,792 failed orders. Should we bulk 'move to trash'?

angelcityjazz commented 1 year ago

Not sure what to do. They’re still coming in. Now is a good time to initiate the transfer to open collective I think.

On Mon, Jan 9, 2023 at 4:56 PM Gus Austin @.***> wrote:

@tonyzeoli https://github.com/tonyzeoli Couple other related issues/questions -

It looks like two of these spam payments actually went through (you should be able to see the completed orders https://angelcityjazz.com/wp-admin/edit.php?post_status=wc-completed&post_type=shop_order if logged in). What do we do (if anything?)

What about the 3,792 failed orders https://angelcityjazz.com/wp-admin/edit.php?post_status=wc-failed&post_type=shop_order. Should we bulk 'move to trash'?


gusaus commented 1 year ago

Hey Rocco - I'm monitoring and not seeing any additional failed orders since I started troubleshooting earlier today. I also disabled notifications so you shouldn't be getting additional emails.

You probably have gotten a few with 'spam' in the name and address - those are all from me as I test the fixes.

That said, I agree we should pick up on the open collective setup asap https://github.com/OpenProducer/angelcityjazz/issues/38#issuecomment-1275024638

angelcityjazz commented 1 year ago

I got about 7 of them since your last email.


tonyzeoli commented 1 year ago

We should investigate the IP addresses hitting the site and making the transactions and block that IP through Cloudflare.


tonyzeoli commented 1 year ago

Some of the transactions - I think - are going to go through because the spam bot is submitting credit card numbers and looking for any valid number. So, a transaction will complete if the card is valid.

In terms of trashing the old charges that did not go through, I'd export them to a CSV first, just to have a record of them, and then yet...you could probably trash them.

You probably want to notify Stripe this is happening and get their feedback on this. They may freeze your account...I don't know. But contact them immediately and tell them what is happening so they are aware and can also help.

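
The two suggestions above (find the source addresses behind the failed orders and block them at Cloudflare; export the failed orders to CSV before trashing them) can be combined into one offline check. The script below is an added example, not code from the angelcityjazz project or from Newspack/WooCommerce. It assumes the failed orders were exported to a CSV with the columns shown in the constructed sample (`order_id`, `status`, `created_at`, `customer_ip`, `total`, `billing_email`); real export plugins use their own column names, so `COLUMNS` is the one thing to adjust. It flags any IP with a burst of failed orders inside a short window (the card-testing pattern: many small charges, a different email each time), lists completed orders from the same IP for refund review, and prints an expression in Cloudflare's Rules language that can be pasted into a custom rule.

```python
"""Flag card-testing bursts in an exported WooCommerce order list (added example)."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Column names are an assumption about the export format; change to match yours.
COLUMNS = {"id": "order_id", "status": "status", "time": "created_at",
           "ip": "customer_ip", "total": "total", "email": "billing_email"}
FAILED_STATUS = "wc-failed"        # WooCommerce post_status for failed orders
COMPLETED_STATUS = "wc-completed"  # ...and for completed ones

# Constructed sample export: one ordinary failed order, a burst of $5 failures
# from a single address (with one charge that went through), and a two-order
# blip that should stay below the threshold.
SAMPLE_CSV = """order_id,status,created_at,customer_ip,total,billing_email
12301,wc-failed,2023-01-09 13:40:02,203.0.113.7,5.00,a1@example.net
12302,wc-failed,2023-01-09 13:40:09,203.0.113.7,5.00,b2@example.net
12303,wc-failed,2023-01-09 13:40:15,203.0.113.7,5.00,c3@example.net
12304,wc-completed,2023-01-09 13:40:21,203.0.113.7,5.00,d4@example.net
12305,wc-failed,2023-01-09 13:40:28,203.0.113.7,5.00,e5@example.net
12306,wc-failed,2023-01-09 13:40:33,203.0.113.7,5.00,f6@example.net
12307,wc-failed,2023-01-09 14:02:11,198.51.100.20,25.00,donor@example.org
12308,wc-failed,2023-01-09 15:10:40,198.51.100.21,5.00,g7@example.net
12309,wc-failed,2023-01-09 15:10:52,198.51.100.21,5.00,h8@example.net
"""


def parse_orders(csv_text):
    """Turn the export into dicts with a real datetime and a float total."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        rows.append({
            "id": row[COLUMNS["id"]],
            "status": row[COLUMNS["status"]],
            "time": datetime.strptime(row[COLUMNS["time"]], "%Y-%m-%d %H:%M:%S"),
            "ip": row[COLUMNS["ip"]],
            "total": float(row[COLUMNS["total"]]),
            "email": row[COLUMNS["email"]],
        })
    return rows


def find_bursts(orders, max_failures=5, window=timedelta(minutes=10)):
    """Return {ip: summary} for every IP that produced at least `max_failures`
    failed orders inside any span of length `window` (sliding window over the
    IP's failed orders sorted by time)."""
    by_ip = defaultdict(list)
    for order in orders:
        by_ip[order["ip"]].append(order)

    flagged = {}
    for ip, rows in by_ip.items():
        failed = sorted((r for r in rows if r["status"] == FAILED_STATUS),
                        key=lambda r: r["time"])
        start = 0
        for end in range(len(failed)):
            # Slide the window start forward until it fits inside `window`.
            while failed[end]["time"] - failed[start]["time"] > window:
                start += 1
            if end - start + 1 >= max_failures:
                flagged[ip] = {
                    "failed": len(failed),
                    "distinct_emails": len({r["email"] for r in failed}),
                    # Charges that succeeded from the same source: review/refund.
                    "completed_order_ids": [r["id"] for r in rows
                                            if r["status"] == COMPLETED_STATUS],
                    "first_seen": failed[0]["time"],
                    "last_seen": failed[-1]["time"],
                }
                break
    return flagged


def cloudflare_block_expression(ips):
    """Cloudflare Rules-language expression matching the flagged addresses."""
    return "(ip.src in {" + " ".join(sorted(ips)) + "})"


if __name__ == "__main__":
    bursts = find_bursts(parse_orders(SAMPLE_CSV))
    for ip, s in bursts.items():
        print(f"{ip}: {s['failed']} failed orders, {s['distinct_emails']} distinct emails, "
              f"{s['first_seen']} .. {s['last_seen']}, "
              f"completed orders to review: {s['completed_order_ids'] or 'none'}")
    if bursts:
        print("Cloudflare custom rule expression:", cloudflare_block_expression(bursts))
```

Two caveats before pasting the expression into Cloudflare. If the site is already proxied through Cloudflare, confirm the IP stored on the order is the visitor's address and not a Cloudflare edge address (the host has to restore the client IP from Cloudflare's `CF-Connecting-IP` header); otherwise the rule would block Cloudflare itself. And a blocklist only stops the addresses seen so far; the thread's own outcome (raising the minimum amount ended the run) shows why the durable controls are the ones that make each attempt expensive: minimum amount, CAPTCHA on checkout, and required registration.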

gusaus commented 1 year ago

@angelcityjazz Regarding https://github.com/OpenProducer/angelcityjazz/issues/50#issuecomment-1376667398 are you sure those aren't my test purchases? I'm looking at the orders and not seeing anything new since I increased the minimum donation https://angelcityjazz.com/wp-admin/edit.php?post_type=shop_order

Can you forward me a few of the recent ones?

@tonyzeoli Thanks for the additional tips - I'll check status and will followup on resolving this tomorrow.

gusaus commented 1 year ago

@angelcityjazz Checking orders right now (10:30 AM EST/7:30 AM PST) and no other orders have come in (see https://angelcityjazz.com/wp-admin/edit.php?post_type=shop_order). Per https://github.com/OpenProducer/angelcityjazz/issues/50#issuecomment-1376546831 we're still not able to enable reCAPTCHA on WooCommerce w/out paying for it (although I did enable on the contact form https://github.com/OpenProducer/angelcityjazz/issues/31) so I wouldn't consider this issue resolved until you set up on Open Collective (see https://github.com/OpenProducer/angelcityjazz/issues/38#issuecomment-1376777508) and swap out the donation block.

We're not ditching WooCommerce (which powers https://angelcityjazz.com/shop/) so we'll keep this open until we have additional tips and solutions for preventing this from happening in the future.

You probably want to notify Stripe this is happening and get their feedback on this. They may freeze your account...I don't know. But contact them immediately and tell them what is happening so they are aware and can also help.

Good idea - I'll see if I can contact them. Maybe our fabulous new hosting providers could help too? https://wpengine.com/

tonyzeoli commented 1 year ago

This is not a WP Engine issue to resolve because it happens in all donate plugins like Give WP, which have documentation on how to resolve this. It’s blocking IP addresses at Cloudflare, recaptcha for Woo, increasing the base rate, and requiring user registration.


gusaus commented 1 year ago

While I didn't follow up with Stripe, I have been monitoring the site to see if there have been additional bot donations. Looks like changing the minimum donation stopped this attack, but the fact that we're using outdated versions of the paid plugins could leave us vulnerable. At the same time, I think other tools/platforms may provide additional benefits #51

Also, considering there's only one recurring subscriber https://angelcityjazz.com/wp-admin/edit.php?post_type=shop_subscription (actually looks like the current payment failed?!?!) we wouldn't need to ask many (any?) folks to unsubscribe and then resubscribe on the new platform.

I'll leave this issue open until we're set up on a new platform.

gusaus commented 1 year ago

Closing this out as we're no longer using WooCommerce for Donations. https://github.com/OpenProducer/angelcityjazz/issues/49#issuecomment-1445224163