What was the Issue:
We were receiving a huge number of fake registrations and fake orders. The accounts were registered from different IPs in different countries, so blocking an IP or two was ruled out as a solution.
What people recommended and what I have tried:
The very first recommendation was to activate email validation to stop registration of accounts from fake emails. So, I searched for an add-on that requires the user to validate the email address before registering an account. Unfortunately, it did not stop the registrations.
After this add-on failed to stop the registrations, I turned my attention to the server. Our setup was hosted on a Linux-based system, so I searched for malware or anything else that might be helping the attacker bypass email validation. In the process I found that my server was totally clean.
Solutions / Fix to this problem:
Use Banned Email Domains:
Go to WHMCS > Setup > Other > Banned Email
Here you can ban the email domain. In my case it was qq.com. You will find the email domain in the addresses of those registered accounts. For Example: email@example.com (Ban qq.com)
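An added example, not part of the original post or of WHMCS: a Python script for finding the email domain to ban from an export of recent signups, by flagging domains that show a burst of registrations from many distinct IPs. The record layout (email, IP, timestamp), the thresholds and the sample rows are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample signups (email, signup IP, ISO timestamp); not real data.
SIGNUPS = [
    ("a1@qq.com", "192.0.2.10", "2024-01-05T10:00:00"),
    ("b2@qq.com", "198.51.100.7", "2024-01-05T10:04:00"),
    ("c3@QQ.com", "203.0.113.20", "2024-01-05T10:09:00"),
    ("d4@qq.com", "192.0.2.77", "2024-01-05T10:15:00"),
    ("e5@qq.com", "198.51.100.99", "2024-01-05T10:21:00"),
    ("alice@example.org", "203.0.113.5", "2024-01-03T09:00:00"),
    ("bob@example.org", "203.0.113.5", "2024-01-05T16:30:00"),
    ("carol@example.net", "192.0.2.200", "2024-01-05T10:10:00"),
    ("not-an-email", "192.0.2.201", "2024-01-05T10:11:00"),
]


def suspicious_domains(signups, window=timedelta(hours=1),
                       min_signups=4, min_ips=4):
    """Return {domain: (signups, distinct_ips)} for the largest burst per
    domain that meets both thresholds inside one sliding time window."""
    by_domain = defaultdict(list)
    for email, ip, ts in signups:
        if "@" not in email:
            continue  # skip malformed addresses instead of miscounting them
        domain = email.rsplit("@", 1)[1].strip().lower()
        by_domain[domain].append((datetime.fromisoformat(ts), ip))

    flagged = {}
    for domain, events in by_domain.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Shrink the window until it spans at most `window` of time.
            while events[end][0] - events[start][0] > window:
                start += 1
            burst = events[start:end + 1]
            ips = {ip for _, ip in burst}
            if len(burst) >= min_signups and len(ips) >= min_ips:
                if len(burst) > flagged.get(domain, (0, 0))[0]:
                    flagged[domain] = (len(burst), len(ips))
    return flagged


if __name__ == "__main__":
    for domain, (count, ips) in suspicious_domains(SIGNUPS).items():
        print(f"{domain}: {count} signups from {ips} IPs within one hour")
```

A flagged domain is a candidate for the Banned Email list; check whether genuine clients use that domain before banning it.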
Add Custom Client Fields:
Go to WHMCS > Setup > Custom Client Fields
Field Name: Are You Human?
Field Type: Text Box
Description: To help prevent automated submissions, please answer “YES” to prove that you are a human. In Capital Letters.
Tick these two options: Required Field & Show On Order Form.
After banning the domain of the email addresses, I removed the email validation add-on. The reason for removing it was that some of my real clients were having issues receiving the code. So, as an alternative, I added a simple Custom Client Field.
This particular attack is very common these days, and a lot of WHMCS users are reporting it. The basic problem in countering this kind of attack is that we assume either that the email addresses are fake or that some kind of code injected into our system is allowing these fake emails to bypass verification. But the story is different this time: attackers have changed their strategy and are now working with real email addresses. So, fix this problem by taking the simple steps given above and relax.