Fraudulent online accounts being created through TNEW with no orders.

Hello! We have an ongoing (and potentially fraudulent) problem with online constituents being created with gibberish names and bogus addresses. AND there are never any orders associated with the new accounts. I cannot figure out the purpose, whether this is a preemptive attempt at setting up fraudulent orders, and whether they are BOT created. I run a New Record Summary report every day, and every day go through the list of new online accounts that were created the day before. The bogus accounts are pretty easy to spot, but sometimes number in the teens or twenties each day. I then go into each account and deactivate them, which can be quite laborious. Does anyone else have this issue, and do you have any other way of dealing with them? More often than not, they have emails with the word stellard in the address. I have an ongoing ticket trying to find a pattern that might help create some preventative measures to keep these accounts from being created. Any shared experiences are welcome.

  • Bringing this to the top. Have we figured out a way yet to stop these Stellard accounts from being created? We deactivated 70 over the weekend and have since had 5 more created in the past 2 days.

  • Hi Jessica. No sure-fire solution has been discovered or developed. Mayo Performing Arts Center has addressed fraud in a recent CRM assessment, which basically deals with three layers of what one might consider fraud. First is the creation of what I call bogus accounts (stellard emails). Then there are secondary resellers (scalpers), which, while legally not fraud as long as there is no legislation to prevent third parties from reselling our tickets at exorbitant prices, nonetheless interfere with our ability to give good customer service and sell legitimately priced tickets to customers. Then there are "bad actors" who make last-minute online purchases using fraudulent credit cards; those sales are then disputed as fraud after the show has passed. Implementing AVS (address verification service) in TNEW should take care of this third case of fraud, but there are certain defects in the current functionality of AVS. Using a delayed eTicket delivery method helps combat scalper activity. Currently, we have not been able to keep bogus accounts from being created. Nor do we understand the reason for such accounts being created other than their potential use for future fraudulent activity. We do use RECAPTCHA, which should prevent BOT activity in creating a new account. We also have a "terms and conditions" waiver that we require to be checked at the end of the order creation. If these people/BOTS are getting around RECAPTCHA and are intending to create fraudulent orders, it is possible that our terms and conditions waiver is preventing the person/BOT from creating an actual order. This would result in a bogus new account with no order. This is just a guess at what might be happening. Perhaps someone from Tessitura can weigh in on this? We just continue to run a daily report of new constituents and inactivate these bogus accounts.

    We also are able to find some of these last-minute fraudulent sales and return them before the show occurs and before a fraud dispute can be issued.

  • Thank you Gawain for your input. I too think there is a certain amount of human hands at work here. Thank you also for your thoughts on internet forum activity.

  • Not sure if this directly relates, but here is a recent article about fake account creation and getting around captcha. Microsoft just cracked down on it. This is from NBC News this week:

    A U.S. court allowed Microsoft to seize several websites it said belonged to a Vietnamese operation that allegedly sold hundreds of millions of fake Microsoft accounts, an unusual step in the ongoing fight against online fraud and cybercrime.

    Microsoft said in a blog post on Wednesday that the group operated at least four websites that were seized.

    One site tied to the operation, Hotmailbox, was a popular source to buy fake Hotmail accounts, a service owned by Microsoft, in bulk. Microsoft said Hotmailbox frequently sold those to cybercriminals.

    Microsoft’s decision to sue for custody of the site was in large part motivated by its inability to figure out how the scheme’s operators were so good at automating the CAPTCHA process, which is designed to stop automated bots from repeatedly making new accounts, according to Amy Hogan-Burney, head of Microsoft’s digital crimes unit.

    “They are using tools that allow them to defeat CAPTCHA at scale. They are able to create a high volume of accounts that can appear to be, for a period of time, legitimate,” Hogan-Burney said in a video interview.

    The alleged fraudsters behind the operation have figured out a way to make “a bot that actually solves the puzzle,” and sold around 750 million fake accounts, she said.

    “I really want that discovery,” Hogan-Burney said. “I want to know what’s going on here, because that’ll actually make our products and services better.”

    Microsoft has spent tens of millions of dollars fighting bots from abusing its service and trying to ensure only humans can create new accounts, it said in the complaint, filed Dec. 7 in the Southern District of New York federal court.

  • this is excellent info, thank you!!

  • It occurs to me that I never checked before, but the stellardl accounts are not linked to any rows in V_PAYMENT_GATEWAY_ACTIVITY, which would presumably happen if they were at least trying to pay for orders, right?  I guess we wouldn't have any record of people entering incorrect gift certificate numbers...

  • I have been tracking these account creations since June. We have over 600 accounts that have been created. Many use an email address with "stellard" in them, many don't. They usually use NY as the state, but not always. The first and last name are usually just a combination of letters, but not always. The new thing they are doing is putting Paramount Theater in the city and street 1. I have gotten really good at seeing these accounts. We mark them as "Inactive - Bad Info needs new info" so they can't log in again with that account. I do have a ticket open with Support about this. They have told me that no transactions or authorizations have happened that they can see and there is nothing on the account. They did say that the bad actors are using VPNs, which makes it hard to block the creator.

  • The new thing they are doing is putting Paramount Theater in the city and street 1.

    We've seen some with random Guthrie Theater-related text in the address, too, e.g. one of our facilities is the McGuire Proscenium, and at least one stellard-ish account has appeared with street1 = 'McGuire Proscenium', plus state = NY, etc.

    They did say that the bad actors are using VPNs which makes it hard to block the creator.

    Interesting.

  • I've seen a couple use our two venue names: Stoner Theater and Temple Theater. It's just nonstop with the accounts sadly. Disappointed

  • I just found 60 accounts since 12/13/23 with the pattern somename.stellard@gmail.com, and found the name of our theatre as address1.

    Thank you for the heads up. I'm thinking that I could just automatically delete or inactivate these accounts with a nightly query.
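The indicators reported across this thread (a ".stellard" email pattern, the org's own venue name used as city or street1, random-letter names, NY as a corroborating state, and no rows in V_PAYMENT_GATEWAY_ACTIVITY) can be combined into a nightly triage that produces a review list rather than deleting anything outright. This is an added example, not code from the thread or from Tessitura: the record layout, the VENUE_NAMES set and the sample accounts are all constructed for illustration, and the flag for gateway activity is assumed to have been looked up beforehand.

```python
import re
from dataclasses import dataclass

# Hypothetical: the org's own venue names, which the thread reports showing
# up verbatim in the city / street1 fields of bogus accounts.
VENUE_NAMES = {"paramount theater", "mcguire proscenium"}

@dataclass
class NewAccount:
    customer_no: int
    first_name: str
    last_name: str
    email: str
    street1: str
    city: str
    state: str
    has_gateway_activity: bool  # any row in V_PAYMENT_GATEWAY_ACTIVITY (assumed pre-joined)

VOWELS = set("aeiouy")

def looks_like_gibberish(name):
    """Heuristic: no vowels at all, or a run of 4+ consonants, suggests random letters."""
    n = name.lower().strip()
    if not n:
        return False
    return not (set(n) & VOWELS) or re.search(r"[^aeiouy\W\d]{4,}", n) is not None

def triage(acct):
    """Return the indicators matched for one new account; [] means nothing suspicious."""
    hits = []
    local_part = acct.email.split("@", 1)[0].lower()
    if "stellard" in local_part:
        hits.append("stellard-pattern email")
    if acct.street1.strip().lower() in VENUE_NAMES or acct.city.strip().lower() in VENUE_NAMES:
        hits.append("venue name used as address")
    if looks_like_gibberish(acct.first_name) and looks_like_gibberish(acct.last_name):
        hits.append("gibberish name")
    if hits and acct.state.strip().upper() == "NY":
        hits.append("NY state")  # corroborating only; never a flag on its own
    if hits and not acct.has_gateway_activity:
        hits.append("no payment gateway activity")  # likewise corroborating only
    return hits

def review_queue(accounts, min_hits=2):
    """Accounts with at least min_hits indicators, for a human to inactivate/merge."""
    return [(a.customer_no, triage(a)) for a in accounts if len(triage(a)) >= min_hits]

# Constructed sample: one day's new online accounts.
SAMPLE_ACCOUNTS = [
    NewAccount(1001, "Xkqzt", "Mvplr", "xkqzt.stellard@gmail.com", "Paramount Theater", "New York", "NY", False),
    NewAccount(1002, "Jessica", "Moreno", "jmoreno@example.com", "12 Oak St", "Morristown", "NJ", True),
    NewAccount(1003, "Ravi", "Patel", "ravi.p@example.com", "5 Main St", "Khordha", "NY", False),
    NewAccount(1004, "Qwrtp", "Zxvbn", "qwrtp@example.com", "McGuire Proscenium", "Minneapolis", "MN", False),
]
```

Run against the sample, only 1001 and 1004 land in the queue; 1003 shows why NY and a missing gateway row are treated as corroboration only, so a legitimate new customer with no purchase yet is not flagged.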

  • Hi all - we hadn't seen any stellardl accounts way back when this thread started, but in the intervening time it looks like our org joined the party. I searched again today and discovered 94 accounts going back to mid-September. No more than 3 or 4 created a day, with some gaps in between, so the volume isn't terribly high. No payments in the payment gateway, though T_WEB_ORDER shows some recent nonsense of adding various seats and performances to carts, and the IP addresses hop around the globe as one would unfortunately expect.

    The most salient point is that we aren't a TNEW client - so that no longer seems to be a common denominator as far as who is targeted. Not sure if it's arts and culture venues in general (whether on Tessitura or another CRM), or if the bad actors have identified any site using the Tessitura API as a potential playground...

    I'll open a support ticket just to add our voice to the chorus and give the Network security team more data. Thanks for all the resources and tactics being shared!

    (Edit: most of these accounts are using our guest checkout, so nothing is really collected beyond the bad email. HOWEVER - one of the few that did input a mailing address put in something that stood out - an address on Stellar Dr, Kenai, AK. The fact that the street name matches up to the common email pattern caught my eye - though no clue what to do with that info!)

  • The most salient point is that we aren't a TNEW client - so that no longer seems to be a common denominator as far as who is targeted. Not sure if it's arts and culture venues in general (whether on Tessitura or another CRM), or if the bad actors have identified any site using the Tessitura API as a potential playground...

    That's definitely interesting!

    For us the names seem South Asian (or mock-South Asian) or garbage.

  • Just to add another org's experience: we have only had a handful of these stellard accounts created so far, and they all happened from November 2022 to September 2023, ending when we moved from self-hosted to Tess Hosting. I can't imagine where we're hosted would matter, but I do find it interesting that we haven't seen any of these accounts created since we moved. We've had TNEW for years now, though, so in that regard we're similar to most other orgs experiencing this.

    With such a small sample, it's hard to say if this is significant, but we did see Khordha entered as the city for half of them. The constituent names also seem to trend in a South Asian or mock-South Asian direction.

    I'll definitely be keeping an eye out to see if we have any more pop up since everyone else seems to be getting hit hard with this.

  • I'm thinking that I could just automatically delete or inactivate these accounts

    I used to delete them, then moved to inactivating the login + merging the record into one known-bad constituent, as per a recommendation from support, so that the login names can't be re-used.

  • I've just been straight-up inactivating the accounts. Sigh... does it really make that much of a difference if I also don't merge?

  • does it really make that much of a difference if I also don't merge?

    Inactivating the login, or the whole constituent, will prevent another login being created with the same name/e-mail. For me, deletion or merge is a worthwhile extra step mostly to keep the garbage address and other data from constantly appearing in various data hygiene jobs, bad Zips, etc., etc... It's not repairable, so it must be excluded. :-)

  • Does merging update customer numbers for web session tables? I'd want to keep my window into their online behavior.

    I wonder if there is any way to use Google Analytics to get a better sense of what these accounts are doing or trying to do.
