Fraudulent online accounts being created through TNEW with no orders.

Hello! We have an ongoing (and potentially fraudulent) problem with online constituents being created with gibberish names and bogus addresses. AND there are never any orders associated with the new accounts. I cannot figure out the purpose, whether this is a preemptive attempt at setting up fraudulent orders, and whether they are bot created. I run a New Record Summary report every day, and every day go through the list of new online accounts that were created the day before. The bogus accounts are pretty easy to spot, but sometimes number in the teens or twenties each day. I then go into each account and deactivate them, which can be quite laborious. Does anyone else have this issue, and do you have any other way of dealing with them? More often than not, they have emails with the word stellard in the address. I have an ongoing ticket trying to find a pattern that might help create some preventative measures in keeping these accounts from being created. Any shared experiences are welcome.

  • does it really make that much of a difference if I also don't merge?

    Inactivating the login, or the whole constituent, will prevent another login being created with the same name/e-mail. For me, deletion or merge is a worthwhile extra step mostly to keep the garbage address and other data from constantly appearing in various data hygiene jobs, bad Zips, etc., etc... It's not repairable, so it must be excluded. :-)

  • Does merging update customer numbers for web session tables? I'd want to keep my window into their online behavior.

    I wonder if there is any way to use Google Analytics to get a better sense of what these accounts are doing or trying to do.

  • I just searched for these types of accounts. We have less than 300, created over the last calendar year.  Not very substantial, but kind of annoying. The one consistency I can see in reviewing the traffic request headers is that the initial request always seems to have this referrer/referrer domain:

    I added a rule to our WAF to block traffic with that referrer in the headers. You can probably create a similar rule in your WAF and it should blunt the traffic. I'm not sure if it will hold up, but it is a good place to start.

  • Romania...  didn't realize they were such a hotbed of activity!

  • The traffic isn't originating from RO; we already do a GEO block for RO. It just has that referrer in the header. I'm not sure how long it will hold up, but it is worth looking into.

  • Hi Patrick.

    Was adding the rule to your WAF something that you needed Tessitura support for, or were you somehow able to do it yourself? Does Tessitura control the firewall settings? Michael

  • I just ran a search and found only 11 in our system, all added around Aug-Oct of this year (2023). All with the same types of data as described by everyone. No transactions and seemingly no additional engagement after the account was created.

  • Oh, that brings up a point: I did an analysis of create vs. last login dates and I did see a handful of accounts that were returned to days after creation, so that does happen as well.

  • Hello Michael. For members on TNEW, our Imperva WAF would be where we set header rules. Our security team is already monitoring abnormal traffic and adding rules as patterns emerge, but we have seen these headers shift frequently, so this sort of thing has not proven to be effective in our experience in the long term for this particular issue. I will be posting here in greater detail to the larger thread shortly with a more fulsome update on this problem, but I wanted to respond here to this specific piece!

  • Hello Michael (and everyone in this thread). I wanted to give you an update on this issue as to where things stand at this point, knowing how disruptive and frustrating it is for all of you impacted by it.

    Our security team has been vigilantly observing this behavior and trying to find anything that might give us a clue as to how to block this tool, but so far there isn't a discernible pattern that can be stopped at the firewall level. We have various alerts in place to look for suspicious activity (repeated patterns from a single origin or headers, velocity, etc.), but these bad actors mix up their point of origin enough that it's difficult to come up with anything systematic. We have gotten pretty good at dealing with bad actors who a) just use bots, or b) go after the transaction path, but it is very difficult to deal with human-assisted bots (which this appears to be), as they pass the reCAPTCHA tests issued by our firewall and are just doing nuisance account creation.

    The recommendation at this point is to use List Manager to generate a list of these junk constituents, using either the EAddress Like filter with '%stellard%' as the criteria or by using the below SQL in the Show Query tab:

    SELECT e.customer_no
    FROM T_EADDRESS AS e
    WHERE e.address LIKE '%stellard%'

    NOTE: This will require that you carefully check the results to avoid catching anyone who might actually be legitimate. You may be able to add an exclusion list to remove folks who you know to be real people.

    You can then run the Purge Utility with that list to remove these junk accounts. You could also do a simple SQL query to simply inactivate these constituents, if that fits better into your data sanitization practices.

    We are continuing to discuss what other measures we might be able to take to block or deter this behavior and I will update you all here when I know more. You are also more than welcome to submit a support ticket to address your specific concerns, as many of you in this thread have already done.

    Thank you all for your feedback so far. More as soon as I have it!

    Matt Belanger
    Support Escalation Manager
    Tessitura Network

  • Matt-

    I've spent a bit of time (probably too much time) looking at this issue over the past few days. I agree with most of the points in your assessment. Between our WAF, bot mitigation and the IPs in T_WEB_SESSION_SESSION, I have a couple of ideas if your team wants to discuss.

    I've managed to get this traffic to a trickle in our system. I'll know how successful it is in a week or so. 

    I'll be off next week, but would be happy to discuss with your team after the New Year if you want to reach out.

    Best,

    Patrick

  • Sounds good, Patrick.  I'll be in touch!

  • Just adding to the conversation that we are also seeing quite a few of these "stellardl" bot accounts being created on our site. We are also seeing some accounts with our various halls/venues in the name and address fields like someone else mentioned, and, interestingly, I'm now also seeing accounts with other Tessitura venues/halls in those fields as well. This morning I found one with Daniels Pavilion at Artis-Naples in the street1 field.