For a while we have been getting slammed with bots creating fake accounts. Nothing malicious, just annoying as heck.
Anyways... we have a developer building an extension that includes reCAPTCHA to help slow this down. If anyone has something like this in place, what do you do when the reCAPTCHA score is not met? Just redirect them?
Steve Goldberg
09/26/2024, 9:09 AM
For our reCAPTCHA solution we just prevent the action. However, yes, I have seen some customers either kick the user out and some have gone further as to deactivate the user record and log the action so an admin can be notified.
Your reCAPTCHA solution should have both frontend and backend components that change the behaviour of how the SuiteScript works. We typically use the Application.on mechanism for this.
Chris
09/27/2024, 4:48 PM
I've done this a few times in the past. The captcha docs aren't straightforward to adapt to SC sites. Like @Steve Goldberg said, you must have front and back-end components for this to work correctly.
I first built a reCAPTCHA bundle, which is a good line of defense, but I think I figured out how the attacker has their script built to target the website, and the email verification bundle seems to do the trick. I have tried an extension to listen to the number of credit card adding attempts and then force the user to log out and remove their access. They were able to adjust their script to accommodate for that. Email verification seems to be the most effective.
From my observations of about 30 attacks, this seems to do the trick. They are getting credit cards missing CVV code and running them through to test for a success response when adding a card with the correct CVV. They do this up to 999 times and then store the success CVV code and use another card. The payment processor will shut you down if you don't take action on it so it is important to address.
Hopefully the solution we bundled and pre-built will do the trick for you. They can be up within a few hours which is nice.
Good luck! 🙂