We have been under attack since July. 100s of fake accounts are being created in our Big Commerce store and trying to check out one product (the same product every time), with different credit cards. A few orders got through, and we have since made the payment processing more stringent. However, this has not stopped the issue. The only way I can pause the activity is to completely delete the product, and a few days later the process starts again with a different product. We are now at a point where the payment provider is threatening to suspend the account because of the number of attempts. I have over 1,000 fake accounts in Big Commerce (and subsequently the same in my Email Service Provider).
What steps have you taken to resolve the issue?
We installed Cloudflare Pro Plan a few days ago and configured it with the Orange to Orange Big Commerce instructions. I initiated Under Attack Mode, but a few hours later accounts were being created and orders attempted. This is not my area and I desperately need help. There could be rules we could put in place, but what they are and how to create them I would not know.
I thought these bots would be shown a captcha form at checkout, but somehow they are getting under the radar. All of the email addresses start with a mix of numbers/letters:
Generally, you would want to identify common features of either your real customers or fake customers. If that is not something you can do, you might need to hire a consultant that helps you with that.
Are your real customers all from a handful of countries? Then start by blocking other countries. Are the fake customers all from one country? Block that country.
Same for other things. Source IP, User-Agent etc.
Also, I would recommend that you use Super Bot Fight Mode and block definitely automated and likely automated requests. You would then need to create exceptions to these blocks for traffic that you do want to reach your servers, like your payment provider.
The IP addresses I see in Big Commerce are different - where would I see the Source IP address? The orders use US addresses - sometimes, but not often, the IP address is not in the USA. There is no consistency between countries or IP addresses.
eyeenvy.com is challenging and you showed the correct CNAME in your screenshot. But it redirects to www.eyeenvy.com that does not challenge if you enter directly there. What DNS records do you have set for www? It should be the same CNAME.
Now all requests are passing through your Cloudflare account first, before going on to BigCommerce. You can set custom rules in the WAF of your account to block specific IP addresses or other characteristics depending on what you find.
Challenging everything should stop most of the automated stuff; you can fine-tune with custom WAF rules for anything else that gets through.
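One way to act on the advice in the replies to identify common features of the fake accounts before writing WAF rules, as an added example that is not part of the original thread. The sample records, the user-agent strings, the thresholds and the `mixed_prefix` heuristic (one reading of "a mix of numbers/letters") are all constructed assumptions; in practice the rows would come from a store or Cloudflare log export.

```python
from collections import Counter

HEADLESS = "Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/119.0"  # constructed
CHROME = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/119.0"  # constructed

# Constructed sample, not real data: (email, country, user_agent, is_fake).
# is_fake marks accounts the merchant already judged fraudulent.
SIGNUPS = [
    ("x7k2q9@example.com", "US", HEADLESS, True),
    ("4fj8s1z@example.com", "US", HEADLESS, True),
    ("q9w2e7r@example.net", "BR", HEADLESS, True),
    ("8h3kd02@example.org", "US", HEADLESS, True),
    ("m2n5b8v@example.com", "US", "curl/8.4.0", True),
    ("jane.doe@example.com", "US", CHROME, False),
    ("mthompson@example.com", "US", CHROME, False),
    ("sara_lee@example.net", "US", CHROME, False),
    ("bob1975@example.org", "US", CHROME, False),
    ("l.nguyen@example.com", "US", CHROME, False),
]

def mixed_prefix(email, n=6):
    """True if the first n chars of the local part mix digits and letters (assumed pattern)."""
    head = email.split("@", 1)[0][:n]
    return any(c.isdigit() for c in head) and any(c.isalpha() for c in head)

def features(rec):
    """Flatten one record into comparable (name, value) pairs."""
    email, country, ua, _ = rec
    return {("country", country), ("ua", ua), ("email_mixed_prefix", mixed_prefix(email))}

def candidate_rules(records, min_fake=0.8, max_real=0.2):
    """Features present in >= min_fake of fake accounts and <= max_real of real ones."""
    fake = [r for r in records if r[3]]
    real = [r for r in records if not r[3]]
    fake_counts = Counter(f for r in fake for f in features(r))
    real_counts = Counter(f for r in real for f in features(r))
    out = []
    for feat, n in fake_counts.items():
        fake_share = n / len(fake)
        real_share = real_counts[feat] / len(real) if real else 0.0
        if fake_share >= min_fake and real_share <= max_real:
            out.append((feat, round(fake_share, 2), round(real_share, 2)))
    return sorted(out, key=lambda x: -x[1])  # most widely shared fake feature first

if __name__ == "__main__":
    for feat, fake_share, real_share in candidate_rules(SIGNUPS):
        print(feat, f"fake={fake_share:.0%}", f"real={real_share:.0%}")
```

A feature that also matches most real customers, like the country in this sample, is filtered out because a block rule on it would hit legitimate buyers.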