OpenCart Receiving Orders For Products That Do Not Exist

[DontAsk]

Anyone ever seen this?

I have had 5 orders paid by PayPal, for £1, for products "Gift certificates" that do not exist on my OpenCart site.

No shipping details on 4 of them, order confirmation e-mails are bouncing.

I still have control of the site, and my PayPal account, have changed the passwords and put the site in maintenance mode. The only funds in the PP account are the payments minus the PP commission.

I can't see a way to report the PayPal transactions as suspicious. None of the three options in the Resolution Centre help.

What's the scam here? What are they hoping to achieve? What do I need to do?

Anyone have any ideas?

 

[Paul Kelly ICHYB]

Have you got a giftcard plugin installed (I do not think it is native to the system, is it?)?

 

[DontAsk]

There is a system built in, but I had removed the links for it, years ago, along with the ability to apply gift cards to the order total. I guess they know how to create a link. I've now also hacked the .php to prevent creation of gift cards.

One of the PayPal accounts has now lodged a dispute so it looks like at least one PayPal account has been hacked, which makes a bit more sense. I cant simply refund, as that would cost me the commission and there's no way to completely reject a PayPal payment.

It's all quiet today.

 

[antropy]

There is a system built in, but I had removed the links for it, years ago

Just removing the links isn't enough as people will be able to guess the URL.

We'd be able to disable the functionality as well if you like, details in sig.

Paul.

 

[yellowcircle]

Anyone ever seen this?

I have had 5 orders paid by PayPal, for £1, for products "Gift certificates" that do not exist on my OpenCart site.

No shipping details on 4 of them, order confirmation e-mails are bouncing.

I still have control of the site, and my PayPal account, have changed the passwords and put the site in maintenance mode. The only funds in the PP account are the payments minus the PP commission.

I can't see a way to report the PayPal transactions as suspicious. None of the three options in the Resolution Centre help.

What's the scam here? What are they hoping to achieve? What do I need to do?

Anyone have any ideas?

We saw this happen with a client‘s woocommerce website recently.

That turned out to be a fraudster testing stolen credit cards by placing low value cards orders to see whether the payment was declined or succeeded. The idea being that if the orders went through they knew they could go on a spending spree with the card.

We helped the client with their site to prevent this from happening by installing some anti-fraud software.

 

[DontAsk]

It's all quiet now, no more suspicious activity so far today.