Fraudulent app installs with two different myshopify domains?

Have any other app owners seen installs where the shop domain field points to another myshopify store?

Like shop = ‘foo.myshopify.com’
and domain = ‘bar.myshopify.com’

I’ve had two fraudulent installs that match this pattern. One got access to an unthrottled Twilio route. But I’ve seen many more of these cases recently.

Anyone else seeing this with their apps?

Can I just block these straight away? Or is there a risk doing this?

I wouldn’t block Shopify stores if they have two different myshopify.com domains. While we’ve seen lots of fraudulent stores with this pattern, it also occurs when a store changes its myshopify.com domain.

Earlier this year we had a wave of fraudulent stores. They were newly-created, would sign up for the most expensive plan, use the app and then never pay their Shopify bill. (As a kicker, sometimes they’d ask for a refund even though their bill was unpaid.) We tried different methods to block them, and had some success, but I was really worried about false positives.

If you have something like a Twilio integration where fraudulent usage can cost you a lot of money, the best solution I’ve heard of is to limit access to a few calls if a store looks suspicious. Potentially something like “If the store was created in the last 2 months, only let the users send 10 messages. Then have them contact support to verify their account.”

Verification could just be filling out a short Google form that could unlock a higher tier of maybe 1000 requests. That would probably still cause a lot of the fraudulent stores to look elsewhere.

I hope this helps some. Ultimately it’s a game of cat and mouse where you want to make it hard enough to abuse where they’ll go elsewhere, but not make it too hard for legitimate users.

Best,

Daniel

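The tiered throttle Daniel describes, as an added example that is not code from the thread or from any Shopify or Twilio library. It treats the shop/domain mismatch as an advisory risk signal rather than a block, caps unverified stores younger than 2 months at 10 messages, and unlocks a 1000-message tier once support has verified the account. The uncapped limit for established stores, the `Shop` record shape and the signal names are assumptions made for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Policy numbers from the thread: 2 months, 10 messages, 1000 after verification.
NEW_STORE_DAYS = 60
NEW_STORE_QUOTA = 10
VERIFIED_QUOTA = 1000
ESTABLISHED_QUOTA: Optional[int] = None  # assumption: no app-side cap for older stores


@dataclass
class Shop:
    """Constructed record of an install; field names are assumptions for the example."""
    shop: str             # the `shop` value received at install time
    domain: str           # the `domain` value received at install time
    created_at: datetime  # when the store was created
    verified: bool = False  # set by support after the store completes verification


def risk_signals(s: Shop, now: datetime) -> List[str]:
    """Advisory risk signals for a store. None of them blocks an install on its own."""
    signals: List[str] = []
    if s.domain.endswith(".myshopify.com") and s.domain != s.shop:
        # Two different myshopify.com names is common on fraudulent installs,
        # but also happens when a legitimate store renames its myshopify.com
        # domain, so it is recorded as a signal rather than acted on directly.
        signals.append("myshopify_domain_mismatch")
    if now - s.created_at < timedelta(days=NEW_STORE_DAYS):
        signals.append("new_store")
    return signals


def message_quota(s: Shop, now: datetime) -> Optional[int]:
    """Maximum messages the store may send through the app, or None for no cap."""
    if "new_store" not in risk_signals(s, now):
        return ESTABLISHED_QUOTA       # store older than 2 months: not throttled here
    if s.verified:
        return VERIFIED_QUOTA          # new but verified by support: higher tier
    return NEW_STORE_QUOTA             # new and unverified: a handful of messages only


def allow_send(s: Shop, sent_so_far: int, now: datetime) -> Tuple[bool, str]:
    """Decide whether one more message may be sent and explain the decision."""
    quota = message_quota(s, now)
    if quota is None or sent_so_far < quota:
        return True, "ok"
    if not s.verified:
        return False, "quota exhausted: contact support to verify your account"
    return False, "verified quota exhausted"


if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed "current" time
    suspicious = Shop("foo.myshopify.com", "bar.myshopify.com", now - timedelta(days=10))
    print(risk_signals(suspicious, now), message_quota(suspicious, now))
    print(allow_send(suspicious, 10, now))
```

The decision is driven by store age and verification state; the domain mismatch is only logged, so a store that legitimately renamed its myshopify.com domain is never cut off by that signal alone.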

Thanks Daniel

Glad I’m not the only one seeing it