Recently, one of Cogneato’s client’s site donate form was submitted thousands of times, presumably to fraudulently test credit card numbers. This happened over a couple hour period overnight, and was aggressive enough to cause the server load to spike and stay high for the duration. It seems the (presumed) bots were smart enough to operate the Stripe popup that we use for payment information.

It did not appear any of the requests were successful, but both the nefarious possibility and the server load were enough to warrant a response. Our solution was to add a captcha to the form, on that site and others with donation / payment forms. Since each site donate form is done custom for that site, we had to add this one by one, though we were able to make use of the functionality provided by our CMS.

It’s annoying to have to implement and presumably annoying for users that just want to donate or pay, especially when it was just a single incident, but we can’t allow this sort of activity. The bots have seemingly stopped, and will have a higher bar if they come back.

We did not implement it for our e-commerce checkout forms since it would likely be too hard for a bot to add to cart and then submit to the form at this point. Hopefully, they don’t figure it out.