Re: External bot accessing Marketo form data

Anonymous · ‎06-30-2013

1. Legitimate user comes to the website and submits a Marketo-based form

2. Marketo is updated with the user's data, new lead created

3. Over the next hours or days there are additional submissions on different versions of the same form on the website with the identical information as the original submission.

4. These new submissions are assume to be bots. They have a different IP address than the original submission, and are IP addresses associates with bot attacks.

What we can't figure out is how does the bot access the Marketo data?

We have had multiple legitimate external users from different companies & countries, submit forms, and the bot begin to submit new forms with their data. We have also replicated this from our internal network. This seems to rule out a malware infection at the client PC/Mac end of things.

Marketo support just says this is a bot and not a Marketo problem. They are incapable or interested in addressing the issue of how this bot has access to data stored in Marketo.

Anyone elese experienced this?
Any theories on how this could be happening?

Anonymous · ‎07-01-2013

Hi Derek

Just to clarify your point 4 above.

The bots DO NOT have access to the Marketo information or data. As previously detailed to your colleague the Form submissions are blank. You recieve the "Email Alerts" with the data as your Email Alerts have tokens which are populated when the Alert is sent directly from the the Application.

We have escalated this internally to have another look to see, how this is getting to associate to a lead in the database or is this just random.

Thanks
Damien

Anonymous · ‎07-01-2013

Damien,
I am the colleague.

Let's assume the bot does a blank submission (though we have mandatory fields that must be filled out).
Our notifications have triggers to email us the data that was used to fill out a form.
So when I fill out a form and skip a non-required field, the alert notification comes back with that field being blank.
It doesn't happen with a bot submission.

Instead, Marketo associates that submission (which happens within an hour of a legitimate submission) with a real person/marketoID and their (recent) submission, and then the process repeats itself over multiple Marketo forms.

I pleaded your colleague to explain how Marketo is associating a blank bot submission with a new record that was just created but to no avail. And this is the first time I'm hearing of any internal investigation. This is a very serious issue for us because the bot somehow triggers a response from Marketo forms and insitgates an autoresponder. By hitting many forms, our legitimate leads get multiple autoresponders from forms they'd never filled out.

Have you considered blocking the IP in question, at least temporarily: 188.143.232.31?

Anonymous · ‎07-01-2013

Hi Gennadiy

As perviously stated the form submissions are blank, you can see this yourself in the activity log also from the communications from my colleague . The information being populated to the Email alerts are from the Tokens in the emails itself which are populated from the database at the time the email is sent. So if these fields have previously been populated the will have values in the Email Alerts.

As stated above we are having another look to see if we can identify how this is being associated to these leads or if just is just random.

Thanks
Damien

Anonymous · ‎07-01-2013

Damien,
I understand how tokens work and I understand how notifications are generated. But please, draw me a picture because I do not understand how a blank submission from a bot to forms that have mandatory fields generates a notification alert where tokens pull data from the last submission that was done by a legitimate user on a completely different form.

Dan_Stevens_ · ‎07-01-2013

We're a new client of Marketo. But back when my prior company was a client (2012), we experienced an issue where someone would complete a form submission. Then when the next user attempted to fill out the form, it was pre-populated with the last user's personal data (a huge privacy issue). Not sure if this is related, but wanted to make note of the issue we experienced last year which sounds very familiar here.

Anonymous · ‎07-02-2013

Thank you, all.
We have received an update from Marketo Support that they were able to find the cause of our problem.

Apparently, Marketo forms embedded into pages that we are hosting (outside of Marketo), retained a piece of code that should have been removed. Specifically, point 5.4 of Marketo instructions asks to clear the value for the _mkt_trk input:

Old: <input type="hidden" name="_mkt_trk" value="id:066-WBT-195" />
New: <input type="hidden" name="_mkt_trk" value="" />

Put a Marketo Form on a Non- Marketo Page: http://community.marketo.com/MarketoArticle?id=kA050000000KyqgCAC

As a result of this error here's what was happening.

A legitimate user visited our page, filled out a form, and shortly after, a bot visited the same page and attempted to submit to the same form without filling in any values. Because the _mkt_trk value wasn't removed from the code, the bot was able to associate itself with the last know visit, using tracking parameters/code that were on the page/Marketo form.

That was the missing piece of the puzzle and the one we were stressing on the most. Thanks to Marketo engineers/support for identifying the problem and we are currently in the process of fixing the code on all Marketo forms embedded outside of Marketo.