Guys, we've been working on this. Will have another update out very shortly. Seems the last update helped the vast majority of users with the script fraud donations... but you can never stop someone from sitting at their computer and manually filling out your form over and over again.
The change we have just implemented in the last day is to send the IP address to Authorize.net for all attempts. The last update would store the IP for successful donation records. Now, all attempts will send the IP to authorize.net. Then of course you can get the IP and block them.
We would also recommend of course that you check your authorize.net security settings and improve them. Make sure you have CVV code as required. Have at least the address and/or zip code match to be required.
As part of the fix can you log all unsuccessful credit card transactions. Authorize.net deletes all unsuccessful attempts when it accepts a batch. Logging the failures will also allow us to respond to legitimate customers who's credit cards failed for one reason or other.
Having the same problems here. Updated to the latest plugin but got hit again a number of times. This is costing real $ because each failed transaction is $.10 . These are adding up, well into the hundreds of $'s already. Have temporary taken down our donation page and put the authorize.net account in test mode.
thepiston wrote: would it help to put component behind password or are they accessing the files directly?
I think the biggest help is tightening up on Authorize.net. Make sure your transactions are validated with as much information as possible. In addition If you add Fraud Protection Suite make sure you set the filter to hold for approval. You won't be charged unless you approve the transaction.
I tried a bogus transaction which was stopped by the Fraud Protection suite, it responded to the user with "Try Again". If you were a hacker and got no information you would eventually give up. I just hope I don't turn off my regular donors.