Slashdot Mirror


How Do I Fight Russian Site Cloners?

An anonymous reader writes "I used to run a small web design service, the domain for which I allowed to expire after years of non-use. A few weeks ago, I noticed that my old site was back online at the old domain. The site-cloners are now using my old email addresses to gain access to old third-party web services accounts (invoicing tools, etc.) and are fraudulently billing my clients for years of services. I've contacted the Russian site host, PayPal, and the invoicing service. What more can I do? Can I fight back?"

24 of 208 comments

  1. contact your clients by Pinhedd · · Score: 5, Informative

    If you have a summary of your clients (and you should), you should send out a mass email and let them know what's going on.

    1. Re:contact your clients by Cassini2 · · Score: 4, Informative

      Check that the problem is not closer to home. The problem could be either technical like a corrupt ISP or some spyware, or it could be an insider running the scam.

      To make this scam work, the third party needs a great deal of inside information. That points to an insider. For instance, the third party would need access to invoicing forms to make everything look official.

    2. Re:contact your clients by sopssa · · Score: 5, Funny

      The money has to get to these people somehow. Follow it, and you find the crook.

      Exactly, good advice!

      Like girlintraining states, you only need to hack into the Visa merchant account to know what bank account it belongs to, then hack the bank to know who is the owner of that account and get his bank statements to know what is being done with it. After you furiously raid the person's home you discover the old lady is a money mule and has wired the money overseas. Now you only need to take a flight to Kazakhstan and go talk with the local banks about it, just to find out that some alcoholic cashed it out for $10 and gave it to some man he doesn't remember.

      As always, great tip, girlintraining.

    3. Re:contact your clients by wvmarle · · Score: 5, Insightful

      I didn't immediately think "insider" but now you mention it... it makes total sense of a very unbelievable story.

      Oh well yet another story that doesn't pass a reality check, and in good kdawson fashion no supporting links or so. Here we go:

      The fraudsters copied the web site (that was presumably off-line for a long time). Trivial if it is all static pages, not trivial to impossible if it includes a lot of server-side scripting and you do not have access to the server directly. And quite unlikely that a web site is copied and kept archived by would-be fraudsters hoping that in the future the owner lets the domain expire so they can bring it back on-line? No. It just doesn't happen.

      Then they need to know which third-party services you used. And that you were so trusting that you use a third-party web service for invoicing in the first place.

      Then they know your clients (potentially through the third-party invoice service).

      Then they have your passwords (I may assume password protection).

      And how come your old accounts at those invoicing services are still accessible in the first place? From the fact that you let your domain expire after "years of non-use" I take it your business has closed years ago too. Third-party web services usually require payment, especially specialised stuff like invoicing. Not likely they keep that active without it being paid for.

      So Russian hackers? No. Insider job? That's where you should look first indeed. Start with former employees I'd say.

    4. Re:contact your clients by ottothecow · · Score: 5, Insightful

      I am not sure they would have to replicate the pages exactly. Just take whatever shows up on archive.org and slap a current date on it.

      The cloners are not trying to recreate your business--they just have to make it look like the business still has an active website. Then they use the emails that they now control to get back into old accounts.

      As for knowing which third-party services were used, there may be some indication on the archived site or there may be something available with enough googling--maybe they find a former client from a "site design by..." tag and social engineer some answers out of them (they don't have to be an insider or client themselves...they just use your old email address and ask a former client). There can't be that many providers of some of these services that were active when the business was running and are still active now...just start using lost password forms.

      They might have to reinstate your old payments, but a few months of invoicing service is a drop in the bucket compared to what they could then invoice your clients for (and bigger corporate customers might not ask questions before cutting a check to a company already in the system).

      --
      Bottles.

    5. Re:contact your clients by EdelFactor19 · · Score: 4, Insightful

      what are you talking about?

      His clients aren't going to the site; the cloners are using the access to third-party information obtained through the site's email to fraudulently bill them. When old clients (some might not be any more) all of a sudden see themselves being billed for years of service that they never received/paid for or got, who do you think they are going to believe?

      Someone telling them there is a scam going on, which would explain the behavior?
      Or someone telling them ignore him, everything is fine we are just billing you for no real reason?

      What happens when they pick up the phone to follow up with a complaint?

      He doesn't need a way to prove who he is to the customers; he has proof that he paid for the site domain originally and needs to contact the third party service providers to get that account cut off and redirected to him.

      Shame on you for not updating contact information when you let the domain expire. Forget the open customer accounts within your 'profile'; I'd be willing to bet that all of the transactions and everything else are tied to an account of his OWN with the 3rd parties, and various bad bits of information that have now been stolen. The biggest problem is that the third party services are treating the activity as legit.

      --
      "Jazz isn't dead, it just smells funny" ~Frank Zappa
      EdelFactor

  2. fight back by toxygen01 · · Score: 5, Insightful

    Check the DNS domain registrar of theirs and report domain abuse.
    That's what WHOIS information is about too.

  3. Don't let valuable/vulnerable domains expire? by Bourdain · · Score: 4, Insightful

    Wouldn't it just be cheaper/easier to just never let even remotely valuable/vulnerable domains expire since it costs so little to keep renewing them?

    1. Re:Don't let valuable/vulnerable domains expire? by uglyduckling · · Score: 5, Insightful

      Yes!! You've hit on the perfect answer. Hindsight and a time machine can solve any problem. Bravo!

    2. Re:Don't let valuable/vulnerable domains expire? by Bourdain · · Score: 4, Informative

      I completely appreciate your response -- my suggestion is clearly inappropriate in the poster's question but...

      Even though the poster claims this domain was not used, merely the ownership of it (at nominal cost, might I add) protected his business, which he only realized in retrospect. That, I believe, is the take-home to readers of this forum in this situation -- not what to do if you make this blunder.

      As little as a single lost sale as a result of this gaffe on the poster's part could far exceed the cost of renewing the domain for a decade.

  4. Based on my understanding... by fuzzyfuzzyfungus · · Score: 5, Funny

    Of how Russian Free Enterprise works, I would suggest either hiring hitmen to brazenly gun-down whoever cloned your site, if it is a relatively small operation, or insinuate that the cloner is an enemy of the state, and have him jailed on trumped-up tax evasion charges, if it is a large operation.

    If neither of these options suits, I hear that Polonium is the new Earl Grey...

  5. Phishing filters by ISurfTooMuch · · Score: 4, Informative

    Just an off-the-wall idea here, but check to see how to report this site to Mozilla and Microsoft to get it into their blacklist of phishing/scam sites. If I got something from a site, and, upon trying to visit it, my browser's filter warned me about it, I might suspect something fishy is going on.

    Doing this is by no means a complete solution, but it could get you part of the way there.

  6. ICANN by carp3_noct3m · · Score: 5, Informative

    Check out Uniform Domain Name Dispute Resolution. It is often overturned in court, and isn't always effective, but taking back control of the domain in whatever way possible is more than likely the only way you will fully recover from this. Otherwise you are simply on a damage mitigation mission.

    --
    "It's ok, I'm completely secure as long as my iron is off"

    1. Re:ICANN by v1 · · Score: 4, Insightful

      the problem I see with this though is it's not like the domain was stolen. He allowed it to lapse while having email addresses on that domain still recognized by clients. They legally registered it, and are now making life hard for him. He screwed up, and can't go running to the authorities for that alone. Now clearly they're being fraudulent WITH the domain, but they obtained it legally, so that makes it a lot harder to legally take away.

      --
      I work for the Department of Redundancy Department.

    2. Re:ICANN by ISurfTooMuch · · Score: 5, Interesting

      Excellent idea! If you file the claim, the scammers have to file a reply, or they lose by default. Since people like this are bottom feeders who move from one scam to another, I seriously doubt they'll want to expose themselves by filing a response. Like cockroaches exposed to a light, they'll scurry away.

    3. Re:ICANN by Rich0 · · Score: 4, Insightful

      Additionally, it doesn't sound like he even wants the domain back. He just wants people to stop using it to impersonate him.

      Suppose I own a domain, and want to stop using it. No big deal - I let it lapse. I don't want to pay for it - I don't need it. However, if somebody were to register it expressly for the purpose of impersonating me, I'd certainly care about it!

      The same thing can happen offline. Suppose I buy a home and phone number that used to be owned by Bill Gates simply so that I can impersonate him and clean out his bank accounts or whatever. Should Bill Gates need to dispute my purchase of the home? That isn't what is at issue.

      The problem is fraud, not domain ownership in this case.

      The real solution is to not tie identity to a domain. Sure, you can deliver based on a domain, but emails should be encrypted to a certificate, and signed by a certificate, and identity should be based on that.

      For whatever reason it seems like we live in this fantasyland where security and authentication is an afterthought in almost all internet protocols...

    4. Re:ICANN by dissy · · Score: 4, Informative

      the problem I see with this though is it's not like the domain was stolen ... Now clearly they're being fraudulent WITH the domain, but they obtained it legally, so that makes it a lot harder to legally take away.

      You should read the ICANN domain agreement you clicked OK to when registering a domain (All registrars for .com are required to pass that agreement on)

      Registering a domain name in bad faith, and/or for the use of fraud, is grounds for domain revocation.

      Being legally purchased, and not being stolen, do not factor into ICANN's rules. Those are more legal issues a court would need to address, and only after that happens would it be ICANN's concern.

      ICANN can revoke any .com domain on the grounds it is registered in bad faith or used for fraud.
      They HAVE done this in the past too.

      If you register a domain that sounds similar to an existing business, and also use that website for business, odds are good they can have it revoked from you. If your business line is the same as the existing business, it is guaranteed to be revoked. Being local rules that the end user agreed to, there is little recourse when ICANN chooses to do so, even if they do abuse this vague rule.

      http://www.icann.org/en/dndr/udrp/policy.htm

      Section 4, subsection A, paragraph III

      4. Mandatory Administrative Proceeding.

      This Paragraph sets forth the type of disputes for which you are required to submit to a mandatory administrative proceeding. These proceedings will be conducted before one of the administrative-dispute-resolution service providers listed at www.icann.org/udrp/approved-providers.htm (each, a "Provider").

              a. Applicable Disputes. You are required to submit to a mandatory administrative proceeding in the event that a third party (a "complainant") asserts to the applicable Provider, in compliance with the Rules of Procedure, that

                      (i) your domain name is identical or confusingly similar to a trademark or service mark in which the complainant has rights; and

                      (ii) you have no rights or legitimate interests in respect of the domain name; and

                      (iii) your domain name has been registered and is being used in bad faith.

  7. Re:A crazy Idea by Anonymous Coward · · Score: 4, Funny

    That's a rather dangerous and almost certainly illegal thing to do.

    However, I was thinking about suggesting that he post the URL here so that people here in slashdot could take a look at the site and get some ideas about what to do about the ...
     
    ...oh, wait.

  8. Re:Try to have the DNS entry removed by Archon-X · · Score: 4, Informative

    There's a problem with these automated tools - and that is that they're the shotgun approach.

    We run some mainstream sites, and we also allow affiliate promotion.
    We have a zero-tolerance spam / mailing policy, but that doesn't stop people trying.

    If or when complaints come through (SpamCop, SpamHaus, etc) - we deal with them, and nuke the affiliates - we're just as anti-spam & fraud as the BL guys.

    The problem, however, is that with the use of this / these tools, when DNS, upstream and network providers are scatter-bombed with complaints, over, and over, you end up getting blacklisted. Even if you're not in the wrong, you get blacklisted.

    If you've ever been on the end of a SpamCop / SpamHaus complaint, as much as they may have intended to set up a good service, their 'service' is incredibly partial.

    For example, the latest email back from SH to our host, when we had banned a fraudulent affiliate:

    Let's talk about removing the customer instead of offering up yet another affiliate excuse.
    Regards,
    -- The Spamhaus Project (SR22) http://www.spamhaus.org/

    Their website 'evidence' archives are full of libel and blackmail - if you email SH with a fake complaint, and say that company X participates in money laundering, international fraud and spam - they'll publish it - without an ounce of fact checking.

    Somewhat off topic, but these issues burn - who watches the 'watchers' / internet 'police'

  9. Re:Didn't you notice? by John+Hasler · · Score: 4, Funny

    > A few recommendations...

    a) Read the article.

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.

  10. Re:More To It? by Nadaka · · Score: 4, Informative

    It probably wasn't even that hard. Once they own the domain, they can park a standard email server on it and capture email sent to the domain; they don't even need to implement the specific addresses.

  11. Re:Close your accounts! by Chrisq · · Score: 5, Funny

    Try to close your Slashdot account, for example.

    Bastard. Now I've got to re-register.

  12. Re:More To It? by patSPLAT · · Score: 4, Insightful

    1. take over domain
    2. set up catch-all email account
    3. wait for "we wish you were still our customer" email
    4. take over old billing accounts
    5. repost site from archive.org
    6. start tracking down clients perhaps with search for 'site designed by xxxxxxx' and send bills

    It's a pretty smart scam.
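    The two comments above (Nadaka's catch-all server and patSPLAT's six-step scam) describe the same failure: every third-party account whose recovery address sits on a lapsed domain is resettable by whoever picks that domain up. The defender's counterpart is an inventory check: group your accounts by recovery-address domain and confirm each domain's MX still points at a mail host you operate. The script below is an added example written for this page, not code from the original thread or from any poster; the account list, domain names, mail hosts and the MX answer table are all constructed for the example, and the `resolve_mx` callable is a stand-in for a real DNS lookup (for instance via dnspython) so the check runs offline.

```python
"""Audit which recovery-email domains an organisation still controls.

Added example, not code from the original thread. The MX table below is a
constructed stand-in for live DNS answers; every name in it is hypothetical.
"""
from collections import defaultdict

# Constructed inventory of third-party accounts: (service, recovery address).
ACCOUNTS = [
    ("invoicing-saas.example", "billing@oldwebdesign.example"),
    ("paypal.example", "accounts@oldwebdesign.example"),
    ("registrar.example", "admin@currentagency.example"),
    ("hosting.example", "ops@currentagency.example"),
]

# Mail hosts the organisation actually operates (or its mail provider's hosts).
TRUSTED_MX_HOSTS = {"mx1.currentagency.example", "mx2.currentagency.example"}

# Constructed DNS answers standing in for a live MX lookup. An empty list means
# no MX / NXDOMAIN. In practice substitute a real resolver (e.g. dnspython).
FAKE_MX_TABLE = {
    "currentagency.example": ["mx1.currentagency.example."],
    # The lapsed domain now points at the squatter's catch-all mail server.
    "oldwebdesign.example": ["mail.squatter-host.example."],
}


def fake_resolve_mx(domain):
    """Offline stand-in for an MX query; returns [] for unknown domains."""
    return FAKE_MX_TABLE.get(domain, [])


def domain_of(address):
    """Domain part of an email address, lower-cased."""
    return address.rsplit("@", 1)[1].lower()


def audit(accounts, resolve_mx, trusted_hosts):
    """Return {domain: {"accounts": [...], "mx": [...], "status": ...}}.

    status is "ok" when every MX host is one we operate, "hijackable" when the
    domain resolves to a foreign mail server (someone else now receives the
    password-reset mail), and "no-mx" when nothing answers (the domain has
    lapsed or is unregistered, so anyone can still pick it up).
    """
    by_domain = defaultdict(list)
    for service, address in accounts:
        by_domain[domain_of(address)].append(service)

    report = {}
    for domain, services in sorted(by_domain.items()):
        mx = [h.lower().rstrip(".") for h in resolve_mx(domain)]
        if not mx:
            status = "no-mx"
        elif all(h in trusted_hosts for h in mx):
            status = "ok"
        else:
            status = "hijackable"
        report[domain] = {"accounts": sorted(services), "mx": mx, "status": status}
    return report


def exposed_accounts(report):
    """Services whose recovery address lives on a domain we no longer control."""
    return sorted(
        service
        for entry in report.values()
        if entry["status"] != "ok"
        for service in entry["accounts"]
    )


if __name__ == "__main__":
    rep = audit(ACCOUNTS, fake_resolve_mx, TRUSTED_MX_HOSTS)
    for domain, entry in rep.items():
        print(f"{domain:26} {entry['status']:10} mx={entry['mx']} accounts={entry['accounts']}")
    print("move the recovery address for:", exposed_accounts(rep))
```

    Run it as a scheduled job against your real account inventory and a live resolver, and treat any "hijackable" or "no-mx" domain as an incident: move the recovery address on every affected account before the domain's new owner does it for you. Renewing the domain (Bourdain's point above) is the cheaper fix, but this check catches the accounts you forgot were tied to it.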

  13. put this in bold by Onymous+Coward · · Score: 5, Insightful

    This is the fundamental thing to take away from this incident, and, while it may be obvious, it deserves stating plainly:

    Domain control / email address control is an authentication tool.

    We've brushed by the concept in prior conversations about validating new user sign-ups.

    Implications include, as in this scenario, human verification by looking at a web page of a familiar domain, human verification by email correspondence with a familiar email address, and password resetting when in control of an email address; SSL certificate-based identity (if the decrypted certificate can also be acquired), URL-referenced data validity (executables for download), and probably a number of other authentication/control mechanisms reliant on domain/address -- your ideas are solicited.

    DNS hijacking, then, should be a serious concern. DJB warned about cache poisoning via brute-force source port + transaction ID spoofing in 1999. A long time went by before the issue got enough publicity (in 2008) to force the major DNS software purveyors to clean up their acts. This guy needs to be taken seriously.
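    The comment above argues that once domain control is an authentication factor, a spoofed DNS answer is an authentication bypass, and that the small guess space (a 16-bit transaction ID alone) is what made cache poisoning practical. The model below, an added example written for this page and not code from the original thread or any poster, puts numbers on that: a forged answer is accepted only if it matches the pending query's transaction ID and, on a resolver that randomises it, the query's UDP source port too. It computes the attacker's odds per query race, the number of races needed for a given overall success probability with and without port randomisation, and checks the closed form with a Monte Carlo run. The port count (16384, the IANA dynamic range 49152..65535), the attacker's forged-answers-per-race figure and the assumption that the forgeries carry distinct guesses and beat the genuine reply are illustrative assumptions, not measurements from the page.

```python
"""Spoof-resistance of a DNS resolver with and without source-port randomisation.

Added example, not from the original thread. All figures are the model's own
under the stated assumptions, not measurements.
"""
import math
import random

TXID_SPACE = 2 ** 16          # 16-bit DNS transaction ID
PORT_SPACE = 65536 - 49152    # assumption: IANA dynamic range; OS ranges differ
COMBINED_SPACE = TXID_SPACE * PORT_SPACE  # TXID plus randomised source port


def per_race_success(k_forged, space):
    """P(at least one of k distinct forged guesses matches) in one query race.

    Assumes the k forgeries carry distinct (TXID[, port]) guesses and all
    arrive before the genuine answer, so the race is lost only on a miss.
    """
    return min(1.0, k_forged / space)


def races_for_probability(target, k_forged, space):
    """Smallest number of independent query races (each for a fresh random
    name, Kaminsky-style, so a miss costs nothing) giving overall success
    probability >= target."""
    p = per_race_success(k_forged, space)
    if p >= 1.0:
        return 1
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - p))


def simulate(k_forged, space, races, trials=2000, seed=1):
    """Monte Carlo check of the closed form: fraction of trials in which the
    attacker wins at least one of `races` races.

    The resolver draws a uniform secret from `space`; without loss of
    generality the attacker's k distinct guesses are {0, ..., k-1}, so a race
    is won exactly when secret < k_forged.
    """
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        for _ in range(races):
            if rng.randrange(space) < k_forged:
                wins += 1
                break
    return wins / trials


if __name__ == "__main__":
    k = 100  # assumption: forged answers the attacker lands per race
    for label, space in (("TXID only", TXID_SPACE), ("TXID + port", COMBINED_SPACE)):
        races = races_for_probability(0.5, k, space)
        print(f"{label:12} space=2^{math.log2(space):.0f} "
              f"P(win one race)={per_race_success(k, space):.2e} "
              f"races for 50%={races:,}")
    print("simulated 50% point, TXID only:",
          simulate(k, TXID_SPACE, races_for_probability(0.5, k, TXID_SPACE)))
```

    With these assumptions a resolver that randomises only the transaction ID is poisoned with even odds after a few hundred query races, while adding a randomised source port pushes that into the millions; the Monte Carlo run lands near 0.5 for the TXID-only case, confirming the formula. The practical check is the same one the 2008 fixes mandated: verify with a packet capture that your resolver's outgoing queries use varying source ports, not one fixed port.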