Is this some sort of domain hijacking?

Tourist

My site is https://www.groomingdept.com/

But someone registered a domain, https://flaresocietyshop.com/

This replica site is identical to my site in every way. What's happening here? What's happening to my sales? What's happening to my customers who try to purchase something? It seems that the PayPal process goes through.

What on earth is going on here?

Shopify Partner

Doing a test checkout, that domain gets errors so no checkout.

They've pointed that domain to your myshopify store so all it's doing is loading your content, albeit in some places the wrong URLs will error because it is not the primary domain.

A WHOIS tool shows the registrar is Namecheap; contact them at abuse@namecheap.com

Then contact support@shopify.com with any relevant details so they are at least aware of this activity.

Problem Solved? ✔️Accept and ? Like the solution so you can help others.
Buy me a coffee ☕ paypal.me/paulnewton or donate to eff.org
Confused? Busy? Buy a custom solution paull.newton+shopifyforum@gmail.com
Tourist

I have reported it to abuse@namecheap.com.

I wonder what the purpose of this mirror is, then? This has happened to someone else who wrote about it on Reddit. There was no resolution on the Reddit thread. I'm puzzled!

https://www.reddit.com/r/shopify/comments/dw4fnh/so_umever_find_an_exact_duplicatemirror_of_your/

Tourist

On the fake site, I had a customer buy something, the sale went through and I collected the money in my PayPal account. But the entire transaction took place on the fake site.

My question now, were they able to harvest the customer info on the fake site?

Is anyone at Shopify reading this?

Shopify Partner

"My question now, were they able to harvest the customer info on the fake site?"

All customer info should only be entered from PayPal's side or on checkouts.shopify.com.

So in theory the most they are getting here is traffic logs, there may be more going on but it would have to be investigated.

If there is malicious intent, the end goal could vary wildly. A simple attack would be: they want to make the fraudulent domain seem legitimate, create that association, then some time later point the fake domain to different malicious impersonation content, similar to how scammers attack banks with misspelled domain names.

Contact Shopify directly:

https://help.shopify.com/en/questions

Tourist

I definitely think there is something malicious about it. I have never seen anything like this before.

Shopify's help response was to give me a piece of JavaScript to insert in theme.js. That's not a solution. My site's reputation is at stake because Shopify is letting this happen. I have googled for hours and hours. Nobody has come across something like this.

As I pointed out, this has happened to someone else, the link to the post on Reddit is above.

Shopify Partner

Small fix to place either as a JavaScript tag in your theme.liquid's head tag area, or in theme.js without the HTML tag:

<script>
  // Send visitors back to the store's primary domain when the page is loaded under any other hostname.
  if (window.location.hostname !== "{{ shop.domain }}") {
    window.location = "{{ shop.secure_url }}";
  }
</script>

There's also the possibility of still targeting users without JavaScript, but I'm not 100% sure what domain information Liquid renders in this situation.

Try this at the top of the <head> area in theme.liquid and see what the output is when on the fraudulent domain; in your browser use Ctrl+U to view source.

<!-- canonical_url: {{ canonical_url }}, request.host: {{ request.host }} -->

If those two objects output anything besides the real URLs, then that means it should be countered easily without JavaScript, even if they try another domain.

Here is code to test with JavaScript disabled if the above detects the wrong domain.

Though if you want, PM me and I'll send a partner request to test it myself.

{% unless canonical_url contains "groomingdept.com" or request.host == "groomingdept.com" %}
<noscript>
  <meta http-equiv="refresh" content="0; URL='https://www.groomingdept.com/'" />
</noscript>
{% endunless %}

💣⚠💥Do not leave the above struck out code in your live theme without thoroughly testing

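Added example, not part of the original thread and not Shopify's code: a stricter form of the hostname check from the post above, written as a function that can be tested outside the browser. It compares against an exact allowlist instead of a single string or a `contains` test and keeps the path when redirecting; the allowlist entries, including the `your-store.myshopify.com` placeholder, are assumptions.

```javascript
// Assumed values for illustration; in a theme they would be rendered by Liquid
// (for example from {{ shop.domain }} and {{ shop.secure_url }}).
const PRIMARY_ORIGIN = "https://www.groomingdept.com";
const ALLOWED_HOSTS = new Set([
  "www.groomingdept.com",
  "groomingdept.com",
  "your-store.myshopify.com", // placeholder for the store's own myshopify.com host
]);

// URL() already lowercases the hostname but keeps a trailing dot,
// so strip it before comparing ("www.groomingdept.com." is the same host).
function normalizeHost(host) {
  return host.toLowerCase().replace(/\.$/, "");
}

// Returns null when the page is served under an allowed hostname.
// Otherwise returns the equivalent URL on the primary domain.
function redirectTarget(href) {
  const url = new URL(href);
  // Exact match only: a hostname that merely contains the store name
  // is still treated as foreign.
  if (ALLOWED_HOSTS.has(normalizeHost(url.hostname))) return null;
  // Preserve path, query and fragment so a deep link lands on the same page.
  return PRIMARY_ORIGIN + url.pathname + url.search + url.hash;
}

// Browser entry point; skipped when the file is loaded outside a browser.
if (typeof window !== "undefined") {
  const target = redirectTarget(window.location.href);
  // replace() keeps the foreign URL out of the back-button history.
  if (target !== null) window.location.replace(target);
}
```

Like the original snippet, this only runs when JavaScript is enabled, so the noscript fallback in the post above still covers a separate case.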

Tourist

Thank you, Paul, for helping out! I have added the domain redirect code to the theme.js. I'll try the code for when JS is disabled tomorrow morning.

But here is a question for you: How are they able to do this? This is done without copying a site's content; any changes I make to my site immediately show up on their site. Can a 2nd and 3rd criminal like these guys accomplish the same thing over and over? How are they exactly doing this, do you know? Thank you.

Shopify Partner

This is an accepted solution.

Possibly it's just a DNS alias; if Namecheap responds with solid answers, please update.

For now all they've done is point that domain name to your site, so any changes will update because it is your site which is loading just with the wrong domain name.


https://www.namecheap.com/security/domain-phishing-security-attacks-guide/

https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/infosec-guide-takin...

Tourist

Thank you for your continued help!

They seem to have backed off, and now they seem to have some generic WordPress when loading their domain.

As soon as I discovered their site, I filed a complaint with Namecheap and Google. As a matter of fact, Google promptly removed their indexed pages two days ago.
