My entire store has been cloned/mirrored

Zoes · ‎03-16-2021

Hi!

As the subject, I found two exact clones of my shopify store. Or should i say it's been mirrored. I tried to change some details on my website, including a warning poster, and the other two sites got updated instantly. And they have redirected most of my traffic to the fake sites.

I have contacted shopify and their domain registrar, but none of them can help. I've also reported them to google and cloudflare, haven't heard back.

Have anyone experienced the same? Is there a solution at all to this issue?

It's so scary this kind of thing can actually happen with shopify store and couldn't get any help with them.

TIA

Jivan_Suhagiya · ‎03-16-2021

Hi,
Is that separate Shopify store or redirecting to your store?
I believe they redirecting to your store. Can you please share store link of both? original and mirrored

If helpful then please Like and Accept Solution.
Email: suhagiyajivan1992@gmail.com
Skype: jivan.suhagiya
First kind of Checkout Reminder APP: https://apps.shopify.com/checkout-reminder

Zoes · ‎03-16-2021

The traffic has been directed to their websites, and they are not hosted by shopify, that’s why shopify can’t do anything.

my shopify store:

https://inzelane.com

the clones:

http://stockholm-gay-**bleep**-network.com
http://entrecineastas.com

Jivan_Suhagiya · ‎03-16-2021

did you checked your domain settings, theme code etc?
it looks like its not separate shopify store, but same store using different domain

If helpful then please Like and Accept Solution.
Email: suhagiyajivan1992@gmail.com
Skype: jivan.suhagiya
First kind of Checkout Reminder APP: https://apps.shopify.com/checkout-reminder

tim · ‎03-16-2021

@Jivan_Suhagiya the bad guys simply serve the same HTML they've downloaded from the original shop.

You can see it's not a Shopify store -- they serve jQuery from the root of their site, fro example. And their server runs on PHP...

@Zoes seen a couple of similar threads (probably in other sub-forum), looks like you have two options file DMCA complaints with google to take down their search results and try to add some protection on your site. If they mirror your pages, one option to try is to add some javascript which will check the url and break something when run on their site...

If my post is helpful, consider liking it -- it will help others with similar problem to find a solution.

Zoes · ‎03-16-2021

Thank you for the suggestions. I have reported to google, the status is still pending.

Sadly I’m good with javascript at all 😞 I’ll hire someone to do it.
You mentioned to add protection to my store, how do you suggest to add it?
Thanks a lot

Jivan_Suhagiya · ‎03-17-2021

Hi @tim
I tried something and its looks like they using Shopify resources at all
for ex. if we check cart json on http://entrecineastas.com/cart.json
even product data http://entrecineastas.com/products/70s-shorts-green-white.json
its returning real time data, not from their server
am I correct?

If helpful then please Like and Accept Solution.
Email: suhagiyajivan1992@gmail.com
Skype: jivan.suhagiya
First kind of Checkout Reminder APP: https://apps.shopify.com/checkout-reminder

tim · ‎03-17-2021

@Jivan_Suhagiya -- interesting! Seems to be a bit more complex than just a mirror.

Note that offending site has cart at http://entrecineastas.com/checkout/cart address and it does not correspond with http://entrecineastas.com/cart.json -- for example for me cart shows 3 products, but json is empty and token changes with every refresh (which should not happen).

http://entrecineastas.com/cart.js which should work on Shopify server produces 404'ish HTML.

I'd try to put something like this inside the <head> (in theme.liquid layout)

<script>
if( location.host.indexOf("inzelane") < 0 )
    location.hostname = 'inzelane.com';
</script>

This is obviously very naive code which should redirect to original site if run somewhere else. Generally should be made more complex and more obfuscated, or even loaded from the file...

If my post is helpful, consider liking it -- it will help others with similar problem to find a solution.

Bullcrunch · ‎03-17-2021

Ever since I read this post, I have been worrying. Is cloning stores a thing? Is it about to become a thing? Am I crazy to think that when I use a platform like Shopify I'm protected?

Zoes · ‎03-18-2021

@Bullcrunch that was our exact thought, thought we should have been protected by shopify. So far, we haven't got much help from shopify. Still waiting for reply from their technical support

AoPShop · ‎12-24-2021

I found this solution that David had posted and it did work. - https://community.shopify.com/c/shopify-discussions/hacker-cloned-my-store/td-p/463581/page/2

I had to remove www in the first line it did work. passing it on to you and others. excellent work by David.

DesignerJoe55 · ‎01-12-2022

@Zoes This exact same thing is happening to us right now. We have 7 websites cloning ours!

Have you had any progress at all? I see that your clone sites are still live 😞 I also see that the person who is registered on all of the domains cloning us is the same person who is doing this to you.

We were able to get two of the sites removed through the registrar, which is Regtons by writing to abuse@regtons.com. We had originally discovered 4 clones. Two with Regtons and two with GoDaddy. The Regtons sites are both down. GoDaddy has not responded. We just discovered the other three domains today, which are all through Regtons. They have been extremely helpful. Hopefully they will act fast on these new domains as well.

We've also reported the domains to Google, Cloudflare, and ICANN. None of them have responded or done anything yet.

Offending Domains:

Here is the full list of domains that are cloning ours:

knowalittle.com (GoDaddy)
circlehfishing.com (GoDaddy)
jetmaxerkekdamlasi.com (Regtons)
coteaux-aix-en-provence.com (Regtons)
ruthschris-toronto.com (Regtons)
munasmastergroomer.com (removed)
daynasmakina.com (removed)

Redirect Script

I wrote a redirect script that can be placed on our website that checks domain and redirects to another site if it matches. I first tried one that checks to see if the domain matches ours, and redirects if it doesn't. That didn't work because it breaks the shopify backend. I'm sure it could be tweaked, but for now I just targeted the specific offending domains.

Here is the script:

<script type="text/javascript">
if (window.location.hostname == "munasmastergroomer.com") {
window.location.replace("https://sites.google.com/view/webphishingalert/home"); }
</script>

You would just have to change it to match your offending domains. Yes, it needs to be placed in there for each domain. I know it's not the prettiest code, but it does work for now. I'll try to update it later. Or maybe someone here can.

I have it redirecting to a Google page that I threw together real quick. You can also redirect to your own site, but it won't actually do that. It will break their site, though, by putting it into an infinite loop. The biggest problem with using a script is that it doesn't stop Google from showing the sites in search results. But it's something.

I don't have the script in our site right now because I want the registrars, Google, etc. to be able to see the offending website.

Other Info:

These clones are sophisticated. They ping often and update quickly. Changes you make on your store are almost instantly updated on the clones. They have to ping so often that they get overloaded sometimes and go down. But not for very long.

They have scripts in place that check for your name and business info and replace it with theirs. If you add your business name into some text, you will see it swapped out for theirs on the clone site automatically.

Somehow they are able to rise through Google search very quickly to be on the first page with our site. I have no idea how they can do that, but they did. It took us quite some time to get to the first page, yet they somehow did it in a month for certain terms.

Background Info:

I'm not sure if it's relevant or not, but not long before these sites popped up we received a couple of threatening messages from someone wanting backlinks for their client, as well as 5 star Trust Pilot reviews. Stating this if we didn't comply:

"If I do not seeing a backlink in one week, I am create million toxic blog comment spam and redirect backlink to pnwjourney.com and you can saying goodbye to your Google rankings for 1 year or more."

They said they are from Bizcope in Bangladesh. These clone sites are from Czechia. So I'm not sure if they are related, but it's pretty coincidental.

I hope this is helpful for anyone else going through this, and I appreciate any help anyone has to offer. This is such a terrible situation to be in for a small business.

DesignerJoe55 · ‎01-12-2022

I haven't tried it yet, but this is a script from the other post that @AoPShop mentioned:

<script>
if (window.location.hostname.replaceAll('.','') !== "wwwexamplecom") { // remove all dots from your domain name here
  if (window.location.hostname == "{{ shop.permanent_domain }}") {
    console.log("{{ shop.permanent_domain }}"); // this prevents redirect if using the permanent_domain
  } else {
    window.location.replace('https://www.exampleshop.com');
  }
};
</script>

This looks to be a pretty stellar script compared to mine. See that thread for details on implementing it.

AstrattaAlchemy · ‎04-11-2022

I know nothing about coding, but I have at least 6 sites that have copied mine. How and where would I implement this?

DesignerJoe55 · ‎04-11-2022

Depending on what theme you are using, you may be able to add it in the theme editor. If your theme does not have that capability, you would need to add it into your theme code directly.

You would do that by going to "Actions" then "Edit Code" on your theme.

The script can be placed just below the <head> tag. Change all the green parts in it to your store's info.

AstrattaAlchemy · ‎04-11-2022

like this? (I have two domains that are linked to my store because i was in the process of rebranding)
<script> if (window.location.hostname.replaceAll('.','') !== "astrattaalchemycom" || "housepotentia.com") { if (window.location.hostname == "{{ brave-evolver.myshopify.com/ }}") { console.log("{{ brave-evolver.myshopify.com }}"); } else { window.location.replace('https://housepotentia.com/'); } }; </script>

DesignerJoe55 · ‎04-11-2022

That will create an infinite loop. It will look at the domain name and if it is not equal to astrattaalchemy.com then it will it will redirect to housepotentia.com. Since the domains don't match, it will keep trying to redirect.

AstrattaAlchemy · ‎04-11-2022

Ok, so I have two domains currently, the astrattaalchemy and the housepotentia one. both land on my shopify storefront.

So far, there are 6 different websites that stole my Shopify storefront and all designs and artwork I created.

All offending websites that stole my content are
https://synfuelventures.com (still up and running it seems

https://honesttruffles.com (getting

Error 524

Ray ID: 6fa73cd05ed80cc9 • 2022-04-11 22:42:49 UTC

A timeout occurred)

)

https://macaddictnetwork.com (getting

404 Not Found nginx

https://carlianderic.com (getting

Error 524

Ray ID: 6fa73cdf68bb192c • 2022-04-11 22:42:51 UTC

A timeout occurred)

https://yejuhomeplan.com (password protected and has one of my pieces of art on their landing page)

https://usapremierrepairs.com (password protected and has one of my pieces of art on their landing page)

how do i redirect their traffic to my site since they stole all of my conent. for example, https://yejuhomeplan.com/products/colornado-womens-ultra-light-running-shoes-dolphin-ultra-light-run... goes to the password protected landing page with artwork of mine but not that product.

achatur · ‎07-07-2022

Hi @DesignerJoe55 or anyone who wants to chime in.

Ok so, the solution above does work however it only works in a web browser. If you use `cURL` or some other CLI web url get tool, the redirect does not work. I have not found why but I'm assuming there's no window? But I am not sure yet. I am not a javascript person.. infact I dislike it very much.

Also I'm thinking this is a problem because the Google's search engine crawler will not use a browser from my understanding. So they will continue to rank on search results.. and that's bad!

So if anyone has some solutions I'd really appreciate it. Thanks.

achatur · ‎07-09-2022

Alright folks so I think I found the best solution. Redirecting is great and all however I think it makes more sense to just show totally different content. So this was my solution. Add this to your theme.liquid:

<!doctype html>
  <html class="no-js" lang="{{ shop.locale }}">
    <head>

        <meta charset="utf-8"> 
        {% if "request.origin" != "https://myhostname.com" %}
        <meta http-equiv="refresh" content="0; url=https://www.example.com/no-js-version.html" />
        <script>
          
          if ( window.location.hostname !== "myhostname.com") {
            console.log("redirecting fraud site");
            window.location.replace('https://www.somewherelese.com');
          }
        </script>
        {% else %}
        <! the rest of your HTML ->
        {% endif %}

MediaMonk · ‎01-23-2023

Can you elaborate on how to customize this for other domains?

My entire store has been cloned/mirrored

Error 524

A timeout occurred)

404 Not Found nginx

Error 524

A timeout occurred)

Community Blog Articles

Shopify Community

Support

Shopify

Quick Links