The same thing has happened to me! I have been passed around from GoDaddy to HostGator to Shopify, with all of them telling me that everything looks correct on their end, when clearly it is not. Would love to know if you found a solution. I've been reading forums and someone said Cloudflare has been compromised?
Hello Fcbeautyco,
The solution for me was to delete the ftp subdomain DNS file in Godaddy which the malicious site was using; this took down their store. I still don't really know how it happened but I do not think my security was breached on Shopify or Godaddy. It seems that the hackers found a way to utilise a weakness in the system which allowed them to find unused subdomains and open Shopify stores without authorisation from the domain owner.
If the fault lies anywhere, then I think it is in us for not cleaning up unused DNS files and Shopify for allowing people to open stores using an unauthorised subdomain.
The weirdest thing is: I've contacted GoDaddy and Hostgator and looked at the DNS records. The hijackers have taken my cpanel.mysite.com AND my FTP.mysite.com and both Host Gator, GoDaddy and Shopify have absolutely no records of these sites but clearly they exist. I've looked over the DNS settings myself and it's not there.
It's as if there is injected code that is making these sites? I looked into it on Google Search Console and I was able to view their verification process as a code.
Did they gain access from HTML-tag verification as well? Mine did that; I removed them immediately. Indeed, it's some kind of automated script injected into the HTML DOM or something.
So I've been digging deep into my code to spot anything off with help from the web AND I THINK I spotted the code that was injected!
From the web: "The part that stands out and might raise questions is the script towards the end that uses document.open() and document.write() based on certain conditions, checking the user agent string for specific values before deciding what content to write to the document.
This script looks like it's trying to serve different content based on the visitor's browser or possibly trying to detect certain bots or crawlers (Chrome-Lighthouse, X11, GTmetrix are mentioned, which are related to browser identification and website performance testing). The intent seems to be to conditionally load different content or resources based on whether the visitor is perceived as a normal user versus a bot or using a specific tool. This can be a legitimate practice for optimizing user experience or protecting content.
However, using document.write() can be concerning for several reasons:
- Performance: It can negatively affect the loading performance of your webpage, especially if used incorrectly.
- Security: If not properly sanitized, dynamically writing content to your page can potentially introduce cross-site scripting (XSS) vulnerabilities. The document.write here is controlled and does not directly insert user input, which mitigates immediate concerns, but the practice itself can be risky if the context or implementation changes."
I'm deleting it now. I will let you know what happens!
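A detection heuristic for the kind of script the quoted analysis describes, added here as an example (it is not the injected code and not from the original post): it flags inline scripts that read navigator.userAgent or mention the tool names from the thread and then rewrite the page with document.open()/document.write(). The HTML page it scans is constructed.

```python
"""Flag inline scripts that match the pattern described above: a script that
reads navigator.userAgent, tests it against tool or crawler names
(Chrome-Lighthouse, GTmetrix, X11) and then replaces the page with
document.open()/document.write(). Added example over a constructed HTML page;
it is not the injected code from the thread."""
import re

CLOAK_UA_MARKERS = ("Chrome-Lighthouse", "GTmetrix", "X11")  # names from the thread
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)

# Constructed page: one ordinary analytics snippet and one cloaking script.
SAMPLE_HTML = """\
<html><head>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body>
<h1>Shop</h1>
<script>
  var ua = navigator.userAgent;
  if (ua.indexOf('Chrome-Lighthouse') === -1 && ua.indexOf('X11') === -1
      && ua.indexOf('GTmetrix') === -1) {
    document.open();
    document.write('<p>content shown only to ordinary browsers</p>');
    document.close();
  }
</script>
</body></html>
"""


def cloaking_findings(html):
    """One finding per inline script that rewrites the document and either
    reads the user agent or mentions a known crawler/tool name."""
    findings = []
    for idx, body in enumerate(SCRIPT_RE.findall(html)):
        rewrites = "document.write" in body or "document.open" in body
        reads_ua = "navigator.userAgent" in body
        markers = [m for m in CLOAK_UA_MARKERS if m in body]
        if rewrites and (reads_ua or markers):
            findings.append({
                "script_index": idx,
                "reads_user_agent": reads_ua,
                "markers": markers,
                "snippet": body.strip()[:60],
            })
    return findings
```

Run it over a saved copy of the theme's rendered HTML; the ordinary analytics snippet is not reported, only the script that switches content on the user agent.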
lmk how it goes!
Also, would you mind DM me the shadow gambling store that points to your url?
In my case it was an unused Shopify store; I immediately deleted it and didn't get the chance to check the IP address, I should've checked it first. Now I'm still left wondering how they got it in the first place. Possibilities: unused Google Analytics verification and (not sure) since the Google Domains my client was using was sold to Squarespace, probably there's some vulnerability somewhere.
Hi JJL, thank you for your kind advice. Your tip concerning having the Domain Setting in Shopify pointing to both www.MYSHOP.com as well as MYSHOP.com is key to unlocking the whole fiasco for me. I only had www.MYSHOP.com and MYSHOP.myshopify.com listed. I think that's how the Indonesian hijacker exploited my URL. They added MYSHOP.com as a property on Google Search Console and had themselves verified as owner by adding the Google owner HTML code to their Shopify store page... then they added MYSHOP.com to their Shopify Domain setting, thereby stealing my URL for their nefarious purposes. So in my situation, it had nothing to do with my Godaddy DNS settings, but everything to do with Shopify allowing these hijackers to use a version of another Shopify store's URL without permission. Who knew removing the WWW. in front of the store name creates such a security risk? For an average person without a computer programming background like myself, this has certainly been an eye-opening experience.
So for everyone reading this, please double check your Domains under your Shopify setting, and make sure you have both versions of your URL (with and without www) included. Set one as primary and have the others redirect to your primary within Shopify's Domain settings!
And look at the source code on the Indonesian gambling page. If you see their Shopify store name in the source code like I did, contact Shopify and let them know. Shopify did take down the Indonesian store in my case, after I let them know which store to take down.
Hi Alice14, that's great news, glad you managed to get it sorted out.
Hi JJL, I do worry that I've overlooked something though. Because when you link a domain on Shopify, Shopify asks you to add a TXT DNS entry to verify that you own the domain. So how was the Indonesian hijacker able to link https://MYSHOP.com to their Shopify store without my knowledge or permission? I am sure they don't have access to my GoDaddy account, because I don't see another Shopify TXT entry. Now that I have deleted the FTP DNS entry and taken control of the https://MYSHOP.com property, are there still more ways for a hijacker to create a subdomain on my site?
Hi Alice14, I don't think they do have access to our Godaddy accounts (I hope!). Finding the unused subdomains doesn't seem to be difficult, I saw that there are even youtube videos showing people how to do it!! I don't know the details but it doesn't seem to need access to accounts to do it. The finer details of how they point the subdomain to their Shopify store I just don't know. I'm hoping that deleting the DNS entry for the subdomain puts an end to it.
I just want to share with everyone that apparently hijacking established Shopify domains is a 'thing' in the Indonesian gambling scene in order to improve their SEO. They call it the 'Shopify Method'. They talk about it on Blackhatworld forums here and here. Given the prevalence of this occurring, more of us need to alert Shopify so that their security team can put a stop to this alarming practice.
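An added example (not from anyone in this thread) that turns the two lessons so far into an offline check: unused subdomains such as ftp and cpanel that still point at Shopify, and an apex domain that points at Shopify in DNS but is missing from the store's own domain list. The zone export, the store's domain list and the "served by Shopify" targets are constructed or assumed; take the real CNAME target and IP from Shopify's domain instructions.

```python
"""Audit a DNS zone export for hostnames that another Shopify store could
claim. Added example, not code from this thread: anything in DNS that
resolves to Shopify but is not in your own store's domain list is reported,
which covers both the unused ftp/cpanel subdomains and the apex domain
that was not listed in the store's Domains setting."""
import re

# Constructed sample values. Which CNAME target / IP means "served by Shopify"
# comes from Shopify's own domain instructions, not from this thread.
SHOPIFY_TARGETS = {"shops.myshopify.com", "203.0.113.5"}
STORE_DOMAINS = {"www.myshop.example", "myshop.myshopify.com"}  # apex missing

# Constructed BIND-style zone export for a fictional shop domain.
SAMPLE_ZONE = """\
$ORIGIN myshop.example.
@       3600 IN A     203.0.113.5
www     3600 IN CNAME shops.myshopify.com.
ftp     3600 IN CNAME shops.myshopify.com.
cpanel  3600 IN CNAME shops.myshopify.com.
mail    3600 IN A     192.0.2.20
@       3600 IN TXT   "google-site-verification=PLACEHOLDER"
"""

RECORD_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(A|CNAME|TXT)\s+(.+)$")


def parse_zone(text):
    """Return (origin, [(name, type, value)]) from a minimal zone export."""
    origin, records = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".")
            continue
        m = RECORD_RE.match(line)
        if m:
            records.append((m.group(1), m.group(2), m.group(3).rstrip(".")))
    return origin, records


def hijackable_names(zone_text, store_domains, shopify_targets):
    """FQDNs that point at Shopify in DNS but are not claimed by your store."""
    origin, records = parse_zone(zone_text)
    exposed = set()
    for name, rtype, value in records:
        if rtype in ("A", "CNAME") and value in shopify_targets:
            fqdn = origin if name == "@" else f"{name}.{origin}"
            if fqdn not in store_domains:
                exposed.add(fqdn)
    return sorted(exposed)
```

Deleting the ftp and cpanel records and adding the apex to the store's domain list empties the report, which is the state the thread's fixes aim for.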
Even Wired had an episode with the Indonesian gamblers taking over one of their subdomains last year. Read here.
Thank you! I'll try to alert Shopify as well.
Hi,
A subdomain was taken over from an Indonesian site for us also. Shopify Plus support just pushed the problem on us saying it was our DNS issue. However, they allowed a Shopify website to host a hacker and maliciously take over a domain. Shopify should not allow a subdomain to be added to a new store without authorisation of the domain owner. I believe everyone here should demand better support and security from a service we all pay a lot for. Google should ensure that tokens can be revoked by the domain admin, rather than the HTML snippet they use to authorise the domain, which cannot be revoked. Two obvious failings.
I agree completely! I ended up adding the other prefixes of my site onto my Google Search Console, inspected the page source and saw that it was in fact a Shopify website. They did this with three different prefixes of my domain. Shopify took no accountability at all, kept blaming my DNS and telling me to 'be patient' even after I told them it was through Shopify. I have spent over a week now dealing with this, and cleaning it up. I've also had to individually submit each page onto Google Search Console for the pages to be removed.
Adding my name to this forum, same thing happening to me - though instead of Godaddy, my domain is hosted with Google - which is now making the switch over to Squarespace. It appears to be a little trickier to try and delete the ftp portion but I'm working through the steps now. I've contacted Shopify as well to let them know it happened - they said to contact Google/Squarespace.
Also jumping on this thread to share that I just received a notification from GSC that another owner had been added with an unknown email address, but also with no subdomain. When I go to www.mysite.com and mysite.com, it's all still pointing to my Shopify store. And the 'new owner' isn't actually listed anywhere in my GSC users. I did have an unused token for an email address I'm familiar with, so I deleted that. But I can't figure out exactly what the implications are of my situation, as I'm not seeing any changes to my store.
I use Namecheap, is it possible that Shopify or Namecheap interceded and kept the bad actor from snaking a subdomain? Or my domain entirely?
After looking into this further, I've come to realize that the issue lies with Shopify. Specifically, there seems to be a problem related to their mysite.com/vendor list. If you haven't disabled this feature, third parties can redirect your website traffic to their own page. In my case, a casino appeared as https://www.mysite.com/vendor/casino88, and all their products were displayed from there. If you don't utilize Vendors to showcase your products, I highly recommend disavowing any links that begin with https://www.mysite.com/vendor/ in the Google Search Console.
In case anyone is still facing this kind of issue, here is the solution:
This or similar code is automatically added to your website (document) on page load; it is usually added because of an extra 'site owner' added in your Google Search Console. And Google Search Console doesn't let you remove ownership of that extra or stranger owner email unless you delete the above code from your website.
Here is what starts the complete process.
What adds the above code automatically is a link tag inside the 'theme.liquid' file:
This code above starts the process, but it's a main part of your Shopify store because it verifies your ownership and the page redirects that Shopify has - backend stuff - this is not the problem here.
Go to your domain provider, e.g. GoDaddy, Namecheap, or any other:
There, go to DNS records; you will see a TXT record named - in my case - google-site-verification=yh1rFkJx8lErpIPigRyQM6GU3_EMzZmY5RHAo1qQZEE
You just need to remove that and then try to remove the owner from Search Console; it will be done after a wait of 5-6 minutes at most.
Simple Steps
- Go to GoDaddy or any other domain provider you're using.
- Remove the TXT record you have ownership of - the above image shows an example of the record added (match it first and then delete).
- Try now to delete ownership from Google Search Console. It will be done.
