15

While checking my website's traffic, I found a referring website that had sent over 400 visits to my site. When I clicked on the URL of the referring website, the site looked almost exactly like my own website.

I investigated the URL and found it had been created 12 days earlier. While I am having an attorney send a "take down" letter to Tucows, OVH, Privacy, Inc. and Exabytes (abuse reports to all of these have resulted in no action), my question is:

Why was this domain, www.wigsforwomenny.com, created, and how does it somehow show the same pages as my website, www.karenswigs.com? Everything is the same except for two digits in the telephone number.

Note: Layman's terms appreciated!

Peter Sell (question edited by sleske)
  • You said that other domain redirects to your site, then you say two digits in some phone number differ... Care to explain? – Cthulhu Sep 07 '17 at 17:56
  • `wigsforwomenny.com` returns a 403 for me. – Arminius Sep 07 '17 at 18:00
  • Our telephone suffix is 2555 while the fake is 2785. All other numbers are the same. – Peter Sell Sep 07 '17 at 18:40
  • `wigsforwomenny.com` doesn't resolve for me, at all. Your abuse and takedown reports aren't doing anything because none of those providers are responsible for this, as far as I can see. – ceejayoz Sep 07 '17 at 20:25
  • @Ivan, I think that question is different. In that one, someone pointed a new domain at the victim's IP. In this question it sounds like the markup and other resources were copied, modified slightly, and hosted somewhere else. – Michael Sep 08 '17 at 00:38
  • Hi Peter, welcome to security.SE! From the comments it appears that the referring website does not send you to your own site (that would technically be a [URL redirection](https://en.wikipedia.org/wiki/URL_redirection) ), but is simply a _copy_ of your site, with small changes. I edited your question to clarify this. If I misunderstood you, please edit your question to correct. – sleske Sep 08 '17 at 09:13
  • Have you tried phoning their number? – MattP Sep 08 '17 at 10:53
  • The closure as a duplicate is _wrong_ IMHO. The [linked dupe](https://security.stackexchange.com/questions/83362/how-can-i-stop-someone-from-displaying-my-website-on-his-domain) is about _creating a DNS alias_ for a site. This is about _copying a site_. That is a different problem, because it causes different problems (e.g. modification of content), and because the defenses will be different. I flagged to reopen. – sleske Sep 08 '17 at 15:06
  • @sleske it looks like a similar enough problem that the same solution applies. – schroeder Jan 03 '18 at 18:37

4 Answers

25

I don't think they are actually redirecting to your site. If it was a true redirect, then the phone number couldn't be different. My guess is your website was scraped and copied to another site. They registered a new domain and used the content of your site. Then they created some spam SEO links to trick Google into moving them up higher in the rankings to get traffic to their site. They purchased a new phone number that is very similar to yours and the plan is to wait for the phone to ring. When it does, they take an order over the phone and now they have stolen someone's credit card number. This could go on for days or even weeks before Google figures it out and shuts them down.

It may be too late now, but I'd call the phone number and see who answers.

TTT
  • Busy signal. Verizon number but they say otherwise. Question: would "scraping and copying" be able to include changes to the site? I put up our Closed for Labor Day notice and it appeared on the other site instantly. – Peter Sell Sep 08 '17 at 14:19
  • Since your change propagated immediately that means the scraper is continuously running. What happens if you change something on the page that already has a difference? (Like a link or phone number?) Does the change still propagate but the difference remains? – TTT Sep 08 '17 at 14:29
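As an added example (not part of TTT's answer or of either site), the script below compares your own page with a suspected copy and reports what was kept and what was edited: phone numbers, links the copy introduced, and absolute links that still point back at your host. The two HTML pages and the host names `www.original.example` and `clone.example` are constructed for the example; only the Python standard library is used.

```python
import difflib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample pages (not the real sites). The "clone" is a copy of the
# original in which the phone number was altered and one link was repointed,
# while another absolute link still points back at the original host.
ORIGINAL_HTML = """<html><body>
<h1>Karen's Wigs</h1>
<p>Call us: (555) 123-2555</p>
<a href="/about-us/">About</a>
<a href="https://www.original.example/shop/">Shop</a>
<a href="/contact/">Contact</a>
<p>Closed for Labor Day.</p>
</body></html>"""

CLONE_HTML = """<html><body>
<h1>Karen's Wigs</h1>
<p>Call us: (555) 123-2785</p>
<a href="/about-us/">About</a>
<a href="https://www.original.example/shop/">Shop</a>
<a href="https://clone.example/contact/">Contact</a>
<p>Closed for Labor Day.</p>
</body></html>"""

# North American phone pattern with optional punctuation, e.g. (555) 123-2555
PHONE_RE = re.compile(r"\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")


class _PageExtractor(HTMLParser):
    """Collect href values and visible text (script/style bodies are skipped)."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.text_parts = []
        self._skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1
        elif tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        if not self._skip_depth and data.strip():
            self.text_parts.append(data.strip())


def extract(html):
    """Return (links, visible_text) for one HTML document."""
    parser = _PageExtractor()
    parser.feed(html)
    parser.close()
    return parser.links, " ".join(parser.text_parts)


def compare_pages(original_html, clone_html, original_host):
    """Report how a suspected mirror differs from the original page."""
    orig_links, orig_text = extract(original_html)
    clone_links, clone_text = extract(clone_html)
    orig_phones = PHONE_RE.findall(orig_text)
    clone_phones = PHONE_RE.findall(clone_text)
    return {
        # A ratio near 1.0 means the visible text is essentially the same page.
        "similarity": round(difflib.SequenceMatcher(None, orig_text, clone_text).ratio(), 3),
        "phones_original": orig_phones,
        "phones_clone": clone_phones,
        "phone_changed": orig_phones != clone_phones,
        # Links the clone introduced (typically repointed contact/checkout links).
        "links_added_in_clone": sorted(set(clone_links) - set(orig_links)),
        # Absolute links the cloner forgot to rewrite; these are what show up as
        # referrals from the clone in the original site's analytics.
        "links_back_to_original": sorted(
            {link for link in clone_links if urlparse(link).hostname == original_host}
        ),
    }


def sample_report():
    """Run the comparison on the constructed pages above."""
    return compare_pages(ORIGINAL_HTML, CLONE_HTML, "www.original.example")


if __name__ == "__main__":
    for key, value in sample_report().items():
        print(f"{key}: {value}")
```

To use it on live pages, fetch your own page and the suspect page with any HTTP client and pass both bodies to `compare_pages`. A similarity near 1.0 together with a changed phone number or added links is the "copied, then edited" pattern TTT describes; a non-empty `links_back_to_original` list is why the copy shows up as a referrer in your own analytics. Re-running it after you edit your page, as TTT suggests in the comment above, tells you whether the copy is refreshed by a continuously running scraper or is a one-time snapshot.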
21

I think this guy is a wig-freak, LOL. No, for real, I'm almost sure that this guy doesn't know what he is doing. I can see that actually he is just mirroring existing wig websites and changing some of the links, but meanwhile he is forgetting to change other links which are redirecting to the original website.

These are some of his domains:

hairextensionsforthinninghair.net
dresslilywigs.net
humanwigshair.net
ardawigs.net
lace-wigs.org
africanamericanwigs.org
sistawigs.org

He literally copied your website:

view-source:http://www.karenswigs.com/about-us/

view-source:https://webcache.googleusercontent.com/search?q=cache:K3d5h4qvrmgJ:wigsforwomenny.com/about-us/+&cd=2&hl=en&ct=clnk&gl=en&client=nonofyourbussines

Only that he changed minor things. Like in this example:

FAKE:

http://sistawigs.org

ORIGINAL:

https://www.annabelleswigs.co.uk

You can contact him directly: https://domlab.net/contact/aestmaneual@hotmail.com

WHOIS:

Admin Name: wan saz
Admin Organization:
Admin Street: xiamenghetian
Admin City: xiameng
Admin State/Province: fujian
Admin Postal Code: 361000
Admin Country: CN
Admin Phone: +1.8613323456790
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: aestmaneual@hotmail.com
Mirsad
  • How were you able to determine this? This is incredible! He's hitting websites of people we have worked with. – Peter Sell Sep 08 '17 at 14:32
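The answer above lists a set of sibling domains and a WHOIS record whose contact fields tie them together. As an added example (not part of Mirsad's answer), the script below parses WHOIS output in the `Key: value` layout shown there and pivots from one domain to others sharing a contact value, while ignoring privacy-proxy placeholders so that a shared "REDACTED FOR PRIVACY" field is not mistaken for a real link. All records, domain names (`clone-one.example` and so on), e-mail addresses and phone numbers are constructed for the example.

```python
from collections import defaultdict

# Constructed WHOIS-style records with placeholder values (no real registrations).
# The field names follow the registrar output quoted in the answer above.
SAMPLE_WHOIS = {
    "clone-one.example": """
Domain Name: clone-one.example
Admin Name: J. Doe
Admin Organization:
Admin City: Somewhere
Admin Country: ZZ
Admin Phone: +1.5550100001
Admin Email: registrant-a@example.invalid
""",
    "clone-two.example": """
Domain Name: clone-two.example
Admin Name: J. Doe
Admin Organization:
Admin Phone: +1.5550100002
Admin Email: Registrant-A@example.invalid
""",
    "clone-three.example": """
Domain Name: clone-three.example
Admin Name: A. Nother
Admin Phone: +1.5550100001
Admin Email: registrant-b@example.invalid
""",
    "unrelated.example": """
Domain Name: unrelated.example
Admin Name: REDACTED FOR PRIVACY
Admin Phone: REDACTED FOR PRIVACY
Admin Email: REDACTED FOR PRIVACY
""",
}

# Values that many unrelated domains share and therefore prove nothing.
IGNORED_VALUES = {"redacted for privacy", ""}


def parse_whois(text):
    """Parse 'Key: value' lines into a dict; blank fields are dropped."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key and value:
            record[key] = value
    return record


def index_by(records, field):
    """Map each distinct (case-folded) value of `field` to the domains using it."""
    index = defaultdict(set)
    for domain, record in records.items():
        value = record.get(field, "").strip().lower()
        if value not in IGNORED_VALUES:
            index[value].add(domain)
    return index


def related_domains(seed, records, fields=("Admin Email", "Admin Phone")):
    """Domains sharing a non-placeholder contact value with `seed`, per field."""
    seed_record = records[seed]
    related = {}
    for field in fields:
        value = seed_record.get(field, "").strip().lower()
        matches = index_by(records, field).get(value, set()) - {seed}
        if matches:
            related[field] = sorted(matches)
    return related


def sample_pivot(seed="clone-one.example"):
    """Parse the constructed records and pivot from `seed`."""
    records = {domain: parse_whois(text) for domain, text in SAMPLE_WHOIS.items()}
    return related_domains(seed, records)


if __name__ == "__main__":
    print(sample_pivot())
```

In practice you would feed it the WHOIS text you retrieve for each domain you suspect; a match on e-mail or phone is evidence worth putting in a takedown request, while a match only on a privacy-service placeholder is not, which is why those values are filtered out.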
10

If you google for wigsforwomenny you will see results with blog spam that links to it. Someone is probably gaming Google's links in order to make their fake site seem reputable. Instead of generating a fake wig site, though, they simply set their referrer to point to a legitimate site - yours. That way if someone does follow through their link spam, it still ends up looking like it's legit.

Question, though: did you hire a "Search Engine Optimization" company to promote your site in Google, perhaps just before August 25th? If so, they may be the ones responsible for generating the blog spam.

John Deters
6

I get a 403 when trying to access the site.

This is total speculation, but:

  • Whoever did this went to the trouble of using a service to hide their whois information. This is not something I normally see with malware or fraud-- they usually just put fake information. This implies to me the operator intends on actively managing this asset.
  • Whoever did this is using Cloudflare. They really want this fake "site" to stay up.
  • You happen to be in e-commerce.

If I had to guess as to what's going on here, I'd say they are using Cloudflare to pretend to be your site and using something like VigLink (a native Cloudflare app) to redirect references to your products to various third-party affiliates.

Basically, they make money per-click pretending to run your wig shop and sending all your sales elsewhere.

Ivan
  • I don't think they're sending sales elsewhere, otherwise karenswigs would not be the target of the redirect. – John Deters Sep 07 '17 at 18:09
  • No, no-- karenswigs is (theoretically) the landing page. From there they inject affiliate links everywhere and when you click on any of them, it would take you to another site to try to make a conversion. Again, it's all speculation since the site is down. – Ivan Sep 07 '17 at 18:11
  • try googling for wigsforwomenny and you'll see tons of blog spam that points at the fake site, meaning the fake site is the landing page. Peter reported there were hundreds of referrals, also indicating the fake site was the landing page. I don't know why they maybe redirected to the legitimate karenswigs unless it was to hide their tracks by appearing legitimate to someone who clicked the link. – John Deters Sep 07 '17 at 18:18
  • I get that-- they have to drive traffic to the fake domain in order to make money from it, hence the SEO spam. Once on the fake domain, it returns what appears to be a legitimate site (karenswigs), except on this apparently legitimate site I bet you there were affiliate links injected everywhere. They even went to the trouble of using a relevant domain name. This reeks of passive income building to me. – Ivan Sep 07 '17 at 18:22
  • It is down. Hmmm. Nonetheless, I want to know who did this and sue them. Thanks everyone! – Peter Sell Sep 07 '17 at 18:44
  • Good luck, but if the attacker isn't in the USA you're almost certainly only wasting money on a lawyer. Trust me, nobody outside the US cares about spammers who hit US web sites. – John Deters Sep 07 '17 at 18:46
  • Ivan - they were using Cloudflare though Cloudflare denied it. In fact everyone initially denied having any association with this bogus domain. ICANN folks were nice but did not suggest a take down letter. – Peter Sell Sep 07 '17 at 18:52