
How Do I Fight Russian Site Cloners?

Posted by kdawson
from the cloned-and-pwned dept.
An anonymous reader writes "I used to run a small web design service, the domain for which I allowed to expire after years of non-use. A few weeks ago, I noticed that my old site was back online at the old domain. The site-cloners are now using my old email addresses to gain access to old third-party web services accounts (invoicing tools, etc.) and are fraudulently billing my clients for years of services. I've contacted the Russian site host, PayPal, and the invoicing service. What more can I do? Can I fight back?"
  • fight back (Score:5, Insightful)

    by toxygen01 (901511) on Friday April 16, 2010 @09:47AM (#31871916) Journal
    Check the DNS domain registrar of theirs and report domain abuse.
    That's what WHOIS information is about too.
  • More To It? (Score:3, Insightful)

    by s7uar7 (746699) on Friday April 16, 2010 @09:49AM (#31871950) Homepage
    How do they know which third-party web services you used to use, unless it's one of your old clients?
  • by Bourdain (683477) on Friday April 16, 2010 @09:50AM (#31871972)
    Wouldn't it just be cheaper/easier to just never let even remotely valuable/vulnerable domains expire since it costs so little to keep renewing them?
  • Contact the FBI (Score:3, Insightful)

    by Orga (1720130) on Friday April 16, 2010 @09:55AM (#31872040)
    I assume this is a form of wire fraud, international at that.
  • by HikingStick (878216) <z01riemer.hotmail@com> on Friday April 16, 2010 @09:56AM (#31872062)
    To ease your conscience, pull together your old contact list and let your former clients know that you've not been running the business (or charging for services) for years. Advise them of the current scam, and hope they get your message before they pay the bad guys.

    While I have your attention, shame on you for letting your business go dark without tying up the loose ends (e.g., informing your customers). I feel for your customers.
  • Re:More To It? (Score:1, Insightful)

    by Anonymous Coward on Friday April 16, 2010 @10:00AM (#31872130)

    It probably wasn't difficult at all, really. I would guess that he signed up for all those services with a fairly generic e-mail address like mail@domain.com, companyname@domain.com, clients@domain.com, etc., which they've probably re-created. Once those addresses started getting e-mail from the third-party services, they were in.

  • by uglyduckling (103926) on Friday April 16, 2010 @10:01AM (#31872134) Homepage
    Yes!! You've hit on the perfect answer. Hindsight and a time machine can solve any problem. Bravo!
  • Re:ICANN (Score:5, Insightful)

    by v1 (525388) on Friday April 16, 2010 @10:12AM (#31872268) Homepage Journal

    The problem I see with this though is it's not like the domain was stolen. He allowed it to lapse while having email addresses on that domain still recognized by clients. They legally registered it, and are now making life hard for him. He screwed up, and can't go running to the authorities for that alone. Now clearly they're being fraudulent WITH the domain, but they obtained it legally, so that makes it a lot harder to legally take away.

  • Re:ICANN (Score:5, Insightful)

    by Rich0 (548339) on Friday April 16, 2010 @10:22AM (#31872414) Homepage

    Additionally, it doesn't sound like he even wants the domain back. He just wants people to stop using it to impersonate him.

    Suppose I own a domain, and want to stop using it. No big deal - I let it lapse. I don't want to pay for it - I don't need it. However, if somebody were to register it expressly for the purpose of impersonating me, I'd certainly care about it!

    The same thing can happen offline. Suppose I buy a home and phone number that used to be owned by Bill Gates simply so that I can impersonate him and clean out his bank accounts or whatever. Should Bill Gates need to dispute my purchase of the home? That isn't what is at issue.

    The problem is fraud, not domain ownership in this case.

    The real solution is to not tie identity to a domain. Sure, you can deliver based on a domain, but emails should be encrypted to a certificate, and signed by a certificate, and identity should be based on that.

    For whatever reason it seems like we live in this fantasyland where security and authentication is an afterthought in almost all internet protocols...

  • Re:ICANN (Score:4, Insightful)

    by MobyDisk (75490) on Friday April 16, 2010 @10:27AM (#31872464) Homepage

    They are committing fraud.

    If you sell your house, and I move in, that does not mean that I can legitimately use your credit card just because I have your mailing address.

  • by wvmarle (1070040) on Friday April 16, 2010 @10:35AM (#31872552)

    I didn't immediately think "insider" but now you mention it... it makes total sense of a very unbelievable story.

    Oh well yet another story that doesn't pass a reality check, and in good kdawson fashion no supporting links or so. Here we go:

    The fraudsters copied the web site (that was presumably off-line for a long time). Trivial if it is all static pages, not trivial to impossible if it includes a lot of server-side scripting and you do not have access to the server directly. And quite unlikely that a web site is copied and kept archived by would-be fraudsters hoping that in the future the owner lets the domain expire so they can bring it back on-line? No. It just doesn't happen.

    Then they need to know which third-party services you used. And that you were so trusting that you use a third-party web service for invoicing in the first place.

    Then they know your clients (potentially through the third-party invoice service).

    Then they have your passwords (I may assume password protection).

    And how come your old accounts at those invoicing services are still accessible in the first place? From the fact that you let your domain expire after "years of non-use" I take it your business has closed years ago too. Third-party web services usually require payment, especially specialised stuff like invoicing. Not likely they keep that active without it being paid for.

    So Russian hackers? No. Insider job? That's where you should look first indeed. Start with former employees I'd say.

  • by ottothecow (600101) on Friday April 16, 2010 @10:49AM (#31872750) Homepage
    I am not sure they would have to replicate the pages exactly. Just take whatever shows up on archive.org and slap a current date on it.

    The cloners are not trying to recreate your business--they just have to make it look like the business still has an active website. Then they use the emails that they now control to get back into old accounts.

    As for knowing which third-party services were used, there may be some indication on the archived site or there may be something available with enough googling--maybe they find a former client from a "site design by..." tag and social engineer some answers out of them (they don't have to be an insider or client themselves...they just use your old email address and ask a former client). There can't be that many providers of some of these services that were active when the business was running and are still active now...just start using lost password forms.

    They might have to reinstate your old payments, but a few months of invoicing service is a drop in the bucket compared to what they could then invoice your clients for (and bigger corporate customers might not ask questions before cutting a check to a company already in the system).

  • by Quantumplation (1692804) on Friday April 16, 2010 @10:50AM (#31872760)
    <sarcastic troll> They did it on CSI... </sarcastic troll>
  • by ArundelCastle (1581543) on Friday April 16, 2010 @10:59AM (#31872840)

    The site-cloners are now using my old email addresses to gain access to old third-party web services accounts (invoicing tools, etc.) and are fraudulently billing my clients for years of services.

    Assuming your domain's e-mail has been bouncing for *years*, how in the hell did perfect strangers a world away(?) dig up your data? This sounds like something that happens after an unshredded trash rummage.
    1. How do they know what all your internal e-mail addresses were?
    2. How do they know what your web services were?
    3. How do they know who your clients were?
    4. How do your clients believe you're still doing work for them after years of silence?
    5. How are these web services still holding your account data after years of inactivity? Invoice tools ain't free.

    Hard to believe we're getting the whole story here. I think Ask Slashdot just got phished.

  • Re:More To It? (Score:5, Insightful)

    by patSPLAT (14441) on Friday April 16, 2010 @11:23AM (#31873188) Homepage

    1. take over domain
    2. set up catch-all email account
    3. wait for "we wish you were still our customer" email
    4. take over old billing accounts
    5. repost site from archive.org
    6. start tracking down clients perhaps with search for 'site designed by xxxxxxx' and send bills

    It's a pretty smart scam.

  • by KDR_11k (778916) on Friday April 16, 2010 @12:03PM (#31873712)

    Forget the Italians, they know the rule: Never fight a land war in Asia.

  • by EdelFactor19 (732765) <adam.edelstein@NoSpAM.alum.rpi.edu> on Friday April 16, 2010 @12:09PM (#31873796)

    What are you talking about?

    His clients aren't going to the site; the cloners are using the access to third-party information obtained through the site's email to fraudulently bill them. When old clients (some might not be any more) all of a sudden see themselves being billed for years of service that they never received/paid for or got, who do you think they are going to believe?

    Someone telling them there is a scam going on, which would explain the behavior?
    Or someone telling them ignore him, everything is fine we are just billing you for no real reason?

    What happens when they pick up the phone to follow up with a complaint?

    He doesn't need a way to prove who he is to the customers; he has proof that he paid for the site domain originally and needs to contact the third-party service providers to get that account cut off and redirected to him.

    Shame on you for not updating contact information when you let the domain expire. Forget the open customer accounts within your 'profile'; I'd be willing to bet that all of the transactions and everything else are tied to an account of his OWN with the 3rd parties, and various bad bits of information that have now been stolen. The biggest problem is that the third-party services are treating the activity as legit.

  • put this in bold (Score:5, Insightful)

    by Onymous Coward (97719) on Friday April 16, 2010 @02:05PM (#31875434) Homepage

    This is the fundamental thing to take away from this incident, and, while it may be obvious, it deserves stating plainly:

    Domain control / email address control is an authentication tool.

    We've brushed by the concept in prior conversations about validating new user sign-ups.

    Implications include, as in this scenario, human verification by looking at a web page of a familiar domain, human verification by email correspondence with a familiar email address, and password resetting when in control of an email address; SSL certificate-based identity (if the decrypted certificate can also be acquired), URL-referenced data validity (executables for download), and probably a number of other authentication/control mechanisms reliant on domain/address -- your ideas are solicited.

    DNS hijacking, then, should be a serious concern. DJB warned about cache poisoning via brute-force source port + transaction ID spoofing in 1999. A long time went by before the issue got enough publicity (in 2008) to force the major DNS software purveyors to clean up their acts. This guy needs to be taken seriously.
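
The chain patSPLAT lays out above (lapsed domain, catch-all mailbox, password resets on old accounts) and Onymous Coward's point that control of a domain is in effect an authentication credential suggest a routine check a site owner can run against their own inventory. The Python below is an added example, not code from the thread or from any poster: it assumes you keep a list of (service, reset address) pairs and a list of your domains with expiry dates, and it flags every account whose reset mailbox depends on a lapsed, soon-to-expire or uninventoried domain.

```python
"""Defender-side inventory check: which accounts can be reset through a mailbox
on a domain that has lapsed, is about to lapse, or is missing from our inventory."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Finding:
    service: str
    email: str
    domain: str              # domain the reset address is attributed to
    status: str              # "lapsed", "expiring" or "unknown"
    days_left: Optional[int]

def owned_domain_for(host: str, owned: Dict[str, date]) -> Optional[str]:
    """Longest owned suffix of host, so mail.example.test -> example.test."""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in owned:
            return candidate
    return None

def audit_recovery_domains(accounts, owned: Dict[str, date], today: date,
                           warn_days: int = 30, providers=("gmail.com",)):
    """accounts: (service, email) pairs. owned: domain -> expiry date; keep
    domains you let lapse in it (past expiry) so dependent accounts show up."""
    owned = {d.lower(): exp for d, exp in owned.items()}
    findings: List[Finding] = []
    for service, email in accounts:
        host = email.rsplit("@", 1)[-1].strip().lower().rstrip(".")
        dom = owned_domain_for(host, owned)
        if dom is None:
            if host not in providers:   # third-party mailboxes are out of scope
                findings.append(Finding(service, email, host, "unknown", None))
            continue
        days_left = (owned[dom] - today).days
        if days_left < 0:
            findings.append(Finding(service, email, dom, "lapsed", days_left))
        elif days_left <= warn_days:
            findings.append(Finding(service, email, dom, "expiring", days_left))
    return findings
# Constructed inventory: one lapsed domain, one expiring soon, one healthy.
SAMPLE_OWNED = {"example-design.test": date(2009, 3, 1),
                "example-studio.test": date(2010, 5, 1), "example-corp.test": date(2012, 1, 1)}
SAMPLE_ACCOUNTS = [("invoicing", "billing@example-design.test"), ("paypal", "mail@example-studio.test"),
                   ("hosting", "ops@mail.example-corp.test"), ("crm", "owner@forgotten-domain.test"),
                   ("backup-mail", "me@gmail.com")]
AUDIT_DATE = date(2010, 4, 16)   # constructed "today" for the sample run
```

Run `audit_recovery_domains(SAMPLE_ACCOUNTS, SAMPLE_OWNED, AUDIT_DATE)` to see the invoicing account flagged as lapsed, the PayPal account as expiring in 15 days, and the CRM account as resting on a domain nobody is tracking.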
