Cloning websites for profit

A few suspicious-looking domains have been recently registered, all hosted on the same IP address (206.54.190.169). Some of these clone websites deliberately replicate the name and design of their original counterparts. Are they friendly twins or evil clones? Let’s find out.

If you just want to know why someone would clone a website, go straight to the analysis.

Hey, isn’t that Dinheiro Vivo?

Our story starts with a heads-up via Twitter. There was this domain, vivodiheiro[.]com, resembling the well-known Portuguese financial news website Dinheiro Vivo (dinheirovivo.pt).

The name of the publication seemed a bit weird. Maybe the original website’s owners bought it for some SEO purpose? If so, were they careless enough to let the obvious typo go unnoticed (‘diheiro’ instead of ‘dinheiro’)?

This is what the real Dinheiro Vivo website looks like (as of October 2019):

The real website of “Dinheiro Vivo”

And this is what the clone looks like:

The evil twin: “Vivo Dinheiro”

It looks like someone replicated the entire website with a few exceptions, especially the logo, which was redesigned to match the clone/fake brand… One can only guess why. A wicked sense of humor, perhaps? Whatever the reason, it’s already enough to sound the alarm.

‘It’s a clone… Fake news!’

Copying another website’s design is suspicious enough, but let’s try to gather more evidence.

Another obvious element differentiating both websites is their TLD: the original is .pt (as usual and expected), whereas the clone is .com. On its own, however, this could mean nothing (e.g. the real website could be working on an international version of its publication).

The suspicion of fraud is reinforced after checking the WHOIS records for the clone website:

WHOIS for “vivodiheiro” .com (via ICANN)

According to the records, “vivodiheiro” was registered on NameCheap quite recently, on September 12, 2019. On top of that, the domain comes up for renewal within a year.

Except for startups and other exceptions, most businesses buy domains for periods longer than a year. Fraudsters, meanwhile, register their fake domains for the shortest time period possible.
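The two WHOIS signals just described (a very recent creation date and a one-year term) can be checked mechanically. The following is an added example, not the author’s tooling: the WHOIS excerpt is constructed, and the 90-day and 366-day thresholds are assumptions to tune. Both flags are weak evidence on their own and only mean “look closer”.

```python
import re
from datetime import datetime, timezone

# Constructed WHOIS excerpt: the domain is a placeholder and the expiry date is
# sample data; the creation date and registrar are the ones quoted in the article.
SAMPLE_WHOIS = """\
Domain Name: LOOKALIKE-PLACEHOLDER.COM
Registrar: NameCheap, Inc.
Creation Date: 2019-09-12T00:00:00Z
Registry Expiry Date: 2020-09-12T00:00:00Z
"""

FIELDS = {
    "registrar": r"^[ \t]*Registrar:[ \t]*(.+?)[ \t]*$",
    "created": r"^[ \t]*Creation Date:[ \t]*(\S+)",
    "expires": r"^[ \t]*(?:Registry Expiry Date"
               r"|Registrar Registration Expiration Date):[ \t]*(\S+)",
}

def parse_whois(text):
    """Pull registrar and dates out of registry-style WHOIS text."""
    rec = {}
    for key, pattern in FIELDS.items():
        m = re.search(pattern, text, re.MULTILINE | re.IGNORECASE)
        rec[key] = m.group(1) if m else None
    for key in ("created", "expires"):
        if rec[key]:
            dt = datetime.fromisoformat(rec[key].upper().replace("Z", "+00:00"))
            rec[key] = dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)
    return rec

def registration_signals(text, now, young_days=90, max_term_days=366):
    """Return registrar, age, registration term and the heuristics that fired."""
    rec = parse_whois(text)
    if not rec["created"] or not rec["expires"]:
        return {"registrar": rec["registrar"], "age_days": None, "term_days": None,
                "flags": ["dates missing or redacted: review by hand"]}
    age = (now - rec["created"]).days
    term = (rec["expires"] - rec["created"]).days
    flags = []
    if age <= young_days:
        flags.append("recently registered")
    if term <= max_term_days:  # 366 so a one-year term spanning a leap day counts
        flags.append("minimum one-year term")
    return {"registrar": rec["registrar"], "age_days": age,
            "term_days": term, "flags": flags}

if __name__ == "__main__":
    print(registration_signals(SAMPLE_WHOIS, datetime(2019, 10, 15, tzinfo=timezone.utc)))
```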

Another interesting piece of evidence is that these people kept the real website’s Google Analytics tracking code in their clone website’s code.

Fraudsters (left) vs original. Wonder if the folks at dinheirovivo.pt noticed anything unusual on their Google Analytics?

The fraudsters also didn’t even bother changing Dinheiro Vivo’s dozens of data partners, which you can see in the cookies pop-up details:

Whether the original profits from the fraudulent one, no clue.
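A site owner can check for the reused tracking code described above from both sides: compare the tracking IDs in the two pages’ source, and look for hostnames other than their own in the analytics data. This is an added example, not code from the original post; the tracking ID is a placeholder, and the HTML snippets and pageview numbers are constructed.

```python
import re
from collections import Counter

# Universal Analytics (UA-...) and GA4 (G-...) IDs as they appear in page source.
GA_ID = re.compile(r"\b(UA-\d{4,10}-\d{1,4}|G-[A-Z0-9]{6,12})\b")

# Constructed page fragments; UA-00000000-1 is a placeholder, not a real property.
OWN_HTML = "<script>ga('create', 'UA-00000000-1', 'auto');</script>"
CLONE_HTML = "<title>Vivo Dinheiro</title><script>ga('create', 'UA-00000000-1', 'auto');</script>"

# Constructed (hostname, pageviews) rows, as exported from a hostname report.
HITS = [
    ("www.dinheirovivo.pt", 1200),
    ("vivodiheiro.com", 310),
    ("dinheirovivo.pt", 90),
    ("VIVODIHEIRO.com.", 15),
    ("dinheirovivo.pt.lookalike.example", 2),
]

def tracking_ids(html):
    """Every analytics ID embedded in a page's source."""
    return set(GA_ID.findall(html))

def shared_tracking_ids(own_html, suspect_html):
    """IDs present in both pages: a copied page keeps the owner's ID."""
    return sorted(tracking_ids(own_html) & tracking_ids(suspect_html))

def _norm(hostname):
    return hostname.strip().lower().rstrip(".")

def is_own_host(hostname, own_domains):
    # Match the domain itself or a true subdomain. A plain substring or prefix
    # test would wrongly accept "dinheirovivo.pt.lookalike.example".
    host = _norm(hostname)
    return any(host == d or host.endswith("." + d) for d in own_domains)

def foreign_hostnames(hits, own_domains):
    """Pageviews recorded under your property from hostnames you do not own."""
    totals = Counter()
    for hostname, pageviews in hits:
        if not is_own_host(hostname, own_domains):
            totals[_norm(hostname)] += pageviews
    return dict(totals.most_common())

if __name__ == "__main__":
    print(shared_tracking_ids(OWN_HTML, CLONE_HTML))
    print(foreign_hostnames(HITS, {"dinheirovivo.pt"}))
```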

Scanning the clone

That WHOIS info is useful but not enough. That’s why the next step was paying a visit to one of my favorite websites, urlscan.io (see Phishing). It allows you to safely preview any URL, if available. It shows you a screenshot of the website, domain and IP information, etc.

So here was vivodiheiro on urlscan:

If you’ve managed to read this far, this is where the research nightmare begins. If we check whether there are other domains on the same IP address (206.54.190.169), this is what we see:

There’s our little fraudulent website… With a lot of friends.

The owner of the IP is some WZCOM-US – WZ Communications Inc., US, a company which may be tied to Russia. Suspicious enough?

We can also observe the same strategy in other clone websites on the same IP, especially because they use a similar name and/or copy the design. For example, coimbradiario[.]com is a clone of diariocoimbra.pt, another Portuguese news website.

There are clones of websites from the US, Italy, Portugal, the Netherlands, France, Germany, and who knows where else:

Columns show the clone websites, their real counterparts, and the latter’s Twitter accounts, if available (I probably missed a couple which actually exist).

All of these have been registered on NameCheap:

They all expire within a year.

Analysis: the malicious goal of clone websites

There is nastier stuff which involves phishing campaigns, malicious scripts and whatnot… But let’s just analyze the situation above.

As with most online fraud, the ultimate goal in this case seems to be profit. For this business model to work, fraudsters need to increase the value of the domain in order to resell it later.

Why clone a lesser-known website?

If the goal is profit, why don’t they clone Spiegel Online (GER) or Expresso (POR)? Because if someone were to clone the high-profile Portuguese weekly paper Expresso’s website, the whole thing would be way more expensive.

Simulating the domain-naming methodology used by the fraudsters, let’s go for the domain jornalexpresso[.]com:

Ouch.

That’s right, it’s over €3,000. Sure, we could buy it. However, we’d better make sure that our fraudulent strategy was good enough. We’d have to be able to profit from it as quickly as possible (especially before we’re caught).

Also, the higher the profile of a victim, the likelier it is for us to fail. Let’s consider this instead: in most countries, how many high-profile news websites are there, compared to more local news websites?

Why clone a news website, specifically?

Although one can’t really say for sure, I’d guess it’s because a news website is expected to have a lot of traffic, even if immediate. Consequently, the click farming is more likely to pass undetected by most crawler robots.

The goal here is to increase the domain value, in order to sell it later for a profit. There’s no need to clone more complicated webpages.

A validation attempt

Higher quantity and lower profile: these seem to be the winning criteria for choosing the victims of this campaign.

Let’s try this with an example and go to Viseu. A known local news website is “Diário de Viseu” at diarioviseu[.]pt. Do they use Google Analytics? Yes:

Let’s follow the methodology above. We want a .com domain with a similar name, so we’ll start by checking the reverse:

Oh look, a light investment…

Ten Euros is very different from three thousand! A fraudster with a plan could definitely consider this lower-profile domain.

Ten euros is what the pedrosaurus.com domain cost. For the sake of the argument, let’s take the 82 USD (~74 euros) that the Free Valuator site gives as an approximate estimate of the domain’s current worth. That’s +640% just for adding content to the website.

Increasing the value of the domain

To increase the value of the domain, fraudsters are probably focusing on two key elements:

  • Content
  • Popularity

The content will be copied from the original website.

The popularity goal means getting a good position in search results, and fast. Besides the credibility the original website might be sharing with the fraudulent one, fraudsters can [shamefully] use a click farm to rank it up.

Remember the example with this website’s ROI above? If fraudsters manage to add a lot of (copied) content to their new website, and aggressively send (fake) traffic to it, we could estimate that it would be worth way more before the one-year expiration date.

What can website owners do?

Definitely review and approach this seriously, and take whatever time is necessary to safeguard your website. Below are a few actions you should consider taking.

Prevention

  • Be vigilant regarding other domains where you’re receiving visitors (whether it’s in Google Analytics or some other tool).
  • Consider investing in fraud prevention tools, especially domain monitoring (Sucuri, Netcraft, Domain Tools, etc.).
    • If you’re running on a tight budget, at the very least set up Google Alerts, a Google Sheet with all the domain names you can think of plus an IMPORTXML formula, etc.
  • Use rel=canonical tags on your content to tell crawler bots that the content is indeed yours.
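For the low-budget “all the domain names you can think of” watch list, the candidates can be generated from the naming patterns seen in this campaign: swapped word order, a single dropped letter, and a .com TLD. This is an added example, not the author’s code; the function names are hypothetical and the list of observed domains is constructed. It only builds and matches a monitoring list, it does not look anything up.

```python
from itertools import permutations

def drop_one_char(label):
    """Every label obtained by omitting exactly one character (typo variants)."""
    return {label[:i] + label[i + 1:] for i in range(len(label))}

def watchlist(brand_words, own_domain, tlds=("com",)):
    """Candidate lookalike domains to monitor for a brand made of several words."""
    labels = set()
    for order in permutations(w.lower() for w in brand_words):
        joined = "".join(order)
        labels.add(joined)              # same words, any order
        labels.add("-".join(order))     # hyphenated form
        labels |= drop_one_char(joined) # one missing letter
    names = {f"{label}.{tld}" for label in labels for tld in tlds}
    names.discard(own_domain.lower())   # never flag the legitimate site
    return names

def normalize(domain):
    """Lower-case, refang '[.]' notation, drop a trailing dot and a leading www."""
    d = domain.strip().lower().replace("[.]", ".").rstrip(".")
    return d[4:] if d.startswith("www.") else d

def flag_observed(observed, watch):
    """Domains from a feed (new registrations, referrers, alerts) on the watch list."""
    return sorted({normalize(d) for d in observed} & watch)

if __name__ == "__main__":
    watch = (watchlist(("dinheiro", "vivo"), "dinheirovivo.pt")
             | watchlist(("diario", "coimbra"), "diariocoimbra.pt"))
    # Constructed feed mixing the two clones named in the article with noise.
    observed = ["vivodiheiro[.]com", "www.CoimbraDiario.com", "unrelated.example"]
    print(flag_observed(observed, watch))
```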

On detection of clone websites

  • Check Google Analytics (just out of curiosity)
    • Make sure your default View excludes traffic from the fraudulent domain
    • Create a View that only shows activity for the fraudulent domain, just to see what’s going on
  • Check the WHOIS of the domain. Report it to the registrar and/or the company hosting it.
  • Report to Google. If applicable, block the fraudulent domain in AdSense. You really don’t want fake activity influencing your stuff.
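  • Exclude the fraudulent IP in your .htaccess file (this tells the web server at your hosting provider to refuse requests from that address):
# Apache 2.2 syntax; on Apache 2.4 these directives require mod_access_compat
order allow,deny
deny from XXX.XXX.XXX.XXX
allow from all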

Unfortunately, fraudulent activity is part of the online ecosystem. The important rule of thumb here is: it’s good to have a plan for when things go sour. For example, big companies probably monitor newly registered domains that include their brand name in order to prevent phishing and other sorts of potential risks.

Most of all, don’t panic.

Please feel free to share any corrections and/or suggestions in the comments below (or emailing me at p@pedrosaurus[.]com). Thanks for reading!

Note: this situation has been reported to NameCheap; I’ll update this post in case there’s any pertinent development.
