A Member’s Identity and Website Stolen
A member’s business Identity and Intellectual Property stolen!
One of our members recently received a phone call from a friend asking him if he had moved. What happened was that the friend had mistyped the URL of our member’s website and ended up with a .com instead of his .co.uk. The friend immediately telephoned and it was at this point that our member Peter Cornwell of Special Wedding Cars discovered his website had been cloned and could potentially be used to scam brides in California. Peter immediately contacted us to see if we could do anything about it and how had they managed to clone his site? The answer to the second part soon became apparent when it was found that his site is coded in straight html. To clone an html site is relatively simple. All you have to do is right click the page, click ‘view source code’, copy that code and paste it into a document. This can then be transferred later to legitimate site building software such as Dreamweaver or some of the free site building software that is available. If the scammer is a real professional they could use certain software that we won’t name and the entire site will be stolen and up on line in three clicks.
By the time you read this we expect to have had the site www.specialweddingcars.com removed by the hosting company GoDaddy of Scottsdale, Arizona. We have also asked GoDaddy to have the URL transferred to Peter.
So how did we do it?
- Using the Whois system we traced the Registrar for the URL as the giant GoDaddy hosting company based in Scottsdale, Arizona.
- The same system gave us the Registrant, purporting to be Jeremy Gould of Stony Mountain Road, Anzac, Alberta, Canada.
- It also gave us the telephone number at the time of registering as 001 780 334 2227 and the email address as firstname.lastname@example.org.
- The date the URL was registered was 3rd May 2013
Having discovered this information we needed to do the same for Peter’s website so we could prove that it was the first site, which we did.
We also ran a check as to when the cloned site was known to be published; by using the ‘Wayback Machine’ we found that it was online on or before 4th July 2013 as that is the first date it was trawled by the machine. Peter’s site was dated 5th February 2007 so is obviously preeminent.
We then traced the telephone number on the .com cloned site (1-213) 627 8199 to a company in Los Angeles called A2z Trading of 560 S., Los Angeles St, Los Angeles, California; they apparently trade in leather goods. White pages confirmed that it is an active number for A2z Trading. However we could not find a website for them so it is a bit of a dead end.
The telephone number in the Whois for the .com cloned site for the Registrant Jeremy Gould, 001 780 334 2227 was traced to a Burger Bar in Anzac, Alberta, Canada. The address of which, 240 Stony Mountain Road, Anzac, Alberta, seemed to almost match with the Whois address. The burger bar had a website www.burgerbar.ca but this is no longer online. Again we used the ‘Wayback Machine’ and dug out their last website in the hope of finding if Jeremy Gould had a link with them. Regrettably there was no mention of any names. So we tried Whois in the hope that the URL might still be active. The Whois shows that the URL is held by godaddy.com as the registrar but no other information was available. The URL was still active but expired on 2nd April 2014.
Finally, we had a go at the Whois email address email@example.com but Google told us that it does not appear in any current website, nor could we find it in any archived site. Regrettably there is no archive of email addresses and their owners anywhere. Using Google we tried to locate anyone in Anzac called Jeremy Gould but again no luck.
We tried the Canadian telephone directory www.canada411.ca, no Jeremy Gould listed in Anzac so we tried a reverse search by putting in the telephone number to see where that took us. It did of course take us to the Burger Bar in Anzac, yet another total dead end.
Having found as much information as we could, we then created an email for Peter to send to the Registrar and supposed host for the cloned site: The GoDaddy Corporation of Scottsdale, Arizona.To: firstname.lastname@example.org Subject: Identity theft and theft of Intellectual Property. Dear Sirs, My name is Peter Cornwell, owner of a wedding car hiring company trading as ‘Special Wedding Cars’ in the UK. I wish to report business identity theft and infringements of my intellectual property rights, having just discovered that my website www.specialweddingcars.co.uk has been cloned and with just a few amendments is now on www.specialweddingcars.com which you are hosting.
My URL was purchased on 29th August 2006 and the .com URL was purchased by someone purporting to be Jeremy Gould on 3rd May 2013 registered as living in Anzac, Alberta, Canada and is hosted by your good selves. We are now aware that the .com site was online on or before 4th July 2013.
If this Jeremy Gould exists he has a lot to answer for. He is a total idiot in not changing a lot of detail on the site having cloned it, as it still shows that wedding cars are available through him in these towns and villages:
Altham, Bacup, Barnoldswick, Barrowford, Baxenden, Beardwood, Billington, Bolton by Bowland, Brierfield, Brockhall Village, Brownhill, Chatburn, Chipping, Church, Clayton-le-moors, Cliviger, Colne, Cornholme, Crawshawbooth, Darwen, Downham, Dunsop Bridge, Earby, Eccleston, Edenfield, Ewood, Fence, Great Harwood, Haslingden, Helmshore, Hoddlesden, Holme Chapel, Huncoat, Hurst Green, Intack, Lammack, Langho, Longridge, Lower Darwen, Lydgate, Mellor, Mellor Brook, Mitton, Oswaldtwistle, Nelson, Padiham, Pendle, Rawtenstall, Read, Revidge, Ribble Valley, Ribchester, Rishton, Rossendale, Roughlee, Sabden, Samlesbury, Sawley, Shadsworth, Simonstone, Slaidburn, Stonyhurst, Sunny Bower, Sunnyhurst, Todmorden, Trawden, Waddington, Walsden, West Bradford, Whalley, Whitehall, Whitewell, Wilpshire, Worsthorne, Worston.
All of them are in the county of Lancashire, England and they all form part of my operating area. Also the photographs shown are my cars and it can be seen on several that the registration numbers (tags) on the cars are British not American.
Finally, if you ignore the email address given in the header on the illegal site and you click on the contact button and then the ‘active’ enquiries email address it will open your email client bringing up my personal email address email@example.com. It will also bring up a subject line reading: “enquiry from www.specialweddingcars.co.uk”. I therefore ask you to immediately remove this illegal site from the internet, furthermore I would ask you to inform me as to how I can make a claim for the .com address which uses my trading name of some seventeen years.
Another very important inconsistency is that Jeremy Gould left the logo on his illegal site attesting to being a member of the National Association of Wedding Car Professionals, which of course he is not, but I am. The logo is still live and links to the NAWCP website. The NAWCP is the only professional association representing the wedding car industry and is therefore pre-eminent in the UK and are in fact UK Government Stakeholders. Their Chairman David G. Jones is up in arms about the identity theft and cloned site as he recognises that US brides are potentially being scammed for many thousands of dollars and it would appear from the cloned site that the NAWCP is involved. I am aware that he is currently seeking legal opinion over this matter and will no doubt be in touch.
I look forward to your prompt action in this matter, you have my email address and my telephone number is 0044 1254 888557.
If you would like to contact the chairman of the NAWCP his email address is firstname.lastname@example.org and the telephone number is 0044 1252 875222.Yours Sincerely Peter Cornwell Special Wedding Cars
We must point out that GoDaddy is an internationally respected web hosting company and is in no way implicated in this potential scam.
Before you ask both the NAWCP and Peter what steps we will be taking to bring this scam to the attention of the relevant authorities. In Alberta it is the Royal Canadian Mounted Police and in Los Angeles the FBI. An early draft of this document was emailed to them on Tuesday 1st April 2014 as well as the fraud section of the UK police. Consequently we have not called either of the traced telephone numbers; we are leaving that to the appropriate authorities.
We have now had a response from GoDaddy to Peters email. The essence of the email is that they are the registrar but they are not hosting specialweddingcars.com. That was an error on our part for assuming the registrar was also the host for the web site, it usually is. Consequently we apologise to GoDaddy for making the erroneous assumption. GoDaddy very helpfully supplied us with the IP address of the website 18.104.22.168
We then contacted the American Registry for Internet Numbers (ARIN). We had two telephone conversations with them and explained Peter’s and the NAWCP’s problem and they kindly informed us that they issued IP address 22.214.171.124 to webhostingpad.com and that servercentral.com provided the hosting servers. We immediately contacted Server Central as the de facto host and spoke to a very sympathetic gentleman Padraic Connelly who examined both sites and immediately saw the potential fraud said “don’t worry I will pass this straight through to our abuse centre”.
Thankfully Padraic was as good as his word.
Server Central’s abuse department have confirmed receipt of the email and allocated us a reference number and we wait for the outcome.
Peter also sent an email almost identical to the GoDaddy email and very quickly had a reply from ServerCentral’s abuse department confirming that his claim is being looked at. All we can do now is wait.
Today (Saturday 12th April) on checking specialweddingcars.com we found the following statement posted.
It looks like complete success, but we must wait for final written confirmation. Using Whois we found that the .com URL registration is due to expire on 3rd of May this year, we doubt that the owner will respond to Webhostingpad. Which means the URL will come up for sale in the near future giving Peter the chance to buy it.
Should you check your site? – YES – no one else will
How can you find any duplicate content of your site?
You too can discover if there is any duplicate content from your website floating around the internet by going on to www.copyscape.com and typing in the URL of your front page. If there is, it could easily be advertising sites that you have subscribed to and just copied and pasted part of your website wording. If they are ranking higher than you in Google for the content in question, you need to get on to the advertising site and change the wording. Why? Because Google marks you down in ranking terms if you have on your site, what looks like duplicate content you’ve copied from the other web site. It is possible that you have several other sites where you own the URL, and you have copied your prime site to them. If so you need to drastically rewrite those sites as it is duplicate content in the extreme and Google really does not like that and probably won’t even rank them. You could in fact delete the site content and use it for a ‘301 redirect’ to your main site. If you want to have your secondary sites ranked then you must not have any duplicate content, wording or photographs. In Peters case we discovered that an advert placed on ‘AdSell’ had been picked up by Google first so they considered that wording (copied and pasted from Peter’s front page) was the first instance and Peter’s front page was the duplicate content. Consequently his ranking is well down on where it should be. So Peter will have to re-write the advert, having done that it could easily be six to eight weeks before he see’s any improvement in his ranking. We now know how this happened and that it was not Peter’s fault. He is taking steps to remedy it. It would appear that it was his web developer’s error.
Search Engines also help in tracing duplicate content
If you take a line or two of text that’s original to your site and put it into your favourite search engine and some other site(s) comes up ranking before yours, then you’ve got a problem and you should call in a professional to sort it out because it’s quite often indicative of a series of problems on your site. If the other site(s) containing your phrases are ranking below you for the same phrase, then there’s no problem for you from that point of view, there probably is for those other sites and that’s their problem, not yours.
To trace the first trawl of a website and archived websites
If you need to trace the date a URL was first known to be used you can always join the ‘Wayback Machine’ at www.archive.org/web. You can also, if you join, view previous iterations of virtually any website. It is free to join but a donation would be appreciated as the archive is currently storing over 404 billion web pages and that costs serious money. If you join you can view all the various iterations of the sites in chronological order.
If you need to use ‘Whois’
- For UK URL’s go to: http://www.nominet.org.uk/uk-domain-names/about-domain-names/domain-lookup-whois/whois-tool
- USA go to: http://www.internic.net/whois.html
- For all other countries use Google search and type in “Whois + the country name”
What information will Whois give you?
Whois will usually give you the following information:
- Date the URL was registered
- Name of the Registrar the company looking after the URL. Quite often the hosting company
- Name of the Registrant
- Address of the Registrant
- Telephone number for the Registrant
- Fax number for the Registrant
- Email address for the Registrant
- Also the same details for the Administrator and the Technical Administrator
There are a few caveats: These details are from the time of registering the URL. The Registrant can opt for most of the details to not be on public view. If that is the case getting hold of that information could be very hard indeed, and may well require a court order.
What should you do if you find your whole site cloned?
If you do have this disastrous occurrence like Peter you need to use all the tools mentioned to get as much information as possible. You must also do the same for your own site. If you unfortunately used an unscrupulous “web designer” it is possible that your site is the cloned one! So go to Whois and check the date your URL was registered long with the clone site, her we are assuming that yours is the legal site, If possible find the IP address of the illegal website and you might as well get yours for future reference. Then you need to trace the hosting company, for that you need the IP address, this is very simple to acquire just go to the following website: http://www.site24x7.com/find-ip-address-of-web-site.html. In the top box type in the URL you are checking. Then transcribe the numbers in the second box to the third box, click on ‘Find IP’ and presto the IP address should come up in very short order. This is a free service.
How do you find the hosting company from the IP address?
You can use www.ip-lookup.net again a free service. On the first page if you scroll down a little you will find a box ‘Lookup an IP address’ type in the IP you wish to check click the ‘Q’ and the answer will very quickly come up. This is quite a complex page in the case of 126.96.36.199 it said Host: email@example.com. Servercentral is the host. From the selection of links below click ‘Domain owner info (Whois / Abuse)’ and all the details you need are listed. You will find the address of the hosting company, telephone numbers etc., and very importantly the email address to send details of your problem in this case firstname.lastname@example.org
What can you do to help stop your site being cloned?
How can I avoid having my website easily cloned? Simply make sure your site is not built using Hypertext Markup Language (HTML). So what should you use? One of the best languages is php (Hypertext Preprocessor) within a content management system (CMS) as this requires a serverside database where html does not. On our own website we use WordPress, a CMS system, in conjunction with php. For this to be completely cloned the scammer would first have to hack the server on which it is hosted and retrieve the database and a lot more besides. Having said that, individual pages can be copied but they would be totally flat with none of the originals interactivity. The NAWCP hosts with UKFast.net Limited who host for some of the largest websites out there including the likes of Virgin and the NHS. This means that their servers are extremely secure, more so than a lot of international companies, who use their own servers. Look what happened to Sony, T•K•Maxx and many others. So check with your website developer as to what code they used to create your site. If it is coded without using a serverside database system (CMS) i.e. html, get a quote to recode your site and host more securely.
Remember your site will only be as secure as the servers that host it. So seek top quality professional advice. The less you pay the less security you are likely to get. It that old adage you get what you pay for.
Many of you have taken both the .co.uk and .com URL’s, which is a very good idea but it won’t stop cloning. It will mean that any cloned site would be well down the status list of URL domains. But scammers can use any URL domain out of the many hundreds, maybe thousands available; none of us could possibly afford to purchase all of them.
How do you find out more?
We have asked Stuart Morrison of Business Web Mentor the NAWCP’s own website developers to put together a paper of what is considered best practise for the development of modern secure websites. This we will publish as soon as we receive it.
NAWCP secure hosting!
We are looking into the cost of taking a secure server with UKFast that could host all of our members websites if they so wished. This would give you the site security you need to help stave off attacks on your own site. You would have total control over your site along with your developer. No one else would have access without the correct password. The passwords once issued by the server can’t be retrieved a new one would have to be requested if lost. We estimate the cost would be in the region of £10 to £12 per month. This will only go ahead if there is enough of you to defray the cost. Please email us if you are interested in the NAWCP providing a server.
This article has been viewed by our legal advisor Neil Morley of Travis Morley Associates of Long Eaton, Nottingham and suggested amendments made.
Who has been sent this article?
An early draft of this file was sent to the FBI in San Francisco at 16:16 on Tuesday 1st April. We received the following message from them at 17:20 on Tuesday 1st April “Your message was deleted without being read on Tuesday, April 01, 2014 4:20:08 PM UTC.”
An early draft of this file was sent to the Royal Canadian Mounted Police in Alberta at 15:55 on Tuesday 1st April. We received the following response on Wednesday 2nd April at 19:55. “Please contact your local police service and ask them to make a request for assistance from the appropriate Canadian law enforcement agency”.
An early draft of this file was sent to email@example.com at 16:02 on Tuesday 1st April as yet we have not had a response.
A second draft was sent to all three on Saturday 5th April with no response
We will also be sending them the final version just prior to publishing on our website.
All sent today – Sunday 13th April at 12:49. Should we receive any replies of substance we will let you know. We doubt we will receive any as regrettably Peter’s and the brides of California rate way down the scale of cyber crime.
If you wish to have a printable copy of this report, click below
GET THE STRENGTH OF THE NAWCP AROUND YOU