The Shopify Copying Hack Lurking in the Shadows – Are You Prepared?

By Andrew Lance | CEO

For many small business owners, Shopify has proven to be not only a lifejacket but a state-of-the-art speed boat on the way to profit. With the global eCommerce market forecast to hit nearly $5 trillion this year, more and more businesses are leaping to the digital platform, and who can blame them? For Shopify Plus merchants with annual sales between $1-$500 million, average year-over-year growth has exploded to 126%. Like anything online, though, eCommerce stores are vulnerable to hacking. For the past year, a disturbing new Shopify cloning hack has lurked in the shadows, draining businesses of their profits and stealing consumer’s financial information.

Shopify Site Cloning Tools are Helpful but Potentially Malicious

Shopify’s app store provides thousands of tools to make Shopify store owners lives easier. Some of these tools are applications that allow owners to duplicate their store down to the product inventory. Having the ability to copy one’s entire site can be extremely helpful. For example, it makes it easy to create new stores for different currencies or languages to reach new customers. However, anyone can copy your Shopify store. Anyone.

For Jennie, this is where her nightmare began. Last month, she looked to see where her online clothing store ranked under its Google AdWords when she noticed something odd. Her site was not at the top, but a site with a near-identical name to hers was- a shadow site. It looked 100% identical to Jennie’s eCommerce storefront, had nearly the same domain name, and had all of the same inventory and pricing. A hacker had duplicated her Shopify store. Now, the shadow site was siphoning off Jennie’s unaware customers.

For unsuspecting customers, the experience on the shadow website is the same; they can browse the shop, scroll through wares, and add products to their carts. Even checking out seems normal. Customers view their inventory and enter all of their information, including their address and credit card details. Up until this point, there are still no red flags. However, once customers hit submit, they receive an error message saying their order cannot be fulfilled; meanwhile, their credit card information is funneled off, saved, and stolen by the shadow site.

Jennie and her online clothing store quickly realized the devastation of this scheme. She is not the only one to face this issue. Recently, a substantial Reddit thread has appeared online with multiple people complaining of the same problem.

Sidechain has recognized the sudden prevalence and severity of the Shopify Cloning Hack and is working with clients to resolve the problem. So, what do you do if your Shopify store falls victim to the copying hack?

Solutions If Your Shopify Suffers the Copying Hack

Jennie contacted Sidechain to report this issue and to seek solutions to shut down the copycat site. Sidechain immediately recommended sending a cease-and-desist letter and reported the website to the internet service provider. Additionally, Sidechain began working to secure both Jennie’s and her Shopify store’s online presence. The hackers (likely the same ones who duplicated her store) then tried to reset the passwords to her store. The attack failed due to the solutions put in place by Sidechain, but they continue to send out probes to see if there are weaknesses in the armor of Jennie’s digital security. Had she not reached out to Sidechain, her online defenses would likely have been overrun.

Unfortunately, there is little in the way of recourse once you fall victim to the Shopify Copying Hack.

According to Sidechain CEO Andrew Lance, “there is nothing that prevents someone from registering a domain name that sounds like another. There is nothing that prevents them from running a program that clones one website into another. Websites are public; they’re there for the taking if somebody wants to.” In the end, there is very little that can be done after the fact, outside of taking legal action.

The only solution is to be proactive in securing your digital storefront and your customer’s valuable information.

Couldn’t I Report the Site to Google or Shopify?

It might seem like the solution is to report the problem to Google. The search engine does have a webpage to which you can report phishing operations. However, once you submit the URL of the shadow site, there is no feedback. There are nearly 300 million active internet users in the United States alone, and Google holds 88.1% market share, meaning the search engine has about 265 million active customers. In short, there is unlikely to be a resolution from contacting the search engine.

You might have more luck contacting Shopify, but even then, you would be hard-pressed to find a solution. A customer service representative from Shopify responded to a complaint in the Reddit thread mentioned above detailing this same issue people were having. The solutions were minimal:

“Hey Dave, *********** here with Shopify Technical Support; it’s a pleasure to meet you. *********** brought me up to speed on the issues you’re having with that custom domain showing your storefront. We’ve seen situations like this come up before where there are some bad actors cloning storefronts. They would use hosting providers and instant redirects from the real store, so anything that’s updated on the store is represented on the clone store in real-time. This can also be seen in the analytics as referrers from the web source as well.

Shopify Dave continues on to outline a number of reactive and proactive steps, but outside of reporting the site to Google’s phishing monitor, inserting some weak code that can be circumvented by the hackers, or seeking legal action, Shopify had no solutions. Clearly, once you suffer from the Shopify cloning hack, you are at the mercy of your hackers and major multinational companies with little in the way of support for your small business.

Three Important Steps to Secure Your Shopify Site

It is not all doom and gloom, though, because you can protect your business yourself by taking the following proactive steps before hackers target you.

1. Implement Basic Digital Security Tools

The first step is to implement basic security tools to protect yourself from malware that can compromise your websites or your access to them. There are plenty of website scanners dedicated to identifying malware. Once you choose one, it is essential to continuously utilize it because phishing sites can pop up any day.

2. Seek Out Legal Recourse to Deter Attackers

When your digital assets are used without authorization or in violation of your trademark or copyrights, it is essential to take legal action to deter other would-be-attackers from taking advantage of your vulnerabilities. Having the ability to take legal action ahead of time could save your business valuable days and weeks of frustrating work.

3. Have a Cybersecurity Partner in Your Corner

The reality is, in the digital age, anything you put on the internet can be duplicated, hacked, or stolen if someone has the skill and desire to do so. It is scary but true. That is why it is crucial to have a cybersecurity company to reach out to before issues arise. Having an expert team in your corner allows you to focus on your day job- building your business and growing your brand without dealing with the fear and uncertainty of questioning whether you are doing enough to protect yourself. The cybersecurity firm will focus on ensuring your digital defense is air-tight to prevent attacks like the Shopify cloning hack from happening to you. They are also adept at the tactics and procedures required to remediate attacks that occur to your digital storefront. It is best to remember, it is not a case of if, but when an attack will occur. When it does happen, your business cannot afford to let one minute go by without taking the appropriate actions to recover.

Protect Your Online Business from Cyber Threats

If you are looking to protect your online business from the Shopify Copying Hack or other digital threats and want a cybersecurity partner in your corner, check out Sidechain’s free security assessment, specially created for Shopify store owners. You’ll find out ways you can better secure your digital storefront, so you can focus on growing your business.

Are you sure your data is safe?  Learn More:

Contact Us

About Us

 

Speak to an expert

Thank you for reaching out. One of our experts will be in touch with you.