The Shopify scam you can’t protect your store from, but whose effect you can reduce

For e-commerce merchants, their stores’ websites are their brainchildren, so they care a lot about the ideas and time invested in getting those websites launched. Having someone copy you is frustrating enough. But it’s even worse when someone is mooching off your business and damaging it along the way. And that’s exactly what scammers have been doing to Shopify merchants for the last three years by mirroring their stores.

How does the scam work?

Recently one of our clients was checking keyword requests in Google and noticed something strange. Alongside his website, the search results showed two other stores that had different URLs but were otherwise completely identical to his store. The whole navigation, design, inventory – everything was the same. When he made any changes to his website, they immediately appeared on the shadow stores. He also started to receive angry calls from shoppers saying their card was charged even though the website showed the error page instead of confirming the purchase. Our client couldn’t find any recent sales in the Shopify dashboard either.

What our customer encountered is store mirroring. The problem is not uncommon. We found several threads on Reddit and Shopify Community where multiple merchants complained about the same situation.

What is website mirroring?

A mirror site is a copy of all the files that make up your website (CSS and JavaScript files, images, text), hosted on another server. The mirror website has a different URL but is otherwise completely identical to the original website. A mirror can be a static copy that needs to be updated manually or a fully automatic clone that stays current with the changes of the original website without human intervention.

Why do scammers create mirrored websites?

We don’t know this for sure, but we have several hypotheses. 

  1. Hackers want to get the credit card details of the store’s customers.

  2. Attackers are stealing website traffic. They can monetize it via ad networks like Google Ads.

  3. Someone wants to harm the store owner’s reputation. 

What can you do against it?

Unfortunately, if you notice that your store is mirrored, there is not much you can do. Neither Shopify nor hosting providers are willing to deal with these cases. Shopify claims it’s not in its power to prevent or reverse these scams. A merchant can send a takedown request to the mirror website’s hosting provider, but it is a long process and there is no guarantee the provider will act on it.

When we investigated the case, we found out that the mirror website domains were registered through GoDaddy. The mirroring was implemented via Cloudflare’s reverse proxy. We helped our client to file a claim on both platforms. Both gave a similar answer: due to their policies, they would run their own investigation, but wouldn't reveal the results to the complainant.

Another thing the store manager might do is report the problem to Google. The search engine even has a page where you can report phishing operations. But considering that Google has millions of users and complaints, it is also unlikely to be a solid and fast solution to the problem.

The only fast and working fix we found for our customer is a redirect script. Add the following code to theme.liquid to break the mirror website:

<script>
  // Compare the current hostname, with all dots removed, against the store's own domain.
  if (window.location.hostname.replaceAll('.', '') !== "revautoclubcom") { // remove all dots from your domain name here
    if (window.location.hostname == "rev-auto-club.myshopify.com") {
      console.log("rev-auto-club.myshopify.com"); // this prevents redirect if using the permanent_domain
    } else {
      // Any other hostname is a mirror: send the visitor to the real store (base64-encoded URL).
      window.location.replace(atob('aHR0cHM6Ly9yZXZhdXRvY2x1Yi5jb20='));
    }
  }
</script>
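The same check written as a testable function, as an added example that is not the original script from this post. It goes a little further than the script above: it matches the exact hostname instead of the dot-stripped form, so two different hostnames that collapse to the same dot-free string are not treated as equal, and it normalises case and a trailing dot. The function names, the `www.` entry and the empty-hostname rule are assumptions; the domain, permanent domain and base64 string are the ones from the script above.

```javascript
// Added example. Names (CANONICAL_B64, PERMANENT_DOMAIN, mirrorRedirectTarget) are illustrative.
// Base64 of the real store URL, taken from the script above. Assumption: it is
// encoded so the literal domain does not appear as plain text in the served page.
const CANONICAL_B64 = 'aHR0cHM6Ly9yZXZhdXRvY2x1Yi5jb20=';
// Shopify permanent domain of the store, as in the script above.
const PERMANENT_DOMAIN = 'rev-auto-club.myshopify.com';

// Lower-case the hostname and drop a trailing FQDN dot so that
// "RevAutoClub.com." and "revautoclub.com" compare equal.
function normalizeHost(hostname) {
  return String(hostname).trim().toLowerCase().replace(/\.$/, '');
}

// Hostnames the storefront is legitimately served from.
// The "www." variant is an assumption; remove it if the store does not use it.
function allowedHosts() {
  const canonicalHost = new URL(atob(CANONICAL_B64)).hostname;
  return new Set([canonicalHost, 'www.' + canonicalHost, PERMANENT_DOMAIN]);
}

// Returns null when the page is served from an allowed hostname,
// otherwise the URL of the real store to redirect the visitor to.
function mirrorRedirectTarget(hostname) {
  const host = normalizeHost(hostname);
  // An empty hostname (for example a locally opened file) is left alone.
  if (host === '' || allowedHosts().has(host)) return null;
  return atob(CANONICAL_B64);
}

// Browser hook: runs only when a window object exists.
if (typeof window !== 'undefined' && window.location) {
  const target = mirrorRedirectTarget(window.location.hostname);
  if (target !== null) window.location.replace(target);
}
```

In theme.liquid this goes inside a `<script>` tag, like the original. Any other hostname your store is served from has to be added to `allowedHosts()` first, otherwise visitors on it are redirected as well.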