How we Discovered and Dealt with Someone Impersonating our Company

Yesterday we discovered a site impersonating us (upollo.ai) with an exact copy of our site on the same domain name with a different top level domain (eg. upollo.XX). I have redacted the original domain and will be using the .XX extension in place of the original top level domain (TLD) used by the impersonator.

How we discovered it​

We saw a strange referrer in our analytics that had our company name in it, we didn’t own the domain, we thought maybe someone simply made a typo or it was a domain squatter. To our surprise when we looked at the site we saw our own site staring back at us!

The pages were identical apart, all the links went to our original site, but they had changed our footer.

Strange choice to leave the kangaroo in, but this whole thing was a bit strange.

Trying to understand the who, when, where and why​

The first step we took was to understand who registered the domain. A general whois search wasn’t helpful as this particular TLD required you to use their tooling to show you any detailed information.

With the detailed whois data we found the domain was registered to our company name, in our language, with a gmail address which impersonated our business and a reference to a town in Ireland.

This information wasn’t particularly useful in helping us stop the impersonation, so now to have a look at when the impersonation started to see if that gives us any clues.

We saw the domain was registered on July 13th so that gave us a starting place, looking at the last modified headers for the page it was updated on July 14th and finally the referral from that page came minutes after the page was last updated on July 14th.

Looking at our logs we could see that the user who was referred by the impersonating site was coming from an AWS IP in India and that they had their language set to EN-IN.

Next up we took a look at where the site was being hosted.

Via a quick check of DNS we could see Hetzner was the hosting provider, and from the whois information Key-Systems was the domain registrar.

The why​

Before we could take action, we needed to have some possible reasons why someone would be impersonating our business.

We had heard from our lawyers that a number of Australian and global businesses had been impersonated and that their customers had been asked to change the account where they pay their invoices to an attacker-controlled account.

Phishing was also a concern, but at the time of detection, the login links on the impersonators site were all directed to our real login page.

We looked to see if the domain was set up to send mail by checking for MX DNS records. You can use tools such as MXToolbox to look this up. We found records which indicated that sending email pretending to be us may have been part of their plan.

We do a lot of analysis of email addresses as part of helping our customer identify customers who are good candidates for outreach to convert them to a paid plan or expand their usage, so this was a good reuse of that knowledge.

Taking action​

We knew three providers the impersonator was using, Hetzner, Key-Systems, and Gmail, plus one which we strongly suspected they were, AWS.

All of these services have abuse contact details for exactly these scenarios, except for Gmail which will not handle impersonation or similar requests themselves.

For others in this situation you have a few different things you could focus on for filing these abuse reports, phishing, copyright and trademark. Copyright can often be the clearest and easiest in cases like this and often providers have clear processes around it. Talking to a lawyer in these situations is highly recommended.

The reports themselves don’t need to be anything complicated, we included some basic facts about what was going on and why this was abuse. The reports were no more than 3 paragraphs.

We filed abuse report requests with Hetzner, Key-Systems and AWS and got responses from Hetzner and Key-Systems within 24hrs.

How it ended​

Roughly 12 hours after we first noticed and ~10 hours since we filed our first abuse reports the impersonator site suddenly showed down for maintenance.

A few hours later we got this response from Hetzner:

How do we make sure another one doesn't pop up?​

We can’t, however we found a great way to monitor for when or if one does. Crt.sh is an amazing tool that lets you query the certificate transparency logs that the majority of SSL certificate issuers use when issuing a new certificate. We were able to query this using their advanced search and see if any other domains had popped up and monitor it via the RSS feed it provides.

Thankfully no more have popped up so we hope this is the end of it and we can go back to focusing on helping our customers grow their businesses.