Why have people uploaded our old website to our old domain?
August 2, 2018 7:13 PM

Our organization recently moved our website from one domain name to another. For whatever reason, we did not keep the old domain name and it expired ~6 weeks ago. Cut to today and we found out that someone registered the old domain and uploaded an old version of our website to it. Images, links, everything, presumably pulled from archive.org or something similar. Why? And help?

First of all, why would they do this? We don't get a ton of hits each year, though people do periodically link to our site. Are they hoping to hold the domain for ransom? Inject some sort of virus or spyware or something to infect unsuspecting computers? Serve their own ads? (We're a nonprofit program in a university, FWIW)

Secondly, is there anything that we can do? We've contacted the registrar and the web host for the obvious IP violation and are waiting to hear back from the legal team at the university...but are there any options that you can think of?

Ugh. Thanks.
posted by griseus to Computers & Internet (8 answers total) 1 user marked this as a favorite
Since the domain registrar and hosting are likely 2 separate accounts, it is possible that, if it was renewed at the same registrar and your hosting account was still active, it would just work again as the DNS would point to the old hosting site. Are you sure it isn’t your own hosting account serving up the page?
posted by ridogi at 7:29 PM on August 2, 2018 [1 favorite]

Interesting idea! But unfortunately, that doesn't seem to be the case. As far as I can tell, the hosts are different (assuming https://www.hostingchecker.com is accurate).
posted by griseus at 7:35 PM on August 2, 2018

Is it a domain that has been around for years? Does it rank highly in Google for any key terms? Does it have a lot of external links pointing to it? There are some SEO strategies that prescribe buying expired domains and then manipulating them to get some SEO juice to other sites they own. (I’m not super knowledgeable on how it works, I just know it’s something I’ve heard about.) And it’s probably worthwhile for SEO reasons to keep the site “up” as far as Google is concerned until they can start harvesting the back link profile or redirecting. Older domains with lots of sites linking to them can be valuable for SEO purposes as Google values them differently than new sites.
posted by cgg at 7:41 PM on August 2, 2018 [4 favorites]

Most likely it's for SEO manipulation per cgg but possibly to serve malware. It is possible but less likely that they might also be using it for social engineering - adding a login page to steal credentials or using the domain to send e-mails to convince the recipient to do something they shouldn't and recreating the web site in case the user thinks, "that's odd, didn't they change domains?" and goes to the old one to see. That is slightly more likely if you happen to do something with international students who might be of interest to foreign governments.

If you were lucky, it might just be an oddball community member that liked the old domain and wanted to recreate it (unlikely, but weirder things happen, especially with universities).

In contacting the registrar, you have a clear bad-faith use of the domain, so the registrar should hand it over pretty easily, especially with the force of a university's lawyers behind you. In theory, you can also get them to give you the contact information of whoever did it, but it's almost certainly fraudulent. It's still worth grabbing, as many scammers use the same or similar information, so check whether there are similar things with other sites related to the university. In that case, you'd know that someone was targeting the university rather than just having your former site as a target of opportunity. If the university has access to something like DomainTools (check with your security group), they can mine that kind of information if you're really worried about it.

Unless you see other copycats pop up with similar domains, you're probably fine doing the takedowns and keeping the old domain registered for a while but without a web site. Eventually the value of the domain for SEO will drop and you could let it lapse.
posted by Candleman at 8:07 PM on August 2, 2018 [6 favorites]

Phishing is my first thought. Does it have any login forms, or anywhere else someone might upload sensitive data?
posted by dilaudid at 8:11 PM on August 2, 2018 [3 favorites]

For completeness in theorizing, there's also the possibility of a watering hole attack, where a person or organization who is somehow known to visit your old domain is being targeted to be infected or misled.
posted by XMLicious at 9:15 PM on August 2, 2018 [1 favorite]

Whatever it is the new domain owners are doing, you need to assume ill intent, respond forcefully and issue a DMCA takedown request to the host. The suspicious site is using your organization's website materials (however old) and that's a clear violation.

Have you scoured the suspicious site and checked to see if it's entirely the same? Have phone numbers and any contact email addys been changed?

You don't say what your org does, but if you have clients that use your website, you need to make sure they are all aware of your new site's URL, and make clear that the old URL is not yours anymore.
posted by Thorzdad at 6:49 AM on August 3, 2018

Also BTW in relation to watering hole attacks and other best practices, if you haven't already done the following things for your new domain and web site you should:
  • make certain SSL/TLS/https:// is set up on your web host (the organization Let's Encrypt can help get free certificates trusted by all browsers)
  • make sure your HSTS policy is turned all the way up, automatically requiring https:// urls for all visitors
  • make sure the HTML of your pages contains canonical link elements pointing to the https:// url of each page at your real public domain (another basic thing this helps with is if one of your staging or development servers for the site is accidentally exposed to the internet, if their HTML has canonical links pointing to the real domain then search engines won't think they're separate sites with the same content)
  • set up Google Search Console to index URLs at https:// instead of http://. (As of earlier this year, Search Console still doesn't really "know" about https and requires you to set up http and https as though they're two different web sites and do some weird custom stuff to indicate that https is the preferred one.)

posted by XMLicious at 1:04 PM on August 3, 2018
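A way to check the TLS, HSTS and canonical-link items from the list above against a fetched page, as an added example that is not from this thread; the domain name, sample headers and sample HTML are constructed stand-ins.

```python
# Added example, not code from the thread: audit a page's HTTPS, HSTS and
# canonical-link posture from a captured response. Domain and samples are constructed.
from html.parser import HTMLParser
from urllib.parse import urlparse

REAL_DOMAIN = "newsite.example.edu"  # assumed stand-in for the org's real domain
SAMPLE_HEADERS = {"Strict-Transport-Security": "max-age=300"}  # constructed: weak staging copy
SAMPLE_HTML = '<head><link rel="canonical" href="http://staging.example.edu/"></head>'


class CanonicalFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []  # href of every <link rel="canonical"> seen

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and (a.get("rel") or "").lower() == "canonical" and a.get("href"):
            self.hrefs.append(a["href"])


def parse_hsts(value):
    """Split a Strict-Transport-Security header into lower-cased directives."""
    parts = (p.strip().partition("=") for p in value.split(";") if p.strip())
    return {n.lower(): v.strip().strip('"') for n, _, v in parts}


def audit(url, headers, html, real_domain=REAL_DOMAIN):
    """Return findings for one fetched page; an empty list means it passes."""
    findings = []
    hdrs = {k.lower(): v for k, v in headers.items()}
    if urlparse(url).scheme != "https":
        findings.append("served over http, not https")
    hsts = hdrs.get("strict-transport-security")
    if hsts is None:
        findings.append("no HSTS header")
    else:  # "all the way up": one-year max-age, subdomains covered, preload-eligible
        d = parse_hsts(hsts)
        if int(d.get("max-age", "0")) < 31536000:
            findings.append("HSTS max-age below one year")
        for key, name in (("includesubdomains", "includeSubDomains"), ("preload", "preload")):
            if key not in d:
                findings.append(f"HSTS missing {name}")
    finder = CanonicalFinder()
    finder.feed(html)
    if not finder.hrefs:
        findings.append("no canonical link element")
    for href in finder.hrefs:
        p = urlparse(href)
        if p.scheme != "https" or p.hostname != real_domain:
            findings.append(f"canonical is not https on {real_domain}: {href}")
    return findings
```

Run `audit()` over each page of the real site and of any staging host; a staging copy whose canonical link points at itself will show up as the last finding.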
