How to Protect Your Business from Website Cloning / Mirroring
Your business may be a mundane B2B business like ours, and you may think that you do not have to protect your website from attacks like cloning. You would be wrong. Eventually, your site may get cloned; it happened to us. This could be done by
- attackers trying to steal your traffic
- your competitors
- 3rd parties who may not like what you publish
We explain our experience, how cloning works, LLMs‘ impact on cloning, and how to protect yourself once it happens:
We learnt about cloning by getting cloned
Someone bought a misleading domain name that looks similar to ours and mirrored our entire website.
Now the mirror website is down, but you can see a screenshot below.
The domain was bought about a month after we published an article about a crypto project. It could be due to that article or another reason:
This was unethical and incompetent. All we needed to do was:
- Look up the new website’s IP
- Block it via Cloudflare
Why do attackers clone websites?
The aim is to steal traffic. Search engines may redirect your traffic to clones, which clone operators can monetize through ad networks like Google Ads. Alternatively, they could modify the clone to mislead your readers by inserting their own content.
How does cloning work?
Attackers can use a variety of tools (e.g., HTTrack) to create a copy of your website. This copy may be dynamically updated, which was the case in our attack.
What can you do against it?
As usual, we will suggest defense in depth to ensure that cloners put in as much effort as possible with limited benefits. As a preventative measure, you should improve your capability to identify clones and make it easy for your users to identify your website:
- Link extensively between your own articles. The cloner may not change these links, which would mean that even visitors who arrive at the clone can click a link to arrive at your website. This helps you:
- Become aware of the clone through your website analytics solution, as you will see traffic from it. They will probably buy a domain name similar to yours, making it easy to notice.
- Win back your readers quickly after they arrive on the clone.
- Link between your different domains. It is trivial to read your links and replace the internal ones with URLs in the clone. However, if you own a website on a different domain, the cloner will likely not replace the links to that domain and will instead warn you about the clone.
- Invest in your branding. The more memorable your logo, font choices, and visual layout of your website, the better your readers will remember it. Therefore, they may be less likely to be confused by cloners when they arrive at a domain that is different than yours that includes your material.
These help you identify as soon as you get cloned. Here is how to deal with a clone when you discover one:
- Try to block it from crawling your website. These are worth trying, but will not stop sophisticated cloners, so do not spend too much time on these steps:
- Make a trivial change on your website and check the clone to see how frequently they refresh their clone. If it is a static clone, move to the second step, as there is not much you can do to take it down via technical measures. If it is a dynamic clone
- Discover the IP of the clone website. There are numerous free online tools for that.
- Block its IP if it is regularly crawling your website. However, if the crawler is based on another server, this may not work. Then, it may be worth looking at IPs that regularly crawl your website and block them. Of course, you do not want to block legitimate users or search engine bots, so tread with caution in blocking.
- Make a trivial change on your website and check the clone to see how frequently they refresh their clone. If it is a static clone, move to the second step, as there is not much you can do to take it down via technical measures. If it is a dynamic clone
- Contact every provider the clone website relies on, including its domain provider, host, or CDN. Send them a take-down request and clearly explain the attack. Sharing your copyright and trademarks along with the take-down request will expedite the process.
How will LLMs change website cloning?
Our website was copied verbatim, but now bad actors can easily change these as they copy your website:
- The wording and images on your website are using generative AI
- The internal links use simple rules
Such clones would be extremely difficult to detect, and they could easily claim that what they created is a novel website, not a copy. Probably the only remaining defense is to ensure that your brand is recognized in its domain.
Hope that was useful! We usually write about AI; feel free to explore AI use cases in business.
Cem's work has been cited by leading global publications including Business Insider, Forbes, Washington Post, global firms like Deloitte, HPE and NGOs like World Economic Forum and supranational organizations like European Commission. You can see more reputable companies and resources that referenced AIMultiple.
Throughout his career, Cem served as a tech consultant, tech buyer and tech entrepreneur. He advised enterprises on their technology decisions at McKinsey & Company and Altman Solon for more than a decade. He also published a McKinsey report on digitalization.
He led technology strategy and procurement of a telco while reporting to the CEO. He has also led commercial growth of deep tech company Hypatos that reached a 7 digit annual recurring revenue and a 9 digit valuation from 0 within 2 years. Cem's work in Hypatos was covered by leading technology publications like TechCrunch and Business Insider.
Cem regularly speaks at international technology conferences. He graduated from Bogazici University as a computer engineer and holds an MBA from Columbia Business School.
Be the first to comment
Your email address will not be published. All fields are required.