
Ask HN: How to deal with someone ripping off your design? - hirokitakeuchi
We recently noticed that two websites have recently ripped off the design, code and copy of our site, gocardless.com.

How did we notice? We started getting Sentry errors as they had even gone so far as to rip our JS files!

Before we get in touch with them, we wondered if anyone had any tips on getting these guys to stop.

Sites in question:

http://secure-broker-online.eu/
http://resinternationalgroup.com/
======
timdorr
It's actually quite easy: Find their host and, if they're in the US, issue a
DMCA notification:

    
    
       $ dig resinternationalgroup.com
    
       ;; ANSWER SECTION:
       resinternationalgroup.com. 18788 IN	A 66.206.15.100
    
       $ dig -x 66.206.15.100
    
       ;; ANSWER SECTION:
       100.15.206.66.in-addr.arpa. 3600 IN PTR cpanel.siteplot.com.
    

Send the email over to support@siteplot.com. If that doesn't work, go up to
their datacenter:

    
    
       $ whois 66.206.15.100
    
       ...
       OrgAbuseHandle: NETWO5887-ARIN
       OrgAbuseName:   Network Admin
       OrgAbusePhone:  +1-509-209-8000
       OrgAbuseEmail:  network@cyber-world.com
       OrgAbuseRef:    http://whois.arin.net/rest/poc/NETWO5887-ARIN
       ...
    

Email it over to network@cyber-world.com or support@cyber-world.com.

Here's a good template from Scribd:
<http://support.scribd.com/entries/22980-DMCA-copyright-infringement-takedown-notification-template>

~~~
escaped_hn
That would be an abuse of the DMCA since it's just a design (see Flat-Ui).

~~~
DanBC
No.

This is directly using (even hotlinking some assets) the OP's copyrighted
materials.

FlatUI had 3 icons that were "similar"[1] to icons in LayerVault. There wasn't
any clear copying of assets.

[1] for some values of similar, including "not similar".

~~~
Beltiras
Oh, the hotlinking of assets is murder waiting to happen. Show him what for!

~~~
potatolicious
The hotlinking is caused by a straight-up copy of OP's JS files. This is a
pretty clear cut case of copyright infringement - a DMCA takedown is not
abusive here.

------
huhtenberg
I'm going to bet that this is a setup for the phishing scam. Random addresses
and phone numbers, fake endorsements, blatant design rip-off - it all points
rather unambiguously at a quick-and-dirty attempt at creating a believable
online presence. It could've been just a designer's "sketch" or a proof of
concept for a client if it weren't for _two_ clones. This indicates that this
is a redundant setup, with possibly more clones floating around, but with the
JS files fixed.

Your best bet would be to contact the hosting providers and say just that.

If this is indeed a part of the scam operation, you should also prepare
yourselves for a website redesign, because if the scam gets on its way, then
your visuals may end up being associated with the scammy websites rather than
with your genuine business.

~~~
pc86
The secure broker website has already been flagged by my work firewall as a
phishing site.

------
stuartmemo
I'd stop worrying about it and concentrate your energies elsewhere. By
thinking about stuff like this you're focussing less on your own product,
which is the important thing. If people are copying you, then you're most
likely ahead of the competition anyway.

~~~
dabeeeenster
Given that they just did a big upgrade that has broken their API I would
agree, and we're one of their biggest fans and customers!

------
ratherbefuddled
There is something fishy here.

The Secure Broker Online company is not registered with Companies House in the
UK.

The Kensington Gardens Square street address is that of a hotel and the CA
address looks fake too from StreetView.

I would guess somebody's nicked your design to create a fake portfolio for a
CV, or it's being used for fraud.

~~~
minikomi
Also the address of Tofman Energy Services ... ?
<http://www.tofmannenergyservices.info/Contact%20Us.html>

------
charliepark
Just add this to your JavaScript onload (and replace "yourdomain", of course):

    
    
        // Redirect when the page is not served from yourdomain.com or a subdomain.
        if (!/(^|\.)yourdomain\.com$/.test(window.location.hostname)) {
          window.location.href = "http://yourdomain.com";
        }

~~~
Mahn
...unless they copied the JS files instead of linking to them directly, of
course. Note to self: add remote self-destruct function within any JS I ship.

~~~
benmanns
Second note: Make it time delayed (set statically to something like 2 weeks
from compile time). Then, when they use the script in development it works,
but in 1-2 weeks it breaks in their production site. Otherwise, they will just
find out why it isn't working and remove the self-destruct function.

------
markdown
OT, but I'd like to suggest an improvement in your FAQ:

> Who is GoCardless for?

> Anyone can use GoCardless...

As far as I can tell from the rest of the website, you are a UK startup, and
your service is useless to Taifusi in Samoa or Raj in Bangladesh.

------
sageikosa
The classic counter-punch to resource linking is to make some of the resource
grabs dynamic based on the referrer. I remember one site host who realized
someone was using his images for avatars on various forums, and changed the
contents to p0rn.

~~~
bradleyland
You've got to be _really_ careful when doing something like this. Basing the
decision to display porn to users based on the value of the referrer (or any
technical factor for that matter) is asking for trouble. Valid visitors'
browsers _should_ send your site as the referrer, but what if your check fails
and a legitimate user is shown porn instead? What if you introduce a bug that
causes many, or all, of your users to see porn instead of the intended
content?

Serving porn from a business oriented domain is never an option, IMO.

It sucks when someone rips off your content, but you have to carefully
evaluate the _real_ impact it has on your business, not just the emotional
impact that it has on your sense of ownership.

~~~
sageikosa
I agree, doesn't have to be p0rn; just the example I remember.

------
testing12341234
Add a check to the javascript files for those domains, then have it execute a
while(1);.

This is semantically the same as what Google does with their JSON responses [1]

[1] - <http://stackoverflow.com/questions/2669690/why-does-google-prepend-while1-to-their-json-responses>

~~~
csomar
Nope, it's not the same. Google doesn't check for the domain; Google does this
to prevent cross site scripting. (Accessing the JSON as a JavaScript file).

The OP doesn't have a JSON, he has a JavaScript file.

------
lucb1e
The other comments already indicate it's a fake, so I wouldn't worry about it
too much. I myself would have some fun with the Javascript files that they're
hotlinking; have it break the website or do something funny (cornify). They
have no reason to complain. And I'd ask them if they could stop copying my
website (perhaps propose a reasonable time, like a month, but do nothing
afterwards). Then I'd let it be.

------
jcutrell
I actually set up a quick Heroku deploy to help identify when people are
downloading our code and running it on a different domain than ours (just
sends us an email). Most of the reckless folks stealing our stuff don't
identify the little bit of JavaScript I've thrown in there, and we get a lot
of these alerts. It also sends us the domain the code is running on. Of
course, we aren't worried as much about localhost.

The JS also replaces the content on the page, and shows a "you shouldn't be
doing this" kind of alert; we've had a TON of hits on this. It happens
literally daily.

We have yet to file for DMCA takedown - good plan for those who are legit
stealing.

However: I have a strong opinion on these things.

Specifically, if people are stealing your stuff, see what you can do to
innovate past them. Ideas will always be stolen; edge and innovation can't be
stolen.

Sometimes it's legit to call people out. Sometimes DMCA takedowns are needed.
Sometimes, it's time to man up and beat the system. One step ahead, and all
that jazz.
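
An off-domain check of the kind described in this comment, using the exact-hostname matching that a substring test such as `indexOf("yourdomain.com")` (suggested earlier in the thread) lacks. This is an added example, not jcutrell's or charliepark's code; `yourdomain.com`, the `/clone-report` endpoint and every function name are assumptions.

```javascript
// Added example. ALLOWED_HOSTS, REPORT_URL and all function names are assumptions.
const ALLOWED_HOSTS = ["yourdomain.com"];                    // placeholder for the real site
const LOCAL_HOSTS = ["localhost", "127.0.0.1", "[::1]", ""]; // "" = file:// pages
const REPORT_URL = "https://yourdomain.com/clone-report";    // hypothetical endpoint

// True only for an allowed host or one of its subdomains. A substring test
// would also accept "yourdomain.com.example.net" and "notyourdomain.com".
function isOwnHost(hostname) {
  const host = String(hostname).toLowerCase().replace(/\.$/, "");
  return ALLOWED_HOSTS.some((d) => host === d || host.endsWith("." + d));
}

// Classify where the script is running: "own", "local" (developer machines,
// not worth an alert) or "foreign" (a copy served from someone else's domain).
function classifyHost(hostname) {
  const host = String(hostname).toLowerCase();
  if (isOwnHost(host)) return "own";
  if (LOCAL_HOSTS.includes(host)) return "local";
  return "foreign";
}

// Build the report for a foreign host, or return null when nothing should be
// sent. Only the host and path are included, never the query string.
function buildCloneReport(loc, now = new Date()) {
  if (classifyHost(loc.hostname) !== "foreign") return null;
  return { host: loc.hostname, path: loc.pathname, seen: now.toISOString() };
}

// Browser-only entry point: send the report without blocking page load.
if (typeof window !== "undefined" && typeof navigator !== "undefined") {
  const report = buildCloneReport(window.location);
  if (report && navigator.sendBeacon) {
    navigator.sendBeacon(REPORT_URL, JSON.stringify(report));
  }
}
```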

~~~
ameen
Any particular reason why you've been repeatedly targeted by such individuals?
Some of them could be related and if targeted might cease abusing your code.

~~~
jcutrell
Well - it probably has to do with the fact that the site was featured on
awwwards.com and a few other CSS-gallery type sites. Not 100% sure, though;
the attention comes from all over the place.

------
Tzunamitom
Send them a cease and desist letter - you can find free templates online
(<http://www.free-legal-document.com/copyright-cease-and-desist.html>
is one I just found).

The more professional you can make it look the better chance you won't have to
resort to a solicitor.

~~~
kanamekun
You don't have to necessarily resort to a solicitor/lawyer in this scenario.
If they are using your exact HTML/CSS/JavaScript and don't quickly respond
and/or comply, you can always file a DMCA takedown notice:

<http://www.smashingmagazine.com/2009/12/18/my-website-design-was-stolen-now-what/>

Most hosts will quickly take down the website, giving you a cost-effective way
to stop the issue. However I'd strongly encourage you to pursue a more
friendly approach first, to give them a chance to do the right thing. (The
site owner may not be the one who actually stole the design.)

~~~
wheaties
I'll add that if they're a legitimate site they'll be mortified but if they're
an illegitimate site, they'll quickly move to open up shop somewhere else.

That said, if they're costing you money because of your sentry issues or
causing you support issues that you can document, you have just cause for a
lot of actions.

------
hellweaver666
You can prevent hotlinking of your JS and CSS files using your server config
(for instance, in .htaccess on Apache). That will make it harder but it won't
stop them copying the files locally. Lots of tutorials to prevent this are a
quick Google away. You could even serve up an alternate CSS file for offenders
that warns them from hotlinking your resources by prepending something to the
body tag that is styled like a massive warning box and hiding everything else.
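
The Referer rule described in this comment, written as a Node.js decision function rather than Apache config, and failing open when the header is missing so that the legitimate-visitor problem raised earlier in the thread does not arise. This is an added example, not code from the thread; `yourdomain.com` and the function names are assumptions.

```javascript
// Added example. OWN_HOSTS and the function names are assumptions.
const OWN_HOSTS = ["yourdomain.com"]; // placeholder for the real site

// Host named by the Referer header: null if the header is absent,
// undefined if it is present but not a parseable URL.
function refererHost(header) {
  if (!header) return null;
  try {
    return new URL(header).hostname.toLowerCase();
  } catch (e) {
    return undefined;
  }
}

// Decide what to do with a request for a static asset (JS/CSS).
// "serve": our own page, or no usable Referer (privacy settings and proxies
//          strip the header, so real visitors must not be broken by its absence).
// "deny":  the Referer names a host that is not ours, i.e. a hotlink.
function hotlinkDecision(header) {
  const host = refererHost(header);
  if (host === null || host === undefined) return "serve";
  const own = OWN_HOSTS.some((d) => host === d || host.endsWith("." + d));
  return own ? "serve" : "deny";
}

// Request handler for one asset; req and res are Node http objects.
function handleAsset(req, res, body) {
  res.setHeader("Vary", "Referer"); // keep caches from mixing the two answers
  if (hotlinkDecision(req.headers.referer) === "deny") {
    res.writeHead(403, { "Content-Type": "text/plain" });
    return res.end("hotlinking not permitted");
  }
  res.writeHead(200, { "Content-Type": "application/javascript" });
  return res.end(body);
}

// Wiring, left commented out so the file can be loaded without opening a port:
// require("http").createServer((q, s) => handleAsset(q, s, "/* asset */")).listen(8080);
```

Because the rule fails open, it only stops hotlinking from browsers that send a Referer; it does nothing about files copied to the other site's own server.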

------
xhedley
The business problem isn't the ripoff, it's the fraud in your business space
of easy online direct debit set ups. If lots of fraudsters set up in this area
with convincing sites, your customers' customers will worry about providing
their bank details. Suggest talking to your sponsoring direct debit bank about
shutting the fraudulent sites down. Or you could report to
actionfraud.police.uk but I suspect your bank has better connections.

------
csomar
Here is my suggestion:

1\. Send a DMCA notice [<https://news.ycombinator.com/item?id=5367936>].

2\. Blank their page with JavaScript. While it's legal to redirect the traffic
to your site (it's YOUR JavaScript and there are no Terms for its use), you'll
probably mislead people and make them think that you are the phishing site.
Not worth it, in my opinion.

------
cwisecarver
Use the "is this my domain" javascript trick and then remove all elements from
the DOM. Better yet, location.href them somewhere else.

------
petenixey
I'm guessing that the traffic from this will alert them pretty soon so either
way you'll want to take action quickly, Hiroki.

Might be fun to hellban them, alter your JS to show visitors nothing when they
visit their sites. Won't last for long but if you only do that for visitors
with fewer than 3 visits then it'll take them a little while to figure it out.

~~~
solistice
I'm not sure about the legality of this option, nor the alternative I'd
suggest. Instead of hellbanning their site, try redirecting their traffic to
your own site.

------
glimmung
I notice they're using eBay, AutoTrader and Gumtree logos. Don't know about
the other two, but have known AutoTrader come down like a ton of bricks on
muppets who abuse their brand - dob 'em in!

(Although if they are as shady as they look, there may not be an entity to
come down like a ton of bricks on - this looks like fraud to me)

~~~
glimmung
More brand abuse here: <http://secure-broker-online.eu/company>

The FSA, RBS and Wells Fargo might want to be aware of this, too.

~~~
culshaw
CEO of Auto Trader might have something to say too
<http://secure-broker-online.eu/escrow-process>

------
ep103
As a side note, where are those gray icons at the bottom coming from? I needed
a light bulb like that on my last project, and ended up having to slap
together something in Photoshop.

------
andyhmltn
I would take comfort in knowing that the sign up form at
<http://resinternationalgroup.com/> is impossible to finish :-)

------
amarco
<http://resinternationalgroup.com/> - Looks to have a live operator that you
can talk to and ask questions as well?

------
jentulman
I wonder if Ebay, Autotrader and Gumtree might also be interested in throwing
some weight behind this given how prominently their brands are featured on the
landing page.

------
kmfrk
<http://www.plagiarismtoday.com/> has all the information you need in
notifying affiliates and filing a DMCA.

------
dquigley
Well they do have a live chat on those two pages. Might as well make use of
it! Or you could contact their live chat provider and mention the copying.
They might care.

------
zeeg
First time I've seen this use-case for Sentry :)

(I didn't actually see Sentry within the source code, was I missing
something?)

------
Peroni
Secure Broker Online: 1-8 Kensington Gardens Square, London, W2 4BH

Knock on their door and ask them directly.

~~~
kaolinite
Seeing as the two rip-offs are seemingly the same 'service' and yet have very
different addresses, I suspect the addresses are fake.

~~~
Peroni
It appears you're right. The address above is actually the Phoenix Hotel.

------
apeace
It's simple. Make money off your idea before they do. Good luck!

------
the1
Submit a DMCA takedown notice. And blog about how mean people are when they
complain about it.

