An apparent malicious website that is using Cloudflare for DNS is somehow redirecting to our Wordpress website which also uses Cloudflare.
The apparent malicious site is https://awellfashion.com and it is redirecting to our site https://jolynneshane.com. Every post and every comment posted on jolynneshane.com appears on awellfashion.com. Similarly, you can post a comment on the malicious awellfashion.com and it is coming over to our main site at jolynneshane.com.
Our jolynneshane.com site is hosted on wpengine and they have scanned the site and removed any malicious code they found but the issue still happens and seems to happen at a DNS level because the site is a live mirror.
Any thoughts? I did open an abuse/copyright ticket for notification to the domain provider but it seems like some kind of dns hack.
DNS cannot do what is happening here. The attacker is likely running a reverse proxy on their origin server that loads your site using their domain. If you have concerns about user accounts being targeted, which is a definite possibility, you might consider writing up a warning page about the imposter domain and link to the warning page prominently from your home page, and possibly any login pages. To avoid promoting the attacker’s domain, I would frame the message around instructing visitors to only use jolynneshane.com to access the site as anything else is not genuine and can put their security at risk.
Thanks for the response. I placed a DMCA takedown notice through Cloudflare and the site is now down. Before going down, it changed from cloning our site to cloning another blogger. I have not seen any security exposure to our site yet so still not sure how the site is being mirrored but I will review your reverse proxy suggestion.
While I’m sorry that you had to work through the scenario you shared with us, it made me aware of an attack vector that I had never considered. I am glad for your sake that they have moved on to another target. I wish I had thought of pushing some unique requests through their server sooner. That may have enabled you to locate their origin server. Of course they could also have been using multiple proxies to hide their origin. I hope you don’t experience anything similar in the future.
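The "unique requests" idea in the last reply is a log-correlation check the site owner can run on their own access logs: request a URL with a one-off token through the mirror domain, then look for which client fetched that token from the real origin. This is an added example, not code from the thread; the log lines, IPs and token are constructed, and it assumes a combined-format access log where the first field already holds the real client IP (behind Cloudflare that is the value of the CF-Connecting-IP header, not the TCP source).

```python
import re
from collections import Counter

# Combined log format (nginx/Apache style). Assumes the first field is the
# true client IP; with Cloudflare in front, configure the origin to log
# CF-Connecting-IP there, otherwise every line shows a Cloudflare edge IP.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample: 203.0.113.7 plays the mirror's origin server, which
# fetches every page (and relays the comment POST) on behalf of its visitors.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:12:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:12:00:02 +0000] "GET /2023/10/fall-outfits/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:12:00:03 +0000] "GET /2023/10/fall-outfits/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:12:00:04 +0000] "GET /?canary=7f3a9c HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:12:00:05 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:12:00:06 +0000] "GET /about/ HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
"""


def parse(log_text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def find_proxy_origin(log_text, canary):
    """Return {client_ip: total_requests} for every client that fetched the
    canary URL. A single IP that fetched the canary and also a large share of
    other pages is the mirror's origin (or its last hop, if it chains proxies)."""
    entries = list(parse(log_text))
    suspects = {e["ip"] for e in entries if canary in e["path"]}
    totals = Counter(e["ip"] for e in entries if e["ip"] in suspects)
    return {ip: totals[ip] for ip in suspects}


if __name__ == "__main__":
    # The token is whatever you appended when browsing via the mirror domain.
    print(find_proxy_origin(SAMPLE_LOG, "canary=7f3a9c"))
```

The resulting IP is what goes into the abuse report to that server's hosting provider; if the mirror chains several proxies, as the reply cautions, only the nearest hop is visible here.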