What to do if your online shop is attacked by criminals: an IT lawyer’s view.
In times of digitalization it is extremely attractive to offer your products online – this has several advantages. No sales room is needed, the offers are available around the clock and there are no annoying sales talks. Sounds good at first? Of course, it is! As long as there are no problems with the web shop…
A real life example of how an online shop can be hacked
Here’s what happened to one of our clients, who runs an online shop in Germany. The client was faced with complaints by angry customers who wanted to know where the ordered goods were which they had ordered through an online shop weeks and months ago. Completely surprised by this, our client had no record of such orders.
What had happened?
Fraudsters have picked our client’s online whop to completely rebuild his web shop in every detail. In other words: They cloned his online shop. The product descriptions, the product pictures and an extremely appealing layout were adopted. Even the imprint was taken over to give the impression that the company of our client operates the website here.
After the order process had been completed, the website – which of course had a completely different domain – displayed a summary of the order and immediately asked the customers to pay. Since the order entry seemed fully legitimate, many customers also promptly paid. It was not even surprising that the payments should be made via bank transfer and the IBAN did not start with DE (for Germany). In reality, of course, the money went to a bank account somewhere in the Baltic States, which had nothing to do with our client.
The customers, which had fallen for this online fraud, which had nothing to do with our client, were still mad at our client. Obviously, our client could not ignore this web shop identity theft.
But what is to be done in concrete terms in the event of such abuse?
First of all, a so-called Whois query should be carried out to find out who is behind the corresponding page. However, it is important to know that the information can be manipulated very easily in the context of a Whois query. What is not so easily manipulated is the registrar’s entry. Based on this information we were able to find out that the website is hosted in the USA.
Okay, but then how does this information help me?
With the information, i.e. who the registrar is, it is very easy to contact the website provider. Here we could quickly submit a so-called DMCA takedown request, so that the website is taken off the net.
Is such a DMCA takedown request enough to take a website off the net?
Usually, yes. This registrar was (to put it mildly) a particularly lazy registrar. This required the involvement of the U.S. registrar regulatory agency (ICANN).
What does ICANN do?
It is ICANN’s job to address these issues. After we filed the complaint, that is, the registrar did not move, we received a commitment within 96 hours that the problem would be addressed. With this trick, it is quite easy to get even the laziest registrar to deal with the problem.
Within four days after we contacted ICANN, the website was already offline.
Do I have to pay attention to anything in such a procedure?
Yes, there are many things to consider. For example, it should be clear how to write a DMCA takedown request. Also, it is to know what happens if the registrar is located in a country other than the USA (this is already much more complicated in Russia) and much more.
In such cases, it is strongly recommended to consult a lawyer experienced in IT law if you need or want to remove the website from the Internet quickly.
Especially in case of problems with a foreign registrar it is hardly possible to get the situation under control quickly without a lawyer – with appropriate experience.
If you have any questions about IT law, data protection, online commerce or other internet related legal issues, do not hesitate to contact German lawyer and IT law expert Stephan Hendel.
Having a Canadian family background, Stephan is fluent in English and is well aware of the different business mentalities of Anglo-American as well as German entrepreneurs. Our German and international clients appreciate Stephan’s pragmatic hands on approach.
Within the Cross-Channel-Lawyer network, Stephan is the expert for all legal matters surrounding IT, cyber law, data protection issues and compliance with German law.
For more on German business and corporate law see these posts:
- How to read a German Company Register Extract
- Company Forms in Germany: An Overview
- Pitfalls of German Contract Law and German Company Regulations (Part 1)
- Pitfalls of German Contract Law (Part 2)
- 3 Ways to Expand Your Business to Germany
- Establish a German Limited Company (GmbH): FAQ and Checklist
- What is a GmbH? The German Limited Liability Company explained
- What is a German “Mini GmbH” or “Unternehmergesellschaft”
- Checklist: Formation of a German Company. And then what?
- Buying a German Company: A quick Checklist
- When Starting a German Business: Don’t Forget the Trade Register Notification
- 10 Things to do when starting a German Business
- German Labour Law: Beware of Fictitious Self-Employment
- Brexit as a Business Opportunity for British SME’s
- German Business and Corporate Law Firm for British and US Clients