Ask HN: How to deal with someone ripping off your design?
74 points by hirokitakeuchi on March 13, 2013 | 69 comments
We recently noticed that two websites have recently ripped off the design, code and copy of our site, gocardless.com.

How did we notice? We started getting Sentry errors as they had even gone so far as to rip our JS files!

Before we get in touch with them, we wondered if anyone had any tips on getting these guys to stop.

Sites in question:

http://secure-broker-online.eu/

http://resinternationalgroup.com/




It's actually quite easy: Find their host and, if they're in the US, issue a DMCA notification:

   $ dig resinternationalgroup.com

   ;; ANSWER SECTION:
   resinternationalgroup.com. 18788 IN	A 66.206.15.100

   $ dig -x 66.206.15.100

   ;; ANSWER SECTION:
   100.15.206.66.in-addr.arpa. 3600 IN PTR cpanel.siteplot.com.

Send the email over to support@siteplot.com. If that doesn't work, go up to their datacenter:

   $ whois 66.206.15.100

   ...
   OrgAbuseHandle: NETWO5887-ARIN
   OrgAbuseName:   Network Admin
   OrgAbusePhone:  +1-509-209-8000
   OrgAbuseEmail:  network@cyber-world.com
   OrgAbuseRef:    http://whois.arin.net/rest/poc/NETWO5887-ARIN
   ...

Email it over to network@cyber-world.com or support@cyber-world.com.

Here's a good template from Scribd: http://support.scribd.com/entries/22980-DMCA-copyright-infri...


They seem to be in Europe though... what happens in that case?


It's still a copyright violation; the DMCA, as mentioned above, is (iirc) more related to sharing of copyrighted materials on websites that host user-generated content (such as copyrighted videos on youtube or copyrighted visuals or code on github). The DMCA doesn't apply or need to be mentioned here, as the pre-DMCA copyright laws already cover this.


The copyright violation is coming from a server hosted in the US, so it's subject to US laws.

It would be the same if I took a DVD from the US that doesn't have a copyright in another country, went to that country to copy it, and then tried to sell it back in the US. It doesn't matter where I'm making the copy, it matters where I'm distributing it.


Hopefully they will just honour DMCA regardless.

They probably rip off designs in the hope that they won't get found out. As soon as it looks like a hassle they will hopefully just move to ripping off someone else.


Even if they aren't in the US, the majority of hosts will still accept DMCAs.


That would be an abuse of the DMCA since it's just a design (see Flat-Ui).


No.

This is directly using (even hotlinking some assets) the OP's copyrighted materials.

FlatUI had 3 icons that were "similar"[1] to icons in LayerVault. There wasn't any clear copying of assets.

[1] for some values of similar, including "not similar".


Oh, the hotlinking of assets is murder waiting to happen. Show him whatfor!


The hotlinking is caused by a straight-up copy of OP's JS files. This is a pretty clear cut case of copyright infringement - a DMCA takedown is not abusive here.


Yes, hotlinking assets is exploitable! Someone could really have fun with that for a few weeks.


Is hotlinking copyrighted materials illegal?


That doesn't really matter in this case - the fact that the HTML references assets that are on the OP's site is pretty conclusive proof that this is a direct copy, rather than an "inspired design" or convergent evolution.


FlatUI was inspired by another website. In this case, both websites seem to have copied all the assets up to the javascript from gocardless since they received sentry notifications.


If they do the same design, but using different bits, they're not copying. But yes, they copied the design, files and everything, this changes the rules of the game. Now you can sue them for that, but you cannot stop people from using the typography, colors and layout of any design, that's called style.

It's silly, the rip-off, made me laugh.


Not sure if you read the description provided. They ripped the source code as well, not just the design. That goes under copyright, as would copying someone's graphic assets. If it were using similar graphics or design, then yes, it isn't a copyright issue.


Why? They are stealing OP's copyrighted works and posting them on their website.


I'm going to bet that this is a setup for the phishing scam. Random addresses and phone numbers, fake endorsements, blatant design rip-off - it all points rather unambiguously at a quick-and-dirty attempt at creating a believable online presence. It could've been just a designer's "sketch" or a proof of concept for a client if it weren't for two clones. This indicates that this is a redundant setup, with possibly more clones floating around, but with the JS files fixed.

Your best bet would be to contact the hosting providers and say just that.

If this is indeed a part of the scam operation, you should also prepare yourselves for a website redesign, because if the scam gets on its way, then your visuals may end up being associated with the scammy websites rather than with your genuine business.


The secure broker website has already been flagged by my work firewall as a phishing site.


Phishing scam websites spend a lot of effort to fake their website.. amazed.


I'd stop worrying about it and concentrate your energies elsewhere. By thinking about stuff like this you're focussing less on your own product, which is the important thing. If people are copying you, then you're most likely ahead of the competition anyway.


Given that they just did a big upgrade that has broken their API I would agree, and we're one of their biggest fans and customers!


There is something fishy here.

The Secure Broker Online company is not registered with Companies House in the UK.

The Kensington Gardens Square street address is that of a hotel and the CA address looks fake too from StreetView.

I would guess somebody's nicked your design to create a fake portfolio for a CV, or it's being used for fraud.


Also the address of Tofman Energy Services ... ? http://www.tofmannenergyservices.info/Contact%20Us.html


It appears the phone number they use is also the number for the Phoenix Hotel that uses that address.


Just add this to your JavaScript onload (and replace "yourdomain", of course):

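    // Send visitors to the real site if this script runs on any other host.
    var host = window.location.hostname;
    if (host !== "yourdomain.com" && !/\.yourdomain\.com$/.test(host)) {
      window.location.href = "http://yourdomain.com";
    }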


The question would be if they just grabbed a static snapshot of the site and are using that or if they are actually still pointing back to some of the stolen site's files. If they are pointing back to the stolen site's JavaScript files then yes it would be very easy to redirect the traffic back to their site. Given that the code resides on their server they are completely within their rights to do so as well. I would also minify the JavaScript file as well, so the change is not immediately apparent to them. Make them work to figure out why the code they have stolen is not working.


...unless they copied the JS files instead of linking to them directly, of course. Note to self: add remote self-destruct function within any JS I ship.


Second note: Make it time delayed (set statically to something like 2 weeks from compile time). Then, when they use the script in development it works, but in 1-2 weeks it breaks in their production site. Otherwise, they will just find out why it isn't working and remove the self-destruct function.


I think a better approach would be to change your HTML files and link them to a newer version of the JavaScript files. But in the old JavaScript, add virus code that blanks the page or shows some kind of notice.


You just linked to a domain registrar, please use example.com in examples.


I'm having a hard time trying to picture people on HN reading the comment and thinking "cool! yourdomain.com! I wonder what's in there!"


OT, but I'd like to suggest an improvement in your FAQ:

> Who is GoCardless for?

> Anyone can use GoCardless...

As far as I can tell from the rest of the website, you are a UK startup, and your service is useless to Taifusi in Samoa or Raj in Bangladesh.


The classic counter-punch to resource linking is to make some of the resource grabs dynamic based on the referrer. I remember one site host who realized someone was using his images for avatars on various forums, and changed the contents to p0rn.


You've got to be really careful when doing something like this. Basing the decision to display porn to users based on the value of the referrer (or any technical factor for that matter) is asking for trouble. Valid visitors' browsers should send your site as the referrer, but what if your check fails and a legitimate user is shown porn instead? What if you introduce a bug that causes many, or all, of your users to see porn instead of the intended content?

Serving porn from a business oriented domain is never an option, IMO.

It sucks when someone rips off your content, but you have to carefully evaluate the real impact it has on your business, not just the emotional impact that it has on your sense of ownership.


I agree, doesn't have to be p0rn; just the example I remember.


The less offensive form of this kind of hotlinking prevention is to provide a small-sized image with the URL of the website it was taken from, or a hotlinking notification, not pr0n unless you want to offend unsuspecting visitors. The person that hotlinks an image for usage as a forum avatar won't even realize it most of the time because his browser cache kicks in.


IIRC, other users on the forum started complaining that the offending user was using pr0n, he (or the forum owner) then complained to the person from whom content was being leeched who promptly told them to suck it.


Add a check to the javascript files for those domains, then have it execute a while(1);.

This is semantically the same as what Google does with their JSON responses [1]

[1] - http://stackoverflow.com/questions/2669690/why-does-google-p...


Nope, it's not the same. Google doesn't check for the domain; Google does this to prevent cross site scripting. (Accessing the JSON as a JavaScript file).

The OP doesn't have a JSON, he has a JavaScript file.


The other comments already indicate it's a fake, so I wouldn't worry about it too much. I myself would have some fun with the JavaScript files that they're hotlinking; have it break the website or do something funny (cornify). They have no reason to complain. And I'd ask them if they could stop copying my website (perhaps propose a reasonable time, like a month, but do nothing afterwards). Then I'd let it be.


I actually set up a quick Heroku deploy to help identify when people are downloading our code and running it on a different domain than ours (just sends us an email). Most of the reckless folks stealing our stuff don't identify the little bit of JavaScript I've thrown in there, and we get a lot of these alerts. It also sends us the domain the code is running on. Of course, we aren't worried as much about localhost.

The JS also replaces the content on the page, and shows a "you shouldn't be doing this" kind of alert; we've had a TON of hits on this. It happens literally daily.

We have yet to file for DMCA takedown - good plan for those who are legit stealing.

However: I have a strong opinion on these things.

Specifically, if people are stealing your stuff, see what you can do to innovate past them. Ideas will always be stolen; edge and innovation can't be stolen.

Sometimes it's legit to call people out. Sometimes DMCA takedowns are needed. Sometimes, it's time to man up and beat the system. One step ahead, and all that jazz.
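The off-domain alert described in the comment above, as an added example; it is not the commenter's code. `ALLOWED_HOSTS`, `REPORT_URL` and the function names are assumptions, and the host match is done on a label boundary so that lookalike hosts are reported instead of passing a substring check.

```javascript
// Added example, not code from the thread. ALLOWED_HOSTS and REPORT_URL are
// placeholders (assumptions); point REPORT_URL at a collector you run.
const ALLOWED_HOSTS = ["example.com"];
const REPORT_URL = "https://canary.example.com/report";

// Lower-case and strip one trailing dot ("example.com." is a valid spelling).
function normaliseHost(host) {
  return String(host || "").toLowerCase().replace(/\.$/, "");
}

// True for an allowed domain or any of its subdomains. The suffix must start
// at a label boundary, so "example.com.evil.test" and "notexample.com" fail,
// although both would pass an indexOf("example.com") check.
function isOwnHost(host, allowed = ALLOWED_HOSTS) {
  const h = normaliseHost(host);
  return allowed.some((d) => h === d || h.endsWith("." + d));
}

// Development copies and file:// loads (empty hostname) are expected noise.
function isLocalHost(host) {
  const h = normaliseHost(host);
  return (
    h === "" || h === "localhost" || h.endsWith(".localhost") ||
    h === "127.0.0.1" || h === "[::1]"
  );
}

// Takes a location-like object ({hostname, href}). Returns null when nothing
// should be reported, otherwise the beacon URL to request.
function canaryUrl(loc, allowed = ALLOWED_HOSTS) {
  if (isOwnHost(loc.hostname, allowed) || isLocalHost(loc.hostname)) return null;
  const query = new URLSearchParams({
    host: normaliseHost(loc.hostname),
    page: String(loc.href || "").slice(0, 512), // cap what we send
  });
  return REPORT_URL + "?" + query.toString();
}

// Browser-only part: one GET beacon per page load, no CORS needed.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  const url = canaryUrl(window.location);
  if (url) new Image().src = url;
}
```

The collector only needs to log the `host` and `page` parameters; those hostnames are what a takedown notice to the hosting provider would cite.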


Any particular reason why you've been repeatedly targeted by such individuals? Some of them could be related and if targeted might cease abusing your code.


Well - it probably has to do with the fact that the site was featured on awwwards.com and a few other CSS-gallery type sites. Not 100% sure, though; the attention comes from all over the place.


Send them a cease and desist letter - you can find free templates online (http://www.free-legal-document.com/copyright-cease-and-desis... is one I just found).

The more professional you can make it look the better chance you won't have to resort to a solicitor.


You don't have to necessarily resort to a solicitor/lawyer in this scenario. If they are using your exact HTML/CSS/JavaScript and don't quickly respond and/or comply, you can always file a DMCA takedown notice:

http://www.smashingmagazine.com/2009/12/18/my-website-design...

Most hosts will quickly take down the website, giving you a cost-effective way to stop the issue. However I'd strongly encourage you to pursue a more friendly approach first, to give them a chance to do the right thing. (The site owner may not be the one who actually stole the design.)


I'll add that if they're a legitimate site they'll be mortified but if they're an illegitimate site, they'll quickly move to open up shop somewhere else.

That said, if they're costing you money because of your sentry issues or causing you support issues that you can document, you have just cause for a lot of actions.


If/when that doesn't get a response (if they stole a design, who says they'll honor a C&D?), contact their web host.


You can prevent hotlinking of your JS and CSS files using your server config (for instance, in .htaccess on Apache). That will make it harder but it won't stop them copying the files locally. Lots of tutorials to prevent this are a quick Google away. You could even serve up an alternate CSS file for offenders that warns them from hotlinking your resources by prepending something to the body tag that is styled like a massive warning box and hiding everything else.
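The referrer check discussed in this thread (serve a notice to pages that hotlink an asset), written as a Node.js request handler instead of Apache config; this is an added example, not code from any commenter. `OWN_HOSTS`, `NOTICE_SVG` and the function names are assumptions, and a missing or malformed `Referer` is treated as a normal visitor so that a failed check never changes what legitimate users see.

```javascript
// Added example, not code from the thread. OWN_HOSTS and NOTICE_SVG are
// assumptions made for illustration.
const OWN_HOSTS = ["example.com", "www.example.com"];
const NOTICE_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg" width="200" height="40">' +
  '<text x="4" y="24" font-size="12">Image from example.com</text></svg>';

// Classify a Referer header value:
//   "own"     - the request comes from one of our own pages
//   "unknown" - header absent or unparseable (privacy tools, direct loads)
//   "foreign" - a page on another host embeds the asset
function classifyReferer(referer, ownHosts = OWN_HOSTS) {
  if (!referer) return "unknown";
  let host;
  try {
    host = new URL(referer).hostname; // the URL parser lower-cases the host
  } catch (e) {
    return "unknown"; // malformed header: fail open
  }
  return ownHosts.includes(host) ? "own" : "foreign";
}

// Handler in the (req, res) shape of Node's http module.
// asset = { type, body } is the real file, already loaded by the caller.
function serveAsset(req, res, asset, ownHosts = OWN_HOSTS) {
  const verdict = classifyReferer(req.headers.referer, ownHosts);
  const foreign = verdict === "foreign";
  res.writeHead(200, {
    "Content-Type": foreign ? "image/svg+xml" : asset.type,
    // The answer depends on Referer, so shared caches must key on it.
    "Vary": "Referer",
    "Cache-Control": foreign ? "no-store" : "public, max-age=86400",
  });
  res.end(foreign ? NOTICE_SVG : asset.body);
  return verdict;
}
```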


The business problem isn't the ripoff, it's the fraud in your business space of easy online direct debit set ups. If lots of fraudsters set up in this area with convincing sites, your customers' customers will worry about providing their bank details. Suggest talking to your sponsoring direct debit bank about shutting the fraudulent sites down. Or you could report to actionfraud.police.uk but I suspect your bank has better connections.


Here is my suggestion:

1. Send a DMCA notice [https://news.ycombinator.com/item?id=5367936].

2. Blank their page with JavaScript. While it's legal to redirect the traffic to your site (it's YOUR JavaScript and there are no Terms for its use), you'll probably mislead people and make them think that you are the phishing site. Not worth it, in my opinion.


Use the "is this my domain" JavaScript trick and then remove all elements from the DOM. Better yet, location.href them somewhere else.


I'm guessing that the traffic from this will alert them pretty soon so either way you'll want to take action quickly, Hiroki.

Might be fun to hellban them, alter your JS to show visitors nothing when they visit their sites. Won't last for long but if you only do that for visitors with fewer than 3 visits then it'll take them a little while to figure it out.


I'm not sure about the legality of this option, nor the alternative I'd suggest. Instead of hellbanning their site, try redirecting their traffic to your own site.


I notice they're using eBay, AutoTrader and Gumtree logos. Don't know about the other two, but have known AutoTrader come down like a ton of bricks on muppets who abuse their brand - dob 'em in!

(Although if they are as shady as they look, there may not be an entity to come down like a ton of bricks on - this looks like fraud to me)


More brand abuse here: http://secure-broker-online.eu/company

The FSA, RBS and Wells Fargo might want to be aware of this, too.


CEO of Auto Trader might have something to say too http://secure-broker-online.eu/escrow-process


As a side note, where are those gray icons at the bottom coming from? I needed a light bulb like that on my last project, and ended up having to slap together something in Photoshop.


I would take comfort in knowing that the sign up form at http://resinternationalgroup.com/ is impossible to finish :-)


http://resinternationalgroup.com/ - Looks to have a live operator that you can talk to and ask questions as well?


I wonder if eBay, Autotrader and Gumtree might also be interested in throwing some weight behind this given how prominently their brands are featured on the landing page.


http://www.plagiarismtoday.com/ has all the information you need in notifying affiliates and filing a DMCA.


Well they do have a live chat on those two pages. Might as well make use of it! Or you could contact their live chat provider and mention the copying. They might care.


First time I've seen this use-case for Sentry :)

(I didn't actually see Sentry within the source code, was I missing something?)


Secure Broker Online: 1-8 Kensington Gardens Square , London, W2 4BH

Knock on their door and ask them directly.


Seeing as the two rip-offs are seemingly the same 'service' and yet have very different addresses, I suspect the addresses are fake.


It appears you're right. The address above is actually the Phoenix Hotel.


It's simple. Make money off your idea before they do. Good luck!


Submit a DMCA takedown notice. And blog about how mean people are when they complain about it.



