We’ve seen a lot of phishing notifications about bogus copyright infringement targeted at company employees. Attackers have also started to implement these attacks via website contact forms, which makes them seem more authentic than when using a cold email body. Also, emails including a contact form template are more likely to bypass spam filters and end up in an inbox.
The social engineering emotional trigger is the threat of consequences for not following instructions. These attacks threaten website owners or employees with legal action for alleged copyright infringement. We have seen attackers claiming to be professional photographers, licensed photographers, experienced photographers, illustrators and also qualified illustrators. Whatever the case, the attacker claims that they own images displayed on the accused website and thus the host of the site is infringing on their copyright.
The attackers then demand payment in order to avoid going to court. Links in these emails, which purportedly offer “evidence” of your copyright infringement, actually contain either trojans for installing malware on your system, or a redirect to a credential harvesting site.
What is the attacker’s goal and how are they trying to achieve it?
The attacker wants your information, your money, or both. Their first step is to scare victims into clicking the malicious link or downloading a document. This opens up a number of possibilities for the attacker: access to your device; encryption of files; spying on your activity; or stealing your information, as the link could redirect to a credential harvesting page that entices the victim to enter payment or login information, which all goes straight to the attacker. Most of the time we’re seeing these links redirect recipients to web services where the downloadable .zip file contains a JavaScript file called “Copyright Infringement Evidence.js”, which our analysis shows to be malicious (it could contain a backdoor trojan, for example, to give the attacker access to the victim’s computer).
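The delivery chain described above ends in a .zip that holds a script file. As an added example, not part of the original article or Hoxhunt's tooling, the following Python lists script or executable members of a downloaded archive by reading its directory only, without extracting anything; the extension list, lure words and function names are assumptions, and the sample archive is constructed.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed list: extensions Windows runs or hands to a script host on double-click.
RISKY_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta",
                    ".ps1", ".bat", ".cmd", ".lnk", ".scr", ".exe"}
# Lure words drawn from the file names described in the article.
LURE_WORDS = ("copyright", "infringement", "evidence", "stolen")


def triage_zip(data: bytes) -> list:
    """List risky members of a zip from its directory; nothing is extracted."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [{"member": None, "extension": None, "lure_words": [],
                 "note": "not a readable zip archive"}]
    findings = []
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            name = PurePosixPath(info.filename.replace("\\", "/")).name
            ext = PurePosixPath(name).suffix.lower()
            if ext not in RISKY_EXTENSIONS:
                continue
            hits = [w for w in LURE_WORDS if w in name.lower()]
            findings.append({"member": info.filename, "extension": ext,
                             "lure_words": hits,
                             "note": "script or executable inside archive"})
    return findings


def make_sample_zip(members: dict) -> bytes:
    """Build a constructed in-memory zip with harmless placeholder contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    sample = make_sample_zip({
        "Copyright Infringement Evidence.js": "// constructed placeholder",
        "images/photo-01.jpg": "constructed placeholder",
    })
    print(triage_zip(sample))
```

A script member in an archive that arrived through an unsolicited legal threat is reason enough to quarantine the file and report the message; the lure words only raise confidence.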
Phishing example 1 (URLs cut out)
Phishing example 2
As you can see, these emails look quite similar, with the differences being the senders’ names and the content’s formatting. The second phish uses a contact form and links (the second link was already down when we found it, and another link redirected to a file-sharing service in order to download a file ominously named “stolen images evidence”).
Both emails have been made to look extra scary by citing legal statutes such as DMCA (Digital Millennium Copyright Act) in the text. That law actually exists and while it does protect intellectual property rights in digital media with penalties for violations, I did some research and, as per section 504 (c) (2), the actual fine is as high as $150,000. That is substantially more than the $120,000 and $110,000 fines threatened in emails 1 and 2. Oh attackers: the devil is in the details…
How to defend yourself and spot these copyright infringement phishing mails
Real notices of copyright infringement can happen. Knowing the difference between legit and bogus claims will keep your personal and corporate systems safe from breaches.
First off, the claim in these copyright infringement phishes is incredibly obscure. Real notices will usually come from attorneys and are super specific so there would not be room for confusion.
In real cases, the concerned copyright holders are usually pretty reasonable. Mistakes happen, and they would likely reach out to talk through specific objectives, either directly or through a legal representative. Rarely would someone go on the attack right away against a website host like in these phishing attempts, threatening recipients with legal consequences.
The final big red flag is in the links. A legit sender would not use file storage servers to send you “evidence.” Never click on a link in unsolicited cases. Just assume they are dangerous.
Staying off the hook
- Be really suspicious about attachments: Never click on or download an unsolicited, unexpected or unusual attachment.
- Don’t let them scare you: Phishing email attempts frequently try to create an emotional response from you by using threatening language such as the threat to sue you and file a complaint with your web host, as in this example.
- Always be suspicious and take it slowly before acting on any communication that uses threats.
- Notice the incorrect spelling.
- If it feels phishy, it probably is. But if unsure, forward it by using the Hoxhunt button!
Hoxhunt response
Our Threat Analysis Team examines tens of thousands of reported phishing emails a week, including ones like these, and has captured tens of millions of threats to date. Working together with our powerful machine learning model, they cluster the threats, rate them, and incorporate the nasty ones into our training simulations in real time to ensure our training stays at the cutting edge of the constantly evolving threat landscape. Hoxhunt users are thus drilled on spotting and reporting the latest actual threats making the rounds, removing potentially catastrophic threats from your system with every push of the Hoxhunt reporting button. Read more to learn how to equip your employees with the awareness training that will protect your company from phishing scams.