E-mail scams come in all shapes and sizes, and new ones appear every day. No wonder: this has always been the easiest and cheapest way to con people online, even for attackers who lack technical skills, since all they need is a smidgen of cunning and imagination. Today we look at a crafty and rather original scheme that targets employees who work with content, and plays on their fear of copyright infringement.
That’s copyrighted! Add a link to avoid penalties
One not-so-fine day, an employee receives an e-mail from what appears to be a law firm. In it, the recipient is accused of using an image belonging to the firm's client in violation of copyright. The e-mail links to both the image and the page where the alleged misdeed is taking place. Both links are genuine, which makes this part of the story readily believable.
Most likely, the picture is a bog-standard stock image, and it is hard to tell at a glance whether it was licensed from the rightful owner or simply downloaded on the fly. The page where it is posted has probably not been updated for a while either. In short, if the recipient really wants to establish whether the picture was stolen, and who is responsible if so, that will mean a lot of back-and-forth with colleagues and a few unpleasant meetings.
However, having cowed the victim, the "law firm" is quick to propose a solution: its "client" will not take action if, within five working days, the copyright owner is credited on the offending page with a link to the site named in the e-mail.
This is followed by a second round of browbeating: the senders state categorically that simply deleting the problematic image from the site is not an option, and that doing so will bring a lawsuit. They frame the threat in intimidating legalese, citing section 512(c) of the Digital Millennium Copyright Act. The act does cover copyright infringement online, but 512(c) is the "safe harbor" provision: it limits the liability of hosting providers for material uploaded by their users, on condition that the provider removes the material when notified. It creates no liability for the person who posted the content, and the remedy it contemplates is removal. A genuine infringement notice therefore asks for the material to be taken down; a "notice" that forbids taking it down and demands a link instead is a tell in itself.
The attackers stress once more that deleting the image is not an option, kindly reminding the victim that a copy of the infringing page can be found in the Internet Archive and used as evidence in court.
The e-mail itself looks fairly official. The scammers took the time to include the real street address of some building where the law firm supposedly representing the claimant has its office.
The domain names in the sender addresses add further credence through fear-inducing words such as "law" and "legal". What's more, the attackers do not stay in one place: they constantly register new domains with similarly scary names, so blocking a single sender domain does little good and the message content is the more durable indicator.
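As an added illustration, not part of the original article and not a rule from any mail-security product, the following Python heuristic scores an inbound message for the pattern described above (a 512(c) citation, an Internet Archive threat, a short deadline, a demand for a credit link, an explicit refusal to accept removal, and a legal-sounding sender domain) and extracts the non-own-domain URLs the message wants linked, so they can be blocked or reviewed. The indicator weights, the threshold, the sender address, the sample e-mail text and the list of the organization's own domains are all constructed assumptions for the example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List
from urllib.parse import urlparse

# Content indicators for the "add a backlink or we sue" scam. Weights are an
# assumption chosen for illustration, not tuned thresholds from any product.
INDICATORS = [
    (r"\b512\s*\(\s*c\s*\)", 2,
     "cites DMCA 512(c), the hosting safe harbor, as if it created liability"),
    (r"\bDMCA\b|Digital Millennium Copyright Act", 1, "invokes the DMCA"),
    (r"\b(?:wayback|internet archive|archive\.org)\b", 2,
     "threatens with an Internet Archive snapshot"),
    (r"\bwithin\s+\d+\s+(?:working|business)\s+days\b", 1, "short deadline"),
    (r"\b(?:credit|attribution|link back|backlink|link to)\b", 1,
     "asks for a credit link"),
    # A genuine takedown wants removal; forbidding removal is the strongest tell.
    (r"\b(?:removing|deleting|removal|deletion)\b.{0,60}\bnot\b.{0,30}"
     r"\b(?:option|acceptable|sufficient)\b", 3,
     "forbids removing the image instead of demanding it"),
]

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")


@dataclass
class Verdict:
    score: int
    reasons: List[str]
    demanded_links: List[str]

    @property
    def suspicious(self) -> bool:
        # Assumed threshold: several independent indicators must fire.
        return self.score >= 5


def score_message(sender: str, body: str, own_domains: Iterable[str]) -> Verdict:
    """Score one e-mail and list the external URLs it asks the victim to link."""
    score, reasons = 0, []
    for pattern, weight, why in INDICATORS:
        if re.search(pattern, body, re.IGNORECASE | re.DOTALL):
            score += weight
            reasons.append(why)

    # Sender domains cycle constantly, so the name is only a weak signal.
    domain = sender.rsplit("@", 1)[-1].lower()
    if re.search(r"law|legal|attorney|counsel", domain):
        score += 1
        reasons.append(f"sender domain {domain!r} uses legal-sounding words")

    own = [d.lower() for d in own_domains]
    links = []
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;:")  # drop sentence punctuation glued to the URL
        host = (urlparse(url).hostname or "").lower()
        if host and not any(host == d or host.endswith("." + d) for d in own):
            links.append(url)  # the site the scammers want promoted
    return Verdict(score, reasons, links)


# Constructed sample: the victim's own site is example.com (assumption).
OWN_DOMAINS = {"example.com"}
SAMPLE_SENDER = "notices@dmca-legal-enforcement.example"
SAMPLE_BODY = """Dear Site Owner,
Our client owns the image at https://www.example.com/images/team.jpg which you
display at https://www.example.com/about without licence. Under section 512(c) of
the Digital Millennium Copyright Act you must, within 5 working days, credit the
owner with a visible link to https://promo-site.example/gallery.
Simply removing the image is not an option; a copy of the infringing page is
preserved in the Internet Archive and will be used as evidence in court.
"""

if __name__ == "__main__":
    verdict = score_message(SAMPLE_SENDER, SAMPLE_BODY, OWN_DOMAINS)
    print("suspicious:", verdict.suspicious, "score:", verdict.score)
    for reason in verdict.reasons:
        print(" -", reason)
    print("links to block/review:", verdict.demanded_links)
```

The own-domain list matters: the links to the image and the "guilty" page are real and point at the victim's own site, so only the remaining URL is the one the scammers are trying to promote. A mail gateway would normally add a domain-age lookup for the sender, which is left out here so the example runs offline.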
How bad can it get?
By all appearances, the attackers' goal is to get the victim to place, on the "guilty" page, a backlink to the site specified in the e-mail. Most likely this is part of a shady search engine optimization (SEO) business: the more owners of legitimate sites can be coerced into hosting such links, the faster the sites of whichever clients they are promoting climb the search rankings.
What’s so terrible about that, you might ask? Here’s what:
- In the most innocent case, the link points to a fly-by-night site that will disappear fairly soon. When that happens, the link on your site will lead to a 404 page, which does your own SEO no favors.
- A worse scenario: the site you helped to promote turns out to be so problematic that search engines penalize it, and with it the sites that link to it, including yours. Again your SEO suffers, and far more than in the first case.
- Finally, the most dangerous: the promoted site turns out to be a phishing or malware site. In that case you will be sending your own visitors or customers straight into the arms of cybercriminals, and when the search engines get around to blocking the malicious resource, your site is likely to be flagged along with it.
So there are no good options here, only less bad ones, and no benefit to your site whatsoever. The best response is to ignore the e-mail and its baseless claims (and, if your organization has a security team, to forward it to them). To teach employees how to react to e-mail scams, from relatively harmless ones like this to far more dangerous kinds such as BEC attacks, we recommend holding regular cybersecurity awareness training.