Beware of Fake Copyright Violation Notifications

As you may know, when notified of an alleged copyright infringement, your response is required. In cases where no response is forthcoming and the violation is alleged to have taken place on social media, the content at issue may be removed or you may get locked out of your account. To avoid falling victim to a scammer who knows you’ll feel compelled to click on such notifications, be mindful of the following:  

  • Don’t let a sense of urgency conveyed by the language used in messages lead to a hasty response on your part. Take the time to thoroughly evaluate all messages which request that you take action. 
  • When in doubt about the legitimacy of a communication you have received, contact the sender via a trusted means of communication, such as an independently obtained phone number.
  • Before clicking a link or entering any information into a web page, check the URL in your browser’s address bar to confirm that the domain information is expected and correct (e.g., nyu.edu and not nyu.com or some other variant).
  • Never log in to accounts via embedded links in messages. Instead, visit sites via known and trusted URLs that you type into your browser’s address bar.
  • Never click links or open attachments in messages that you are not expecting to receive without verifying with the sender first by using a trusted means of communication. 
  • Do not download files from unknown sites or parties.
  • Be wary of attachments with .js or .exe extensions. 

There appear to be two strains of fake copyright violation notifications circulating. One is received on social media and is designed to steal users’ social media credentials. The other is designed to deploy ransomware which, if activated, will encrypt your device and all files on your device, and will spread to all connected systems.

The following is an example of a fake copyright infringement notification that will install ransomware: 

Message alleging copyright violation (image courtesy of Techlicious)

The link in this email takes recipients to a fake Google download screen, which downloads the malicious .js (JavaScript) file.

Fake Google notification "Copyright Infringement evidence is ready for download"

To help identify this communication as a phish: if you run a Google search on the second-to-last paragraph, beginning with “I have a good faith belief . . . .”, you will see reports of fake copyright infringement notifications. Additionally, the file “Copyright Infringement Evidence.js” was run through VirusTotal (https://www.virustotal.com/gui/), which showed that it was flagged as malware.

With respect to the copyright infringement notifications on social media, the following is an example of a copyright violation purportedly coming from Facebook (on behalf of the complainant). 

Fake Facebook notification of alleged copyright violation

 

When recipients hover over the “Continue” link in the above message, it shows that they will be directed to facebook.com (as expected), but the destination is a fraudulent account on Facebook, which is made to look like a Facebook copyright infringement notification landing page.

Fake Facebook Copyright Infringement Notification landing page

In this example, when a recipient hovers over the link for the Appeal Form to ascertain whether the typed URL matches the destination URL, they will notice a .CF domain and a domain name that is composed of numbers. Note the sense of urgency in the message here as well. If a recipient were to click the above link, they would be taken to a non-facebook.com page requesting re-entry of their Facebook password and a 6-digit code from their 2FA code generator, both of which may be used to gain access to their Facebook account.
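The link checks described above (expected domain, link text versus real destination, a domain name made up of numbers) can be run over a message body automatically. The following is an added Python example, not part of the original advisory; the EXPECTED list, the function names and the sample message are assumptions, and the numeric .cf host is a constructed placeholder.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

EXPECTED = ("facebook.com", "nyu.edu")   # assumption: domains the reader expects
URLISH = re.compile(r"^(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?$", re.I)
def host_of(url):  # lowercase hostname (scheme optional), or None
    try:
        return urlsplit(url if "://" in url else "//" + url).hostname
    except ValueError:
        return None
def within(host, domain):  # the domain itself or a true subdomain of it
    return host == domain or host.endswith("." + domain)

class Anchors(HTMLParser):  # collects (visible text, href) for each <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def check_links(html):  # returns [(href, [reasons])] for links that fail a check
    parser, findings = Anchors(), []
    parser.feed(html)
    for text, href in parser.links:
        dest, reasons = host_of(href), []
        if not dest or not any(within(dest, d) for d in EXPECTED):
            reasons.append("destination is not an expected domain")
        shown = host_of(text) if URLISH.match(text) else None
        if shown and dest and not (within(dest, shown) or within(shown, dest)):
            reasons.append("link text shows a different host than the destination")
        if dest and dest.split(".")[0].isdigit():
            reasons.append("domain name is made up of numbers")
        if reasons:
            findings.append((href, reasons))
    return findings

# Constructed sample message body (not taken from a real notification).
SAMPLE = ('<a href="https://www.facebook.com/some-page">Continue</a>'
          '<a href="http://1234567890.cf/appeal">https://www.facebook.com/appeal</a>'
          '<a href="https://nyu.com/login">NYU Login</a>')
```

A link that stays on an expected domain, like the “Continue” link described above, passes these checks, so the landing page itself still has to be examined.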

If you have a question about any messages you’ve received, please email phishing@nyu.edu.

Resources: