Wrapped In A French E-mail Copyright Infringement Notice ‘Scam’ May Be Another Scam Itself

SAN FRANCISCO, September 3, 2010 — A widely-circulated report about fake online copyright infringement e-mail notifications in France that demand fines from recipients looks as if it is actually part of an underground misinformation campaign, says a US security researcher who looked into the issue for Broadbandbreakfast.com.

The “news” about the French phishing scam appears to have originated from an audience member’s question in a recent web chat at French financial newspaper site La Tribune with Eric Walter, the general secretary of the French online copyright enforcement agency HADOPI.

The web chat participant claimed to have received an e-mail notification demanding that he pay fines for illegal downloading activities. Walter responded that HADOPI would never demand fines, and that the public would be notified about these kind of scam notices promptly.

France enacted a controversial new online copyright enforcement scheme last Fall commonly known as the “Three Strikes” law. Under the law, HADOPI, the enforcement agency, sends an e-mail to the suspect about their infringement activities. If the activities continue, they receive a second letter by mail. The third enforcement action, overseen by a judge in a fast-track process,  is disconnection from the internet for anytime between two months and a year.

French authorities issued a statement this July that they’re ready to send out the infringement notices, although there hasn’t been any news of anyone receiving any messages yet.

“I’ve spoken to French security personnel, and they said that they’ve heard of the scam, and they’ve seen the articles, but none of them can find the e-mails,” said Gary Warner, The University of Alabama at Birmingham’s Director of Research in Computer Forensics. His work involves tracking online scams and other computer security issues.

“I’ve searched through my spam data mine, which is quite extensive with half a billion e-mails, and we don’t have any evidence of the scam either,” he added.

“What we do have is scam e-mails that were sent in March and April, but we think that they were intended to sway public opinion — they didn’t actually ask for any personally-identifiable information, so all we have is the person who mentioned this in a chat and a blogger who we’ve contacted, but haven’t received a reply from yet.”

The French “Three Strikes” law has been very controversial both in France, across Europe and elsewhere because opponents believe it is too draconian. Some opponents have even threatened to “subvert” the law. Ultimately, the law was only enacted after changes were made so that the final decision to disconnect users would rest with a judge and not HADOPI, the enforcement agency.

“There are quite a few people who want to harm the reputation of this organization HADOPI, because they want this whole thing to go away,” said Warner.

Asked whether spam demanding fines for legal violations is a common M.O. for spammers, Warner said that the only similar hoax he’s seen is spammers capitalizing on the Recording Industry Association of America’s legal campaign against individuals.

“When the newspapers were saying: ‘Oh, you know, grandma has been arrested because a 17-year-old in her home was trading music,’ there were e-mail based scams that said: ‘The RIAA has detected that you’re stealing music. Click here.’ It was being used primarily at that time for malware distribution. You would click the link and it would infect you with something.”