Anti-Piracy Scam Emails Target BitTorrent Users

Written by Ernesto on September 07, 2008 

A new trend is surfacing, as spammers have sent out millions of emails targeting BitTorrent users. The emails, which claim to come from MediaDefender, warn the receiver that he or she has been logged using BitTorrent and point them to an attachment supposedly containing evidence, but which is in fact infected with a virus.

Over the years BitTorrent has attracted some shady figures. We’ve reported on malware-ridden BitTorrent clients and media players, a BitTorrent site that infects its users with spyware, and several other scams.

Although most scams can be avoided easily when a few simple rules are followed, they still manage to trick thousands of novices every day - and this is not going to end anytime soon. Since BitTorrent has become more or less mainstream, with millions of users worldwide, it also proves an interesting target for email spammers.

The latest scam, unlike the others we have reported on before, is one that is sent by email. The email is disguised as a message from the anti-piracy company MediaDefender (using their logo etc.), and warns the recipient that his or her download behavior has been logged. The email has a report attached with more details about the infringed material, which turns out to be a virus (a Mytob worm which installs a trojan and allows outsiders to gain access to your computer).

Pirate Spam Email

Dear User!

Your recent internet activity was logged on the following sites:

* Btjunkie
* SumoTorrent
* isoHunt
* Btscene
* Mininova
* Fenopy
* Monova
* Yotoshi
* GetInvites
* Btmon

We have attached a report about the copyrighted movies, music, softwares you
downloaded or searched on these webpages. We strongly advise you to stop any
future activities regarding the downloading of illegal content or you can
expect prosecution by 17 U.S.C. §§ 512, 1201–1205, 1301–1332; 28 U.S.C. §
4001 laws.

Sincerely,

MediaDefender Inc.

To more experienced, BitTorrent-savvy users it is clear that the email is a scam. First of all, MediaDefender has never been involved in anti-piracy enforcement. The only things they do are spoofing, flooding BitTorrent sites with fake files, and the occasional DDoS attack on Revision3.

In addition, the email claims to have data on what the user searched for on the sites, which is irrelevant and practically impossible. It seems that the spammers should have done some more research on the topic. A good spammer would have included The Pirate Bay in the list of sites instead of GetInvites, which is a BitTorrent invite trading site, and not a search engine.

A related scam email, sent out by the same group of people judging by the style and format, is also targeted at filesharers and threatens to suspend their Internet connection. The email claims to be sent by the Internet service provider consortium, and again includes an infected attachment with a report.

The email is a clever scam that shows how mainstream BitTorrent has become. The emails are sent out randomly, but many recipients, scared of being cut off by their ISP or sued for downloading copyrighted material, might open the infected attachment without realizing that it is a scam.
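A mail-side check for the pattern described above, as an added example that is not part of the original article: it parses a message and flags attachments that are, or contain, Windows executables. The zip-wrapped form follows a commenter's description of the attachment; the sender address, subject, file names and extension list are constructed assumptions.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions Windows runs directly; the list is an assumption, extend as needed.
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")

def risky_members(name, data):
    """Names of executable payloads in one attachment, looking inside zips."""
    hits = []
    # "MZ" is the DOS/PE header magic, so a renamed executable is still caught.
    if name.lower().endswith(EXEC_EXT) or data[:2] == b"MZ":
        hits.append(name)
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                head = b""
                try:  # encrypted or unsupported members cannot be read
                    with zf.open(info) as fh:
                        head = fh.read(2)
                except (RuntimeError, NotImplementedError, zipfile.BadZipFile):
                    pass  # fall back to the member's file name alone
                if info.filename.lower().endswith(EXEC_EXT) or head == b"MZ":
                    hits.append(f"{name}!{info.filename}")
    return hits

def scan_message(raw):
    """Parse a raw RFC 5322 message and list executable attachments."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        hits += risky_members(part.get_filename() or "(unnamed)", data)
    return hits

def build_sample():
    """Constructed sample: a notice with a zipped stub standing in for the 'report'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.doc.scr", b"MZ" + b"\x00" * 62)  # inert stub bytes
    msg = EmailMessage()
    msg["From"] = "MediaDefender Inc. <notice@sender.example>"  # constructed
    msg["To"] = "user@recipient.example"
    msg["Subject"] = "Activity report"  # constructed; the page gives no subject
    msg.set_content("Dear User!\nWe have attached a report.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="report.zip")
    return msg.as_bytes()
```

Calling `scan_message(build_sample())` returns the flagged path inside the archive; a gateway would quarantine on any non-empty result regardless of who the message claims to be from.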


40 Responses

1 Sep 07, 2008 at 13:09 by Hogwash

If anyone gets a notice from mediacenter via e-mail and falls for it. They deserve to be scammed.

2 Sep 07, 2008 at 13:32 by Fck spammers

Shit spammers are everywhere, if they don't flood bittorrent sites then they will flood emails.

fuck anti-piracy groups and those assholes who upload infected files for the MONEY!! Fuck you spammers

Few screenshots of fake/infected uploads:

http://img148.imageshack.us/img148/5905/fake4yp9.png
http://img120.imageshack.us/img120/6097/fake9zu0.png
http://img296.imageshack.us/img296/8058/infected2bd6.jpg
http://img296.imageshack.us/img296/7478/infected4iu2.jpg
http://img45.imageshack.us/img45/6999/infected5bt0.jpg
http://img391.imageshack.us/img391/5977/infected7gg2.jpg

3 Sep 07, 2008 at 13:33 by Anonymous

I thought this would be coming long ago. I’m still predicting the faux MD/RIAA spam letters complete with webpage to put in your credit card numbers.

You know just like the real ones, but the money goes to greedy little … wait that doesn’t differentiate it at all. :D

4 Sep 07, 2008 at 13:46 by Yo man!!

Heyy I am second…. Yayyy

5 Sep 07, 2008 at 13:55 by cc

a real mail from **AA also a scam. I don’t see much different

6 Sep 07, 2008 at 13:56 by rofl

come on man don't come with those shitty comments like I'm first and I'm second, tired of that ****

and btw my comment is so you are third… Your response is awaiting moderation. :S

7 Sep 07, 2008 at 14:08 by LMFAO

LMFAO at mininova.org being on the list. What fruitloops, mininova uses thepiratebay’s tracker.

8 Sep 07, 2008 at 14:27 by lol @ 3

nice one, number 3

9 Sep 07, 2008 at 14:27 by Anonymous

@ #3: indeed **AA (and branches in other countries) are pure scam as well and someone should mark them as scam/spam/trolling

- zanfr
http://www.kruhm.org

10 Sep 07, 2008 at 14:35 by hehehe

good for bt
bad for mafiaa

11 Sep 07, 2008 at 14:37 by Anon

I’ll add the first mildly intelligent comment to this post.

As the use of torrents and the internet grows with the general public you will also get your fair share of idiots.

Not to call everyone who is new to torrents an idiot, but people will still click the attachment EVEN though they might not have heard of half of the sites listed.

First Myspace, then Facebook, icanhascancer etc. Now they move from Limewire to torrents.

It’s good and bad news for the normal public tracker user, good because you will possibly have more content but definitely more peers.

Bad because certain aspects of torrenting will need to be dumbed down for the general populace to understand.

“Fort porward what? LoooL I dun no wut im dOiNg LOL FTW I just want to download lol not s33d. ROFLAIDS.”

Public torrent sites are great for idiots, ratio doesn’t have to be maintained and is a good learning ground for those who want to stick at it and end up on the private sites.

12 Sep 07, 2008 at 14:55 by p3aCe

so what does the infected file do

13 Sep 07, 2008 at 15:23 by Concerned citizen

it farts and smells bad thats what it does

14 Sep 07, 2008 at 15:23 by Mememe

Wow, just noticed that 305,000 ppl read the RSS feed - and I’m proud to be one of ‘em!

Probably the funniest bit is there ain’t an IP address on da letter! WTF? Um… does an IP ever count as evidence? Coz my shitty broadband modem keeps booting me offline every hour or so (it’s about to die, ya see…) and renews with a different IP addy. RIAA/MPAA Pricks.

Wait, MPAA = Megacorporate Pricks (up yer) Arse Association? Naaaww..

Oh, and hoooray! I’m last! until someone else posts a message…

15 Sep 07, 2008 at 16:21 by baka pinkuu

My money’s on this being from the real MAFIAA. It’s a win-win situation from their perspective.

1) They get to send malware to “pirates,” which IIRC was on meevee’s wishlist of things to do. 2) If people automatically delete crap purporting to be from the MAFIAA, that means they have a better chance of getting people who won’t know they’re being sued and can’t defend themselves.

16 Sep 07, 2008 at 16:50 by www.eZee.se

If only there was some way to get all the domains (MediaDefender.com, riaa.org, mpaa.org etc) on the email blacklists so that no email sent from those domains ever hits an inbox… not only would it solve this problem but make me a very very happy person :p

CJ
http://www.eZee.se

17 Sep 07, 2008 at 17:01 by Anonymous

I for one hope this trend continues. I’ve got no pity for pirates.

18 Sep 07, 2008 at 17:10 by pink panther

Cool! File sharers have been left out for a long time by scammers, almost like second-class citizens of the Internet. Great to get into the mainstream. Why let CNN subscribers have all the fun?

19 Sep 07, 2008 at 17:34 by Just Me

MediaDefender Inc. can suck my dick!

20 Sep 07, 2008 at 18:02 by new defence

You can say I did not open the letter
(if you unlucky enough to get the real deal)
For fear of it being spam/virus.
:p

21 Sep 07, 2008 at 18:27 by #YLS#

To be honest I think this could work in the pirates favour.

I’ve always said that the anti-pirate’s work is more like a con trick than a legal defense. This could ultimately show that in the end there is no difference between the two.

22 Sep 07, 2008 at 20:27 by Frank

If anyone gets a notice from mediacenter via e-mail and falls for it. They deserve to be scammed.

Disagree.

23 Sep 07, 2008 at 20:56 by ...

People shouldn't even use emails anymore, they're pointless beyond belief.

Use a simple email for site registration and all that but never bother using email to contact people or send/receive emails from people.
Use an instant messaging service, or send a SMS, or make a phone call.

Anything is better than email, don't use it!

24 Sep 07, 2008 at 21:14 by Anonymous

“LMFAO at mininova.org being on the list. What fruitloops, mininova uses thepiratebay’s tracker.”

Mininova doesn’t use anyone’s tracker in particular. You can upload a torrent to it from any tracker.

25 Sep 07, 2008 at 22:10 by Antinymous

I think this scam is actually relatively good. Although I was 95% certain it’s spam, after reading the WHOLE text, it was the first time in years that I looked at the attachment. Unfortunately, it was just some zipped executable. So I still have to keep record myself about what I upload and download. Too bad.

IMS, SMS, phone instead of email? Very funny. Whoever said that doesn’t know shit about others’ requirements or the different properties of these communication technologies. Ever heard of asynchronous communication or encryption? Any idea what it might be good for? No? Thought so.

26 Sep 08, 2008 at 00:00 by InterestedObserver

It is just me, or do such activities (including virus/trojan-writing) have one common facet?

I am alluding to the simple fact that those who are engaging in multi-faceted social engineering appear to be incapable of adopting a consistently believeable standard of language.

If you analyse the above hoax carefully, it should be obvious to most people that certain grammatical errors exist, which serve as warning beacons for anyone paying attention.

A prime example of this would be the use of the verb ‘can’. In a formal document, one would expect it to say ‘may’. Additionally, persons are, according to my grammar reference, prosecuted UNDER a specific bye-law or statue, not BY. Wrong preposition, if I am not mistaken.

Just my two cents of this, but Trojan Horse authors are also particularly guilty (at times) of using flawed tactics (abbreviations, non-formal register again) to convince the uninformed to download the program’s payload under the pretence of ridding their machine of a virus.

Ever seen files on emule, where the author has padded an obvious Trojan Horse with a file called cracked.nfo? This is obviously a trick to try and fool people who can recognise these malicious programs by their size (you get a feeling after a while).

Read Mitnick’s book and you’ll see how important the people factor is in any miscreant’s activities.

Why do these people keep coming out with these scams? Simple; there will always be someone who falls for them. Sad but true.

27 Sep 08, 2008 at 00:02 by InterestedObserver

Keyboard on the blink. Sorry. Don’t have time to fix the typos, just dashed that off quickly as the thoughts came into my head.

28 Sep 08, 2008 at 01:10 by mustangx

thanks for another good heads up about the newest scam Ernesto. Not something a lot of people would fall for but with the wave of letters being sent out in many countries like the U.K being very recent in the news, something like this may be taken seriously by someone knowing they did indeed do what's described in the letter. That's the point of spamming and scamming, finding the latest realistic reasons and subjects to trick people into opening the malware. The quicker stories are pointed the better.

29 Sep 08, 2008 at 04:01 by Anonymous

Um, anyone with a brain knows that if you get an e-mail saying that you’re about to be sued for file-sharing, it comes from one of two places: The MPAA and the RIAA, that’s kind of obvious. MediaDefender only works for them, they don’t sue people.

30 Sep 08, 2008 at 06:22 by Путин

It takes approximately 1 minute for your comment to appear on TorrentFreak after it’s posted.

31 Sep 08, 2008 at 07:02 by morgan

That http://www.eZee.se spam is starting to get a little old…

32 Sep 08, 2008 at 08:20 by Anonymous

no experienced torrent user would need to use any of those sites

33 Sep 08, 2008 at 09:49 by parkside

too late I already got it.

34 Sep 08, 2008 at 12:34 by Josh Summers

LOL, Sounds like something the MPAA or RIAA would do. Wouldn't surprise me at all.

Jeffery
http://www.FireMe.To/udi

35 Sep 08, 2008 at 14:21 by God

Remember,

One main argument of the anti torrenting community is “Torrenting” is unsafe.

This is how they can justify you MUST buy the DVD.

Simple enough.

Any tech savvy user sees that, A) He or she has fully updated NOD32, and B) GMAIL spam filter.

need I say more? For all you kiddies who infect yourself via bittorrent, good riddance. Keygens ALWAYS have viruses, and 419 letters will ALWAYS take many forms.

Hello, I am from Nigeria ,I am rich, please help me.

36 Sep 08, 2008 at 18:12 by @Hogwash

If anyone gets run by a car because they weren’t looking then they deserved to die. Jesus what a moron.

37 Sep 08, 2008 at 20:12 by Welshie

LOL, this letter is so obviously NOT from mediadefender…

It is too polite! If MD did send a letter, they would not warn you off from the sites… they would threaten to sue you, your family and everyone you have ever spoken to (and all that with NO evidence!)

And where was Demonoid on the list?

Bah ;0)

38 Sep 10, 2008 at 00:16 by Yatti

Not only will I never ever click a link in any Anti-Piracy email.. I'm sort of glad the spammers have used MediaDefender… Hopefully they won't be around too much longer..

39 Sep 10, 2008 at 23:22 by stillkicking

This is why I read the articles on TorrentFreak. It is THE source for what is happening of importance in the P2P world.

The know-it-alls can laugh all they want but I suspect most people who share torrents would look at an email like this and believe the worst. It is well written without the usual grammatical errors or strange symbols that your typical spam scams have. It lists a number of well known sites that most of us visit. Who isn’t going to open the “evidence” to see exactly what they have on you?

Thanks again to TorrentFreak for keeping up with the news that matters.

40 Dec 23, 2008 at 10:50 by games

People fall for Nigerian email scams all the time. I have no doubt paranoid pirates would fall for this as well.
