myBLOG-Online

New “Photo Theft” Email Scam/Malware Distribution

Photo Copyright Email Scam

Late last night, I received a message on my work Email address claiming that one of our properties was using photos without permission from the photographer, “Mel Davis”, threatening legal action if we did not “delete” the photos. The Email message also featured a link to a Google Sites webpage, which downloaded a JavaScript (.JS) file. I clicked the link using a virtual machine because no-one should open a link in an email from someone they don’t know on the everyday computer they use. Even on a Virtual Machine, I did not run the file, although I have to admit I was kinda curious about what it would do.

The first of these Email’s happened to target one of our community websites where the photos featured came from a third party, due to the property being a significant distance from where I am based out of, so we commissioned some photos from a third party company. This is the reason I looked into it, then a second came in for a community website, where I know for sure that all the photos are 100% legal, as I took them myself, which is my preference, to avoid this kind of bullshit from third-party photographers.

I cannot remember the exact file name, but it was something like “phototheft_evidence.js”, As soon as I saw it was a JavaScript file, I deleted it; and closed down the VM. There is no reason for anyone to download a .js file, it’s something that runs from a web server, on the client-side to do something interactive on a webpage. But JavaScript can also be used for nasty stuff like malware, viruses, and ransomware. Bottom line, never click any links in an email from anyone you don’t know.

The Email reads as follows, with the links redacted; the second Email is in the featured image above;

Hi,

This is Melinda and I am a certified photographer.

I was discouraged, to put it nicely, when I came across my images at your web-site. If you use a copyrighted image without my approval, you should be aware that you could be sued by the owner.

It’s illegal to use stolen images and it’s so filthy!

Take a look at this document with the links to my images you used at <link redacted> and my earlier publications to get evidence of my legal copyrights.

Download it now and check this out for yourself:

https://sites.google.com/<redacted>

If you don’t delete the images mentioned in the document above within the next few days, I’ll write a complaint on you to your hosting provider stating that my copyrights have been infringed and I am trying to protect my intellectual property.

And if it doesn’t work, you may be pretty damn sure I am going to report and sue you! And I will not bother myself to let you know of it in advance.

Both messages had a phone number attached, which I will not publish, as I suspect it’s a random number and I don’t want the person who owns that number getting bombarded with phone calls. The names and Email addresses used were Melinda Davis (Mphotographer292@yahoo.com), and Melika Robinson (Melphoto796@hotmail.com). Both messages were the same, except for some small wording changes.

Being someone who is webmaster for literally hundreds of websites and listings, I see all sorts of scams in my Email, but this is the first time I have seen someone trying to scam or infect computers with malware, using a cease and desist of photography that has not been licensed from the photographer. As a photographer myself, I protect my work, that is why I took the time to even look into it, as the company who we paid, might not have had the correct licensing deal with the person who actually took the photos.

A bit of advice, if you do use a photographer, ask for a contract which details what is agreed to in terms of number and type of photos. Also, the contract should detail the usage rights, where you can use the photos, and the timeframe in which you can use them. In the majority of cases, the photographer will retain the copyright to the photos. If you don’t have a legal contract, you leave yourself open to a photographer coming back to you later demanding more money to continue using the photos or even taking legal action. A photography contract is designed to protect both the client and the photographer.

To be clear, most photographers are honest, hard-working people, but there are some unscrupulous photographers out there, so insist on a contract and read it in its entirety, to protect yourself.

Update (Jun, 4 2021): It seems that this scam has evolved; it is no longer just from “Mel”, the name variation has grown significantly, and more official-looking legal statements are being used, and the link being shared has changed to Google’s Firebase, instead of Google Sites, which was used previously to share the JavaScript file. But, the biggest evolution is the ‘scary’ official-looking legalese verbiage used.

Here’s the latest example of the new email being sent out;

Hi!

My name is Cheryl.

Your website or a website that your company hosts is infringing on a copyrighted images owned by myself.

Take a look at this doc with the links to my images you utilized at <link redacted> and my earlier publication to find the proof of my copyrights.

Download it now and check this out for yourself:

https://firebasestorage.googleapis.com/<redacted>

In my opinion that you deliberately violated my rights under 17 USC Sec. 101 et seq. and can be liable for statutory damage as high as $140,000 as set-forth in Section 504 (c) (2) of the Digital millennium copyright act (”DMCA”) therein.

This letter is official notice. I seek the removal of the infringing materials referenced above. Take note as a service provider, the DMCA requires you, to remove and/or deactivate access to the copyrighted materials upon receipt of this notification letter. In case you do not stop the utilization of the aforementioned copyrighted content a lawsuit will likely be started against you.

I do have a strong faith belief that use of the copyrighted materials mentioned above as allegedly infringing is not approved by the copyright owner, its agent, as well as legislation.

I declare, under penalty of perjury, that the information in this letter is correct and that I am currently the copyright owner or am authorized to act on behalf of the owner of an exclusive and legal right that is allegedly violated.

Regards,
Cheryl Miller

06/04/2021

Here are a few names and email addresses used in recent emails to our properties.

Beth Kilgore – Kilgoreshot582@hotmail.com
Tameka Sterling – Sterlingphoto862@hotmail.com
Amy Ray – Raystudio119@hotmail.com
Cheryl Miller – Millerstudio588@gmail.com

I have not replied to any of these email addresses, but I believe they are auto-generated and not real.

Techlicious has done a deeper dive than me, downloaded, extracted, and ran the Javascript file through a virus/malware checker, read more about Techlicious’ Josh Kirschner diagnosis of what the download is here; for those who TLDR, its ransomware, so don’t click it, or you will be very, very sorry!

A solution to block this kind of email from WordPress sites that use Contact Form 7.

I have found a solution that blocks all messages sent through your forms that contain links. See “Contact Form 7: block all URL’s in contact forms” for details of the code and my changes to it for expanded functionality, WordPress and Contact Form 7 are very popular, so hopefully this will help some of you.

37 thoughts on “New “Photo Theft” Email Scam/Malware Distribution

  • ssmmdd commented on December 17, 2020 at 21:28

    Makes me want to send an e-mail to them telling them to remove their crap from my website lol.

  • m commented on March 18, 2021 at 13:18

    Same message received from:
    Mel Robinson – Mshot544@aol.com
    Full first name – Melisha

  • Another one today;

    Melainie Hervey – Melgallery486@yahoo.com

    I wonder if these are real email addresses, or just made up to spam web forms?

  • Dan Simmons commented on March 26, 2021 at 11:28

    Received the same email 25 March to a very small nonprofit, charity website. Came from a “Mel” (no last name); email Menikon526@hotmail.com; originating IP address 64.130.87.72, in a small range belonging to NTS Communications, LLC, in Texas, USA.

  • Sarah burns commented on April 2, 2021 at 16:43

    Just got :Mephotographer605@hotmail.com

  • David commented on April 12, 2021 at 19:18

    I just got hit with this same email, and after some research I found this article. Thanks for posting and helping me put a lid in this nonsense.
    DB

  • Cathy commented on April 13, 2021 at 14:01

    Here’s mine. They are all from Mel no last name with different IP addresses. I received 3 this past weekend, 2 in one day! Emails are not real.
    I tried asking nicely what needed to be taken down and they all bounced back. We are a chapter of the American Sewing Guild.
    Thank you for posting this article and to everyone who responded.

    Meshot618@hotmail.com
    Melnikon486@yahoo.com
    Mephoto673@aol.com
    Mnikon928@gmail.com
    Mgallery705@gmail.com
    Mephoto753@aol.com

  • Thank you everyone for posting the names and email addresses of the many Mel’s. My hope is that the more people commenting and leaving the email and the full name from these emails, the more likely potential victims will find this post and not be affected.

    Here are another 7 names and email addresses from the past week.

    Melynda Johnson – Meshot225@gmail.com
    Mel Shaw – Melshot747@gmail.com
    Melaida Moore – Mnikon864@hotmail.com
    Melecia Ellis – Mnikon412@aol.com
    Meladia Smith – Melphotographer4719@yahoo.com
    Melaina Sanchez – Mphotographer1930@aol.com
    Melaenis Gonzalez – Mshot4019@aol.com

  • Terri Lewis commented on April 20, 2021 at 04:48

    Just received this one today.. happy I found this thread!

    Mphoto8189@hotmail.com

  • Greg commented on April 21, 2021 at 06:12

    Mel Tiger Mnikon1390@yahoo.com here is a new one
    Thanks for the thread

  • Kellie commented on April 23, 2021 at 09:23

    Thank you for this article. It was helpful in confirming that what a client was receiving was a hoax. I did the same thing.. Unzipped it on an isolated machine.. found the java script.. and said ” Nope” and deleted it and a full scan before reconnecting to the network. ( Canada )

  • Theresa commented on April 27, 2021 at 12:05

    Here is one from today. Thanks so much for yoyr article. I knew it had to be a scam.

    Melphotographer8161@aol.com

  • Tom commented on April 27, 2021 at 17:00

    I did click on the link via my iPhone in a rush at the airport (stupid). Got this Google error, “An unknown error has occurred”. Not sure what can happen to my phone now. I didn’t see anything download, not sure how to tell. Am I screwed?

  • Tom commented on April 27, 2021 at 17:27

    PS I checked my FILES app on my phone and nothing was downloaded. Think I dodged a bullet? 🤞

  • We recieved the same from
    Melika (Mel Davis) at Mhd1082@hotmail.com.

    I tried to respond to her email, but it bounced as a bad address. I also clicked on the other link, but got a 404 error, so it must already have been discovered as a scam and removed. Glad I wasn’t able to open anything!

  • Tom, you’re fine, it seems that Google are on top of this for the moment, the last one I tested in a Virtual Machine was also a dead link. But, I’m sure that won’t always be the case, please, please, please never click on any links in emails, especially from someone who sends it through a form on a website.

  • Tom commented on April 28, 2021 at 20:46

    Whew, that’s great news Jason, thanks for putting my mind at ease.

  • Louis commented on April 29, 2021 at 16:50

    Thanks all!
    We too have received the same threat from a Megallery9032@hotmail.com. She/he used the name of a legitimate professional photographer which I was going to contact via photography website when I saw this posting.

  • Elysha commented on April 30, 2021 at 09:39

    Thanks for this blog post! I got one today from Mel Robinson Mshot2697@yahoo.com

  • Mehak Walia commented on May 3, 2021 at 02:38

    happened with me today, how do i protect my phone and computer after opening the email

  • Robin commented on May 3, 2021 at 09:40

    Yes, thanks for this post. I just received one on May 2nd, 2021.

    Name: Mel Carter (called herself Meleana within the letter)
    Email: Mshot8386@aol.com

    Is there any way to report this? Thx!

  • Mehak: all I can advise is to make sure you have anti-virus software installed, that is fully up to date, and run a full scan of your system. Also download and run Spybot: Search & Destroy to see if you have any spyware on your system.

    Robin: It seems like the names, email addresses and phone numbers are all fake, so there’s little you can do, reporting abuse to email providers will do little if the email address does not exist.

  • Bill commented on May 5, 2021 at 09:47

    The Mel-odrama continues! Received one today from Melanka Burns – Mehd9813@aol.com. The linked “document” hosted on Google gets a 403 Forbidden result, so they are continuing to block it.

    Thank you for posting this. It saved us from a lot of hand-wringing!

  • It seems that Mel has given up, now we have a variation on the theme, I have received 3 new messages in the past week;

    Kristin Taylor – Taylorhd396@gmail.com
    Sarah Brown – Brownshot553@yahoo.com
    Leticia Ferguson – Fergusonhd579@hotmail.com

    The new message reads as follows.

    Your website or a website that your company hosts is infringing on a copyright-protected images owned by myself.

    Check out this document with the links to my images you used at [redacted] and my earlier publications to obtain the evidence of my copyrights.

    Download it now and check this out for yourself:

    https://sites.google.com/ [redacted]

    I believe you have willfully infringed my rights under 17 U.S.C. Section 101 et seq. and could be liable for statutory damages as high as $150,000 as set forth in Section 504(c)(2) of the Digital Millennium Copyright Act (”DMCA”) therein.

    This letter is official notification. I seek the removal of the infringing material referenced above. Please take note as a service provider, the Digital Millennium Copyright Act requires you, to remove or disable access to the infringing materials upon receipt of this notice. If you do not cease the use of the aforementioned copyrighted material a lawsuit will be commenced against you.

    I have a good faith belief that use of the copyrighted materials described above as allegedly infringing is not authorized by the copyright owner, its agent, or the law.

    I swear, under penalty of perjury, that the information in the notification is accurate and that I am the copyright owner or am authorized to act on behalf of the owner of an exclusive right that is allegedly infringed.

  • My latest admirer is Katie. I tried being nice and emailed her, it bounced back. Big surprise there. It’s basically the same message as the post above this one. I’ve has three from Mel this past week.

    Katie Polcher
    Polcherstock382@hotmail.com
    http://bioju
    184.153.192.208

  • Chimaine commented on May 27, 2021 at 11:52

    I got one. It was for my quilting website but also being a photographer red flags went up. So thanks for this article.
    Melinda Melphotographer3547@aol.com

  • Dan Simmons commented on June 16, 2021 at 14:50

    Hi again, Jason. Another new one just two hours ago, this of the new more “legalese” wording and the link to a “firebasestorage” resource. From, this time, Katrina Springer, Springerstock903@hotmail.com. The webform these have used include a “send me a copy” option for the person filling out the form. I can only assume that these are SaaS ransomware attacks because they always tic the “send me a copy” option, which of course generates a return email error because the address is fake…so it doesn’t seem the probing attempts are being done by anyone clever enough to actually code effective ransomware. :-/ And thanks for the link to Josh Kirschner’s evaluation; that’s a big help.

  • New name and email : Jennifer Mills (Millspix738@gmail.com)

Have Something To Say About This Post? Please Comment Below!