Scam Alert: Fake DMCA Takedown for Link Insertion (fosketts.net)
199 points by zdw on Jan 24, 2022 | 71 comments

I work in hosting. A large number of DMCA requests that I've seen are very nearly scams. All somebody has to do is not like content that you host, claim copyright, and issue a DMCA takedown request. The onus is on the site owner to prove that they own the material and file a counterclaim. It's often easier for them to just take the content down, sadly.

I've wondered why there isn't a potential cost to false claims to disincentivize them. It costs time for someone to respond, so to file a claim there should be a deposit put in escrow, where if the takedown fails then the money is given to who was claimed against - else it goes back to copyright holder who made the claim.

Yes, the DMCA has received criticism for this lack of balance since it was proposed in the 90’s. It’s a very valid point that neither of the US political parties seems willing to reform around.

I wonder how people make money off of this (if they do)

Maybe it's about power. Censorship is a form of power.

It's about SEO. Taking down competing content.

Charging money to submit free removal requests has been a thriving business since at least the early days of Web 2.0.

Pay to remove negative SEO crap maybe?

And pay to remove/deindex pages that rank higher than yours.

They can just counter claim and the hoster has to put it back up, they don't need to prove anything


Are you referring to scams where they don’t hold copyright?

Not true. There is no onus on the site owner or anyone else to prove they own the material before filing a counterclaim.


I can only confirm that as owner of a moderately visible website, you have a massive target on your back. In my case, it's a niche site about a particular hobby that is relatively successful (within that niche).

There's the daily grind of ignoring the obvious affiliate link begging emails. I have a well developed bullshit detector from being on the web since 1996. As it appears, I still wasn't skeptical enough.

I get this email written by an old lady explaining how my site brought her granddaughter tremendous joy. It was very well written, and felt very genuine. It had a "realness" to it as it had such an informal style and it clearly wasn't generated as it had detailed, human-selected specifics about my site.

Anyway, the request was to have a look at this other site she found. I opened it. It looked OK. Relevant for the field, no obvious visual scam signs, just pretty shallow content.

I figured to not do anything. I figured it to just not be that interesting, it still took several days for me to let it sink in that it was another link/scam attempt.

I guess I still had some humanity left in me that could be exploited. That is the point I'm getting at: the human damage of all this hostility. You're under constant attack without relief, and can only manage the problem by becoming a monster yourself. Somebody so cynical that they assume every interaction is hostile.

And there's the daily cleaning of spammers joining the site. As a small site owner, you can't take a break. There's no such thing as weekends. It's non-stop. They're not bots, they're people in click farms so there's no mechanism to prevent them from joining.

There's the non-stop hack attempts as is evident from web server logs. And the occasional ransomware email.

Mind you, I'm talking about a completely non-commercial hobby project. The threat level for even just that is completely disproportional. You're trying to run this small genuine thing yet the world aims to destroy it, every hour of every day.

Now scale that up to a large site, or imagine being a Facebook moderator.

> You're trying to run this small genuine thing yet the world aims to destroy it, every hour of every day.

I feel you. I have a server exposed to the internet, and pretty much the only thing in my access log is PHP/cPanel/MySQL exploit attempts. My guess is that you just port scan the entire internet and go fishing.

Not that this is much consolation, but keep in mind that it's not the world that aims to destroy your small genuine thing, but instead a tiny army of unscrupulous jerks.

Yep, and the WordPress /wp-admin login attempts, even if you don't even run WordPress. You'll see these attempts in less than an hour when launching a new web server so it definitely is automated.

You're of course right about bad actors not representing "the world", but when 99% of interactions are hostile, one's perception of reality changes.

Imagine being an actual Nigerian prince and trying to talk to people on the internet.

You pretty much just have to treat any cold-contact as highly suspect, no matter how legitimate it seems. Always verify.

You’re one step away from the “old lady” cultivating the relationship over several weeks before asking for a link…

Now you piqued my interest, what's your website?


oh yeah, thanks

The entire shady industry that exists because of Google’s search algorithm always amazes me. It’s just layers and layers of deception (even “normal” SEO, too).

Amazon referrals and reviews exhibit a similar pattern

I've started noting sites that I trust when looking for reviews and recommendations and always go there first. If it's a site I'm unfamiliar with, I glance through the links. If they are all Amazon links I just move on without bothering to read any of their justifications.

Nearly all the time it's just crap talking about a product the "reviewer" hasn't even used, but has good reviews on Amazon or some other junk.

It's not a perfect system, most Serious Eats articles would not make it through, but it's been helpful in avoiding total crap.

> I've started noting sites that I trust when looking for reviews and recommendations and always go there first.

I normally look into Reddit & YouTube for such reviews because it is always people who have the authentic experience with it. Often I would find people responding to reviews in the comments and it helps to get a different perspective on the products. If it didn't have it, then I go on my trusted review sites.

As long as there is a game, the players will find a way to gain advantage.

The lawyer profile faces instantly give the site a fake vibe as they look like those generated by GANS AI.

You don't even need to look at the faces to see that the site is fake. Look at the phone number on this page: https://taylorwilsonsmith.com/contact

(212) 555-1979

The 555 prefix is used for directory assistance or for fictitious phone numbers (e.g., in movies):


When I called the number, I got the expected intercept message: "We're sorry, your call can not be completed as dialed..."

It gets even better... If you search for the two phone numbers on that page together, you'll find them on a whole bunch of sites, all presumably fake businesses:


That's the contact info for Mason Donald King!


It gets even better. On the front page of Taylor Wilson Smith it says

> Davis Robbins is a leading independent international law

When they were making their fake Taylor Wilson Smith site someone apparently had a copy paste error and included some text from their fake Davis Robbins site [1].

The fake Taylor Wilson Smith firm and the fake Mason Donald King firm both say they are at One Penn Plaza, New York, NY 10119. It is easy to find the tenant list for that building and there are, of course, no tenants with either of those names.

Another thing they botched when making up these firms is that none of the fake attorneys at Taylor Wilson Smith are named Taylor, Wilson, or Smith. Similar for the fake attorneys at Mason Donald King.

Davis Robbins, which has the same fake phone numbers as the other two, is at least at a different address, 12 Fremont Ave, Staten Island, NY 10306.

That's not even an office. It's a single-family house in a residential neighborhood.

Like the other two fake firms, none of their fake attorneys match the names of the firm.

[1] https://www.davisrobbins.com/

Also, how many real law firms specialize both in copyright litigation and divorce? Yet the TWS, MDK and DR firms all do - and they just happen to have exactly the same list of six Practice Areas. The three sites were all hastily cloned from the same template. Not very convincing at all.

Invent your own law firm!


Dewey, Cheatham and Howe.

They have an office in Harvard Square...


It really doesn't matter how obvious it is if you follow the easiest rule of not getting scammed:

- If anyone initiates contact with you, don't trust any claims they make about their identity.

If you only trust real law firms, verify that independently with whatever authority determines which law firms are real. People need to stop using "can make a professional-looking website" as a proxy for "not a scammer".

What characteristics signal this to you? I took a glance at the lawyers'* photos and can't easily determine that they're AI generated. I probably wouldn't give it a second thought if I didn't know ahead of time that they were generated.

It's the typical GANS face layout, with a blurry background, eyes centered and cropped to the face. It's certainly possible those could be real people, but in my experience law firms usually have upper-body shots of the lawyers with their arms folded, or standing together as a team or with a client.

I wouldn't catch these at first glance, but the older gentleman specifically stands out to me with the

1. tuft of hair above the right eyebrow

2. teeth far offset from center

3. soap-bubble colored noise around the hair features

These aren't unusual on their own (except #3 maybe) but all together they make the photo seem fake.

A really easy clue (as is the case on that site) is if the location of the eyes are aligned almost perfectly as if to the pixel.

The crop is super unusual for professional photos. No photographer is going to cut into the subject's chin

This one is easy to tell. Look at her earrings, they don't match and the one on the right side of the photo seems to be blending in with something


Also I thought this was a woman:

“Hannah has spent the past twelve years making New York City his home.”

These days you can't assume anything.

I remember seeing a guide on how to detect generated faces, and the signs to look for were:

* glasses looking weird (ie. the inside of the frame not matching with the rest of the face, or optical effects not being replicated)

* hair

* teeth

I looked at the pictures and they look reasonably real. Maybe the neural networks have gotten better?

the follow-ups and improvements have been impressive for sure, and posted here at some point.

I'm not great at this but in general

* Eyes exactly centered in the middle of the photo

* Earlobes/ears are different, e.g. attached vs unattached lobe on either side

* Boundaries of hair are confused/fuzzy

Along with that, the single texture background always blurry, sometimes with discontinuities are usually a good give away too.

The teeth and lips is an easy one, noticeable on the "Brian Dodd" image. "Chris Donnelly" has weird skin texture around his mouth.

"Kara Morgan" has mismatched earrings. That's typical.

Hannah Shields' left (our right) earring is particularly egregious.


I thought it was the worst one as well

In each scam group, a member of the team specialises in making websites, for instance. Others are good at phishing, talking like a call center worker, and the list goes on. The info on how to do this is sold on the dark web. So those scammers likely didn't even build these fake websites, they bought the templates.

To fix this, Google needs to stop relying on links as a search engine ranking factor--or at least not rely on it as much.

Because of stuff like this Google doesn't rely on links much any more, but these scammers and SEO nuts aren't going to stop because of that fact. To them, they just need more links to make up for it.


More simply: "Any observed statistical regularity will tend to collapse once you use it to determine how much money somebody makes"

They will never stop doing this. They have stopped relying on it as much (by changing how sites are scored based on perceived authority), but it just shifts the manipulation techniques accordingly.

Blacklisting everyone who did this from their index would be a start

Although I guess then they'd send out fake DMCA takedowns requesting people put links to their competitors...

Google’s original crème de la crème is PageRank: the idea that links to your page have more weight than keyword spam. They don’t seem to want to abandon that idea.

They can't; the web is too large to work without it, and it is (legitimate) links that make it possible to distinguish a well-known site from a pop-up plagiarist that just copies all of the text. But for it to work on the modern web you need to be able to distinguish high-quality links from bogus link-farm links.

It's more that they seem unwilling to admit that purely automated methods don't achieve optimal results when they're being fought by equally automated scams. They could bump their overall ranking quality significantly by blacklisting known bad-actors that scrape real sites and put up hollow shells of barely edited, machine-munged plagiarism, yet do not.

And that’s fine. PageRank is/was a genius idea that should still be used today. But they need to do more. When I search something and half the results are Markov Chain like blogspam full of ads, I have to wonder where the effort is going into those things (definitely not AdSense /s).

If anyone can combat it, Google can. It doesn't seem that hard to me to assign low (or negative) weight to links that suddenly appear on a page that hasn't otherwise changed in years, for example. Or links to the same site on pages that otherwise have nothing to do with each other in terms of content/subject. I'm sure it's harder than that, but all those engineers ought to be earning their six figure salaries.

But how do you translate that into (short term) OKRs and work that engineers can build a career upon as an achievement (for promotion)? I think there is a cultural mismatch between how engineers grow and what they work on at Google versus the quality of the search results. There seems to be very limited upside and huge potential downside to working on this at Google.

That said, I don't work for Google and my conjecture is based on the hand wavy details (from engineers that do/have) posted online.

You should copy-paste the entire email text into your article. The first thing I would do when receiving an email like this is Google a sample of the text, hoping to find something like your post confirming that it's a scam.

Great idea! I just updated the post with the entire text (unlinked)!

OP here. Thanks for the comments and suggestions! I updated the post to include the full text of the email as well as a link to this discussion.

I wonder if anyone has any suggestions about what we can do to stop this kind of thing. Should we complain to someone or just warn people online? Is there anything that can be done to head off this kind of thing?

They use full forms (“I am”) in the email but then at the end write “we’ll” - not something I’d expect to see in a legal notice!

What would the response be if you complied but added noindex nofollow to the IMG tag?

Probably nothing since you can't noindex or nofollow img tags. If you mean an "a" tag then they would definitely be annoyed but would also probably be confused when they see the "noindex" since that won't do anything

The article indicates they were asking for attribution in the form of an anchor tag.

rel="noindex" has value, as would "UGC"

Likewise the page could have noindex as a top-level meta field.

But I think you got what I was getting at anyway.

I don't think noindex on a backlink will really do anything. But yeah sponsored, UGC, and nofollow all do the same to Google

Noindexing the page with the backlink doesn't mean it won't be crawled, it just means it probably won't be indexed so I don't think that will do anything either

> it just means it probably won't be indexed so I don't think that will do anything either

Of course it would do something, it just wouldn't be the best way to do it.

The goal is not to prevent Google from getting to that site, it's to prevent the backlink value of the anchor tag from a good PageRank site.

Either way it all seems like you're trying to find a weird quibble here. I was simply presenting two ways to devalue linking as a thought exercise. They would both work.
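
Added example, not part of the thread or of anyone's comment: a small audit a site owner could run over a page's HTML to see which outbound links carry one of the `rel` hints named above (`nofollow`, `ugc`, `sponsored`), whether `noindex` was put on a link instead of in the page's robots meta tag, and whether the page itself is marked `noindex`. The sample page and its `example.*` hosts are constructed for illustration.

```python
from html.parser import HTMLParser

# rel tokens Google documents for qualifying outbound links.
QUALIFYING = {"nofollow", "ugc", "sponsored"}


class LinkAudit(HTMLParser):
    """Collects <a href> links and the page-level robots directive."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.page_noindex = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "robots":
            # noindex is a page-level robots directive, not a link attribute.
            tokens = {t.strip().lower() for t in (a.get("content") or "").split(",")}
            self.page_noindex = self.page_noindex or "noindex" in tokens
        elif tag == "a" and a.get("href"):
            rel = set((a.get("rel") or "").lower().split())
            self.links.append({
                "href": a["href"],
                "qualified": bool(rel & QUALIFYING),
                "misplaced_noindex": "noindex" in rel,
            })
        # <img> and other tags are skipped: rel hints only apply to links.


def audit(html):
    """Return (list of link records, True if the page is marked noindex)."""
    parser = LinkAudit()
    parser.feed(html)
    parser.close()
    return parser.links, parser.page_noindex


# Constructed sample page; hosts are placeholders.
SAMPLE = """<html><head><meta name="robots" content="noindex, follow"></head><body>
<a href="https://example.com/a">plain link</a>
<a href="https://example.com/b" rel="nofollow">qualified</a>
<a href="https://example.com/c" rel="noindex">noindex on a link</a>
<a href="https://example.net/d" rel="UGC noopener">mixed-case token</a>
<img src="photo.png" rel="nofollow">
</body></html>"""

if __name__ == "__main__":
    links, page_noindex = audit(SAMPLE)
    print("page noindex:", page_noindex)
    for link in links:
        print(link)
```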
