A new type of malware is riding the wave of file-sharing pre-settlement letters by infecting BitTorrent users' machines and then demanding payments in order to make imaginary lawsuits go away. ICPP Foundation try to give the impression they are RIAA and MPAA affiliated but the whole thing is a scam to extort cash and obtain credit card details.

ICCP Foundation claims to be an international company operating out of Switzerland. They say they are “committed to promoting the cultural and economic benefits of copyright” while assisting their partners to fight “copyright theft around the world”.

In fact what they really do is operate a scam to extort money from BitTorrent users.

Right at this moment we are unsure of the exact route of infection, but somehow malware (probably in either fake file or attached virus form) is displaying a “copyright violation alert” on the victim’s screen, locking it, and redirecting users to the ICPP site where they are told they have been caught infringing copyright.

There they are warned their offenses could result in 5 years in prison and a $250,000 fine and are given the option to take the (fake) case to court. They are also offered a chance to make the whole thing go away for the payment of a ‘fine’ of around $400. Victims are also prompted to give their name, address and full credit card details – it is unclear how this information is further abused but it doesn’t look good.

If they select the court option, they are scared with this screen:

So that that this evil software (believed to be located at C:\Documents and Settings\Administrator\Application Data\IQManager\iqmanager.exe) more accurately targets BitTorrent users rather than just random users, it appears to scan the user’s hard drive for .torrent files and displays these as ‘evidence’ of an earlier infringement.

In order to boost their credibility, icpp-online.com claim to be affiliated with influential partners – the RIAA, MPAA, and The Copyright Alliance. Of course, this is a complete fabrication.

This whole approach seems very similar to that employed by so-called ‘rogue software‘ or ‘scareware’ which attempt to frighten users into parting with cash for often useless software. And it seems the links to malware don’t stop there.

A WHOIS on the ICPP-Online domain reveals some contact data which shows up elsewhere in connection to other questionable activities.

Details on this new threat are scarce at the moment, so if any readers can discover more about this malware or the operation behind it, please collate the information and send it over to [email protected]