Fake online RIAA / MPAA extortion scheme
p2pnet view Crime:- Vivendi Universal, EMI, Warner Music and Sony Music’s RIAA has developed online extortion to a fine art, so it’s somehow appropriate that it and Hollywood ‘trade’ association the MPAA themselves star in an online extortion scheme.
As Finnish security expert Mikko Hypponen puts it onĀ F-Secure, “There’s a new extortion trojan in circulation.
“This one attempts to steal victims’ money by bullying them to pay a ‘pre-trial settlement’ to cover a ‘Copyright holder fine’.”
The victim is told an ‘Antipiracy foundation scanner’ has found illegal torrents.
If he refuses to pay $400 (via a credit card transaction), “he might face jail time and huge fines.”
And it all looks so real because making the threats, supposedly, are infamous corporate bullies and extortionists the RIAA, alongside the equally infamous MPAA and Copyright Alliance.
“And the warnings will not go away”, says F-Secure, continuing >>>
They will reappear every time the user reboots his system.
All of this is completely fake. There is no “ICPP Foundation”, and the messages will appear even if the system contains no illegal material whatsoever.
Most importantly: Refuse to pay money to these clowns! If people pay them, the problem will only grow bigger.
The group behind this have even set up an official-looking website at icpp-online.com.
The domain is registered to Mr. “Shoen Overns”. The same e-mail address ovenersbox@yahoo.com has been seen before in various other domains, connected to Zeus and Koobface scams.
If you click on the Reports shown by the application, you’ll end up on pages such as these:
We tried calling the (Italian) phone number listed on the page: +39 (06) 9028 0658. Unsurprisingly, it goes nowhere.
These pages are hosted at 91.209.238.2, which according to WHOIS belongs to EBUNKER-NET, a “High protected Somalia network”. It’s running in Moldova.
There is no obvious credit-card payment system connected to the site; they just seem to collect the credit card information.
If you are hit by this trojan, DO NOT PAY. Instead, use an antivirus program that is capable of detecting it to remove the trojan. F-Secure Antivirus detects it as Rogue:W32/DotTorrent.A. You can use our free Online Scanner at ols.f-secure.com to check your system.
The malware is typically located in c:\documents and settings\USERNAME\application data\IQManager\iqmanager.exe. We’ve seen two versions so far. MD5 hashes of them are cedc2c35bf967027d609df13e937946c and bca3226cc1cfea416c0bcf488082e5fd.
At the time of writing, 6:44 am Pacific, icpp-online.com was down.
(Cheers, Filip)
..… and identi.ca
First they ignore you, then they laugh at you, then they fight you, then you win ~ Mahatma Gandhi
F-Secure – ICPP Copyright Foundation is Fake, April 12, 2010
Use free p2pnet newsfeeds for your site. Subscribe to p2pnet.net | | rss feed: http://p2pnet.net/feed
Net access blocked by government restrictions? Use Psiphon from the Citizen Lab at the University of Toronto. Go here for details. Click here to learn what technologies might help you bypass censorship in your area.
April 14th, 2010 at 11:03 am
Genius, pure genius.
April 14th, 2010 at 1:43 pm
Frankly I don’t see the difference between this scam and the RIAA/MPAA scam.
In both cases you shall not pay!
April 14th, 2010 at 7:09 pm
And in both cases you’d be supporting criminal activity if you did pay.
April 14th, 2010 at 7:50 pm
Exactly!
April 15th, 2010 at 5:17 am
Off topic a bit, but how did the March donation drive end up and how is it so far in April? Haven’t seen an update for a while
April 15th, 2010 at 8:36 am
@ Feddak
$16.51 for April so far. Which is why I haven’t bothered to post.
Cheers!
April 17th, 2010 at 1:24 pm
Now if people get a real notice, they can ignore it and say they just thought it was one of these scams?
May 3rd, 2010 at 2:55 pm
Got us as well. Really appreciate you guys taking the time to document.