Mac malware spreads to Russian firm


A Russian firm may be behind the MacDefender malware that’s scaring Apple Macintosh OS X users into buying a fake antivirus program, a security researcher said.

Brian Krebs said that leaked documents trace the rogue antivirus to ChronoPay, a company he described as a “pioneer” in the rogue antivirus business.

“Last year, ChronoPay suffered a security breach in which tens of thousands of internal documents and emails were leaked. Those documents show that ChronoPay owns the mail-eye.com domain and pays for the virtual servers in Germany that run it. The records also indicate that the fc@mail-eye.com address belongs to ChronoPay’s financial controller Alexandra Volkova,” he said in a blog post.

The mail-eye.com email address had been used to register the domains mac-defence.com and macbookprotection.com, where victims were directed to pay for the rogue software, he added.

Krebs also cited a screenshot shared with his site, which showed that someone had recently used the same fc@mail-eye.com account to register two more Mac security-related domains that have not yet shown up in rogue anti-virus attacks against Mac users.

He said these include appledefence.com and appleprodefence.com.

ChronoPay is also Russia’s largest online payment processor, Krebs noted.

Since early May, the fake MacDefender antivirus has spread through poisoned Google Image Search results, scaring users into thinking their machines are infected and getting them to pay for the malware.

While the attacks initially required users to provide their passwords to install the rogue programs, a new version no longer needs the passwords.

Krebs noted that a few days after the first attacks in early May, experienced Mac users on Apple support forums began reporting that new strains of the Mac malware were directing users to pay for the software via a domain called mac-defence.com.

Others spotted fake Mac security software coming from macbookprotection.com.

He said the WHOIS information for both domains includes the contact address of fc@mail-eye.com.
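Pivoting on a shared WHOIS registrant address, as the article does for mac-defence.com, macbookprotection.com and the two newer domains, is a routine defender step for clustering related infrastructure so it can be blocked or monitored as a unit. The Python below is an added example, not code from the article or from Krebs; the WHOIS records are constructed stand-ins in which only the domain names and the fc@mail-eye.com contact come from the article, while the name-server lines and the unrelated control domain are made up.

```python
import re
from collections import defaultdict

# Constructed WHOIS-style text records (not live lookups). The four domain
# names and the fc@mail-eye.com contact are the ones reported in the article;
# the name-server fields and the control domain are invented for the example.
WHOIS_RECORDS = {
    "mac-defence.com": """Domain Name: MAC-DEFENCE.COM
Registrant Email: fc@mail-eye.com
Name Server: NS1.EXAMPLE-HOST.TEST""",
    "macbookprotection.com": """Domain Name: MACBOOKPROTECTION.COM
Registrant Email: FC@Mail-Eye.com
Name Server: NS1.EXAMPLE-HOST.TEST""",
    "appledefence.com": """Domain Name: APPLEDEFENCE.COM
Registrant Email: fc@mail-eye.com""",
    "appleprodefence.com": """Domain Name: APPLEPRODEFENCE.COM
Registrant Email: fc@mail-eye.com""",
    "unrelated-shop.test": """Domain Name: UNRELATED-SHOP.TEST
Registrant Email: owner@unrelated-shop.test""",
}

# One "Registrant Email:" line per record; case-insensitive, multi-line match.
EMAIL_RE = re.compile(r"^\s*Registrant Email:\s*(\S+@\S+)\s*$", re.I | re.M)

def registrant_email(record):
    """Extract the registrant contact from a WHOIS text record, lowercased so
    that differently cased copies of the same address compare equal."""
    m = EMAIL_RE.search(record)
    return m.group(1).lower() if m else None

def cluster_by_registrant(records):
    """Group domains by normalized registrant email. Records without a
    parseable address are kept under 'unknown' rather than silently dropped."""
    clusters = defaultdict(list)
    for domain, record in records.items():
        clusters[registrant_email(record) or "unknown"].append(domain)
    return {email: sorted(domains) for email, domains in clusters.items()}

def related_domains(records, seed_domain):
    """Return every other domain sharing the seed domain's registrant email."""
    email = registrant_email(records[seed_domain])
    if email is None:
        return []
    return sorted(d for d, r in records.items()
                  if d != seed_domain and registrant_email(r) == email)

if __name__ == "__main__":
    for email, domains in cluster_by_registrant(WHOIS_RECORDS).items():
        print(f"{email}: {', '.join(domains)}")
```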

Krebs added that the leaked documents have also given ChronoPay’s enemies access to certain online records that the company maintains, such as domain registration accounts tied to the firm.

“Both mac-defence.com and macbookprotection.com were suspended by the registrar — a company in the Czech Republic called Webpoint.name,” he said.

“Perhaps Apple will have better luck than others who have tried convincing ChronoPay to quit the rogue anti-virus business, but I’m not holding my breath. As I noted in a story earlier this year, ChronoPay has been an unabashed ‘leader’ in the scareware industry for quite some time,” he added.
