Mac malware spreads to Russian firm
A Russian firm may be behind the MacDefender malware that is scaring Apple Macintosh OS X users into buying a fake antivirus program, a security researcher said.
Brian Krebs said that leaked documents trace the rogue antivirus to ChronoPay, which he described as a “pioneer” in the rogue antivirus business.
“Last year, ChronoPay suffered a security breach in which tens of thousands of internal documents and emails were leaked. Those documents show that ChronoPay owns the mail-eye.com domain and pays for the virtual servers in Germany that run it. The records also indicate that the email@example.com address belongs to ChronoPay’s financial controller Alexandra Volkova,” he said in a blog post.
The mail-eye.com email address had been used to register the domains mac-defence.com and macbookprotection.com, where victims were directed to pay for the rogue software, he added.
Krebs also cited a screenshot shared with his site, which showed someone recently used that firstname.lastname@example.org account to register two more Mac security-related domains that have not yet shown up in rogue anti-virus attacks against Mac users.
He said these include appledefence.com and appleprodefence.com.
ChronoPay is also Russia’s largest online payment processor, Krebs noted.
Since early May, the fake MacDefender antivirus has spread through poisoned Google Image Search results; it scares users into thinking their machines are infected and has them pay for the malware.
While the attacks initially required users to provide their passwords to install the rogue programs, a new version no longer needs the passwords.
Krebs noted that a few days after the first attacks in early May, experienced Mac users on Apple support forums began reporting that new strains of the Mac malware were directing users to pay for the software via a domain called mac-defence.com.
Others spotted fake Mac security software coming from macbookprotection.com.
He said the WHOIS information for both domains includes the contact address of email@example.com.
Krebs added that the leaked documents have also given ChronoPay’s enemies access to certain online records that the company maintains, such as domain registration accounts tied to the firm.
“Both mac-defence.com and macbookprotection.com were suspended by the registrar — a company in the Czech Republic called Webpoint.name,” he said.
“Perhaps Apple will have better luck than others who have tried convincing ChronoPay to quit the rogue anti-virus business, but I’m not holding my breath. As I noted in a story earlier this year, ChronoPay has been an unabashed ‘leader’ in the scareware industry for quite some time,” he added.