Researcher Finds Russian Link To MacDefender Scam

A security expert believes that a Russian online payment company may be behind the rogue antivirus MacDefender scam, which dominated security headlines for the past few weeks.

A few days after the first attacks surfaced, users on Apple support forums reported that the Mac malware was directing them to mac-defence.com and macbookprotection.com to pay for the scareware, wrote Brian Krebs on 27 May on his Krebs on Security blog.

Both of these domains have the “distinct fingerprint” of ChronoPay in their registration records, according to Krebs.

Website Ownership

Both domains included the contact address fc@mail-eye.com in the WHOIS information, Krebs found. Several internal documents and emails were leaked after ChronoPay suffered a security breach last year, and those documents revealed that the company owns the mail-eye.com domain and operates it using virtual servers in Germany, according to Krebs. The records also indicated that the email address belonged to ChronoPay’s financial controller Alexandra Volkova. Krebs identified multiple Mac-security related domains that have not shown up in rogue antivirus scams, such as appledefence.com and appleprodefence.com.

The scams used “bogus security alerts in a bid to frighten Mac users into purchasing worthless security software,” Krebs wrote.

There are several variants of the fake AV for Mac OS X currently in circulation, with names such as MacDefender, MacProtector, MacSecurity and Apple Security Center, according to Dan Clark, vice president of marketing at ESET.

Users stumbling upon rogue sites, often through poisoned image search results or by clicking on malicious links, are displayed a window that resembles a Finder window claiming to be “scanning” their system. The site warns the user that the Mac has been infected, and should download a antivirus scanner to clean the infection. The scareware also launches pop-up windows with adult content ads every few minutes to perpetuate the impression that the user has been infected. Users are scammed into providing a credit card number to purchase the antivirus software.

Scareware Pioneer

While initially, the scareware could not be installed on the user’s computer without entering an administrator password, new variants have emerged recently that can install itself without a password if the user has “automatically open Safe files” option enabled in Safari, according to Mac security firm Intego.

Krebs has written about the Russian payment processor as the source of bogus security software in the past, calling it “something of a pioneer in the rogue antivirus business.”

ChronoPay was the core processor for trafficconverter.biz, a rogue antivirus affiliated with the first strain of the Conficker worm. The company was also allegedly processing payments for icpp-online.com, a scam site that targeted filesharing users. The scam involved sending users notices accusing them of copyright violations and threatening a “Copyright holder fine.” ChronoPay processed payments for the “pre-trial settlement,” Krebs said.

By the time eWEEK checked each of the domains’ WHOIS records, over 16 hours had passed since Krebs’ post. All the contact information appears to have been changed to “Crusader Inc” with a Yahoo email address. It also appeared that the registrar, Czech-companyWebpoint.name, had suspended all these domains.

Mac-defence.com was registered 2 May, right about when the initial MacDefender attacks began. The Macbookprotection.com was registered on May 12. The newer domains, applefedence.com and appleprodefence.com were registered 20 May, according to the WHOIS information.