A security expert believes that a Russian online payment company may be behind the rogue antivirus MacDefender scam, which dominated security headlines for the past few weeks.
A few days after the first attacks surfaced, users on Apple support forums reported that the Mac malware was directing them to mac-defence.com and macbookprotection.com to pay for the scareware, wrote Brian Krebs on 27 May on his Krebs on Security blog.
Both of these domains have the “distinct fingerprint” of ChronoPay in their registration records, according to Krebs.
Both domains included the contact address fc@mail-eye.com in the WHOIS information, Krebs found. Several internal documents and emails were leaked after ChronoPay suffered a security breach last year, and those documents revealed that the company owns the mail-eye.com domain and operates it using virtual servers in Germany, according to Krebs. The records also indicated that the email address belonged to ChronoPay’s financial controller Alexandra Volkova. Krebs identified multiple Mac-security related domains that have not shown up in rogue antivirus scams, such as appledefence.com and appleprodefence.com.
The scams used “bogus security alerts in a bid to frighten Mac users into purchasing worthless security software,” Krebs wrote.
There are several variants of the fake AV for Mac OS X currently in circulation, with names such as MacDefender, MacProtector, MacSecurity and Apple Security Center, according to Dan Clark, vice president of marketing at ESET.
While initially, the scareware could not be installed on the user’s computer without entering an administrator password, new variants have emerged recently that can install itself without a password if the user has “automatically open Safe files” option enabled in Safari, according to Mac security firm Intego.
Krebs has written about the Russian payment processor as the source of bogus security software in the past, calling it “something of a pioneer in the rogue antivirus business.”
ChronoPay was the core processor for trafficconverter.biz, a rogue antivirus affiliated with the first strain of the Conficker worm. The company was also allegedly processing payments for icpp-online.com, a scam site that targeted filesharing users. The scam involved sending users notices accusing them of copyright violations and threatening a “Copyright holder fine.” ChronoPay processed payments for the “pre-trial settlement,” Krebs said.
By the time eWEEK checked each of the domains’ WHOIS records, over 16 hours had passed since Krebs’ post. All the contact information appears to have been changed to “Crusader Inc” with a Yahoo email address. It also appeared that the registrar, Czech-companyWebpoint.name, had suspended all these domains.
Mac-defence.com was registered 2 May, right about when the initial MacDefender attacks began. The Macbookprotection.com was registered on May 12. The newer domains, applefedence.com and appleprodefence.com were registered 20 May, according to the WHOIS information.
Targetting AWS, Microsoft? British competition regulator soon to announce “behavioural” remedies for cloud sector
Move to Elon Musk rival. Former senior executive at X joins Sam Altman's venture formerly…
Bitcoin price rises towards $100,000, amid investor optimism of friendlier US regulatory landscape under Donald…
Judge Kaplan praises former FTX CTO Gary Wang for his co-operation against Sam Bankman-Fried during…
Explore the future of work with the Silicon In Focus Podcast. Discover how AI is…
Executive hits out at the DoJ's “staggering proposal” to force Google to sell off its…