
Researcher traces Mac malware to Russian firm


A Russian firm may be behind the MacDefender malware that is scaring Apple Macintosh OS X users into buying a fake antivirus program, a security researcher said. Brian Krebs said that leaked documents trace the rogue antivirus to ChronoPay, which he described as a "pioneer" in the rogue antivirus business.

"Last year, ChronoPay suffered a security breach in which tens of thousands of internal documents and emails were leaked. Those documents show that ChronoPay owns the mail-eye.com domain and pays for the virtual servers in Germany that run it. The records also indicate that the fc@mail-eye.com address belongs to ChronoPay's financial controller Alexandra Volkova," he said in a blog post.

The mail-eye.com email address had been used to register the domains mac-defence.com and macbookprotection.com, where victims were directed to pay for the rogue software, he added.

Krebs also cited a screenshot shared with his site, which showed that someone had recently used the fc@mail-eye.com account to register two more Mac security-related domains that have not yet shown up in rogue antivirus attacks against Mac users: appledefence.com and appleprodefence.com.

ChronoPay is also Russia's largest online payment processor, Krebs noted.

Since early May, the fake MacDefender antivirus has spread through poisoned Google Image Search results; it scares users into thinking their machines are infected and has them pay for the malware. While the attacks initially required users to provide their passwords to install the rogue programs, a new version no longer needs the passwords.

Krebs noted that a few days after the first attacks in early May, experienced Mac users on Apple support forums began reporting that new strains of the Mac malware were directing users to pay for the software via a domain called mac-defence.com. Others spotted fake Mac security software coming from macbookprotection.com.

He said the WHOIS information for both domains includes the contact address fc@mail-eye.com. Krebs added that the leaked documents have also given ChronoPay's enemies access to certain online records that the company maintains, such as domain registration accounts tied to the firm.

"Both mac-defence.com and macbookprotection.com were suspended by the registrar — a company in the Czech Republic called Webpoint.name," he said. "Perhaps Apple will have better luck than others who have tried convincing ChronoPay to quit the rogue anti-virus business, but I'm not holding my breath. As I noted in a story earlier this year, ChronoPay has been an unabashed 'leader' in the scareware industry for quite some time," he added.

ChronoPay link to scareware

Krebs said that, in 2008, ChronoPay was the core processor for trafficconverter.biz, the rogue antivirus affiliate program that was designed to be the beneficiary of the first strain of the Conficker worm. Conficker was a menacing contagion that still infects millions of PCs worldwide.

Last March, the company was at the forefront of another emerging scam, when it began processing payments for the scam site icpp-online.com. The site targeted file-sharing users and stole victims' money by bullying them into paying a "pre-trial settlement" to cover a "Copyright holder fine."

In his blog, Krebs describes himself as a former reporter for The Washington Post from 1995 to 2009, who took an interest in computer security after Chinese hackers broke into his home computer network in 2001. — TJD, GMA News