Security writer Brian Krebs may have found a link connecting Russian payment processor ChronoPay with some of the recent Mac scareware software in circulation.
It appears that a Russian online payment company may be
behind the rogue
scam that has dominated security headlines for the past
A few days after the first attacks surfaced, users on Apple
support forums reported that the Mac malware was directing them to
mac-defence.com and macbookprotection.com to pay for the scareware, wrote Brian
Krebs on May 27 on his Krebs
blog. Both of these domains have the "distinct fingerprint" of
ChronoPay in their registration records, according to Krebs.
Both domains included the contact address firstname.lastname@example.org in
the WHOIS information, Krebs found. Several internal documents and emails were
leaked after ChronoPay suffered a security breach last year, and those
documents revealed that the company owns the mail-eye.com domain and operates
it using virtual servers in Germany, according to Krebs. The records also indicated that the email
address belonged to ChronoPay's financial controller Alexandra Volkova. Krebs
identified multiple Mac-security related domains that have not shown up in
rogue antivirus scams, such as appledefence.com and appleprodefence.com.
The scams used "bogus security alerts in a bid to frighten
Mac users into purchasing worthless security software," Krebs wrote.
There are several variants of the fake
AV for Mac OS X
currently in circulation, with names such as MacDefender,
MacProtector, MacSecurity and Apple Security Center, according to Dan Clark,
vice president of marketing at ESET.
Users stumbling upon rogue sites, often through poisoned
image search results or by clicking on malicious links, are displayed a window
that resembles a Finder window claiming to be "scanning" their system. The site
warns the user that the Mac has been infected, and should download an antivirus
scanner to clean the infection. The scareware also launches pop-up windows with
adult content ads every few minutes to perpetuate the impression that the user
has been infected. Users are scammed into providing a credit card number to
purchase the antivirus software.
While initially the scareware could not be installed on the
user's computer without entering an administrator password, new variants have
emerged recently that can install itself without a password if the user has
"automatically open Safe files" option enabled in Safari, according to Mac
security firm Intego.
Krebs has written about the Russian payment processor as the
source of bogus security software in the past, calling it "something of a
pioneer in the rogue antivirus business."
ChronoPay was the core processor for trafficconverter.biz, a
rogue antivirus affiliated with the first strain of the Conficker worm. The
company was also allegedly processing payments for icpp-online.com, a scam site
that targeted filesharing users. The scam involved sending users notices
accusing them of copyright violations and threatening a "Copyright holder fine."
ChronoPay processed payments for the "pre-trial settlement," Krebs said.
By the time eWEEK checked each of the domain's WHOIS
records, more than 16 hours had passed since Krebs' post. All the contact
information appears to have been changed to "Crusader Inc" with a Yahoo email
address. It also appeared that the registrar, Czech-company Webpoint.name, had
suspended all these domains.
Mac-defence.com was registered May 2, right about when the
initial MacDefender attacks began. The Macbookprotection.com was registered on
May 12. The newer domains, appledefence.com and appleprodefence.com were
registered May 20, according to the WHOIS information.