Paper Trail Links Mac Scareware to Russian Payment Processor

The Mac malware threat posed by Mac Defender and its variants recently got worse, thanks to a new version called MacGuard that doesn’t require the user to enter an administrator password during installation. But there is now also evidence pointing to the source of the ongoing scareware threat, thanks to information security blogger Brian Krebs.
The Mac Defender scareware masquerades as an antivirus program: it claims your system is infected, then asks for payment to remove the reported infection. It’s a common tactic in PC malware, but one that has been relatively unseen on Apple computers. Krebs identified a link between Mac Defender (and its variants) and ChronoPay, Russia’s largest online payment processor. In a 2009 investigation while at The Washington Post, Krebs linked ChronoPay to rogue anti-virus operations of the kind Mac Defender belongs to, and last year tens of thousands of leaked documents revealed the company was very much involved in that trade.
Krebs found that mac-defence.com and macbookprotection.com were both registered with the same contact address, [email protected]. The mail-eye.com domain is owned by ChronoPay, as are the virtual servers in Germany that host it, according to Krebs. Two further domains with Mac-security themes (appledefence.com and appleprodefence.com) that have not yet been used in Mac scareware campaigns are also registered with the [email protected] address, according to information received by Krebs.
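The pivot Krebs performed here, clustering domains by a shared registrant contact and then by shared hosting, is a routine threat-intelligence technique, and the interesting part is the domains that share a registrant with known scareware sites but have not been used yet. The following is an added example, not code from Krebs or from this article. All WHOIS records in it are constructed: the contact address is a stand-in for the one redacted above, and the nameserver and IP values are invented. It also goes slightly beyond the article by showing why WHOIS privacy-proxy addresses and shared hosting IPs must be treated as weaker pivots than a registrant e-mail.

```python
"""Cluster domains by WHOIS registrant contact and hosting to find staging domains.

Added example for this article; not code from Krebs or the article itself.
Every record below is constructed for illustration.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Registrant e-mail domains used by WHOIS privacy services (invented names).
# Thousands of unrelated registrants share these, so they are useless as pivots.
PRIVACY_PROXY_DOMAINS = {"whoisguard.example", "domainsbyproxy.example"}


@dataclass(frozen=True)
class WhoisRecord:
    domain: str
    registrant_email: str
    nameservers: tuple[str, ...]
    hosting_ip: str


def normalize_email(addr: str) -> str:
    """Lower-case the address and strip a '+tag' so trivially varied addresses match."""
    local, _, dom = addr.strip().lower().rpartition("@")
    local = local.split("+", 1)[0]
    return f"{local}@{dom}"


def is_privacy_proxy(addr: str) -> bool:
    """True if the registrant address belongs to a WHOIS privacy service."""
    return normalize_email(addr).rpartition("@")[2] in PRIVACY_PROXY_DOMAINS


def cluster_by_registrant(records: list[WhoisRecord]) -> dict[str, list[str]]:
    """Group domains by normalized registrant e-mail, skipping privacy-proxy addresses."""
    clusters: dict[str, set[str]] = defaultdict(set)
    for r in records:
        if is_privacy_proxy(r.registrant_email):
            continue
        clusters[normalize_email(r.registrant_email)].add(r.domain)
    return {email: sorted(doms) for email, doms in clusters.items()}


def cluster_by_hosting(records: list[WhoisRecord]) -> dict[str, list[str]]:
    """Group domains by hosting IP. A weaker pivot: shared hosting puts strangers together."""
    by_ip: dict[str, set[str]] = defaultdict(set)
    for r in records:
        by_ip[r.hosting_ip].add(r.domain)
    return {ip: sorted(doms) for ip, doms in by_ip.items()}


def predict_staging_domains(records: list[WhoisRecord], known_bad: set[str]) -> list[str]:
    """Domains not yet seen in a campaign that share a registrant with a known-bad domain."""
    suspects: set[str] = set()
    for _email, domains in cluster_by_registrant(records).items():
        if any(d in known_bad for d in domains):
            suspects.update(d for d in domains if d not in known_bad)
    return sorted(suspects)


# Constructed sample data. "contact@example.invalid" stands in for the redacted
# address in the article; nameservers and IPs are invented (TEST-NET-3 range).
RECORDS = [
    WhoisRecord("mac-defence.com", "Contact@example.invalid",
                ("ns1.provider-a.example", "ns2.provider-a.example"), "203.0.113.10"),
    WhoisRecord("macbookprotection.com", "contact+billing@example.invalid",
                ("ns1.provider-a.example", "ns2.provider-a.example"), "203.0.113.10"),
    WhoisRecord("appledefence.com", "contact@example.invalid",
                ("ns1.provider-a.example",), "203.0.113.11"),
    WhoisRecord("appleprodefence.com", "contact@example.invalid",
                ("ns1.provider-a.example",), "203.0.113.11"),
    # Unrelated site behind a privacy proxy on the same shared hosting IP:
    # it must not be pulled into the registrant cluster.
    WhoisRecord("innocent-blog.example", "owner@whoisguard.example",
                ("ns1.provider-b.example",), "203.0.113.10"),
]

# Domains already observed serving scareware (constructed for the example).
KNOWN_BAD = {"mac-defence.com", "macbookprotection.com"}


if __name__ == "__main__":
    for email, doms in cluster_by_registrant(RECORDS).items():
        print(f"registrant {email}: {', '.join(doms)}")
    print("not yet seen, same registrant as known scareware:",
          predict_staging_domains(RECORDS, KNOWN_BAD))
    print("hosting-IP clusters (note the unrelated blog on .10):",
          cluster_by_hosting(RECORDS))
```

Run as a script it prints one registrant cluster containing all four Mac-themed domains, lists appledefence.com and appleprodefence.com as not-yet-used domains sharing that registrant, and shows that pivoting on the hosting IP alone would have dragged the unrelated privacy-proxied site into the cluster.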
For its part, ChronoPay told Krebs in an interview that, as a high-risk service provider, it bears essentially no responsibility for the actions of its customers. It sets up entire businesses, including paying for domain registration, hosting telephone support, opening bank accounts and handling transactions, but maintains that the merchants who use its services are the ones responsible for any legally or ethically questionable behavior. I contacted ChronoPay regarding the link between it and this round of Mac scareware, but have yet to receive a response.
Krebs says that while Apple may have more influence than others when it comes to convincing ChronoPay to shut down the alleged rogue anti-virus side of its business, or at least cut off the clients that dabble in that trade, it still isn’t very likely to happen. Luckily, Apple has promised a fix to protect against the malware in the coming days, and has already posted steps users can take to remove it from their systems.
As always, the best defence against any kind of malware, Mac or otherwise, is due diligence on the part of users. Only download software from trusted sources, research anything before you install it, and never install something that is marketed with scare tactics or whose origin you are unsure of.