Fake MacDefender Malware Originating from Russian Payment Processor

For about a month there has been a fake MacDefender malware that has been circulating and plaguing Apple computer owners. No one seemed to know where it was coming from, but finally on Friday, May 27 a computer security researcher made the claim that the fake malware could be traced back to an online Russian payment processor called ChronoPay.

“Some of the recent scams that used bogus security alerts in a bid to frighten Mac users into purchasing worthless security software appear to have been the brainchild of ChronoPay, Russia’s largest online payment processor and something of a pioneer in the rogue anti-virus business,” wrote security researcher Brian Krebs on his KrebsonSecurity blog.

The fake MacDefender and the incredibly similar scareware called MacProtector and MacSecurity tended to attack from points like infected Google Image search results. Once your computer is infected, it is incredibly difficult for Mac users to remove the malware. The issue is that the malware doesn’t have a dock icon and it attaches itself to the launch menu of the computer.

Krebs was able to trace the newest strains of the scareware back to ChronoPay by simply examining the two different domains that the software directs all of its Mac users to go to for a paid software security solution. While investigating, he found out that both mac-defence.com and macbookprotection.com were associated with the e-mail address fc@mail-eye.com. According to leaked ChronoPay documents, this e-mail address is owned by Alexandra Volkova, the company’s financial controller.

According to Krebs, both of the Mac domains listed above have been suspended by Webpoint.com, which is a Czech registrar; however, Krebs said that the fc@mail-eye.com account was used recently to register appledefense.com and appleprodefense.com. Despite this, Mac users have not yet reported being directed to either of these sites via malware like MacDefender.

“ChronoPay has been an unabashed ‘leader’ in the scareware industry for quite some time,” Krebs writes. Just in 2008, it was the core processor of a site called trafficconvertor.biz. This was an “anti-virus” program that was designed to release the first strain of the Conficker worm. It was an incredibly destructive virus that still works to infect millions of computers across the globe.

“In the coming days, Apple will deliver a Mac OS X software update that will automatically find and remove MacDefender malware and its known variants,” Apple wrote. “The update will also help protect users by providing an explicit warning if they download this malware.”

Apple also released a document with detailed instructions for Mac users on ways to eliminate MacDefender from their computers.

Find out what is going on in the Tech Army World.

What are the Top 10 Money Making Missions?

What other companies have joined and what do they do?

How do I join the
Tech Army Organization ?