The Macintosh isn't normally associated with malware, but the latest piece of software to cause problems for a large portion of the user base has been traced back to the Russian online payment processor ChronoPay.
The MacDefender software, a fake security suite designed to panic Macintosh users into buying it, has been so widespread that Apple themselves intervened this week, offering help and guidance on a support page.
Security researcher Brian Krebs wrote on his blog: “Some of the recent scams that used bogus security alerts in a bid to frighten Mac users into purchasing worthless security software appear to have been the brainchild of ChronoPay, Russia’s largest online payment processor and something of a pioneer in the rogue anti-virus business.”
The fake MacDefender is often delivered through poisoned Google Image search results and is tricky to remove because it adds itself to the computer's login items and has no dock icon.
Krebs says he traced the new strains of the malware back to ChronoPay by investigating two domains the rogue software sends Mac users to for a paid security "solution". He found that both mac-defence.com and macbookprotection.com are associated with the email address [email protected], an address that leaked ChronoPay documents indicate belongs to the company's financial controller, Alexandra Volkova.
Both of these domains have been suspended by Webpoint.com, a Czech registrar. Interestingly, the [email protected] account has very recently been used to register appleprodefence.com and appledefence.com.
Krebs added “ChronoPay has been an unabashed ‘leader’ in the scareware industry for quite some time. In 2008, it was the core processor for trafficconverter.biz, the rogue anti-virus affiliate program that was designed to be the beneficiary of the first strain of the Conficker worm, a menacing contagion that still infects millions of PCs worldwide.
“Last March, the company was at the forefront of another emerging scam, when it began processing payments for icpp-online.com, a scam site that targeted filesharing users and stole victims’ money by bullying them into paying a ‘pre-trial settlement’ to cover a ‘Copyright holder fine.'”
Apple are stepping in and will be releasing an OS X update to remove MacDefender completely.
“In the coming days, Apple will deliver a Mac OS X software update that will automatically find and remove MacDefender malware and its known variants,” Apple wrote. “The update will also help protect users by providing an explicit warning if they download this malware.”
KitGuru says: Hopefully not the first of a new series of attacks on the unprepared Macintosh audience.