False MacDefender malware from a Russian payment processor
For about a month now, there has been a fake MacDefender malware circulating and tormenting Apple computer owners. No one seemed to know where he came from, but finally, on Friday, May 27, a computer security researcher said that the fake malware could be traced to a Russian online payment processor called ChronoPay.
“Some of the recent scams that have used false security alerts to scare Mac users into buying worthless security software seem to have been designed by ChronoPay, Russia’s largest online payment processor and a pioneer in the field of antivirus,” writes Brian Krebs on his blog KrebsonSecurity, security researcher.
The fake MacDefender and the incredibly similar scareware called MacProtector and MacSecurity tended to attack from points like infected Google Image search results. Once your computer is infected, it is incredibly difficult for Mac users to remove malware. The problem is that the malware does not have a dock icon and attaches to the computer’s launch menu.
Krebs was able to trace back to ChronoPay by simply looking at the two different areas where the software asks all its Mac users to turn to a paid software security solution. During his investigation, he discovered that mac-defence.com and macbookprotection.com were associated with the email address [email protected] According to ChronoPay’s leaked documents, this email address belongs to Alexandra Volkova, the company’s financial controller.
According to Krebs, the two Mac domains listed above have been suspended by Webpoint.com, which is a Czech registrar; however, Krebs has stated that the account [email protected] was recently used to register appledefense.com and appleprodefense.com. Despite this, Mac users have not yet reported being directed to any of these sites via malware such as MacDefender.
ChronoPay has been an undisputed “leader” in the fear software industry for some time,” writes Krebs. Just in 2008, it was the central processor of a site called trafficconvertor.biz. It was an “anti-virus” program designed to release the first strain of the Conficker worm. It was an incredibly destructive virus that continues to infect millions of computers around the world.
“In the coming days, Apple will provide a Mac OS X software update that will automatically find and remove MacDefender malware and its known variants,” Apple writes. “The current update will help protect users by displaying an explicit warning if they download this malware.”
Apple has also published a document containing detailed instructions for Mac users on how to remove MacDefender from their computers.