Some of the recent scams that used bogus security alerts in a bid to frighten Mac users into purchasing worthless security software appear to have been the brainchild of ChronoPay, Russia’s largest online payment processor and something of a pioneer in the rogue anti-virus business.
Since the beginning of May, security firms have been warning Apple users to be aware of new scareware threats like MacDefender and Mac Security. The attacks began on May 2, spreading through poisoned Google Image Search results. Initially, these attacks required users to provide their passwords to install the rogue programs, but recent variants do not, according to Mac security vendor Intego.
A few days after the first attacks surfaced, experienced Mac users on Apple support forums began reporting that new strains of the Mac malware were directing users to pay for the software via a domain called mac-defence.com. Others spotted fake Mac security software coming from macbookprotection.com. When I first took a look at the registration records for those domains, I was unsurprised to find the distinct fingerprint of ChronoPay, a Russian payment processor that I have written about time and again as the source of bogus security software.
The WHOIS information for both domains includes the contact address of firstname.lastname@example.org. Last year, ChronoPay suffered a security breach in which tens of thousands of internal documents and emails were leaked. Those documents show that ChronoPay owns the mail-eye.com domain and pays for the virtual servers in Germany that run it. The records also indicate that the email@example.com address belongs to ChronoPay’s financial controller Alexandra Volkova.
The leaked documents also have given ChronoPay’s enemies access to certain online records that the company maintains, such as domain registration accounts tied to the firm. Both mac-defence.com and macbookprotection.com were suspended by the registrar — a company in the Czech Republic called Webpoint.name. But a screen shot shared with KrebsOnSecurity.com shows that someone recently used that firstname.lastname@example.org account to register two more Mac security-related domains that haven’t yet shown up in rogue anti-virus attacks against Mac users: appledefence.com and appleprodefence.com.
Perhaps Apple will have better luck than others who have tried convincing ChronoPay to quit the rogue anti-virus business, but I’m not holding my breath. As I noted in a story earlier this year, ChronoPay has been an unabashed “leader” in the scareware industry for quite some time. In 2008, it was the core processor for trafficconverter.biz, the rogue anti-virus affiliate program that was designed to be the beneficiary of the first strain of the Conficker worm, a menacing contagion that still infects millions of PCs worldwide. Last March, the company was at the forefront of another emerging scam, when it began processing payments for icpp-online.com, a scam site that targeted filesharing users and stole victims’ money by bullying them into paying a “pre-trial settlement” to cover a “Copyright holder fine.”
Update, May 29: ChronoPay responded by publishing a statement denying any involvement in the MacDefender attacks.
Apple has issued an official support note telling users how to avoid or remove Mac Defender malware. ZDNet also got hold of an unofficial document that Apple apparently is distributing to its customer support personnel in charge of fielding complaints about the attacks. I should point out that all of the rules from my recent blog post Krebs’s 3 Basic Rules for Online Safety apply just as well to Mac users as they do to Windows folks. But #1 is the most important, and keeps Mac users out of trouble here: “If you didn’t go looking for it, don’t install it!”