Russian payment processor said to be behind Mac scareware
According to a report by security specialist Brian Krebs, records indicate that Russian payment processor ChronoPay is connected with the recent outbreak of Mac scareware. ChronoPay denies any involvement with the Mac scareware.
Krebs identified two domains used by the scareware for payments, mac-defence.com and macbookprotection.com. On consulting the WHOIS information for those domains, he found they included a contact address of email@example.com. Documentation leaked in a security breach at ChronoPay last year detailed how ChronoPay both owns the mail-eye.com domains and pays for the Germany-based virtual servers that host them.
Those same leaked records also indicated that ChronoPay's financial controller owns firstname.lastname@example.org. Other Apple-related domains were also being registered using that email address after the previous domains were cancelled by the registrar. So far, though, these new domains have not been used by any known malware.
In a statement, ChronoPay denied that there was a connection between the company and MacDefender, said it would "aggressively defend itself against any attacks on the company", and threatened legal action against any party who suggested such a connection.
- Apple publishes Mac Defender removal details, promises fix, a report from The H.
- Mac Defender variant doesn't require admin password, a report from The H.