Pre-Order your new iMac now from MacMall (ships Oct 23) & save hundreds in tax: Apple Price Guides updated Oct 18th (exclusive coupons)
 


Thursday, August 04, 2011, 07:50 pm PT (10:50 pm ET)

Russian online payment site linked to MacDefender malware scam

After a raid on Russian payment giant Chronopay's offices, authorities have found evidence linking the company to the MacDefender fake anti-virus scam that targeted Mac users.

Security expert Brian Krebs reported on his blog that Russian cops have discovered "mountains of evidence" that Chronopay employees were providing technical and customer support for bogus anti-virus software, including MacDefender.

Police discovered "Website support credentials and the call records of 1-800 numbers used to operate the support centers," Krebs wrote. Evidence was also found linking the company to Rx-Promotion, an online program that worked with spammers to promote sites selling counterfeit prescription drugs.

Chronopay has a 45 percent share of the Russian e-commerce market and had denied involvement with the scam in May after Krebs leveled accusations against the company. Co-founder Pavel Vrublevsky was arrested in June over allegations that he hired a hacker to attack his company's rival.

“If allegations against ChronoPay are true then we should expect significant decrease of revenues received by cyber criminals in the appropriate segments of black market in the near future,” said Maxim Suhanov, a specialist at computer-forensics firm Group-IB.

Mac Defender

MacDefender-related document discovered at the Chronopay office


A recent analysis of the fake anti-virus distribution networks found that scammers were using highly profitable pay-per-install programs to deploy the malware. PPI networks reportedly charge as little as $750 for 10,000 installs.

“If you do the math, it’s almost like you’re printing money,” researcher Damon McCoy said. “You could pay the PPI networks $75 to get 1,000 fake AV installs. And if you had an average conversion rate of one in 50, making between $25-$35 on each install, that works out to about 20 sales — or conservatively $500 per one thousand installs."

Users first discovered the MacDefender malicious software in late April. Using a method known as "SEO poisoning," the malware automatically downloaded itself onto users' computers and posed as an anti-virus software in an attempt to trick users into providing credit card information. Security firms categorized the threat as "low" because the users were still required to agree to install the software and provide a password.

Malware


However, in late May, a variant of the malicious software was discovered that installed itself without administrator approval. Apple issued a security update to Mac OS X meant to detect and disable the malware.

Security researchers have applauded Apple for its recent security efforts, especially in Mac OS X Lion, while also warning that the Mac platform's increased visibility may open it up to increased threats from hackers.