A Russian payment processing firm may be behind the Mac Defender scareware - or at least be turning a blind eye to the scammers.
Security researcher Brian Krebs traced the web addresses that the Mac Defender scareware was sending users' credit card information to, and found that the domain names were owned by a firm called Chronopay. Chronopay processes payments for Russian companies.
It is not uncommon for companies in Russia or central Europe to use firms such as Chronopay, because more mainstream processors such as PayPal won't operate there, or charge more to do so. But such firms also offer an opening for scammers and criminals, because they often don't ask for the same kind of documentation that PayPal or MasterCard will.
A phone call to Chronopay was answered with a request to email questions, which were not answered.
Krebs also noted that Chronopay has shown up as the payment processor for scareware and malware vendors before. The company was connected to the infamous Conficker worm when it processed payments for trafficconverter.biz, which also told users that they could pay for a method of ridding themselves of it.
Mac Defender is a piece of fake antivirus software, or scareware, that pretends to scan for viruses, when in fact it redirects the user's browser to pornographic web sites (to convince a user that the computer is infected). It then asks for credit card information to buy a license to use the software. It is not clear yet to whom the credit card information is sent.
The security firm Intego first flagged Mac Defender on its blog on May 2. Since then a variant has appeared that can install itself on a Macintosh operating system without asking for an administrator password. It has also picked up a new name, MacGuard.
Apple has posted instructions for removing the Mac Defender scareware, even as new variants are appearing.
To get rid of the malware once it is installed, one has to launch the Activity Monitor utility. After stopping the Mac Defender process (it often has names such as MacDefender, MacSecurity or MacProtector), the malware can be dragged from the Applications folder to the Trash. Apple says it will also publish a software update that will automatically remove Mac Defender in the coming days.
The simplest way to prevent it from getting installed on your computer is to make sure that the browser, whichever one you use, does not automatically open files after downloading them.
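The manual clean-up above (find the process, then remove the bundle from Applications) can be scripted for a fleet or a help desk. The following is an added example, not code from the article or from Apple: it uses only the process and bundle names the article reports, reads a process listing from a file so it can be exercised offline, and moves matching bundles to a quarantine directory rather than deleting them so an analyst can still inspect them. The `ps -axo pid,ucomm` invocation, the directory layout and the constructed sample input are assumptions.

```shell
#!/bin/sh
# Added example, not part of the article: inspect a process list and an
# Applications directory for the Mac Defender family and quarantine matches.
# Names the article reports for the scareware's process / app bundle.
KNOWN_NAMES="MacDefender MacSecurity MacProtector MacGuard"

# find_suspect_processes FILE
#   FILE holds "pid command" lines, e.g. captured with `ps -axo pid,ucomm`
#   (assumption). The command column may be a full path, so only its
#   basename is compared. Prints "pid name" for each match.
find_suspect_processes() {
    ps_file=$1
    for name in $KNOWN_NAMES; do
        awk -v n="$name" '
            { k = split($2, parts, "/"); if (parts[k] == n) print $1, parts[k] }
        ' "$ps_file"
    done
}

# quarantine_suspect_apps APPS_DIR QUARANTINE_DIR
#   Moves any KNOWN_NAME.app bundle out of APPS_DIR into QUARANTINE_DIR
#   (created if needed) and prints the number of bundles moved.
quarantine_suspect_apps() {
    apps_dir=$1
    quarantine_dir=$2
    mkdir -p "$quarantine_dir"
    count=0
    for name in $KNOWN_NAMES; do
        if [ -d "$apps_dir/$name.app" ]; then
            mv "$apps_dir/$name.app" "$quarantine_dir/"
            count=$((count + 1))
        fi
    done
    echo "$count"
}

# Stand-alone use: sh script.sh PS_FILE APPS_DIR
# The listing is reported first so the operator can kill the process before
# the bundle is moved (Activity Monitor does the same job interactively).
if [ "$#" -eq 2 ]; then
    echo "Suspect processes (pid name):"
    find_suspect_processes "$1"
    moved=$(quarantine_suspect_apps "$2" "$2/../Quarantine")
    echo "Bundles quarantined: $moved"
fi
```

Run it against a saved `ps` listing and a copy of `/Applications` first; the quarantine directory is intentionally kept so the bundle can be hashed and submitted to an antivirus vendor before it is finally deleted.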
Mac Defender has gotten a lot of attention in part because malware and viruses for Macintoshes are rare. While Windows users have had to deal with them often, the very fact that Macs are a smaller part of the operating system market means that hackers have historically not bothered to write malware or viruses.
Several sites, such as ZDNet, are reporting that Mac Defender has caused a spike in technical support calls and visits to the Genius Bar at many Apple retail stores.