Russian police raid points to MacDefender scam

If you wanted to know who was responsible for all that MacDefender malware nonsense a few months ago, Russian police might have an answer.

After a raid on Russian payment giant Chronopay’s offices, authorities have found evidence linking the company to the MacDefender fake anti-virus scam that targeted Mac users.

Per security expert Brian Krebs’ blog post, Russian cops have discovered “mountains of evidence” that Chronopay employees were providing technical and customer support for bogus anti-virus software, including MacDefender.

Police discovered “Website support credentials and the call records of 1-800 numbers used to operate the support centers,” Krebs wrote. Evidence was also found linking the company to Rx-Promotion, an online program that worked with spammers to promote sites selling counterfeit prescription drugs.

Chronopay has a 45 percent share of the Russian e-commerce market and had denied involvement with the scam in May after Krebs leveled accusations against the company. Co-founder Pavel Vrublevsky was arrested in June over allegations that he hired a hacker to attack his company’s rival.

“If allegations against ChronoPay are true then we should expect significant decrease of revenues received by cyber criminals in the appropriate segments of black market in the near future,” said Maxim Suhanov, a specialist at computer-forensics firm Group-IB.

A recent analysis of the fake anti-virus distribution networks found that scammers were using highly profitable pay-per-install programs to deploy the malware. PPI networks reportedly charge as little as US$750 for 10,000 installs.

“If you do the math, it’s almost like you’re printing money,” researcher Damon McCoy said. “You could pay the PPI networks US$75 to get 1,000 fake AV installs. And if you had an average conversion rate of one in 50, making between US$25-US$35 on each install, that works out to about 20 sales — or conservatively US$500 per one thousand installs.”

Users first discovered the MacDefender malicious software in late April. Distributed through a method known as “SEO poisoning,” the malware automatically downloaded itself onto users’ computers and posed as anti-virus software in an attempt to trick users into providing credit card information. Security firms categorized the threat as “low” because users were still required to agree to install the software and provide a password.

However, in late May, a variant of the malicious software was discovered that installed itself without administrator approval. Apple issued a security update to Mac OS X meant to detect and disable the malware.

Security researchers have applauded Apple for its recent security efforts, especially in Mac OS X Lion, while also warning that the Mac platform’s increased visibility may open it up to increased threats from hackers.

Stay tuned for additional details as they become available.