Security analyst suspects Russian online payment company behind Mac scam

An internet security writer has pointed out that a Russian online company might be behind the MacDefender scam that hogged limelight just a few days ago.

Brian Krebs, a security writer, suspected to have found a link between the recent Mac scareware attack and ChronoPay, a Russian online payment processor.

Krebs may have found a link
Krebs wrote on his ‘Krebs on Security’ blog that users started to report on Apple support forums about being directed to mac-defender.com and the macbookprotection.com by the rogue antivirus, few days after the attacks began.

Krebs claimed that both these domains have “distinct figure prints” of the Russian company, found in their registration record.

He found that both the domains had the contact address of fc@mail-eye.com in the WHOIS information.

Krebs claimed that according to several documents and e-mails that came out after ChronoPay suffered a hacking attack last year, the mail-eye.com is owned by the Russian company, and it operates the site with the help of virtual servers in Germany.

The records revealed after the data breach at ChronoPay also reveals that the e-mail address given in the registration record of both the rogue sites belonged to the financial controller of ChronoPay, Alexandra Volkova.

Krebs wrote in his blog that these rogue sites took the help of “bogus security alerts, in a bid to frighten Mac users into purchasing worthless security software.”

ChronoPay accused in the past also
Krebs said that ChronoPay processed payments for trafficconverter.biz, which is linked with the first strain from the Conflicker worm.

The Russian company was also alleged to be the processor for icpp-online.com which targeted users while filesharing.

The users were sent fake notices regarding copyright violations and a copyright holder fine was demanded from them.

eWeek checked the WHOIS records within sixteen hours of the publication of Krebs blog, but found that all contact information has been passed to Crusader Inc., along with a new mail id from Yahoo.

It is also found that all the domains have been suspended by the registering Czech company, Webpoint.name.