The Mac Security Blog

Malware

Who’s Behind the Fake Antiviruses Targeting Mac Users?

Posted on May 27th, 2011 by

With yet another version of the Mac Defender fake antivirus discovered, one may wonder who is behind this rash of attacks targeting Mac users.

Microsoft published an analysis of the malware and the URLs it uses and suggests it is created by the “Winwebsec” gang. The noted the similarity between web pages used to collect credit card numbers. And, they also said,

In addition to using similar UIs, we noticed that they even share the same payment gateway (this is the site where users are duped into giving the criminals their credit card information). Simply changing the file name from “buy.php” to “mac.php” causes the ‘branding’ to change from the Windows version to the Mac version…

Journalist Brian Krebs, in an article on his Krebs on Security blog, claims that ChronoPay, “Russia’s largest online payment processor and something of a pioneer in the rogue anti-virus business,” is involved in this scamware. He examined domain name registrations, and traced them back to ChronoPay, noting that this company was the “core processor for trafficconverter.biz, the rogue anti-virus affiliate program that was designed to be the beneficiary of the first strain of the Conficker worm, a menacing contagion that still infects millions of PCs worldwide.” In addition, this company seems to be behind “a scam site that targeted filesharing users and stole victims’ money by bullying them into paying a ‘pre-trial settlement’ to cover a ‘Copyright holder fine.'”

As we have often pointed out, malware is not written by script kiddies looking to see how many computers they can infect just for fun, but by efficient criminal organizations creating malware with the express goal of scamming people. While more information may be found linking specific companies to such malware, they remain hard to prosecute.