A recent raid by Russian police has revealed evidence that a company called ChronoPay is indeed behind the Mac OS X scareware program MacDefender, despite the company's earlier denials. But while the raid and the arrest of ChronoPay's CEO may put a dent in the company's profits, it's unlikely that MacDefender or its variants will disappear just yet.
When MacDefender first hit the scene, it was called MAC Defender, and it seemed to show up on Mac users' machines after those users followed poisoned Google Image search results. Unlike many scareware apps for Windows, however, this one was actually designed to look like it was made for a Mac, and it claimed to be able to rid the user of viruses—if only he or she would hand over a credit card number. The viruses were, of course, fake; instead, the app was merely collecting payment information so that scammers could abuse the credit cards at a later date.
When we conducted our own investigation into MacDefender, we discovered that it wasn't taking over the Mac world like some had predicted, but the scareware app had made its way into the general population to some degree. Apple soon began combating MacDefender on the OS level, and there hasn't been much news about the malware/scareware since.
But as it turns out, whoever was behind MacDefender continued chugging along, raking in money from unsuspecting Mac users until Russian law enforcement descended on the ChronoPay office in late July, as noted by Forbes Russia. And when police searched ChronoPay's office, they found "mountains of evidence" that ChronoPay employees were doing tech and customer support for MacDefender and a plethora of other fake antivirus programs, according to former Washington Post reporter and current security expert Brian Krebs.
http://arstechnica.com/apple/news/2011/08/raid-reveals-evidence-of-chronopay-ties-to-macdefender-scareware.ars