Follow the money.
If you want to get to the bottom of something, whether it is a political scandal, a murder mystery, or the source of the rogue AV scareware attacks against Mac OS X, follow the money.
Security reporter Brian Krebs did just that, and he has connected the dots leading from MacDefender and the sudden plague of Mac malware back to a Russian payment processing company, ChronoPay.
Observant Mac users reported the domain names to which the rogue AV attacks directed victims for payment. Krebs dug into the WHOIS records for those domains to determine who owned them and so follow the money back to its source. Krebs also happens to be in possession of tens of thousands of pages of ChronoPay documents leaked in a data breach last year, which allowed him to follow the trail all the way back to ChronoPay.
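The kind of digging described above, pivoting on WHOIS registrant details to link scareware payment domains to a common owner, is easy to do at small scale. The script below is an added example for this post, not code from Krebs or from the original article: it parses constructed WHOIS records (the domain names, registrant, registrar and name servers are all placeholders, not the real MacDefender payment sites), clusters domains that share a registrant email, and falls back to shared name servers for domains hidden behind a WHOIS privacy service. The privacy markers and the field names are assumptions about a typical registrar's "Key: value" output.

```python
import re
from collections import defaultdict

# Constructed sample WHOIS records for this example only. The domain names,
# registrant details, registrar and name servers are placeholders; none of
# them come from the actual MacDefender payment sites or from Krebs' reporting.
SAMPLE_WHOIS = {
    "pay-secure.example": """\
Domain Name: PAY-SECURE.EXAMPLE
Registrar: Example Registrar, Inc.
Creation Date: 2011-04-20T10:11:12Z
Registrant Name: Ivan Placeholder
Registrant Organization: Placeholder Payments Ltd
Registrant Email: billing@placeholder-payments.example
Name Server: NS1.PLACEHOLDER-HOSTING.EXAMPLE
Name Server: NS2.PLACEHOLDER-HOSTING.EXAMPLE
""",
    "mac-checkout.example": """\
Domain Name: MAC-CHECKOUT.EXAMPLE
Registrar: Example Registrar, Inc.
Creation Date: 2011-05-02T08:00:00Z
Registrant Name: I. Placeholder
Registrant Organization: Placeholder Payments Ltd
Registrant Email: BILLING@placeholder-payments.example
Name Server: NS1.PLACEHOLDER-HOSTING.EXAMPLE
Name Server: NS2.PLACEHOLDER-HOSTING.EXAMPLE
""",
    "avbilling.example": """\
Domain Name: AVBILLING.EXAMPLE
Registrar: Other Registrar LLC
Creation Date: 2011-05-10T12:30:00Z
Registrant Name: Privacy Protect
Registrant Organization: Privacy Protect Service
Registrant Email: contact@privacy-protect.example
Name Server: NS1.PLACEHOLDER-HOSTING.EXAMPLE
Name Server: NS2.PLACEHOLDER-HOSTING.EXAMPLE
""",
    "unrelated-shop.example": """\
Domain Name: UNRELATED-SHOP.EXAMPLE
Registrar: Other Registrar LLC
Creation Date: 2009-01-15T00:00:00Z
Registrant Name: Jane Someone
Registrant Organization: Someone Stores
Registrant Email: jane@someone-stores.example
Name Server: NS1.GENERIC-DNS.EXAMPLE
""",
}

KEPT_FIELDS = {"registrar", "creation date", "registrant name",
               "registrant organization", "registrant email"}

def parse_whois(text):
    """Parse 'Key: value' lines into a dict; name servers collect into a list."""
    record = {"name servers": []}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z ]+?):\s*(.+?)\s*$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "name server":
            record["name servers"].append(value.lower())
        elif key in KEPT_FIELDS:
            record[key] = value
    return record

# Assumed markers of a WHOIS privacy/proxy service standing in for the owner.
PRIVACY_MARKERS = ("privacy", "proxy", "whoisguard", "redacted")

def is_privacy_protected(record):
    """Heuristic: registrant fields name a privacy service rather than an owner."""
    blob = " ".join(record.get(k, "") for k in
                    ("registrant name", "registrant organization", "registrant email")).lower()
    return any(marker in blob for marker in PRIVACY_MARKERS)

def cluster_by_registrant(records):
    """Group domains by normalized registrant email; privacy-protected ones are set aside."""
    clusters = defaultdict(list)
    for domain, rec in sorted(records.items()):
        if is_privacy_protected(rec):
            clusters["<privacy-protected>"].append(domain)
        else:
            clusters[rec.get("registrant email", "<none>").lower()].append(domain)
    return dict(clusters)

def cluster_by_name_server(records):
    """Second pivot: domains sharing a name server, which survives WHOIS privacy."""
    by_ns = defaultdict(set)
    for domain, rec in records.items():
        for ns in rec["name servers"]:
            by_ns[ns].add(domain)
    return {ns: sorted(domains) for ns, domains in by_ns.items() if len(domains) > 1}

def follow_the_money(raw_records):
    """Parse every record and return both pivots so the overlaps can be compared."""
    records = {d: parse_whois(t) for d, t in raw_records.items()}
    return {"by_registrant": cluster_by_registrant(records),
            "by_name_server": cluster_by_name_server(records)}

if __name__ == "__main__":
    import json
    print(json.dumps(follow_the_money(SAMPLE_WHOIS), indent=2))
```

On the constructed data, two of the payment domains share a registrant email (case-normalized, since registrars do not agree on capitalization), the third hides behind a privacy service and only links to the others through its name servers, and the unrelated shop clusters with nothing. Real WHOIS output varies by registrar and TLD, so treat the parser as a starting point, and treat a name-server overlap as a lead to confirm with other evidence, not as proof of common ownership.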
It is unclear how that knowledge can be put to good use. Given the realities of international law enforcement, prosecuting attacks that cross national borders can be tricky.
In the meantime, Mac users should be aware of the issue and follow Apple's guidance for removing the rogue AV, pending an update to Mac OS X that guards against it.