Krebs did a WHOIS search of the domains -- mac-defence.com and macbookprotection.com --that victims of Mac Defender were sent to in order to pay for the phony anti-virus software. Both domains were associated with an email address associated with ChronoPay's financial controller.

A leak of ChronoPay's internal documents last year, caught by Krebs, provided further ties between the Russian online payment firm and the malware, which may be hiding under different aliases, including MacDefender, MacProtector, MacSecurity and Apple Security Center, . The documents have also signaled that two new domains -- appledefence.com and appleprodefence.com -- were registered on May 20 to ChronoPay, evidence that the Mac Defender malware, which started its Apple-unfriendly onslaught on May 2, isn't finished yet.

Apple has released with instructions on . Apple also promised an upcoming security update to OSX that should help eliminate the threat.