Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Flashback Trojan Targets Big Profits Through Google Ads Fraud Scheme

There is more to the Flashback attacks than simply infecting computers. According to Symantec, a version of the malware targets Google in an advertising fraud scheme that could generate up to $10,000 a day in profits for the fraudsters.

Symantec dubbed the variant Flashback.K. After some reverse engineering, the firm determined the malware is being used in a click fraud scheme designed to hijack clicks on legitimate Google ads and send them to websites that paid them to generate traffic.

There is more to the Flashback attacks than simply infecting computers. According to Symantec, a version of the malware targets Google in an advertising fraud scheme that could generate up to $10,000 a day in profits for the fraudsters.

Symantec dubbed the variant Flashback.K. After some reverse engineering, the firm determined the malware is being used in a click fraud scheme designed to hijack clicks on legitimate Google ads and send them to websites that paid them to generate traffic.

Flashback Click FraudSuch operations are hardly original, but can be extremely profitable. Last month, the U.S. Attorney for the Southern District of New York extradited an Estonian man to the U.S. as part of a similar scheme that altered the settings on infected computers and re-routed Internet searches so that users visited certain websites. The operation generated millions of dollars before it was shut down.

In the case of Flashback, the ad clicking component is loaded into Chrome, Firefox and Safari in order to intercept all GET and POST requests from the browser, Symantec’s Security Response team explained in a blog post.

“Flashback specifically targets search queries made on Google and, depending on the search query, may redirect users to another page of the attacker’s choosing, where they receive revenue from the click,” according to the company.

“The ad click component parses out requests resulting from an ad click on Google Search and determines if it is on a whitelist,” the company continued. “If not, it forwards the request to the malicious server in the following form:

http://[FLASHBACK_DOMAIN]/search?q=[QUERY]&ua=[USER AGENT]&al=[LANG]&cv=[VERSION]

“Flashback uses a specially crafted user agent in these requests, which is actually the clients universally unique identifier (UUID) encoded in base64,” according to Symantec. “This is already sent in the “ua” query string parameter, so it is likely that this is an effort to thwart “unknown” parties from investigating the URL with unrecognised user-agents.”

Flashback is widely believed to be the biggest Mac botnet of all time, infecting hundreds of thousands of users.

“Ad-clicking Trojans are nothing new and in an analysis of W32.Xpaj.B last August a botnet measuring in the region of 25,000 infections could generate the author up to $450 per day,” the firm continued. “Considering the Flashback Trojan measures in the hundreds of thousands, this figure could sharply rise to the order of $10,000 per day. A very profitable enterprise indeed, and all the more reason to keep your Mac fully patched and your virus definitions up to date.”

Related: Flashback Botnet Updated to Include Twitter as C&C

Related: Everything You’ve Always Wanted to Know About Flashback

Written By

Click to comment

Expert Insights

Related Content

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Cybercrime

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Cybercrime

The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Cybercrime

A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...

Cybercrime

Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Cybercrime

Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.