There is more to the Flashback attacks than simply infecting computers. According to Symantec, a version of the malware targets Google in an advertising fraud scheme that could generate up to $10,000 a day in profits for the fraudsters.
Symantec dubbed the variant Flashback.K. After some reverse engineering, the firm determined the malware is being used in a click fraud scheme designed to hijack clicks on legitimate Google ads and send them to websites that paid them to generate traffic.
Such operations are hardly original, but can be extremely profitable. Last month, the U.S. Attorney for the Southern District of New York extradited an Estonian man to the U.S. as part of a similar scheme that altered the settings on infected computers and re-routed Internet searches so that users visited certain websites. The operation generated millions of dollars before it was shut down.
In the case of Flashback, the ad clicking component is loaded into Chrome, Firefox and Safari in order to intercept all GET and POST requests from the browser, Symantec’s Security Response team explained in a blog post.
“Flashback specifically targets search queries made on Google and, depending on the search query, may redirect users to another page of the attacker’s choosing, where they receive revenue from the click,” according to the company.
“The ad click component parses out requests resulting from an ad click on Google Search and determines if it is on a whitelist,” the company continued. “If not, it forwards the request to the malicious server in the following form:
http://[FLASHBACK_DOMAIN]/search?q=[QUERY]&ua=[USER AGENT]&al=[LANG]&cv=[VERSION]
“Flashback uses a specially crafted user agent in these requests, which is actually the clients universally unique identifier (UUID) encoded in base64,” according to Symantec. “This is already sent in the “ua” query string parameter, so it is likely that this is an effort to thwart “unknown” parties from investigating the URL with unrecognised user-agents.”
Flashback is widely believed to be the biggest Mac botnet of all time, infecting hundreds of thousands of users.
“Ad-clicking Trojans are nothing new and in an analysis of W32.Xpaj.B last August a botnet measuring in the region of 25,000 infections could generate the author up to $450 per day,” the firm continued. “Considering the Flashback Trojan measures in the hundreds of thousands, this figure could sharply rise to the order of $10,000 per day. A very profitable enterprise indeed, and all the more reason to keep your Mac fully patched and your virus definitions up to date.”
Related: Flashback Botnet Updated to Include Twitter as C&C
Related: Everything You’ve Always Wanted to Know About Flashback