CONFERENCE Cyber AI & Automation Summit - Watch Sessions
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Flashback Trojan Targets Big Profits Through Google Ads Fraud Scheme

There is more to the Flashback attacks than simply infecting computers. According to Symantec, a version of the malware targets Google in an advertising fraud scheme that could generate up to $10,000 a day in profits for the fraudsters.

Symantec dubbed the variant Flashback.K. After some reverse engineering, the firm determined the malware is being used in a click fraud scheme designed to hijack clicks on legitimate Google ads and send them to websites that paid them to generate traffic.

There is more to the Flashback attacks than simply infecting computers. According to Symantec, a version of the malware targets Google in an advertising fraud scheme that could generate up to $10,000 a day in profits for the fraudsters.

Symantec dubbed the variant Flashback.K. After some reverse engineering, the firm determined the malware is being used in a click fraud scheme designed to hijack clicks on legitimate Google ads and send them to websites that paid them to generate traffic.

Flashback Click FraudSuch operations are hardly original, but can be extremely profitable. Last month, the U.S. Attorney for the Southern District of New York extradited an Estonian man to the U.S. as part of a similar scheme that altered the settings on infected computers and re-routed Internet searches so that users visited certain websites. The operation generated millions of dollars before it was shut down.

In the case of Flashback, the ad clicking component is loaded into Chrome, Firefox and Safari in order to intercept all GET and POST requests from the browser, Symantec’s Security Response team explained in a blog post.

“Flashback specifically targets search queries made on Google and, depending on the search query, may redirect users to another page of the attacker’s choosing, where they receive revenue from the click,” according to the company.

“The ad click component parses out requests resulting from an ad click on Google Search and determines if it is on a whitelist,” the company continued. “If not, it forwards the request to the malicious server in the following form:

http://[FLASHBACK_DOMAIN]/search?q=[QUERY]&ua=[USER AGENT]&al=[LANG]&cv=[VERSION]

“Flashback uses a specially crafted user agent in these requests, which is actually the clients universally unique identifier (UUID) encoded in base64,” according to Symantec. “This is already sent in the “ua” query string parameter, so it is likely that this is an effort to thwart “unknown” parties from investigating the URL with unrecognised user-agents.”

Flashback is widely believed to be the biggest Mac botnet of all time, infecting hundreds of thousands of users.

Advertisement. Scroll to continue reading.

“Ad-clicking Trojans are nothing new and in an analysis of W32.Xpaj.B last August a botnet measuring in the region of 25,000 infections could generate the author up to $450 per day,” the firm continued. “Considering the Flashback Trojan measures in the hundreds of thousands, this figure could sharply rise to the order of $10,000 per day. A very profitable enterprise indeed, and all the more reason to keep your Mac fully patched and your virus definitions up to date.”

Related: Flashback Botnet Updated to Include Twitter as C&C

Related: Everything You’ve Always Wanted to Know About Flashback

Written By

Marketing professional with a background in journalism and a focus on IT security.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Don’t miss this Live Attack demonstration to learn how hackers operate and gain the knowledge to strengthen your defenses.

Register

Join us as we share best practices for uncovering risks and determining next steps when vetting external resources, implementing solutions, and procuring post-installation support.

Register

People on the Move

Shanta Kohli has been named CMO at Sysdig.

Cloud security firm Sysdig has appointed Sergej Epp as CISO.

F5 has appointed John Maddison as Chief Product Marketing and Technology Alliances Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.