Flashback gang could be making $10K a day off infected Macs
Symantec spells out the malware's money-making mechanism: click fraud
Computerworld - The Flashback malware that's infected hundreds of thousands of Macs may be generating more than $10,000 a day for the hackers who made the Trojan horse, Symantec said Monday.
The malware steals clicks from ads that Google's search engine displays alongside search results.
In a blog entry posted today, Symantec published an analysis of Flashback's money-making capabilities, and concluded -- as others had earlier -- that the gang was turning a profit through click fraud.
Flashback.K surfaced in March and by early April had infected more than 600,000 Macs.
"Click fraud" describes campaigns where large numbers of people are silently redirected to online ads not normally served by the site the user is viewing. The criminals receive kickbacks from the sometimes-legitimate, sometimes-shady intermediaries for each ad clicked.
The clicks are "ghost clicks" in that they are not triggered by a human, but instead by the botnet.
That's exactly what Flashback.K does, said Symantec. After worming its way onto a Mac via an exploit of a since-patched Java vulnerability, Flashback.K loads an ad-clicking component into Apple's Safari, Google's Chrome and Mozilla's Firefox browsers.
"Flashback specifically targets search queries made on Google and, depending on the search query, may redirect users to another page of the attacker's choosing, where they receive revenue from the click," said Symantec. "Google never receives the intended ad click."
In one code snippet shown by Symantec, a hijacked ad based on the user searching for "toys" would generate $0.008 per click, meaning that 1,000 clicks would earn the hackers $8, 10,000 clicks $80, and so on.
The Flashback gang is still earning this fraudulent revenue, even though much of the botnet has been "sinkholed" by Symantec and other antivirus companies, said Vikram Thakur, principal security response manager at Symantec. By registering as many as they can of the potential command-and-control (C&C) domains the malware uses to receive instructions, security researchers prevent orders from reaching the infected Macs. The commands fall down a metaphoric "sinkhole" instead.
But in an interview today, Thakur confirmed that Flashback-infected Macs, even those that have been sinkholed by security firms, continue to produce revenue for the hackers.
"They're still making money," said Thakur, explaining that the ad-clicking component communicates to different C&C servers whose IP addresses are hard-coded into the malware. Those servers have not been sinkholed. "In fact, they're making a lot of money."
How much wasn't clear. Symantec hasn't been able to uncover the botnet revenue, but instead compared its size and money-making abilities to the 2011 "W32.Xpaj.B" botnet, a collection of 25,000 compromised Windows PCs that returned up to $450 per day to its handlers.
If Flashback's profit-making is as efficient, and with its size hovering around 600,000 Macs, by that example it could generate up to $10,800 per day, or $75,600 per week or $3.9 million over the course of a year. All tax free.
"That's a lot of money," Thakur said.