Mac-based Flashback click fraud campaign was a bust
Malware infected 600,000 Macs, but hackers haven't collected a dime
Computerworld - The hackers in charge of the Flashback botnet managed to generate $14,000 from their click fraud campaign, but have not been paid, Symantec said today.
New analysis of the Flashback botnet and the traffic between infected Macs and command-and-control (C&C) servers exposed the earnings and the lack of payment, Liam O Murchu, manager of operations at Symantec's security response center, said in an interview today.
O Murchu credited security companies' efforts for preventing the botnet's handlers from generating more money through click fraud.
"Lots of security companies sinkholed Flashback's domains, and this caused [the hackers] a lot of problems," said O Murchu.
Starting in early April, antivirus vendors, including Symantec, snatched potential C&C domains before the attackers did, effectively blocking orders from reaching many of the estimated 600,000 infected Macs. The commands fall down a metaphoric "sinkhole" instead.
Part of the Flashback botnet survived those efforts, however. The hackers retained control of at least 10,000 Macs, which they infected with additional code that steals clicks from ads that Google's search engine displays alongside search results.
Altogether, Flashback's creators were able to use less than 2% of the botnet to crank out ghost clicks.
Even though the percentage seems small, those Macs displayed more than 10 million ads in a three-week span; 400,000 of those ads were clicked by users. The 400,000 clicks were worth approximately $14,000.
The profit-making strategy, called "click fraud," redirects large numbers of people to online ads not normally served by the site the user is viewing. The criminals receive kickbacks from the sometimes-legitimate, sometimes-shady intermediaries for each ad clicked.
In this case, said O Murchu, it seems the Flashback gang didn't actually earn a dime.
"The traffic we've analyzed tells us that they hadn't been paid," said O Murchu, referring to the hackers' efforts to get their money. "They haven't been able to provide the information to the pay-per-click [PPC] affiliate that [was] required to be paid."
O Murchu declined to identify the PPC affiliate that served 98% of the Flashback-generated clicks, but said it appeared the PPC was legitimate and not one of the shadier such firms that essentially pawn off bogus clicks as the real deal.
Legitimate PPCs employ anti-fraud controls -- including sample traffic from the source of the clicks -- because without that verification they won't be paid by advertisers, said O Murchu.
"Cashing out is the difficult part [of click fraud]," said O Murchu, noting that while other criminal gangs have gotten away with it, Flashback's backers have not.
Previously, Symantec had estimated that the Flashback botnet had the potential to earn hackers around more than $10,000 per day. "This could have been extremely profitable," said O Murchu.
O Murchu declined to estimate the current size of the Flashback botnet.
In many cases, Macs were infected by the Flashback malware via an exploit of a Java vulnerability that Apple was slow in patching on OS X 10.6, or Snow Leopard, and OS 10.7, aka Lion.
Since Flashback made headlines early in April, Apple has issued Java security updates for Snow Leopard and Lion, as well as a malware removal tool for those operating systems and OS X 10.5, better known as Leopard.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His email address is firstname.lastname@example.org.
- Apple hands stock worth $12.1M to top execs in retention deal
- Hands on: Apple's Mac Pro is the fastest Mac ever
- Apple CFO to retire in September after he cashes in $53M stock award
- Apple's CarPlay to spark mobile apps war in your car
- Apple retires Snow Leopard from support, leaves 1 in 5 Macs vulnerable to attacks
- Apple patches critical 'gotofail' bug with Mavericks update
- Why Apple needs a $700 MacBook Air
- Apple takes top spot in brand value computation
- Apple gets a patent for health-monitoring ear buds
- Apple shifts to hardware-first TV strategy with revamped set-top box
Read more about Cybercrime and Hacking in Computerworld's Cybercrime and Hacking Topic Center.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Who's Spying on You? You're aware of the threats of malware to your business but what about the ever-changing ground rules? Cybercriminals today are launching attacks against...
Red Hat Enterprise Linux - The Original Cloud Operating System
Linux adoption is growing against a number of measures, such as the
number of supercomputers that run Linux and the size of the contributing...
- OpenStack Hype vs. Reality: CIO Quick Pulse Open-source architecture can enable IT departments to build infrastructure-as-a-service (IaaS) clouds running on standard hardware.
- Building a Bridge to the Next Generation Data Center Selecting a widely adopted operating system is a foundational component of a standardization strategy.
- Webinar: Building a Big Data solution that's production-ready Big data solutions are no longer just a nice-to-have.
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well... All Cybercrime and Hacking White Papers | Webcasts