The cyber-criminals behind the botnet stole ad revenue from Google by redirecting clicks from infected Apple Mac systems, according to Symantec researchers.
The cyber-criminals running the notorious Mac Flashback malware were bringing in as much as $10,000 a day during the height of the botnet's activity, according to security software vendor Symantec.
The attackers behind the Flashback malware—which at one point had infected as many as 700,000 Apple Macs worldwide—essentially were stealing advertising revenue from Google by redirecting clicks from users of infected systems, members of Symantec’s Security Response group said in an April 30 post on the company’s blog. The ad revenue for those clicks went to the cyber-criminals, not Google, Symantec said.
“The Flashback ad-clicking component is loaded into Chrome, Firefox and Safari where it can intercept all GET and POST requests from the browser,” the company said in the blog post. “Flashback specifically targets search queries made on Google and, depending on the search query, may redirect users to another page of the attacker's choosing, where they receive revenue from the click. (Google never receives the intended ad click.)”
“The ad click component parses out requests resulting from an ad click on Google Search and determines if it is on a whitelist. If not, it forwards the request to the malicious server.”
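As an added illustration of a defender-side check for the behaviour Symantec describes (this is example code written for this article, not Symantec's analysis code or anything from Flashback), the script below scans a constructed browser navigation log for search-ad clicks whose next page load is not the advertiser named in the click URL. The ad-click URL prefixes, the `adurl` parameter name and the crude site-matching rule are assumptions that would need adapting to real traffic.

```python
"""Heuristic detector for hijacked search-ad clicks (added example, not
Symantec's or Flashback's code). Input: a constructed (timestamp, url) log
in browser load order. Ad-click prefixes and DEST_PARAM are assumptions."""
from urllib.parse import parse_qs, urlsplit

AD_CLICK_PREFIXES = ("www.google.com/aclk", "www.googleadservices.com/pagead/aclk")
DEST_PARAM = "adurl"  # assumed query parameter carrying the advertiser's landing URL

def hostname(url):
    return (urlsplit(url).hostname or "").lower()

def is_ad_click(url):
    s = urlsplit(url)
    return any((s.netloc + s.path).startswith(p) for p in AD_CLICK_PREFIXES)

def expected_landing(url):
    """Host the advertiser intended the click to land on (empty if unknown)."""
    dest = parse_qs(urlsplit(url).query).get(DEST_PARAM, [""])[0]
    return hostname(dest)

def same_site(a, b):
    # Crude site match: compare the last two labels (assumption; real code
    # should use a public-suffix list).
    return a.split(".")[-2:] == b.split(".")[-2:]

def find_hijacked_clicks(nav_log):
    """Return (click_url, expected_host, actual_host) for every ad click whose
    next navigation lands somewhere other than the advertiser's site."""
    findings = []
    for i in range(len(nav_log) - 1):
        url = nav_log[i][1]
        if not is_ad_click(url):
            continue
        expected = expected_landing(url)
        actual = hostname(nav_log[i + 1][1])
        if expected and not same_site(expected, actual):
            findings.append((url, expected, actual))
    return findings

NAV_LOG = [  # constructed sample session
    ("10:00:01", "https://www.google.com/search?q=toys"),
    ("10:00:09", "https://www.google.com/aclk?sa=L&adurl=https%3A%2F%2Fwww.toyshop.example%2F"),
    ("10:00:10", "https://www.toyshop.example/"),  # legitimate landing
    ("10:01:41", "https://www.google.com/aclk?sa=L&adurl=https%3A%2F%2Fstore.example.org%2Fsale"),
    ("10:01:42", "http://click-redirect.invalid/go?id=42"),  # click sent elsewhere
]
```

Running `find_hijacked_clicks(NAV_LOG)` flags only the second click, whose landing host differs from the advertiser encoded in the click URL; the first click lands where expected and is ignored.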
The Flashback malware started off last fall as a Trojan horse masquerading as an update to Adobe Flash. It morphed into a drive-by exploit that infected unprotected systems that visited a compromised or malicious Website.
The exploit leveraged a flaw in Java that Oracle had patched in February for Windows PCs and other systems, but that Apple didn’t address until issuing a patch in early April. By that time, more than 600,000 Macs—more than 1 percent of those in use globally—had become infected, and a botnet of that size could have netted the Flashback operators as much as $10,000 a day, according to Symantec.
Symantec researchers reverse-engineered the OSX.Flashback.K variant to see how the malware operated, according to the company. If a user of an unpatched Mac visited a compromised Website, the browser would be redirected to an exploit site hosting various Java exploits, and the initial Flashback component would be installed onto the system. That component would then download a loader and an ad-clicking component, Symantec said.
“Not much detail has been said about the ad-clicking component, so we will reveal the true motivation behind the malware: the end goal of this Trojan is revenue generation,” the Symantec Security Response team wrote.
The researchers ran a search for “toys” on an infected system. After doing so, they said that they could “clearly see a value of 0.8 cents for the click and the redirection URL highlighted in red. This redirected URL is subsequently written into the browser so that the user is now directed to the new site, in effect hijacking the ad click Google should have received. … This ultimately results in lost revenue for Google and untold sums of money for the Flashback gang.”
Apple officials have been criticized for their slow response to the Flashback malware—particularly rolling out a patch for the Java vulnerability two months after Oracle had issued one—and the Symantec researchers again noted that in their blog post.
“Unfortunately for Mac users, there was a large window of exposure since Apple’s patch for this vulnerability was not available for six weeks,” they wrote. “This window of opportunity helped the Flashback Trojan to infect Macs on a large scale. The Flashback authors took advantage of the gap between Oracle and Apple's patches by exploiting vulnerable Websites using WordPress and Joomla to add malicious code snippets.”
Since the extent of the Mac infections was reported in early April, a host of security software vendors and Apple itself have launched tools designed to detect and remove the Flashback malware from Macs. However, there has been some disagreement over how widespread the infection still is. Symantec officials reported in mid-April that the number of infected Macs had dropped to 140,000, while Kaspersky Lab researchers estimated the number was about 30,000.
However, Russian antivirus firm Dr. Web, which first reported the extent of the Flashback infections, said April 20 that the number of infected Macs was still at more than 650,000, and after hearing how the company came up with its figures, Symantec officials agreed, as did Mac security software vendor Intego.