Mac botnet generated $10,000 a day for Flashback gang


Summary: Flashback was robbing Google of advertising dollars by redirecting clicks from infected Mac OS X machines and stealing the ad revenue.


Security researchers at Symantec are estimating that the cyber-criminals behind the Flashback Mac OS X botnet may have raked in about $10,000 a day.

In a new blog post that discusses the business model of the botnet, Symantec found that Flashback was robbing Google of advertising dollars by redirecting clicks from infected Mac OS X machines and stealing the ad revenue.

At its height, Flashback contained more than 700,000 Mac machines, and Symantec calculates that a botnet of that size could easily generate about $10,000 a day in click fraud.

Some details from Symantec's blog:

The Flashback ad-clicking component is loaded into Chrome, Firefox, and Safari where it can intercept all GET and POST requests from the browser. Flashback specifically targets search queries made on Google and, depending on the search query, may redirect users to another page of the attacker's choosing, where they receive revenue from the click. (Google never receives the intended ad click.)

The ad click component parses out requests resulting from an ad click on Google Search and determines if it is on a whitelist. If not, it forwards the request to [a] malicious server.

Symantec reports that the hijacked ad click is based on a user searching for "toys".

We can clearly see a value of 0.8 cents for the click and the redirection... This redirected URL is subsequently written into the browser so that the user is now directed to the new site, in effect hijacking the ad click Google should have received.
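The flow Symantec describes leaves a footprint in outbound web traffic: a results page is followed by a hop to an attacker server rather than to Google's own click handler. The script below is an added example, not Symantec's or the article's code, that replays a constructed proxy log and flags clients showing that pattern. It assumes log records are top-level navigations of the form (client, seconds, url), that legitimate clicks from a Google results page pass through a Google click-tracking URL (the `/aclk` ad-click handler or the `/url` redirect) before reaching the destination, and that the host names and the 10-second window are placeholders to tune for a real environment.

```python
"""
Added example: proxy-log heuristic for the click-hijack flow described
in the Symantec excerpt. Not Symantec's code; all hosts are constructed.

Model: after a Google search the browser's next navigation should be a
Google click-tracking URL. A hijacked ad click never reaches Google, so
a third-party host appears directly after the results page instead.
"""
from urllib.parse import urlparse

GOOGLE_HOST_SUFFIXES = (".google.com", ".googleadservices.com")  # assumption
CLICK_PATHS = ("/aclk", "/url")                                  # assumption
WINDOW_SECONDS = 10.0   # how soon after a results page a click is expected


def host_of(url):
    return urlparse(url).netloc.lower()


def is_google(host):
    return host == "google.com" or host.endswith(GOOGLE_HOST_SUFFIXES)


def is_search_results(url):
    p = urlparse(url)
    return is_google(p.netloc.lower()) and p.path == "/search"


def is_google_click(url):
    """True for the hop Google itself inserts between results page and ad."""
    p = urlparse(url)
    return is_google(p.netloc.lower()) and p.path.endswith(CLICK_PATHS)


def find_bypassed_clicks(records):
    """Return (client, search_url, suspicious_url) for every navigation that
    follows a results page inside WINDOW_SECONDS without a Google click hop.
    A typed-in URL also matches, so the signal is repeated hits per client."""
    findings = []
    pending = {}   # client -> (timestamp, search_url) awaiting the next hop
    for client, ts, url in sorted(records, key=lambda r: (r[0], r[1])):
        if is_search_results(url):
            pending[client] = (ts, url)
            continue
        if client not in pending:
            continue
        t0, search_url = pending.pop(client)
        if ts - t0 > WINDOW_SECONDS or is_google_click(url) or is_google(host_of(url)):
            continue            # expected behaviour, or outside the window
        findings.append((client, search_url, url))
    return findings


# Constructed sample log: one clean client, one whose ad click was swallowed
# and replaced by a hop to an attacker-controlled server (host is made up).
SAMPLE_LOG = [
    ("10.0.0.5", 100.0, "https://www.google.com/search?q=toys"),
    ("10.0.0.5", 103.0, "https://www.googleadservices.com/pagead/aclk?sa=L&adurl=https://toyshop.example/sale"),
    ("10.0.0.5", 104.0, "https://toyshop.example/sale"),
    ("10.0.0.9", 200.0, "https://www.google.com/search?q=toys"),
    ("10.0.0.9", 202.0, "https://clicks.hijack.example/r?q=toys"),
    ("10.0.0.9", 203.0, "https://other-shop.example/landing"),
]

if __name__ == "__main__":
    for client, search, url in find_bypassed_clicks(SAMPLE_LOG):
        print(f"{client}: {search} -> {url} (no Google click hop seen)")
```

Run against the sample log, only the second client is reported: its navigation after the search went straight to a non-Google host. On real traffic, tune the window and the host suffixes, feed only top-level navigations (not sub-resources), and treat a handful of hits from one client over a day as the review threshold rather than a single event.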

"This ultimately results in lost revenue for Google and untold sums of money for the Flashback gang," Symantec said.



Talkback

45 comments
  • This is why platforms are targeted

    Established platforms with a large user base are targeted because of the potential revenue stream and payout for organized crime. Criminals are not targeting BeOS, QNX and other niche operating systems as much as Apple and Microsoft. Like Willie Sutton, criminals target Apple and Microsoft, because "That's where they keep the money."
    Your Non Advocate
    • If Flashback infected every single Linux desktop out there

      the authors could have made at least $10.
      toddbottom3
• Funny but likely not true... After all even Linux with its

        small market share numbers (numbers no one seems to actually agree upon at any given time) represents likely millions of users across the globe. These particular users are likely heavy google users as well given their leanings and all. For instance while I'm a Mac user I avoid google like the plague and never use any of their services, not a one. So even "IF" I had contracted this bot it would have done the thieves no good for they'd not get any google related clicks from me and hence no money.

        Pagan jim
        James Quinn
      • LOL!

        Nice!
        NonFanboy
      • I actually look forward to your snarky posts...

        Toddbottom3 (Sounds like some sort of a tropical bottom-feeding fish at a pet store).

I look forward to most of your posts which for me, are entertaining and usually bring a smile to my face as I read them. Unfortunately, some folks out here don't see your sarcastic humor and your style of trolling.

        Of course, if you say that you are indeed serious when you post these comments, then that is something truly hilarious.

        Anyways, bottomfeeder, keep up the hard work! :D
        DarkWorks Entertainment
    • fleas come with the dog

      Amazon, Apple, Facebook, and Google are all targets these days. Not much you can do...other than respond or just be invisible and irrelevant.
      phil_simon
      • Invisible and Irrelevant?

        Golly. Irrelevant because I don't use Facepost or Bookface? Oh please. I'm not trolling for 12 year old attention whores who want me to be one of their 33,000 best friends for life. Amazon? Don't use Amazon, never did. Google? Is that an invisible or an irrelevant? Apple? Why on earth would I want anything Apple? Please reboot your computer experience, if the four you list are really, really relevant to you and you feel you need that sort of visibility you are a little silly, simple, and well there is no way to say this nicely. You sir are a freaking idiot. Good day.
        Otis Driftwood
  • So it's a good thing?

    Stealing from google that is:P

    Pagan jim
    James Quinn
  • Mac botnet generated $10,000 a day for Flashback gang

    So now the flashback gang can buy one Mac a day with that money, infect themselves, and make more money. That's quite the racket they got going there.
    Loverock Davidson-
  • And didn't Google toss Windows out of the enterprise for OS X?

    nt
    Rabid Howler Monkey
• Wasn't that right after China hacked all the Google Windows computers

      But I understand your comment. No OS platform is safe from a zero day attack.
      kenosha77a
      • No, they hacked their way in through *one* Windows XP

... which had been left unpatched. They took over the computer and used it to remote control their way into a web-based database after the user had accessed it.
        honeymonster
      • @honeymonster

        Do you have anything to back that up? I'd like to see something that verifies your claim.
        NonFanboy
      • RE: No OS platform is safe from a zero day attack.

        The Chinese-based Aurora attack on Google and approximately 20 other companies was an Internet Explorer 0-day exploit.

        Flashback on OS X wasn't a 0-day. It was due, primarily, to Apple's tardiness in patching Java. In addition, Apple failed to apply their OS X sandboxing technology to Safari and the Java plug-in.
        Rabid Howler Monkey
    • I thought they got rid of Windows to go all "Linux"

      or more importantly, all Chromebook.
      William Farrel
      • RE: I thought they got rid of Windows to go all "Linux"

        Wrong. Choices were OS X or Linux:

        http://www.sfgate.com/cgi-bin/article.cgi?f=/g/a/2010/05/31/businessinsider-henry-blodget-google-dumping-microsoft-windows-company-wide-blames-windows-for-china-hacking-attack-2010-5.DTL
        Rabid Howler Monkey
      • Errr....

        You mean ChromeOS.

        Shows you how much Google trusts their own OS when they don't use it exclusively [or close to] for every computer there. I guess ChromeOS is definitely a bust.
        Gisabun
  • Many more than 700,000 infected

    700,000 Apple Macintosh computers running OS X were actually sucked into the botnet but many more were infected. Remember that Flashback authors wanted this to be a stealthy infection and after the Flashback installer bypassed every single piece of protection that Apple added to OS X (ha) it proceeded to check for other applications that might make Flashback less stealthy. Flashback actually infected far more than 700,000 but removed itself if it found certain other applications like MS Office on the Mac.

    Apple's security utterly failed over 700,000 innocent Mac users. Funnily enough, Microsoft ended up saving more OS X users than Apple did.
    toddbottom3
    • Reports said otherwise

The stated reason to not infect computers with Microsoft Office installed is to avoid double infection, which is more easily discovered.

      Or, was the attack orchestrated by Microsoft?
      But believe in what you will. :)
      danbi
      • Let's pretend the attack was orchestrated by MS

        They still managed to utterly destroy Apple's Macintosh OS X security.

        The Apple community is very interested in trying to deflect the discussion to blaming Microsoft or Dr. Web for creating this malware. It won't work. Focus on what happened. OS X's security was bypassed in a comically easy way. Whether or not Dr. Web or MS did this doesn't really matter to OS X users whose soft, pink bellies are exposed to the big bad wolves of the Internet.

        PS You are wrong about the double infection but again, the details don't really matter. The truth is that more than 700,000 Apple Macintosh OS X computers were infected.
        toddbottom3