Unprotected users visiting a page hosting the much-discussed Flashback Trojan could be earning some serious cash for the malware’s creators, according to new research from Symantec.
In a post to the company’s Security Response blog, Symantec notes the Flashback Trojan could be earning up to $10,000 a day for the malware’s writers. After a user visits a vulnerable site, the browser is redirected to an exploit site hosting Java exploits; the OSX.Flashback.K variant is then installed, and an ad-clicking component is subsequently downloaded.
The ad-clicking component – which can be downloaded and installed onto Chrome, Firefox and Safari browsers – is the real source of the money, though. The attackers redirect users from Google search results to pages of their own choosing, taking clicks away from Google and instead generating an ad click for themselves.
“The ad click component parses out requests resulting from an ad click on Google Search and determines if it is on a whitelist,” Symantec adds.
The most recent version of Flashback began infecting Mac machines last month via Java vulnerability exploits, while an even more recent variant of the Trojan was found late last week using Twitter as a backup command-and-control channel.
Botnet-controlled click fraud isn’t anything new; botnets have long stolen clicks away from legitimate sites. It was only a few years ago that, by evading filters and hijacking clicks, cyber criminals were able to make millions by exploiting online advertisers.