The Flashback malware, which was found to be infecting over 650,000 Macs at its peak, was earning its creators up to $10,000 a day, according to security specialists Symantec. The OSX.Flashback.K trojan, which is believed to be the largest Mac infection to date, is designed to steal page views and advertising revenue from Google.
Once installed on your machine, the trojan is able to load an “ad-clicking component” that intercepts all search requests from your web browser and diverts your traffic to a page of the attackers’ choosing, where they receive revenue from your visit.
Symantec explains how it works:
The Flashback ad-clicking component is loaded into Chrome, Firefox, and Safari where it can intercept all GET and POST requests from the browser. Flashback specifically targets search queries made on Google and, depending on the search query, may redirect users to another page of the attacker’s choosing, where they receive revenue from the click. (Google never receives the intended ad click.)
The malware is clever enough to use a special user agent that is designed to avoid investigation:
Flashback uses a specially crafted user agent in these requests, which is actually the client’s universally unique identifier (UUID) encoded in base64. This is already sent in the “ua” query string parameter, so it is likely that this is an effort to thwart “unknown” parties from investigating the URL with unrecognised user-agents.
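A defensive check built on the behaviour described above, as an added example that is not from Symantec or the original article: it scans web-proxy log lines for a User-Agent header that base64-decodes to a UUID and records whether the “ua” query parameter carries the same identifier. The tab-separated log layout, hosts and UUID are constructed for illustration, and treating the “ua” value as either the raw or the base64-encoded UUID is an assumption.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit, parse_qs

UUID_RE = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")

# Constructed sample data: client IP <TAB> URL <TAB> User-Agent.
_UUID = "3F2504E0-4F89-11D3-9A0C-0305E82C3301"          # invented identifier
_B64 = base64.b64encode(_UUID.encode()).decode()
_NOISE = base64.b64encode(b"not a uuid at all").decode()  # base64, but not a UUID
SAMPLE_LOG = [
    f"10.0.0.5\thttp://ads.example.invalid/click?ua={_B64}&q=shoes\t{_B64}",
    "10.0.0.6\thttp://www.example.invalid/search?q=shoes\t"
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) Safari/534.53",
    f"10.0.0.7\thttp://www.example.invalid/\t{_NOISE}",
]

def decode_uuid(value):
    """Return the lower-cased UUID if value is base64 of a UUID string, else None."""
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, ValueError):  # not base64, or not ASCII once decoded
        return None
    return text.lower() if UUID_RE.fullmatch(text) else None

def flag_line(line):
    """Return a finding for a line whose User-Agent is a base64 UUID, else None."""
    client, url, user_agent = line.split("\t")
    ident = decode_uuid(user_agent.strip())
    if ident is None:
        return None
    parts = urlsplit(url)
    ua_params = parse_qs(parts.query).get("ua", [])
    # Assumption: "ua" may carry the identifier raw or base64-encoded.
    echoed = any(p.lower() == ident or decode_uuid(p) == ident for p in ua_params)
    return {"client": client, "host": parts.hostname,
            "uuid": ident, "ua_param_match": echoed}

def scan(lines):
    """Collect findings for every suspicious line."""
    return [f for f in map(flag_line, lines) if f is not None]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A User-Agent that is nothing but a base64 UUID is unusual enough to hunt on by itself; a matching “ua” parameter raises confidence in the hit.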
On average, trojans like this can provide their authors with around $450 in revenue per day with around 25,000 infections. With the Flashback trojan installed on 650,000 Macs, that sum is likely to rise to around $10,000 per day.