Flashback Crooks Fluffed Money Making Scheme

Flashback operators were unable to make much money from the hundreds of thousands of Macs they had control of

The operators of the Flashback malware that infected over 600,000 machines failed to cash in on their potentially lucrative botnet, analysis has revealed.

One of the main ways the Flashback operators were thought to be making money was by hijacking Google searches to redirect infected users to pages of their choosing. If a redirected user then clicked on an ad, the attackers would be paid by Pay Per Click (PPC) providers.

Symantec originally estimated the operators of Flashback could have made as much as $10,000 (£6,160) per day. After further analysis, it appears they failed to collect even $14,000 over three weeks, because they used little of the botnet’s capacity and never managed to get paid by the PPC providers.

Not cashing in the clicks

Over a three-week period starting in April, the botnet displayed over 10 million ads on compromised machines, but only around 400,000 of them were actually clicked. That would have earned the attackers about $14,000, but “the attackers in this instance appear to have been unable to complete the necessary steps to be paid,” Symantec said.

The security giant estimated the ad-clicking component of Flashback was installed on only about 10,000 of the hundreds of thousands of infected Macs, roughly two percent of the botnet. Had the attackers used all the bots under their control, they could have earned millions of dollars a year, Symantec claimed.

“You may not expect to see 100 percent utilisation of the infrastructure from the start, but at the same time what we are looking at here is very small utilisation,” Tom Parsons, senior manager at Symantec Security Response, told TechWeekEurope. “Two percent – that would seem particularly low, especially for something that is bound to catch people’s attention… There were probably issues in terms of executing the grand plan.

“Maybe it was a deliberate decision not to fully utilise it. Maybe they didn’t think it was going to get as much attention or even be identified, but that would have been wishful thinking.”

Parsons compared the Flashback botnet to a malicious Android network that was using 30,000 bots every day to generate revenue by forcing end users to send premium-rate texts to numbers of the mastermind’s choosing. That amounted to around 25 percent of the botnet being used to generate revenue.

In both cases the platforms targeted, Android and Mac OS, were relatively new to large-scale malware, which makes the two botnets comparable. In the Android case, though, the cybercriminals appear to have been more savvy in deploying their army of bots.

“There is a huge contrast there in the figures,” Parsons added, revealing that the Android botnet is still alive and making its masters hundreds of thousands, possibly millions, of dollars. “The operator had been running that Android botnet for six months at that stage and had made hundreds of thousands of dollars and we estimated they would make at least a million dollars for one year.”

There are still plenty of machines in the Flashback botnet. Symantec said there were still 120,000 active infections at the time of writing, and that the real number is “likely to be higher”.
