The attackers behind the Flashback Trojan for OS X may be making as much as $10,000 per day through a click fraud scheme involving Google AdWords, Symantec says. The Trojan intercepts all queries made specifically to Google's search engine and will redirect the user to a page of the attacker's choosing. Every time this occurs, the attackers make about 0.8 cents per click.
"Flashback uses a specially crafted user agent in these requests, which is actually the client's universally unique identifier (UUID) encoded in base64", explains Symantec. "This is already sent in the 'ua' query string parameter, so it is likely that this is an effort to thwart 'unknown' parties from investigating the URL with unrecognized user-agents". In other words, the attackers are going to great lengths to cover their tracks.
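The user-agent behaviour Symantec describes is also a detection opportunity: a User-Agent header that base64-decodes to a bare UUID is not something a legitimate browser sends, and it is doubly suspicious when the decoded value equals the request's own 'ua' query parameter. The following is an added example written for this article, not Symantec's code or a Flashback artifact; the log format (client_ip url "user_agent"), the redirector hostname and the UUIDs are constructed for illustration and are not real indicators of compromise.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Canonical 8-4-4-4-12 hex UUID string, e.g. 3f2504e0-4f89-11d3-9a0c-0305e82c3301
UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)
# Hypothetical proxy export format:  client_ip  url  "user_agent"
LOG_RE = re.compile(r'^(\S+) (\S+) "([^"]*)"$')


def b64(text: str) -> str:
    """Base64-encode a string (used only to build the constructed sample lines)."""
    return base64.b64encode(text.encode("ascii")).decode("ascii")


def decode_uuid_user_agent(user_agent: str):
    """Return the UUID if the User-Agent is a base64-encoded UUID string, else None.

    validate=True makes b64decode reject any character outside the base64
    alphabet, so ordinary browser strings (spaces, parentheses, dots) are
    discarded cheaply before any regex work.
    """
    try:
        raw = base64.b64decode(user_agent, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if UUID_RE.match(text) else None


def scan_log(lines):
    """Flag requests whose User-Agent is a base64 UUID.

    Each finding records the client, the destination host, the decoded UUID,
    and whether that UUID also appears in the request's 'ua' query parameter,
    which is the pattern the article attributes to Flashback.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the export format
        client_ip, url, user_agent = m.groups()
        decoded = decode_uuid_user_agent(user_agent)
        if decoded is None:
            continue
        parts = urlsplit(url)
        ua_param = parse_qs(parts.query).get("ua", [None])[0]
        findings.append({
            "client_ip": client_ip,
            "host": parts.hostname,
            "uuid": decoded.lower(),
            "matches_ua_param": ua_param is not None and ua_param.lower() == decoded.lower(),
        })
    return findings


# Constructed sample lines: the UUIDs and the redirector host are made up.
SAMPLE_UUID = "3f2504e0-4f89-11d3-9a0c-0305e82c3301"
SAMPLE_UUID_2 = "0b1c2d3e-4f50-4a6b-8c7d-9e0f1a2b3c4d"
SAMPLE_LOG = [
    '10.0.0.12 http://www.google.com/search?q=mac+antivirus "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3)"',
    f'10.0.0.31 http://redirector.example/?ua={SAMPLE_UUID}&q=mac+antivirus "{b64(SAMPLE_UUID)}"',
    f'10.0.0.44 http://redirector.example/?q=weather "{b64(SAMPLE_UUID_2)}"',
    '10.0.0.57 http://www.google.com/search?q=weather "curl/7.21.4"',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Run as a script, the block reports the two redirector requests and leaves the two normal-looking lines alone; the first finding has `matches_ua_param` set because the decoded User-Agent equals the 'ua' parameter, the second does not because that request carries no 'ua' parameter. In a real deployment the same check would run over the proxy's User-Agent field, and a hit on an unexpected host is worth correlating with the Java patch level of the client.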
Flashback could have been generating quite a bit of revenue for its creators based on analyses of previous Trojans using similar click fraud techniques. As many as 700,000 Macs were believed to be infected at its height, making Flashback "a very profitable enterprise indeed, and all the more reason to keep your Mac fully patched and your virus definitions up to date", the company writes in a blog post.
How did the Trojan spread so quickly? It tricked hundreds of thousands of users into downloading what they believed was Adobe's Flash plugin for Mac. Once installed, the Trojan took advantage of a hole in Java to install itself and generate fake search engine results and run other malicious code on the infected Mac.
Symantec criticized Apple for taking so long to patch the issue and letting Flashback become as big a problem as it is. Oracle had patched the responsible hole in Java in February, but it took an additional six weeks for Apple's patch to reach end users. As a result, hundreds of thousands of Macs were unwittingly infected, many of them not running any antivirus protection at all.
Apple has made it a signature part of its strategy for attracting converts to boast that Macs do not get viruses. This in turn creates a false sense of security, and most Mac users do not bother to install any kind of antivirus protection. Hopefully that has begun to change, as it is now clear that attackers are turning their attention to the Mac OS X platform.