We’ve heard so much about the Mac Flashback Trojan in the last month, but what is its goal? Turns out it’s financial gain (who knew) in the form of ad revenue.
Security researchers at Symantec have found that the Flashback Trojan downloaded an “ad-clicking component” through a Java vulnerability. From there, it would hijack clicks on Google ads. You know the links that show up in a yellow box at the top of your Google search results? Yeah, those make the search giant a ton of money. Ninety-six percent of Google’s overall revenue comes from advertising through its search engine and other advertising programs. And when your revenue sits at $37.9 billion for 2011, cyber criminals have an incentive to steal some of that.
The people behind the Flashback Trojan may have been making up to $10,000 a day, according to Symantec. They did this by infecting the Mac’s browsers (Firefox, Chrome, or Safari). The Trojan then waited until someone searched for something on Google and clicked on an ad. From there it redirected the user to a site of its choosing, getting in between Google and the advertising click, and eventually collecting the revenue from that click.
Symantec looked at a search query for “toys” made on an infected machine.
“We can clearly see a value of 0.8 cents for the click and the redirection URL highlighted in red. This redirected URL is subsequently written into the browser so that the user is now directed to the new site, in effect hijacking the ad click Google should have received,” Symantec wrote in a blog post. “Considering the Flashback Trojan measures in the hundreds of thousands, this figure could sharply rise to the order of $10,000 per day.”
The Flashback Trojan enters a computer through a hole in Java, which Apple has since patched.