The hackers in charge of the Flashback botnet managed to generate $14,000 from their click fraud campaign, but have not been paid, Symantec said Thursday.
New analysis of the Flashback botnet and the traffic between infected Macs and C&C (command-and-control) servers exposed the earnings and the lack of payment, Liam O Murchu, manager of operations at Symantec's security response center, said in an interview.
O Murchu credited security companies' efforts with preventing the botnet's handlers from generating more money through click fraud.
"Lots of security companies sinkholed Flashback's domains, and this caused [the hackers] a lot of problems," said O Murchu.
Starting in early April, antivirus vendors, including Symantec, snatched potential C&C domains before the attackers did, effectively blocking orders from reaching many of the estimated 600,000 infected Macs. The commands fall down a metaphoric "sinkhole" instead.
Part of the Flashback botnet survived those efforts, however. The hackers retained control of at least 10,000 Macs, which they infected with additional code that steals clicks from ads that Google's search engine displays alongside search results.
Altogether, Flashback's creators were able to use less than 2 percent of the botnet to crank out ghost clicks. Even though the percentage seems small, those Macs displayed more than 10 million ads in a three-week span; 400,000 of those ads were clicked by users. The 400,000 clicks were worth approximately $14,000.
The profit-making strategy, called "click fraud," redirects large numbers of people to online ads not normally served by the site the user is viewing. The criminals receive kickbacks from the sometimes-legitimate, sometimes-shady intermediaries for each ad clicked.
In this case, said O Murchu, it seems the Flashback gang didn't actually earn a dime.
"The traffic we've analyzed tells us that they hadn't been paid," said O Murchu, referring to the hackers' efforts to get their money. "They haven't been able to provide the information to the pay-per-click [PPC] affiliate that [was] required to be paid."
O Murchu declined to identify the PPC affiliate that served 98 percent of the Flashback-generated clicks, but said it appeared to be a legitimate PPC rather than one of the shadier firms that essentially pass off bogus clicks as genuine.
Legitimate PPCs employ anti-fraud controls -- including sampling traffic from the source of the clicks -- because without that verification they won't be paid by advertisers, said O Murchu.
"Cashing out is the difficult part [of click fraud]," said O Murchu, noting that while other criminal gangs have gotten away with it, Flashback's backers have not.