How Mac Flashback Malware Made Money From People’s Web Searches

How Mac Flashback Malware Made Money From People’s Web Searches

Malware isn’t always about stealing your personal information or roping you into a botnet. The recent Flashback malware for Mac (which infected more than 600,000 users) used a more subtle method to make money: hijacking the browser so that every search infected users made was redirected through a “pay per click” network, adding up to big bucks for the cyber-criminals. In an added twist, Twitter also played a crucial role in keeping the malware updated.

Picture by Travis Isaacs

Symantec’s security blog offers a thorough overview of how Flashback took advantage of flaws in the Mac’s Java implementation to gain access to the Safari browser in Mac OS X. What’s especially noteworthy (and interesting even if you don’t run a Mac) is how the malware sought to take advantage of that access. The post has the full technical details, but in simple terms, it worked like this:

  • Safari was altered by Flashback so that whenever a user conducted a search via Google or clicked on a Google ad, the command would be sent to central ‘command and control’ server.
  • The server would then alter the request so that the request directed to a ‘pay per click’ results page, and send that page address back to Safari. From the perspective of the searcher, results had been returned, but a payment would also be automatically made to the click-per-search account set up by the malware developer.
  • Using a single ‘command and control’ server and payment account would make the malware easy to disrupt. Each query sent to the server includes authentication information to ensure the request is from an active copy of the malware, and also allows the malware to update itself, changing the address of the ‘command and control’ server and the account money gets paid into.
  • An additional update method used by the malware searches for specific hashtags in Twitter messages, based on the current date. These won’t stand out in the general Twitter stream, but can be easily searched for.

Even with payments of fractions of a cent for each click, Symantec calculated that the malware authors could have been earning $10,000 a day or more when Flashback infections peaked.

The details of this threat serve as a reminder that malware often won’t be “in your face” and its impact can be difficult to detect. Observant users might be suspicious about a change in the appearance of their search results, but many others would probably just assume there had been some kind of redesign at Google. As ever, keeping your system patched and running up-to-date security software remains the easiest way to remain protected from malicious threats.

OSX.FlashBack.K – An Overview and its Inner Workings [Symantec Blog]


  • You’re just talking about the commercial “detox” right? Cause my girlfriend had some virus that almost completely shut down her liver and the doctor recommended her take some special “detox” pill(s) to help after her liver’s recovered a bit. I’m guessing they were actually pharmaceuticals that flush some of the body’s organs when they’re not doing the job.

  • So, once there is money involved (the pay-per-click), why was it so hard to trace it back to real humans?

    The pay-per-click people know who they paid out to, and unless they are chronically stupid, they’ll have disabled those payments anyway – none of those guys pay the instance you take a click, they all have 30-90 day payment cycles.

Show more comments

Log in to comment on this story!