Flashback Botnet Click-Fraud Operation Could Have Been More Profitable

New research shows that the mind or minds behind Flashback failed to use the botnet's full potential to turn a profit in a click-fraud scheme.

According to findings from Symantec, the botnet displayed more than 10 million ads during a three-week period starting in April. Though only 400,000 of those ads were clicked, the hackers earned some $14,000 -- though Symantec says the botmaster does not seem to have been able to actually collect money from pay-per-click providers.

Nevertheless, the ad-clicking component of Flashback was installed on only about 10,000 of the more than 600,000 machines infected by the malware, meaning that if the attackers had harnessed the full power of the botnet, they could potentially have earned millions of dollars in a year, Symantec argues.

"It is very difficult estimate how much money is being made from click fraud [overall]," says Liam O Murchu, manager of operations for Symantec Security Response. "However, we have seen multiple botnets engaging in this type of activity in the past year. Click fraud appears to be a profitable scheme for malware authors since there are so many botnets engaging in it, even though the attackers in the case of Flashback were not able to collect their earnings. The attention and visibility Flashback received may have disrupted the attackers' ability to collect their earnings."

By analyzing the traffic from the Flashback command-and-control (C&C) servers, Symantec followed the redirections used by the attackers. Compromised computers pass users' search keywords to the attackers, who then contact various pay-per-click (PPC) services and route the ads from the PPC providers to the compromised computer. To create conversions, the Flashback botmaster hijacked Google search results and displayed their own PPC search results. The most successful keywords are usually related to pharmaceutical products, auto insurance, and debt mortgage consolidation.

More than 98 percent of the ads being sent to the compromised computers appear to originate from the same PPC provider, the company found.

"This is a complex problem," Murchu says. "However, it's certainly in PPC providers' best interest to police their programs for click fraud. After all, gaining a reputation as a PPC with click-fraud problems is not good for business. Most PPC companies have a verification process and automated solutions in place to determine whether a click is legitimate in origin or not."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.