The Flashback Botnet targeted Apple computers
Lately the Twittersphere has been abuzz with news of a group of hackers who ran a quite prolific botnet. It was prolific not in the sense of numbers, but in the sense of being a brazen, click-links-and-get-paid botnet used to harvest money from the Google AdSense platform.
As we all know, certain blogs or websites feel a need to monetize. Some choose to display ads on their pages, on the off chance that someone may click them. These types of ads typically do not pay much when users just view the page, so there is an incentive to get clicks on them. One click can net upwards of 20 cents, and depending on how many you get a day, this could be quite fruitful.
How did they do this?
They targeted Apple users and redirected their clicks to the ad click URLs, thus generating payment from Google’s AdSense advertising platform.
Symantec had this to say:
The Flashback ad-clicking component is loaded into Chrome, Firefox, and Safari where it can intercept all GET and POST requests from the browser. Flashback specifically targets search queries made on Google and, depending on the search query, may redirect users to another page of the attacker’s choosing, where they receive revenue from the click. (Google never receives the intended ad click.)
The ad click component parses out requests resulting from an ad click on Google Search and determines if it is on a whitelist. If not, it forwards the request to [a] malicious server.
We can clearly see a value of 0.8 cents for the click and the redirection… This redirected URL is subsequently written into the browser so that the user is now directed to the new site, in effect hijacking the ad click Google should have received.
Anatomy of a botnet
How does one do this, you ask?
A botnet is a web of connected computers that are infected with what we call botcode. Botcode allows these computers to go about their daily business and obey the user’s orders all day, but every so often they contact another computer, usually a central one, for what is called Command and Control. No, not Command and Conquer! This controlling computer acts like the pied piper, playing a tune that the entire botnet can dance to.
These hackers used their botnet to generate clicks on these ads, sometimes making upwards of $10k per day, according to researchers at Symantec. This translates to many hundreds of thousands of clicks in a single day, and since the clicks come from so many IPs, it can be difficult to tell fraudulent clicks from legitimate ones unless they follow a regimented pattern. The botnet these guys used is rumored to have had up to 700,000 Apple computers enlisted in it.
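The point about regimented patterns can be shown on the detection side. The following is an added example, not code from the original post or from Symantec: a per-IP click limit sees nothing when every bot clicks once, while the regularity of click timing per publisher does stand out. The click log, publisher ids and thresholds are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

def build_sample_log():
    """Constructed click log of (unix_seconds, source_ip, publisher_id); not real data."""
    log = []
    # pub-A: 40 clicks, each from a different IP, one roughly every 30 s (timer-driven).
    for i in range(40):
        log.append((1000 + 30 * i + (i % 3 - 1), f"10.0.{i}.7", "pub-A"))
    # pub-B: 40 clicks with bursty, irregular gaps, as organic traffic tends to have.
    gaps, t = [2, 95, 7, 240, 13, 61, 4, 180, 33, 9], 1000
    for i in range(40):
        t += gaps[i % len(gaps)]
        log.append((t, f"192.168.{i % 5}.{i}", "pub-B"))
    return log

def per_ip_rate_flags(log, max_clicks_per_ip=3):
    """Naive control: flag any IP that clicks more often than the threshold."""
    counts = defaultdict(int)
    for _, ip, _ in log:
        counts[ip] += 1
    return sorted(ip for ip, n in counts.items() if n > max_clicks_per_ip)

def regimented_publishers(log, min_clicks=20, max_cv=0.2):
    """Flag publishers whose inter-click gaps are suspiciously regular.

    CV = stddev(gaps) / mean(gaps). Bursty human traffic has a CV near or
    above 1; clicks fired on a schedule have a CV close to 0.
    """
    times = defaultdict(list)
    for ts, _, pub in log:
        times[pub].append(ts)
    flagged = {}
    for pub, ts_list in times.items():
        if len(ts_list) < min_clicks:
            continue  # too few clicks to judge regularity
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 0.0  # all-identical timestamps count as regular
        if cv <= max_cv:
            flagged[pub] = round(cv, 3)
    return flagged

if __name__ == "__main__":
    log = build_sample_log()
    print("per-IP flags:", per_ip_rate_flags(log))
    print("regimented publishers:", regimented_publishers(log))
```

A botnet operator who randomizes click timing defeats this single check, which is why timing regularity is only one signal among several in practice.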
Until now, gaming the Google AdSense platform was quite taboo, and best left to skilled hackers who were able to generate traffic without any kind of noticeable pattern. This move is a game changer, and we are likely to see these types of attacks more often in the future.