Flashback Culprits Could Be Making $10,000 a Day Off Infected Macs
So as not to arouse suspicion, the Flashback ad-clicking component looks at a "whitelist" of websites that it will refuse to redirect. That whitelist includes major destinations -- on the level of Amazon and PayPal -- said Thakur. "That keeps things on a lower profile on the client side," Thakur said, referring to the infected Mac.
In any case, most users won't even notice that they've been shunted to a different ad than the one they clicked, Thakur maintained. And if they do, they probably don't care.
"From the [user's] perspective, very little has changed, even though they're shown a different ad," said Thakur. "It's the search providers and those paying for ads who are out the money."
Click fraud relies on the fact that the user is not the victim; instead its the search provider -- Google, for instance -- and the businesses paying for each time someone clicks on an ad.
"Suddenly they're being billed a lot more than they expected," said Thakur of the latter. "They may have expected to pay for 100 clicks per day, and then sell their product to one of that 100. But suddenly, they're being billed for 1,000 'ghost clicks,' and no one is buying anything."
Symantec has notified Google of the scam that Flashback is running, but frankly, there's not a lot the search giant can do. "Everything is happening on the client side," said Thakur, talking about the ad-click redirection.
Mac owners running either OS X 10.7 or 10.6 -- Lion and Snow Leopard, respectively -- can protect themselves from Flashback attacks by updating Java using their machines' Software Update tool.
Because Apple has stopped shipping security updates for older editions -- OS X 10.5, or Leopard, and its predecessors -- those users must disable Java in their browsers.
About 18 percent of Mac owners ran Leopard or earlier on their systems last month, according to the most recent statistics from Internet metrics company Net Applications. However, Snow Leopard has been the most-infected OS X edition, accounting for 63.4 percent of all Macs in the botnet.
In its analysis of Flashback's monetization strategy, Symantec also took a swipe at Apple for helping the hackers.
"Unfortunately for Mac users, there was a large window of exposure since Apple's patch for this vulnerability was not available for [seven] weeks," said Symantec. "This window of opportunity helped the Flashback Trojan to infect Macs on a large scale ... [and] the Flashback authors took advantage of the gap between Oracle and Apple's patches."
Oracle patched the Java bug on Feb. 14 for Windows and Linux users, but Apple, which still maintains Java for OS X, didn't issue its update until April 3.
Later this year, Oracle will release Java 7 for OS X; Mac users who upgrade to Java 7 will then receive security updates directly from Oracle, not from Apple.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is email@example.com.
Read more about malware and vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.