At the height of the Flashback Trojan, experts say it spread to more than 600,000 Macs worldwide. Aside from being a pain in the rear end of those who were infected, it was estimated that the author could be generating upwards of $10,000 per day in fraudulent ad clicks. Further analysis from Symantec, however, paints quite a different picture and it’s likely that the author never received any payment at all.
Despite being installed on over 600,000 machines, the ad-click component of Flashback was only installed on roughly 10,000 systems, or less than 2 percent of all infections. Symantec says that around 10 million fraudulent ads were displayed on compromised computers but users only clicked around 400,000 times. This resulted in only $14,000 for the code-writer over the course of three weeks.
The problem is that most ad networks have built-in anti-fraud protection and affiliate-verification methods in place to combat attempts to game the system. The security firm notes that the Flashback author likely didn’t complete the necessary steps to get paid. Based on analysis of traffic patterns, it seems that 98 percent of ads came from a single pay-per-click provider, something that might have tipped off the ad server.
It’s unclear why only 2 percent of systems were loaded with the ad-click component. Perhaps the author thought of the idea after the initial infections started or maybe they didn’t want to alert suspicion by having a huge influx of funds generated in a short time. Either way, in this instance, it seems the old adage of “crime doesn’t pay” reigns true.