In April 2012, security researchers discovered a new piece of malware targeting OS X users. The malware was dubbed "Flashback" and reportedly infected more than 600,000 Mac users, including about 200 machines on Apple's Cupertino campus. The malware was able to infect so many machines because it was cleverly disguised as a fake Adobe Flash installer.
Once active, the malware would inject ads from pay-per-click providers into search results instead of sourcing the ads from Google. The security firm Symantec estimated that the malware had the potential to net its creators upwards of US$10,000 a day, but further analysis indicated that the actual payout was much lower.
From our analysis we have seen that, for a three-week period starting in April, the botnet displayed over 10 million ads on compromised computers but only a small percentage of users who were shown ads actually clicked them, with close to 400,000 ads being clicked. These numbers earned the attackers $14,000 in these three weeks, although it is worth mentioning that earning the money is only one part of the puzzle -- actually collecting that money is another, often more difficult, job. Many PPC providers employ anti-fraud measures and affiliate-verification processes before paying.
About a week after the malware was first publicized, Apple issued a software update to remove the malware from affected machines.
Over the past few months, investigative reporter and former Washington Post journalist Brian Krebs did a bit of sleuthing and was able to piece together a number of clues which purport to reveal the identity of the man behind the Flashback malware.
By lurking on forum threads on a Russian-language site dedicated to black-hat SEO, the art of deceptively manipulating search results for monetary gain, Krebs was eventually able to acquire some revealing information.
In a private message obtained by Krebs, one user with the handle "mavook" was looking to get an invitation to Darkod, a cybercrime forum. In order to prove his bona fides, mavook took responsibility for the Flashback botnet while boasting that he specializes "in finding exploits and creating bots."
The senior member that Mavook petitions is quite well-known in the Russian cybercrime underground, and these two individuals also are well-known to one another. In fact, in a separate exchange on the main BlackSEO forum between the senior member and a BlackSEO user named JPS, the senior member recommends Mavook as a guy who knows his stuff and can be counted on to produce reliable attack tools.
Following that, Krebs took a look at mavook's profile page and saw that his personal homepage was at one point mavook.com. Krebs was then able to look at old WHOIS registration records and come up with a name -- Maxim Selikhanovich, a 30-year-old from Saransk, Russia.
The full details behind Krebs' investigation are rather interesting and worth checking out in their entirety.