UPDATED 12:42 EDT / MAY 01 2012


Flashback Trojan Sought $10,000 Per Day in Google Ad Revenue Fraud

According to the security outfit Symantec, the Flashback Trojan, found to be infecting more than 600,000 Mac OS X machines, has a variant that may have netted the botnet's owners up to $10,000 a day. The malware targets Google advertisements in a click-fraud scheme that redirects users' clicks from the targeted ad to the botnet's accounts.

Symantec dubbed the variant OSX.Flashback.K. It manipulates browser clicks on Google advertisements by loading itself into Chrome, Firefox and Safari, where it intercepts the browser's HTTP GET requests. A blog post from Symantec explained how the malware functions:

“Flashback specifically targets search queries made on Google and, depending on the search query, may redirect users to another page of the attacker’s choosing, where they receive revenue from the click. (Google never receives the intended ad click.)

“The ad click component parses out requests resulting from an ad click on Google Search and determines if it is on a whitelist,” the post continued, “If not, it forwards the request to the malicious server in the following form:

http://[FLASHBACK_DOMAIN]/search?q=[QUERY]&ua=[USER AGENT]&al=[LANG]&cv=[VERSION]

“Flashback uses a specially crafted user agent in these requests, which is actually the client’s universally unique identifier (UUID) encoded in base64. This is already sent in the “ua” query string parameter, so it is likely that this is an effort to thwart “unknown” parties from investigating the URL with unrecognised user-agents.”
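The request shape Symantec describes above (a `/search` path carrying `q`, `ua`, `al` and `cv`, with the `ua` value and the User-Agent header both being a base64-encoded UUID) is distinctive enough to hunt for in web-proxy logs. The following detector is an added example written for this article; it is not code from Symantec or from the malware, and it assumes a simplified proxy log format (`client_ip method url user_agent` per line), a constructed command-and-control host `c2.example.invalid` and a constructed sample UUID.

```python
"""Hunt proxy logs for the Flashback.K ad-click beacon shape described by Symantec."""
import base64
import binascii
import uuid
from urllib.parse import parse_qs, urlsplit

# Constructed identifiers for the demo only (not real infrastructure or a real infection).
SAMPLE_UUID = "f81d4fae-7dec-11d0-a765-00a0c91e6bf6"
SAMPLE_B64 = base64.b64encode(SAMPLE_UUID.encode()).decode()

# Constructed proxy log lines: client_ip method url user_agent
SAMPLE_LOG = [
    "10.0.0.5 GET http://www.google.com/search?q=cheap+flights Mozilla/5.0 (Macintosh)",
    f"10.0.0.7 GET http://c2.example.invalid/search?q=cheap+flights&ua={SAMPLE_B64}&al=en&cv=1.0 {SAMPLE_B64}",
    "10.0.0.9 GET http://c2.example.invalid/search?q=mac+antivirus&ua=notbase64!&al=en&cv=1.0 Mozilla/5.0",
    "10.0.0.9 GET http://www.example.com/search?q=test Mozilla/5.0",
]

# The four query parameters Symantec lists for the beacon request.
BEACON_PARAMS = {"q", "ua", "al", "cv"}


def decode_b64_uuid(value):
    """Return the canonical UUID string hidden in a base64 value, or None if it is not one."""
    try:
        raw = base64.b64decode(value, validate=True).decode("ascii")
        return str(uuid.UUID(raw))
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def inspect_request(url, user_agent):
    """Return matched indicators for one request, or None if it does not look like the beacon."""
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    # Shape check: /search path carrying all four beacon parameters.
    if not parts.path.endswith("/search") or not BEACON_PARAMS.issubset(params):
        return None
    indicators = {"beacon_shape": True}
    ua_uuid = decode_b64_uuid(params["ua"][0])
    if ua_uuid:
        indicators["ua_param_uuid"] = ua_uuid
    header_uuid = decode_b64_uuid(user_agent)
    if header_uuid:
        indicators["user_agent_uuid"] = header_uuid
    # A decodable UUID in either place raises confidence; shape alone is a weak signal.
    indicators["confidence"] = "high" if (ua_uuid or header_uuid) else "low"
    return indicators


def scan_log(lines):
    """Return (client_ip, url, indicators) for every line matching the beacon pattern."""
    findings = []
    for line in lines:
        client, _method, url, user_agent = line.split(" ", 3)
        hit = inspect_request(url, user_agent)
        if hit:
            findings.append((client, url, hit))
    return findings


if __name__ == "__main__":
    for client, url, hit in scan_log(SAMPLE_LOG):
        print(f"{client} {hit['confidence']:<4} {url}")
```

Google's own search URLs also use a `/search` path, which is why the detector keys on the full parameter set rather than the path alone, and why a request whose `ua` parameter and User-Agent header both decode to a UUID is reported with higher confidence than one that merely has the right shape.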

According to Symantec, this attack is not novel in the realm of malware; ad-hijacking Trojans are a routine part of criminal cyber operations. From previous studies, Symantec could say that a botnet of around 25,000 infections could net about $450 per day, so, extrapolating to the much larger estimate of Flashback's botnet size, in the hundreds of thousands, the authors potentially were netting almost $100,000 per day.

These may only be estimates, but the evidence of activity from the Flashback.K Trojan, multiplied by the potential loss per click on every infected machine, would add up to a tremendous amount of fraud.

And, of course, no malware exists in a vacuum: Kaspersky Lab found that the previous Flashback Trojan variant was probably also connected to the Luckycat malware campaign. Trojans themselves are just software to get inside the firewall and past a user's defenses; from there the payload can be modified to do any number of things, from intercepting Google ad clicks (Flashback.K) to siphoning out important and confidential data (as in Luckycat) to be used in spear-phishing.
