Cyber-crooks are using the Flashfake malware, which infected up to 748 000 Mac computers recently, to generate money.

This is one of the findings from Kaspersky Lab’s “Anatomy of Flashfake Part 2” report.

The first part of the report was a detailed analysis of the Mac OS X malware’s infection and distribution mechanisms, and how it was being used to conduct click-fraud scams by hijacking the search results of victims’ computers.

The new report examines the malware’s additional functions and provides an in-depth analysis of the technical methods that the Flashfake cyber criminals are using to generate money through click-fraud scams.

According to Kaspersky Lab, the Flashfake malicious program is made up of multiple modules that inject malicious code into the infected victim’s browser. Once the malicious code is injected, it connects the infected computer to the list of Flashfake’s active Command & Control (C&C) servers.

When the victim uses Google’s search engine to browse websites, the legitimate advertisements and links on the websites are substituted with fraudulent ones by the Flashback C&C servers. By having users click on the fraudulent links or ads, the cyber criminals are tricking them into committing click-fraud.

In March 2012, the Flashfake group created a new version of the dynamic library with more functions. Notably, this included a new search method for Flashfake C&C servers using Twitter, and most recently, Firefox browser add-on. The malicious Firefox browser add-on is disguised as an Adobe Flash Player add-on, and performs the same functionalities to communicate with the C&Cs and execute the click-fraud scam.

“Flashfake is currently the most widespread malicious program for Mac OS X, and this incident shows that Mac OS X is now a definitive target for cyber criminals moving forward,” says Costin Raiu, director: global research & analysis team at Kaspersky Lab.

“Not only did cyber criminals evolve their attack methods to incorporate zero-day vulnerabilities, but they also created a program that is resilient. Flashback checks for anti-virus solutions, has integrated self-protection measures, and uses encryption to communicate with the C&Cs. The additional functionality for Twitter and Firefox also demonstrates their willingness to invest time and effort into improving the scale and efficiency of the malware.”

Although Flashfake had infected more than 748 000 Mac OS X computers by the end of April, the botnet’s size has significantly decreased. In May this year, the number of active bots was estimated at 112 528.