Click fraud or pay-per-click fraud typically involves criminals hijacking devices to artificially inflate traffic statistics and defraud advertisers who pay a fee for each click on their link.
But devices compromised for this purpose are now being used as the first step in a chain of infections that leads to CryptoWall ransomware, according to Damballa’s latest infection report.
The report highlights the importance of organisations identifying low-level threats before they open the door to more serious and damaging infections.
Researchers studied the RuthlessTreeMafia click fraud malware. Devices hijacked by the Asprox botnet were used to generate fake clicks on adverts.
According to Damballa, click fraud cheats advertisers out of millions of dollars and costs businesses about $6.3bn a year.
Chain of infection
The researchers found one device under the command of the botnet, the RuthlessTreeMafia. Operators were able to sell access to the compromised device to other threat actors, who used downloaders to deliver the Rerdom and Rovnix Trojans, generating additional revenue for the criminal operators.
As the click-fraud infection chain continued, the device was infected with the CryptoWall ransomware, which encrypts company data on the host system in seconds, making it inaccessible to the user and demanding a ransom, usually in bitcoins, in exchange for the decryption key.
According to the FBI, CryptoWall is the biggest ransomware threat to business and has been responsible for 992 ransomware attacks reported to the agency since the ransomware appeared in April 2014, resulting in losses of more than $18m to US business.
Damballa researchers found that, in two hours, the initial click fraud infection escalated to a further three click fraud infections as well as CryptoWall.
Monitoring activity
According to the report, an enterprise security team would likely never have seen this transformation unless they “were instrumented” to detect post-compromise activity.
“As this report highlights, advanced malware can quickly mutate and it’s not just the initial infection vector that matters – it’s about understanding the chain of activity over time,” said Stephen Newman, chief technology officer at Damballa.
“The intricacies of advanced infections mean that a seemingly low risk threat - in this case click fraud - can serve as the entry point for far more serious threats,” he said.
According to Newman, the changing nature of these attacks underscores the importance of being armed with advanced detection to combat the more stealthy threats.
“As infections can spread quickly through the network, security teams should take proactive measures to avoid becoming a cautionary click-fraud tale,” he said.
According to the report, understanding the complex malware infection lifecycle is essential to fighting advanced threats.
The ability to detect activity after a compromise can prevent serious damage, but a single point-in-time view of a device’s behaviour is not enough, the report said.
Damballa said automated detection that monitors device behaviour over time can reveal the more serious threats underlying low-level threats before damage is done.
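The difference between a point-in-time view and monitoring a device over time can be shown with a small per-device correlation, added here as an illustration and not taken from Damballa's report or product. The device names, timestamps, severity ranking and two-hour window parameter are constructed assumptions; only the malware family names come from the article.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed severity ranking per detection category (illustrative, not from the report).
SEVERITY = {"click-fraud": 1, "trojan": 2, "ransomware": 3}

# Constructed sample detections: (device, ISO time, family, category).
EVENTS = [
    ("host-17", "2015-01-05T09:00", "RuthlessTreeMafia", "click-fraud"),
    ("host-17", "2015-01-05T09:35", "Rerdom", "trojan"),
    ("host-17", "2015-01-05T10:10", "Rovnix", "trojan"),
    ("host-17", "2015-01-05T10:50", "CryptoWall", "ransomware"),
    ("host-22", "2015-01-05T09:15", "RuthlessTreeMafia", "click-fraud"),
    ("host-22", "2015-01-08T14:00", "RuthlessTreeMafia", "click-fraud"),
]

def point_in_time(event):
    """Severity of one detection judged on its own, with no history."""
    return SEVERITY[event[3]]

def escalating_devices(events, window=timedelta(hours=2)):
    """Map device -> family chain and peak severity when a low-severity
    detection is followed, inside `window`, by a different family."""
    timeline = defaultdict(list)
    for device, ts, family, category in events:
        timeline[device].append((datetime.fromisoformat(ts), family, category))
    flagged = {}
    for device, seen in timeline.items():
        seen.sort()  # chronological order per device
        for i, (start, family, category) in enumerate(seen):
            if SEVERITY[category] > 1:
                continue  # only a low-severity detection anchors a chain
            in_window = [e for e in seen[i:] if e[0] - start <= window]
            chain = []
            for _, fam, _ in in_window:
                if fam not in chain:
                    chain.append(fam)
            if len(chain) > 1:
                peak = max(SEVERITY[cat] for _, _, cat in in_window)
                flagged[device] = {"chain": chain, "peak": peak}
                break
    return flagged

if __name__ == "__main__":
    print("first alert alone:", point_in_time(EVENTS[0]))
    print("over time:", escalating_devices(EVENTS))
```

Judged alone, the first detection on host-17 rates as low severity; only the timeline shows it sitting at the head of a chain that ends in ransomware, while host-22's repeated click-fraud alert days apart is not flagged.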