Damballa, the experts in advanced threat protection and containment, today released its Q2 2015 State of Infections Report, highlighting how a device hi-jacked for the purpose of conducting ‘click-fraud’ can become a conduit for more serious malware such as ransomware. The study cited an example of how a compromised device, originally exploited for the seemingly innocuous purpose of click fraud – a scam to defraud ‘pay-per-click’ advertisers – became part of a chain of infections, which led within two hours to the introduction of the toxic ransomware CryptoWall – the cyber equivalent of a ‘wolf in sheep’s clothing’.
The analysis highlights not only how a low-level threat can open the door for serious and more damaging infections, but also the importance of swiftly identifying malicious activity in order to minimize the likelihood of infection.
Lifecycle of an Infection
The findings come from analysis of RuthlessTreeMafia – click fraud malware introduced by the botnet Asprox. In this incidence botnet-infected devices were used to generate fake clicks on ads, a practice which cheats advertisers out of millions of dollars and costs businesses some $6.3 billion* a year.
Once the device was under the command of the botnet, the RuthlessTreeMafia operators were able to sell access to the compromised device to other threat actors, who used downloaders to deliver the Rerdom and Rovnix Trojans, generating additional revenue for the criminal operators.
As the click-fraud infection chain continued, the device was infected with the CryptoWall ransomware, which encrypts the files on the host system in seconds, making it inaccessible to the user. The click fraud activity continues as the device remained under criminal control, and the attacker continues to make money from control of the compromised device. Within two hours, the initial click fraud infection had escalated to subject the compromised device to three further click fraud infections as well as CryptoWall itself.
Commenting on the findings, Stephen Newman, CTO Damballa said, “As this report highlights, advanced malware can quickly mutate and it’s not just the initial infection vector that matters, it’s about understanding the chain of activity over time. The intricacies of advanced infections mean that a seemingly low risk threat – in this case click fraud – can serve as the entry point for far more serious threats.”
He continues: “The changing nature of these attacks, underscores the importance of being armed with advanced detection, to combat these more stealthy threats. As infections can spread quickly through the network, security teams should take proactive measures to avoid becoming a cautionary click-fraud tale.”
The full report can be downloaded here: https://www.damballa.com/q2-2015-state-of-infections-report-highlights-click-fraud-as-entry-route-for-high-risk-ransomware/