Just as drug dealers try to get people hooked on progressively more addictive substances, it seems that the hijacking of a device to perform simple click fraud can quickly lead to the distribution of nastier malware.
According to the latest State of Infections report from threat protection specialists Damballa, a compromised device, originally exploited for the relatively low-level purpose of committing click fraud -- a scam to defraud pay-per-click advertisers -- became part of a chain of infections, which led within two hours to the introduction of the toxic ransomware CryptoWall.
The findings are based on analysis of the RuthlessTreeMafia click fraud malware introduced by the botnet Asprox. Once the device was under the command of the botnet, the RuthlessTreeMafia operators were able to sell access to the compromised device to others who used downloaders to deliver the Rerdom and Rovnix Trojans, generating additional revenue for the criminals.
As the click-fraud infection chain continued, the device became infected with the CryptoWall ransomware. The click fraud activity was able to continue, though, as the device remained under criminal control and the attacker continued to make money. Within two hours, the initial click fraud infection had escalated to subject the compromised device to three further click fraud infections as well as CryptoWall itself.
"As this report highlights, advanced malware can quickly mutate and it's not just the initial infection vector that matters, it's about understanding the chain of activity over time. The intricacies of advanced infections mean that a seemingly low risk threat -- in this case click fraud -- can serve as the entry point for far more serious threats," says Stephen Newman, CTO of Damballa. "The changing nature of these attacks underscores the importance of being armed with advanced detection, to combat these more stealthy threats. As infections can spread quickly through the network, security teams should take proactive measures to avoid becoming a cautionary click-fraud tale".
More information can be found in the full report, which is available to download from the Damballa website.