Click-fraud: the entry point for high-risk ransomware

Devices that have been hijacked for directing ‘click-fraud' can become a passage for more serious malware such as ransomware according to Damballa's newly released Q2 2015 State of Infections Report. In addition, the analysis shows the importance of quickly identifying malicious activity in order to reduce the possibility of infection.

Click fraud malware, RuthlessTreeMafia, has been infecting botnet devices resulting in the ability for the malware to generate fake clicks on ads, cheating advertisers out of thousands, perhaps millions of pounds.

When a device was under the control of the botnet, operators of RuthlessTreeMafia were able to sell access to the device to other threat actors.  They then used downloaders to deliver the Trojans, which generated more revenue for the criminal hustlers.

As the click-fraud series continued, the device was infected with CryptoWall ransomware, encrypting the files on the host system, making it unattainable to the user. Click fraud activity continues as the device remains under criminal control, making the attacker more money. In two hours, the initial click fraud infection has grown to subject the negotiated device to three further click fraud infections, including CryptoWall.

Stephen Newman, CTO Damballa said, “The changing nature of these attacks underscores the importance of being armed with advanced detection, to combat these more stealthy threats. As infections can spread quickly through the network, security teams should take proactive measures to avoid becoming a cautionary click-fraud tale.”