A recent report from Damballa claims ransomware evolved out of a click fraud attack. How does this work? I understand that low-risk attacks can sometimes cause more serious damage, but we don't have the staff or resources to investigate every low-level attack. Should certain issues be prioritized?
Malware authors are trying to find any way to profit from their malicious code, and that includes click fraud attacks. This goes back to the origins of adware, spyware and malware: if a security tool found a malicious cookie, many security professionals would simply ignore or delete the cookie rather than investigate further. The same attitude extends to potentially unwanted programs and other executable software. If click fraud malware is profitable for attackers, they will continue to use it. But if more profit can be made with minimal additional risk for the malware author, updating her existing malware to use a different "monetization" module might make sense. The malware could include several different ways to monetize the compromised endpoint for the malware author's profit. As Damballa reports, malware can be quickly adapted to avoid detection by antimalware tools and to incorporate new and more malicious functionality, such as ransomware.
The concern over investigating every low-level attack is a significant one for most institutions. Part of the issue is that it is difficult to know whether click fraud malware now includes functionality for ransomware or destructive malware. An enterprise could use risk assessments based on its data security requirements to drive prioritization for investigating low-level malware. For example, if click fraud malware is found in a payment card environment, it should be investigated immediately, but the same malware would probably not need to be investigated on a guest wireless network.
Using an antimalware tool that's rapidly updated as changes are detected in the vendor's customer base will help reduce the time it takes to determine if additional investigation of low-level threats is necessary. Using a threat intelligence service that monitors many different networks to complement your existing endpoint and network-based antimalware tools can also help identify when malware has changed tactics from just click fraud to ransomware.
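One way to put the two ideas above into practice, as an added example that is not part of the original answer: triage an alert by the data-security classification of the affected asset, and re-run triage on already-open low-priority alerts when a threat intelligence feed reports that a "click fraud" family has gained a ransomware capability. The asset zones, family name and intel format are constructed assumptions.

```python
"""Alert triage driven by data-security requirements and threat intel.

Added example (not from the original answer). Host names, zones, the
malware family and the intel structure are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed asset inventory: host -> environment classification.
ASSET_ZONES = {
    "pos-terminal-07": "payment_card",   # in PCI scope
    "kiosk-lobby-02": "guest_wireless",  # no sensitive data
    "hr-laptop-11": "corporate",
}

# Constructed threat-intel view: what each family is currently known to do.
THREAT_INTEL = {
    "ClickFraudBot": {"click_fraud"},
}

@dataclass
class Alert:
    host: str
    family: str
    priority: str = "low"

def triage(alert: Alert, zones=ASSET_ZONES, intel=THREAT_INTEL) -> str:
    """Return 'immediate', 'scheduled' or 'monitor' for one alert."""
    zone = zones.get(alert.host, "unknown")
    destructive = intel.get(alert.family, set()) & {"ransomware", "wiper"}
    if zone == "payment_card" or destructive:
        # Payment card environment, or a family known to carry a
        # ransomware/destructive module: investigate now.
        return "immediate"
    if zone in ("unknown", "corporate"):
        return "scheduled"
    return "monitor"  # e.g. plain click fraud on guest wireless

def reprioritize(open_alerts, intel_update, intel=THREAT_INTEL):
    """Merge a feed update into a copy of the intel and re-triage.

    Returns the alerts whose verdict was raised to 'immediate'."""
    merged = {fam: set(caps) for fam, caps in intel.items()}
    for family, caps in intel_update.items():
        merged[family] = merged.get(family, set()) | set(caps)
    raised = []
    for a in open_alerts:
        if a.priority != "immediate" and triage(a, intel=merged) == "immediate":
            a.priority = "immediate"
            raised.append(a)
    return raised
```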
Related Q&A from Nick Lewis