alphaspirit - Fotolia
A recent report from Damballa claims ransomware evolved out of a click fraud attack. How does this work? I understand that low-risk attacks can sometimes cause more serious damage, but we don't have the staff or resources to investigate every low-level attack. Should certain issues be prioritized?
Malware authors are trying to find any way to potentially profit from their malicious code, and that includes click fraud attacks. This goes back to the origins of adware, spyware and malware where if a security tool found a malicious cookie, many security professionals would ignore the cookie or delete it rather than further investigate. This extends to potentially unwanted programs and other executable software. If click fraud malware is profitable for attackers, they will continue to use it. But if more profit can be made with minimal additional risks for the malware author, updating her existing malware to use a different "monetization" module in the malware might make sense. The malware could include several different ways to monetize the compromised endpoint for the malware author to profit. As Damballa reports, malware can be quickly adapted to avoid being detected by antimalware tools and to incorporate new and more malicious functionality, such as ransomware.
The concern over investigating every low-level attack is a significant one for most institutions. Part of the issue is that it is difficult to know if click fraud malware has now decided to include functionality for ransomware or destructive malware. An enterprise could use risk assessments based on the data security requirements to drive prioritization for investigating low-level malware. For example, if click fraud malware is found in a payment card environment, it should be investigated immediately, but that same malware would probably not need to be investigated on a guest wireless network.
Using an antimalware tool that's rapidly updated as changes are detected in the vendor's customer base will help reduce the time it takes to determine if additional investigation of low-level threats is necessary. Using a threat intelligence service that monitors many different networks to complement your existing endpoint and network-based antimalware tools can also help identify when malware has changed tactics from just click fraud to ransomware.
Discover how ransomware fuels health data extortionists
Dig Deeper on Malware, virus, Trojan and spyware protection and removal
Related Q&A from Nick Lewis
Cloud penetration testing presents new challenges for information security teams. Here's how a playbook from the Cloud Security Alliance can help ... Continue Reading
Many cloud providers are tight-lipped about internal security control details. Learn how to evaluate cloud security providers with certifications and... Continue Reading
Enterprises new to the cloud can write new security policies from scratch, but others with broad cloud usage may need an update. Consider these ... Continue Reading