Is click fraud malware hiding bigger potential threats?

A recent report shows how ransomware evolved from click fraud malware. Expert Nick Lewis explains how low-level threats can hide greater dangers for enterprises.

A recent report from Damballa claims ransomware evolved out of a click fraud attack. How does this work? I understand that low-risk attacks can sometimes cause more serious damage, but we don't have the staff or resources to investigate every low-level attack. Should certain issues be prioritized?

Malware authors look for any way to profit from their malicious code, and that includes click fraud attacks. The pattern goes back to the origins of adware, spyware and malware: when a security tool found a malicious cookie, many security professionals would ignore or delete the cookie rather than investigate further. The same habit extends to potentially unwanted programs and other executable software. If click fraud malware is profitable for attackers, they will continue to use it. But if more profit can be made with minimal additional risk, it might make sense for the malware author to update her existing malware to use a different "monetization" module. The malware could include several different ways to monetize the compromised endpoint. As Damballa reports, malware can be quickly adapted to avoid detection by antimalware tools and to incorporate new and more malicious functionality, such as ransomware.

The concern over investigating every low-level attack is a significant one for most institutions. Part of the issue is that it is difficult to know whether a given piece of click fraud malware now includes functionality for ransomware or destructive malware. An enterprise could use risk assessments based on its data security requirements to drive prioritization for investigating low-level malware. For example, if click fraud malware is found in a payment card environment, it should be investigated immediately, but that same malware would probably not need to be investigated on a guest wireless network.

Using an antimalware tool that's rapidly updated as changes are detected in the vendor's customer base will help reduce the time it takes to determine if additional investigation of low-level threats is necessary. Using a threat intelligence service that monitors many different networks to complement your existing endpoint and network-based antimalware tools can also help identify when malware has changed tactics from just click fraud to ransomware.
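The prioritization described above can be sketched as a small triage routine. This is an added example, not code from the article or from Damballa; the zone weights, severity values, threshold, host names and family names are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed weights: higher means stricter data security requirements.
ZONE_WEIGHT = {"payment_card": 100, "hr_finance": 70, "corporate": 40, "guest_wifi": 5}
# Constructed base severity per category label assigned by the antimalware tool.
CATEGORY_SEVERITY = {"click_fraud": 1, "adware": 1, "pup": 1,
                     "ransomware": 5, "destructive": 5}
INVESTIGATE_NOW = 100  # assumed threshold for immediate investigation

@dataclass
class Alert:
    host: str
    zone: str
    family: str    # malware family named in the detection
    category: str  # category label at detection time

def effective_category(alert, intel):
    """Use the worse of the tool's label and what threat intel now reports."""
    observed = intel.get(alert.family, alert.category)
    return max((alert.category, observed),
               key=lambda c: CATEGORY_SEVERITY.get(c, 1))

def score(alert, intel):
    # Unknown zones are treated as corporate rather than silently ignored.
    weight = ZONE_WEIGHT.get(alert.zone, ZONE_WEIGHT["corporate"])
    return weight * CATEGORY_SEVERITY.get(effective_category(alert, intel), 1)

def triage(alerts, intel):
    """Return (host, score, action) tuples, highest priority first."""
    ranked = sorted(alerts, key=lambda a: score(a, intel), reverse=True)
    return [(a.host, score(a, intel),
             "investigate_now" if score(a, intel) >= INVESTIGATE_NOW else "queue")
            for a in ranked]

# Constructed sample alerts; "FamilyA" and "FamilyB" are placeholder names.
ALERTS = [
    Alert("guest-laptop-7", "guest_wifi", "FamilyA", "click_fraud"),
    Alert("pos-term-02", "payment_card", "FamilyA", "click_fraud"),
    Alert("ws-1138", "corporate", "FamilyB", "click_fraud"),
]
INTEL_BEFORE = {}                         # no tactic changes reported yet
INTEL_AFTER = {"FamilyB": "ransomware"}   # feed reports a new ransomware module

if __name__ == "__main__":
    for label, intel in (("before", INTEL_BEFORE), ("after", INTEL_AFTER)):
        print(label, triage(ALERTS, intel))
```

Re-running the triage whenever the intelligence feed updates is what moves an already-seen click fraud detection to the top of the queue once its family is reported to carry ransomware.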

This was last published in January 2016