Sometimes a mere cybernuisance can deliver an unexpected wallop.
This may be especially true in the case of click fraud, which is often viewed as more of an annoyance than a true threat.
In its Q2 State of Infection Report, released this week, Damballa, Inc. researchers found that a device compromised to commit click fraud quickly became the victim of a much more serious threat -- ransomware.
Given the speed at which security teams detect issues -- which Ponemon Institute estimates to be at least five days in the case of malware -- it could be next to impossible for enterprises to detect such an issue in time, especially if organizations only monitor for factors of compromise.
Click fraud -- also known as pay-per-click fraud, a practice of inflating traffic statistics to defraud advertisers or websites offering revenue-generating ads -- is generally a low-risk threat, although it is quite costly to the advertising industry. Now, it's emerging as an entry point for more serious issues.
"In reality," the Damballa report reads, "click fraud is often a precursor to something more sinister. A device infected with click fraud may leave the enterprise susceptible to dangerous downstream infections."
Researchers tracked a threat dubbed "RuthlessTreeMafia," click fraud malware introduced by the Asprox botnet. Once compromised, the sample device was accessed by other actors, who used additional Trojans to generate revenue. In the span of two hours, the device picked up three more click fraud infections and finally CryptoWall.
"As this report highlights, advanced malware can quickly mutate and it's not just the initial infection vector that matters, it's about understanding the chain of activity over time," said Stephen Newman, CTO at Damballa. "The intricacies of advanced infections mean that a seemingly low risk threat -- in this case click fraud -- can serve as the entry point for far more serious threats.
"The changing nature of these attacks underscores the importance of being armed with advanced detection to combat these more stealthy threats. As infections can spread quickly through the network, security teams should take proactive measures to avoid becoming a cautionary click fraud tale."
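One way to operationalize the chain-of-activity view the report argues for: rank a host by where its alert sequence is heading, not by the severity of the first alert. This is an added example, not Damballa's code; the hosts, timestamps and alert names are constructed, and the two-hour window mirrors the timeline described above.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts (not from the report): ws-17 follows the timeline
# above (click fraud, more click fraud, a trojan, then ransomware within two
# hours); ws-23 sees a single click-fraud alert and nothing else.
SAMPLE_ALERTS = [
    {"host": "ws-17", "ts": "2015-06-24T09:00:00", "kind": "clickfraud", "name": "clickfraud-1"},
    {"host": "ws-23", "ts": "2015-06-24T09:05:00", "kind": "clickfraud", "name": "clickfraud-1"},
    {"host": "ws-17", "ts": "2015-06-24T09:40:00", "kind": "clickfraud", "name": "clickfraud-2"},
    {"host": "ws-17", "ts": "2015-06-24T10:10:00", "kind": "trojan", "name": "downloader-x"},
    {"host": "ws-17", "ts": "2015-06-24T10:15:00", "kind": "clickfraud", "name": "clickfraud-3"},
    {"host": "ws-17", "ts": "2015-06-24T10:55:00", "kind": "ransomware", "name": "crypto-sample"},
]

# Nuisance-to-critical ordering; the signal we want is escalation over time.
SEVERITY = {"clickfraud": 1, "trojan": 2, "ransomware": 3}


def find_escalation_chains(alerts, window_minutes=120):
    """Group alerts per host, order them by time, and report hosts where the
    first alert is followed within the window by alerts of higher severity.

    Each chain carries the first alert, the peak kind reached, the number of
    detections in the window and the elapsed minutes, so a triage queue can
    prioritise the host by its trajectory rather than by the initial nuisance.
    """
    window = timedelta(minutes=window_minutes)
    by_host = defaultdict(list)
    for alert in alerts:
        by_host[alert["host"]].append((datetime.fromisoformat(alert["ts"]), alert))

    chains = []
    for host, events in by_host.items():
        events.sort(key=lambda e: e[0])
        start_ts, start = events[0]
        peak, last_ts, count = start["kind"], start_ts, 1
        for ts, alert in events[1:]:
            if ts - start_ts > window:
                break  # outside the correlation window: stop extending the chain
            count, last_ts = count + 1, ts
            if SEVERITY[alert["kind"]] > SEVERITY[peak]:
                peak = alert["kind"]
        if SEVERITY[peak] > SEVERITY[start["kind"]]:
            chains.append({"host": host, "first": start["name"], "peak": peak,
                           "detections": count,
                           "elapsed_minutes": int((last_ts - start_ts).total_seconds() // 60)})
    return chains


if __name__ == "__main__":
    for chain in find_escalation_chains(SAMPLE_ALERTS):
        print(chain)
```

Widening the window trades detection delay for context; a 30-minute window here would miss the ws-17 chain entirely, which is the report's point about watching activity over time.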
In other news
- Though the end-of-life date for Windows XP was in April 2014, the OS is still generating a good chunk of change for the Redmond-based company thanks to the U.S. government. The Navy is reportedly paying $9.1 million annually to continue receiving patches for the now obsolete software, as well as the soon-to-be-retired Office 2003, Exchange 2003 and Windows Server 2003. According to reports, the Space and Naval Warfare Systems Command, which runs the Navy's communications and information networks, signed the contract earlier this month to cover software on approximately 100,000 computers. The company purportedly began a migration from XP in 2013. According to a Navy notice, the extension will allow the Navy "time to migrate from its existing reliance on the expiring product versions to newer product versions approved for use … and will provide hotfixes to minimize risks while ensuring support and sustainability of deployed capabilities." The Army approved a similar extension for more than 8,000 devices while it "works to migrate off Windows XP over the next year."
- The U.S. and China entered an agreement Wednesday to create a "cyber code of conduct" that will outline appropriate behavior on the Web. "The United States and China should be working together to develop and implement a shared understanding of appropriate state behavior in cyberspace," U.S. Secretary of State John Kerry announced on the third day of the U.S.-China Strategic and Economic Dialogue in Washington. "I'm pleased to say China agreed that we must work together to complete a code of conduct regarding cyber activities." The statement given by Kerry provided no further details, but came following President Barack Obama's comments to Chinese leaders about China's cyberbehavior. The White House released a statement saying Obama "urged China to take concrete steps to lower tensions." Kerry noted the importance of accepting cyber norms, telling reporters, "We need to work together in order to define those and then live by them. I think that message was clearly delivered and received, and hopefully that work will begin in earnest very, very quickly."
- The United States generates the most botnet command-and-control (C&C) traffic globally, followed by Ukraine and Russia, according to a report released last week by Level 3 Communications, LLC. The report attributed this to the "wealth of infrastructure that lends itself to attack execution" in the country. Twenty percent of the more than 1,000 botnets tracked by Level 3 researchers were in the U.S., "with nearly an equal amount launching from Ukraine and Russia combined." Western Europe and the U.K. came in with 12%; Latin America housed only 2%. "Left unchecked," the report warned, "these [C&Cs] have the potential to disrupt business and destroy critical information assets." According to the report, researchers concluded the average number of infected hosts per C&C server is 1,700. Additionally, 600 -- or 60% -- of the botnets analyzed targeted corporate environments.
- Researchers at HP's Zero Day Initiative released the details and proof-of-concept code for an Internet Explorer ASLR bypass flaw the team submitted to the Microsoft Mitigation Bypass Bounty and BlueHat Bonus for Defense Program in February of this year. The team, which took home $125,000 for its work, was told by Microsoft that a patch would not be released, according to a blog post published last week; Microsoft said the flaw does not affect 64-bit systems, which ZDI researchers confirmed. However, Dustin Childs, who authored the blog post, said "what is lost here is that the bypass described and submitted only works for 32-bit systems, which is the default configuration on millions of systems." Childs noted that the release of flaw details was not done lightly. "To be very clear, we are not doing this out of spite or malice," Childs wrote. "We would prefer to release this level of detail only after the bug is patched. However, since Microsoft confirmed in correspondence with us they do not plan to take action from this research, we felt the necessity of providing this information to the public. We do so in accordance with the terms of our own ZDI vulnerability-disclosure program." The whitepaper detailing the attack also offers suggestions to improve IE defenses.