Click-Fraud Attack Morphs into Ransomware Risk in a Couple of Hours

Folks STOP CLICKING ON ADDS YOU ARE KILLING YOURSELVES.. Tech Support clean up runs from anywhere from 50.00 a hour to
500.00 per hour is what I charge…
Suggestion use as your search engine NO ADDS TO CLICK ON…be conscious folks..its your money.

By Ionut Ilascu    26 Jun 2015, 12:50 GMT

CryptoWall infection does not halt click-fraud activity

Threats considered a non-priority by security experts can quickly transform into a serious reason of concern, as they can represent the starting point of a more elaborate cybercriminal assault, researchers have found.

This tactic was observed when click-fraud malware, considered a low-level threat, escalated to a ransomware risk with CryptoWall file encrypting tool.
Rerdom Trojan delivered to victim’s computer

Security researchers at Damballa noticed the chain of events while investigating on a customer’s network an incident caused by a threat actor they call RuthlessTreeMafia, who initially ran an operation to defraud “pay-per-click” advertisers.

According to a report published today by the company, the cybercriminals rely on the Asprox botnet to deliver the initial payload, but exploit kits are also employed. Then access to the victim’s system is sold to other threat actors.

Damballa ran the RuthlessTreeMafia threat on their system and monitored the infection chain, which saw undeniable evidence of a click-fraud campaign, which ended with the delivery of CryptoWall.

“The RuthlessTreeMafia threat operators use a fast-flux infrastructure to deliver the Rerdom click-fraud malware to victims. This Trojan utilizes a combination of downloader, information stealer, rootkit and search redirector with pop-up ads to obtain additional revenue for the criminal command and control (C&C) organization,” the researchers say in the report.
Threat makes DNS queries to sites in Russia

After the initial download, multiple DNS queries are made to websites in Russia until one is resolved to emptyarray[.]ru. In the following 40 minutes, Damballa’s automated analysis system saw more than 900 connections to different domain names and spotted different threat groups, almost all of them engaging in click-fraud business.

However, during this activity, CryptoWall was also sent to the compromised system to encrypt files and demand payment of a ransom in exchange for decryption services.

Researchers say that the device remains under criminal control and the click-fraud action continues for another hour, generating additional revenue for cybercriminals.

In the two hours until CryptoWall arrived, the infected system received three click-fraud malware pieces.

Stephen Newman, CTO at Damballa, draws attention to the fact that initial infection vectors should not be dismissed as a less important threat because they can represent a symptom for a larger threat waiting to hit.

“The changing nature of these attacks, underscores the importance of being armed with advanced detection, to combat these more stealthy threats. As infections can spread quickly through the network, security teams should take proactive measures to avoid becoming a cautionary click-fraud tale,” Newman says.

Roy Miehe | | Ceo/President MspPortal Partner Network Where Service and Technical Skills Count

Tags: , , , , , ,

Comments are closed.

%d bloggers like this: