Malware spotlight: What is click fraud?
Introduction
Click fraud is a well-known method for fraudsters to make money by taking advantage of online affiliates. It typically involves an ad placed on a website where either a bot or (less commonly) a real person clicks on this ad to generate an artificially high amount of monetized user interaction. What many may not notice is that attackers have been using malware to perform both click fraud and other malicious actions, making it a type of malware all its own.
This article will detail the click fraud type of malware and examine what click fraud is, how it works, some of the other capabilities of click fraud malware and real-world examples of click fraud malware.
Hands-on threat intel training
What is click fraud?
Did you know that according to advertising experts, one in five paid clicks in the month of January 2017 was fraudulent? This means that either malware, a dedicated application or an unfortunate person was responsible for this click.
Also known as pay-per-click (PPC) or performance-based advertising, click fraud is the practice of imitating the actions of legitimate web users clicking on a web-based advertisement. Part of the point (from the attacker’s perspective) is to generate clicks for advertisements regardless if there is genuine interest or not.
Some click fraud is used by ad agencies to inflate click numbers, but a generous amount of the click fraud activity online is performed by malware. These clicks translate into dollar signs for the attackers, who may be hired by an ad agency — but regardless of origin, the end result is often the spreading of even more dangerous malware
There are many ways that click fraud malware can infect a system. Some of the most common methods are:
- As an attachment to spam emails
- Infected apps
- Downloaded by other malware
- Downloaded through vulnerability exploits
The threat of click fraud is increasing to be sure and has prompted Google to include click fraud in its new definition of “potentially harmful applications” (PHA). It should be noted that presence of click fraud infected apps in the Google Play store increased by 100% between the years of 2017 and 2018.
How does click fraud work?
Contemporary versions of click fraud work by using bots to generate an excessive number of clicks on click fraud advertisements. The act of simply generating fraudulent clicks is not, per se, malware, but this click-generating capability is only part of the story.
Click fraud may be performed by a stand-alone click generating bot, but increasingly this capability is being incorporated as only one of the capabilities of a piece of malware. Some of the other capabilities that click fraud malware may be able to perform including theft of information, opening up backdoors for other attackers to take advantage of, and worst of all, the downloading of even worse malware than the initial click fraud malware that performed the download.
Simply put, click fraud is often just one ability of malware that as a whole is a much greater threat.
Some of these other, more damaging, capabilities of click fraud malware are:
- Information theft, including sensitive information
- Identity theft or fraud
- Loss of privacy due to web browser tracking
- System security compromise
Real-world examples
MIUREF
This Trojan, which uses click fraud in its attack campaign, was originally discovered in November 2013. It is most commonly spread through spam email attachments and installs itself as a browser plugin and is loaded whenever the browser is opened.
One of the other capabilities of MIUREF is to install the TSPY_FAREIT malware family. MIUREF may be disguised as cracks or key generators.
Kovter
Kovter is a click fraud malware that uses its fileless design to avoid detection after infection. It most often spreads as .zip file attachments of a UPS email containing malicious JavaScript files. As Kovter avoids detection, it has the ability to download additional malware, steal sensitive information and even give attackers access to the infected system.
Kovter works by running a hidden Chromium embedded framework (CEF) browser on the compromised system. The C2 server then sends ads to the infected machine, which are then displayed in the CEF browser. As of November of 2018, most of the major threat actors behind Kovter have been brought to justice, effectively bringing down the click fraud malware’s infrastructure.
Ramdo
The Ramdo malware family is one of the many malware families dedicated to click fraud. It is spread through both exploit kits (RIG, Angler, Blackhole) and spam email containing URLs that redirect users to malicious Adobe Flash Player. These files have a filename of flashplayer20_ga_install.exe.
Based upon processes already running on an infected system, Ramdo injects malicious DLL code into the process, downloads a CEF from its C2 server and navigates to advertisements on a fake browser. Ramdo is also well-known for downloading other malware onto compromised systems.
Conclusion
Click fraud is a well-known tactic for advertisers to generate fraudulent clicks to make money. What is lesser known is the fact that malware is responsible for much of this click fraud and can be performed by malware as a sort of appetizer for the proverbial meal that is a full cyberattack.
The distinguishing ability of click generating, coupled with its high-level malware functionality and increasing prevalence on the malware landscape, is enough to declare click fraud as a type of malware all to itself.
Hands-on threat intel training
Sources
In this Series
- Malware spotlight: What is click fraud?
- Dark Web hacking tools: Phishing kits, exploits, DDoS for hire and more
- Dependency confusion: Compromising the supply chain
- BendyBear: A shellcode attack used for cyberespionage
- ATP group MontysThree uses MT3 toolset in industrial cyberespionage
- BlackBerry exposes threat actor group BAHAMUT: Cyberespionage, phishing and other APTs
- Top 9 cybercrime tactics, techniques and trends in 2020: A recap
- KashmirBlack botnet targets WordPress, Joomla and other popular CMS platforms
- BAHAMUT: Uncovering a massive hack-for-hire cyberespionage group
- Linux security and APTs: Identifying threats and reducing risk
- Top 6 ransomware strains to watch out for in 2020
- 2020 Verizon data breach investigations report: Summary and key findings for security professionals
- How hackers use CAPTCHA to evade automated detection
- The State of Ransomware 2020: Key findings from Sophos & Malwarebytes
- Dark web fraud: How-to guides make cybercrime too easy
- Top 6 malware strains to watch out for in 2020
- Top Cybersecurity Predictions for 2020
- What does dark web monitoring really do?
- ThreatMetrix Cybercrime Report: An interview
- Are dark web monitoring services worth it?
- Cybercrime and the underground market [Updated 2019]
- Verizon DBIR 2019 analysis
- Common causes of large breaches (Q1 2019)
- The Magecart Cybercrime Group Is Threatening E-Commerce Websites Worldwide
- Russian Cyberspies Target 2018 U.S. Midterm Elections
- The Increasing Threat of Banking Trojans and Cryptojacking
- Leaders’ Meetings: A Privileged Target for Hackers
- Fraud as a Service (FaaS): Everything You Need to Know
- All about SamSam Ransomware
- The Decline of Ransomware and the Rise of Cryptocurrency Mining Malware
- Mechanics Behind Ransomware-as-a-Service
- The Art of Fileless Malware
- ZLAB MALWARE ANALYSIS REPORT: RANSOMWARE-AS-A-SERVICE PLATFORMS
- Which Are the Most Exploited Flaws by Cybercriminal Organizations?
- 5 New Threats Every Organization Should be Prepared for in 2018
- Memcrashed: The Dangerous Trend Behind the Biggest DDoS Attack Ever
- Open source threat intelligence tools & techniques
- Global Cost of Cybercrime on the Rise
- An Enterprise Guide to Using Threat Intelligence for Cyber Defense
- The Five Largest Ransomware Attacks of 2017
- Intellectual Property Crimes in the Dark Web
- Top 5 Smartest Malware Programs
- Is Russian Intelligence Using Tainted Software to Access Corporate and Government Networks?
- Vault 7 Leaks: Inside the CIA's Secret Kingdom (July-August 07)
- DragonFly 2.0: The Alleged Nation-State Actor Hits the Energy Sector Again
- Russian APT Groups Continue Their Stealthy Operations
- Massive Petya Attack: Cybercrime or Information Warfare?
- SAP SECURITY FOR CISO: SAP Attacks and Incidents
- Role of Threat Intelligence in Business World
- WikiLeaks Vault 7 Data Leak: Another Earthquake in the Intelligence Community
- Past and Present Iran-linked Cyber-Espionage Operations
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Threat Intelligence
Dark Web hacking tools: Phishing kits, exploits, DDoS for hire and more
Threat Intelligence
Threat Intelligence
Threat Intelligence
ATP group MontysThree uses MT3 toolset in industrial cyberespionage