Although often considered relatively innocuous, click-fraud malware infections could be the start of serious enterprise security issues.

Damballa warned in a “State of Infections Report” that seemingly low-risk click-fraud malware could lead to further infections by more sinister threats, such as ransomware.

“These threats don't just happen immediately,” Stephen Newman, CTO, Damballa, told “It's often the third or fourth infection on a device.”

In the report's RuthlessTreeMafia group example, a victim was infected with click-fraud malware through a phishing email. Once the device was infected with this initial malware (the group used Asprox), the malware's Command and Control (C&C) server updated the device with additional malware. One was a rootkit and the other a click-fraud installer.

Eventually, after exploiting the infected machine to make money off click-fraud, the attackers sold it to other cybercriminals who dropped the CryptoWall ransomware on it. The entire attack took two hours to go from an initial click-fraud infection to three more click-fraud infections, plus CryptoWall.

Constrained IT teams often can't deal with every click-fraud threat, Newman said. However, instead of focusing primarily on preventing infections, teams should monitor machines at all times. This could allow for quick responses, he said.

“These teams aren't able to discover the click-fraud on devices because there's so much effort around prevention,” Newman said. “So they miss the real infections in the first place.”