RiskIQ Researchers Identify New Threat Actor NoTrove Delivering Millions of Scam Ads, Threatening Consumers, and the Digital Advertising Industry

April 2017 by RiskIQ

Earlier this year, RiskIQ reported an eight-fold increase in internet scam incidents that
deny the $83 billion digital advertising industry millions of dollars. Now, RiskIQ
researchers have identified NoTrove, a newly discovered, large-scale threat actor that
delivers millions of scam ads, threatening consumers and further undermining the
digital advertising industry.

A new research report released today, “NoTrove: The Threat Actor Ruling a Scam
Empire”, presents a detailed analysis of how NoTrove uses automation to deliver scam
ads from millions of different domain names, staying ahead of detection and takedown
efforts. NoTrove was so effective that one of its domains ranked among the internet’s
most visited sites for a day.

The online ad scams work by serving attractive but disingenuous ads on legitimate
websites; the ads might offer bogus surveys or free software upgrades, for example.
When someone clicks on the ad, the scammer’s software redirects the user’s click and
traffic to various locations across the internet.

Since advertisers and web content providers want as much of the traffic pie as they
can get, web traffic is an essential commodity. Ad scammers like NoTrove profit from
this demand, participating in traffic affiliate programmes or selling traffic to
traffic buyers (brokers). Unfortunately for legitimate digital advertisers, the users
on the receiving end are harmed by the ads they see and do not even know how they
got there.

Equally troubling for the digital advertising industry: as ad scams proliferate,
consumers become more likely to install ad blockers to avoid bogus ads. This
practice, according to Juniper Research, will cost the digital media industry over
$27 billion by 2020*.

For consumers, this is more than a nuisance. Ad scams can also be used to deliver
PUPs (potentially unwanted programmes) and to redirect users to unwanted
destinations.

The RiskIQ report takes a deep dive into how NoTrove works and shows the advances it
has made in avoiding detection and frustrating takedown efforts, making it one of the
largest and most effective ad scam operations seen to date. Key findings include:

- To stay ahead of efforts to block its fake ads, NoTrove uses automation to
constantly change how the ads are delivered and how clickthroughs are re-routed.
- The actor has burned through 2,000 randomly generated domains and over 3,000 IPs,
operating across millions of Fully Qualified Domain Names (FQDNs). An FQDN is a
complete host name, which for ad scammers typically includes generated subdomains,
such as ajee99.mycontent.example.com.
- RiskIQ observed 78 variants of NoTrove campaigns, including scam survey rewards,
fake software downloads, and redirections to PUPs.
- Alexa rankings for its domains show how effective NoTrove is: even though each
domain is short-lived, the rankings often shoot into the Alexa top 10,000 based
purely on scam ad deliveries; one NoTrove domain reached a rank of 517, making it one
of the most visited sites on the entire internet that day.
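The churn described in these findings (generated leftmost labels under a rotating set of apex domains, spread over many IPs) is a shape a defender can score from passive DNS rather than by blocking one hostname at a time. The following Python is an added example, not RiskIQ’s or the report’s code. The records are constructed, the thresholds are arbitrary starting points, and the apex is approximated as the last two labels (a real deployment should use the Public Suffix List); example.com is used only because the report itself quotes the ajee99.mycontent.example.com shape.

```python
"""Score apex domains for automated scam-ad hostname churn from passive-DNS style records.

Added example, not RiskIQ's code. Heuristic: an apex with many distinct hostnames,
mostly machine-looking leftmost labels, resolving to many IPs is suspicious; an
ordinary site has a few dictionary-like labels on a handful of IPs.
"""
import re
from collections import defaultdict

# Constructed sample records (fqdn, resolved_ip); not real observations.
# example.org stands in for an ordinary site; example.com reuses the
# label.mycontent.example.com shape quoted in the report for the scam pattern.
SAMPLE_PDNS = [
    ("www.example.org", "192.0.2.10"),
    ("mail.example.org", "192.0.2.11"),
    ("blog.example.org", "192.0.2.10"),
    ("www.example.org", "192.0.2.10"),  # duplicate sighting, must not inflate counts
]
_SCAM_LABELS = ["ajee99", "bq7x01", "cm20tz", "dk88le", "ex3w9a", "fn61rp", "gz55yd", "hj09uu"]
_SCAM_IPS = ["198.51.100.%d" % i for i in range(1, 9)]
SAMPLE_PDNS += [("%s.mycontent.example.com" % lab, ip) for lab, ip in zip(_SCAM_LABELS, _SCAM_IPS)]

_HAS_DIGIT = re.compile(r"\d")


def apex_of(fqdn):
    """Registrable domain, approximated as the last two labels.

    Assumption/simplification: production code should consult the Public Suffix
    List so that host.example.co.uk maps to example.co.uk rather than co.uk.
    """
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def looks_generated(label):
    """Treat a leftmost label mixing letters and digits (length >= 5) as machine-made.

    Assumed heuristic; 'www' or 'mail' are not generated, 'ajee99' is.
    """
    return len(label) >= 5 and bool(_HAS_DIGIT.search(label))


def profile_apexes(records):
    """Aggregate distinct hostnames, IPs and leftmost labels per apex domain."""
    prof = defaultdict(lambda: {"fqdns": set(), "ips": set(), "labels": set()})
    for fqdn, ip in records:
        host = fqdn.lower().rstrip(".")
        apex = apex_of(host)
        p = prof[apex]
        p["fqdns"].add(host)
        p["ips"].add(ip)
        if host != apex:  # bare apex has no subdomain label to judge
            p["labels"].add(host.split(".")[0])
    return prof


def flag_churning_apexes(records, min_fqdns=5, min_ips=3, min_generated_ratio=0.5):
    """Return {apex: summary}; 'flagged' is True when the apex shows the
    many-hostnames / generated-labels / many-IPs shape. Thresholds are assumptions."""
    out = {}
    for apex, p in profile_apexes(records).items():
        labels = p["labels"]
        gen_ratio = (sum(looks_generated(l) for l in labels) / len(labels)) if labels else 0.0
        flagged = (
            len(p["fqdns"]) >= min_fqdns
            and len(p["ips"]) >= min_ips
            and gen_ratio >= min_generated_ratio
        )
        out[apex] = {
            "fqdns": len(p["fqdns"]),
            "ips": len(p["ips"]),
            "generated_ratio": round(gen_ratio, 2),
            "flagged": flagged,
        }
    return out


if __name__ == "__main__":
    for apex, summary in sorted(flag_churning_apexes(SAMPLE_PDNS).items()):
        print(apex, summary)
```

On the constructed data the example.org apex stays unflagged (three hostnames, two IPs, no generated labels) while example.com is flagged (eight hostnames, eight IPs, every label generated). The point is the same one the report makes: block decisions keyed on the apex and on the label-generation pattern survive the actor rotating individual FQDNs, whereas a list of hostnames does not.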

RiskIQ first observed NoTrove a year ago, when it began expanding its focus on scams,
but passive DNS (PDNS) results inside RiskIQ PassiveTotal indicate this group has been
operating as far back as December 2010. Used by more than 18,000 security analysts,
PassiveTotal expedites external threat investigation tasks and automates threat
research collaboration and artifact monitoring. You can view the Public Project for
NoTrove compiled by RiskIQ’s Threat Research team here:
https://passivetotal.org/projects/7ee582dc-c792-e635-ce78-0396e1e00bf4

“NoTrove harms not only visiting users, but also legitimate advertisers, adversely
affecting those reliant on the credibility of the digital advertising ecosystem such
as online retailers, publishers, and networks,” said William MacArthur, a threat
researcher at RiskIQ. “Constantly shifting infrastructure means simply blocking
domains and IPs isn’t enough. We must now begin utilising machine learning to
leverage human security teams who increasingly depend on accurate, automated scam
detection.”

To conduct this and other web research, RiskIQ applies its proprietary virtual-user
web crawling technology. This internet reconnaissance behaves as a real user would,
thoroughly interrogating websites and web apps as well as the associated browser
session communications. It processes more than two billion HTTP requests per day to
surface, identify, and connect internet elements to malicious campaigns.

Acting in concert with RiskIQ’s machine learning, the virtual-user technology provides
a deep level of analysis of how threat actors behave, their underlying infrastructure,
and the techniques they use. In the NoTrove case, it can capture what a NoTrove page
looks like down to the document object model (DOM) and how a user gets there, and learn
what makes a NoTrove page a NoTrove page. RiskIQ’s platform can also recognise and
dynamically monitor small variances in the payload without human intervention, so it
continues to detect NoTrove even as the actor evolves.


* Worldwide Digital Advertising: 2016-2020, Juniper Research, 11/5/2016 by Sam Barker

