The new report finds ad scammers like NoTrove profit from relentless web traffic. NoTrove actors participate in traffic-booster affiliate programs or sell traffic to traffic buyers (brokers).
RiskIQ, the leader in digital threat management, released a new research report today titled “NoTrove: The Threat Actor Ruling a Scam Empire”. The report is a detailed analysis that demonstrates how NoTrove uses advanced automation techniques to deliver scam ads. These scam ads (part of malvertising) are channeled from millions of different domain names to stay ahead of detection and takedown efforts. Surprisingly, NoTrove was so effective that one of its pages ranked among the internet’s most visited pages for one day.
Ad Scams Eat Away $83 Billion from the Digital Advertising Industry
RiskIQ reported an eight-fold increase in internet scam incidents that deny the $83 billion digital advertising industry millions of dollars. Now, researchers at RiskIQ have identified NoTrove, a newly discovered and major threat actor that is delivering millions of scam ads that threaten consumers and further undermine the digital advertising industry.
How Ad Scams Make Money from Traffic
Online ad scams are effective because they serve attractive but disingenuous ads on legitimate websites. The ads often offer bogus surveys or free software upgrades. When a user clicks on the ad, the scammer’s software redirects the user’s “clicks” and traffic toward various locations across the internet.
Since advertisers and web content providers want as much of the traffic pie as they can get, web traffic is an essential commodity. Ad scammers like NoTrove profit from this demand, participating in traffic affiliate programs or selling traffic to traffic buyers (brokers).
Unfortunately for the digital advertisers, however, the users are negatively impacted by the ad they are seeing and don’t even know how they got it.
Ad Scams Speed Up Ad Blocker Usage
Equally troubling for the digital advertising industry is that as ad scammers increase, so does the likelihood that consumers will install ad blockers as a way to avoid bogus ads. This practice, according to Juniper Research, will cost the digital media industry over $27 billion by 2020.
For consumers, this is more than just a nuisance. Ad scams can also be used to download PUPs—potentially unwanted programmes—and can redirect them to unwanted places.
NoTrove’s Modus Operandi
The RiskIQ report takes a deep dive into how NoTrove works and shows the advances it has made to avoid detection and prevent efforts to take it down, making it one of the most effective and largest ad scam operations ever.
Key findings of the “NoTrove: The Threat Actor Ruling a Scam Empire” report include:
– To stay ahead of efforts to block its fake ads, NoTrove uses automation to constantly change how the ads are delivered and clickthroughs re-routed.
– The scam master has burned through 2,000 randomly generated domains and over 3,000 IPs, operating across millions of Fully Qualified Domain Names; an FQDN is a complete web address, typically including subdomains for ad scammers, such as ajee99.mycontent.example.com.
– RiskIQ observed 78 variants of NoTrove campaigns, such as scam survey rewards, fake software downloads, and redirections to PUPs.
– Alexa rankings for its domains show how effective NoTrove is; even though each domain is short-lived, the rankings often shoot up into the Alexa top 10,000 based purely on scam ad deliveries; one NoTrove domain reached the ranking of 517, making it one of the most visited pages on the entire internet for that day.
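The key findings above describe throwaway hostnames rotating under a stable parent, as in ajee99.mycontent.example.com. The following added example (not code from the RiskIQ report or PassiveTotal) shows one way a defender could surface that pattern in proxy or DNS logs and derive a wildcard rule instead of blocking FQDNs one at a time. The hostnames, function names and thresholds are constructed assumptions, and the sketch assumes the rotating label is the leftmost one.

```python
from collections import Counter, defaultdict

# Constructed sample of hostnames from a proxy log (reserved example domains).
SAMPLE_HOSTS = [
    "ajee99.mycontent.example.com", "qk3x7p.mycontent.example.com",
    "zt81vd.mycontent.example.com", "m0prw4.mycontent.example.com",
    "h7y2ce.mycontent.example.com", "ajee99.mycontent.example.com",
    "www.shop.example.net", "www.shop.example.net", "www.shop.example.net",
    "static.shop.example.net", "static.shop.example.net",
    "static.shop.example.net", "api.shop.example.net", "api.shop.example.net",
    "example.org",
]


def split_leftmost(host):
    """Return (leftmost label, remaining suffix), or None for short hosts."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 3:  # nothing to rotate in front of a bare domain
        return None
    return labels[0], ".".join(labels[1:])


def find_churning_suffixes(hosts, min_distinct=4, max_avg_reuse=2.0):
    """Flag suffixes fronted by many distinct, rarely reused leftmost labels.

    Thresholds are illustrative assumptions; tune them against real traffic.
    """
    per_suffix = defaultdict(Counter)
    for host in hosts:
        parts = split_leftmost(host)
        if parts:
            label, suffix = parts
            per_suffix[suffix][label] += 1

    findings = {}
    for suffix, labels in per_suffix.items():
        distinct = len(labels)
        avg_reuse = sum(labels.values()) / distinct
        # Legitimate sites reuse a few labels (www, static) many times;
        # churned infrastructure shows many labels seen once or twice.
        if distinct >= min_distinct and avg_reuse <= max_avg_reuse:
            findings[suffix] = {
                "distinct_labels": distinct,
                "avg_reuse": round(avg_reuse, 2),
                "rule": "*." + suffix,
            }
    return findings


if __name__ == "__main__":
    for suffix, info in find_churning_suffixes(SAMPLE_HOSTS).items():
        print(suffix, info)
```

A flagged suffix is a lead for review, not a verdict: CDNs and tracking services also generate per-request subdomains, so check the suffix before deploying the wildcard rule.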
RiskIQ PassiveTotal and the Battle Against NoTrove
RiskIQ first observed NoTrove a year ago when it began expanding its focus on scams, but PDNS results inside RiskIQ PassiveTotal indicate this group has been operating as far back as December of 2010. Used by more than 18,000 security analysts, PassiveTotal expedites external threat investigation tasks and automates threat research collaboration and artifact monitoring.
“NoTrove harms not only visiting users, but also legitimate advertisers, adversely affecting those reliant on the credibility of the digital advertising ecosystem such as online retailers, publishers, and networks,” said William MacArthur, a threat researcher at RiskIQ.
“Constantly shifting infrastructure means simply blocking domains and IPs isn’t enough. We must now begin utilizing machine learning to leverage human security teams who increasingly depend on accurate, automated scam detection.”
To conduct this and other web research, RiskIQ applies its proprietary virtual user web crawling technology. This advanced internet reconnaissance acts like a user would, thoroughly interrogating websites and web apps, as well as respective browser session communications. It processes more than two billion HTTP requests per day to surface, identify, and connect internet elements to malicious campaigns.
Acting in concert with RiskIQ’s machine learning, virtual user technology can provide a deep level of analysis of how threat actors are behaving, their underlying infrastructure, and the techniques they use. In the NoTrove example, they can detect what the NoTrove page looks like down to the document object model (DOM).
The model also reveals how a user gets there, and learns what makes a NoTrove page a NoTrove page. RiskIQ’s platform will even understand and dynamically monitor for small variances in the payload without the need for any human intervention, so it can continue to detect NoTrove, even as this threat actor evolves.