NoTrove threat actor delivering millions of scam ads
Researchers at RiskIQ have identified NoTrove, a threat actor that is delivering millions of scam ads that threaten consumers and further undermine the digital advertising industry. NoTrove was so effective that one of his pages ranked as one of the internet’s most visited pages for one day.
Earliest observed instance of NoTrove
The online ad scams work by serving up attractive but disingenuous ads on legitimate websites. The ads might offer bogus surveys or free software upgrades, as examples. When someone clicks on the ad, however, the scammer’s software then re-directs the user’s “clicks” and traffic toward various locations across the Internet.
Since advertisers and web content providers want as much of the traffic pie as they can get, web traffic is an essential commodity. Ad scammers like NoTrove profit from this demand, participating in traffic affiliate programs or selling traffic to traffic buyers (brokers). Unfortunately for the digital advertisers, however, the users are negatively impacted. They are surprised by the ad they are seeing and don’t even know how they got it.
Equally troubling for the digital advertising industry is that as ad scammers increase, the likelihood consumers will implement ad blockers as a way to avoid bogus ads increases as well. This practice, according to Juniper Research, will cost the digital media industry over $27 billion by 2020.
For consumers, this is more than just a nuisance. Ad scams can also be used to download PUPs—potentially unwanted programs—and can redirect them to unwanted places.
How NoTrove works
- To stay ahead of efforts to block its fake ads, NoTrove uses automation to constantly change how the ads are delivered and clickthroughs re-routed.
- The scam master has burned through 2,000 randomly generated domains and more than 3,000 IPs, operating across millions of Fully Qualified Domain Names; an FQDN is a complete web address, typically including subdomains for ad scammers, such as ajee99.mycontent.example.com.
- RiskIQ observed 78 variants of NoTrove campaigns, such as scam survey rewards, fake software downloads, and redirections to PUPs.
- Alexa rankings for its domains show how effective NoTrove is; even though each domain is short-lived, the rankings often shoot up into the Alexa top 10,000 based purely on scam ad deliveries; one NoTrove domain reached the ranking of 517, making it one of the most visited pages on the entire internet for that day.
“NoTrove harms not only visiting users, but also legitimate advertisers, adversely affecting those reliant on the credibility of the digital advertising ecosystem, such as online retailers, publishers and networks,” said William MacArthur, a threat researcher at RiskIQ. “Constantly shifting infrastructure means simply blocking domains and IPs isn’t enough. We must now begin utilizing machine learning to leverage human security teams who increasingly depend on accurate, automated scam detection.”