Security
NoTrove threat is delivering millions of scam ads
Friday, April 28, 2017
|
Richard Harris |
NoTrove is a newly discovered and major threat actor that is delivering millions of scam ads.
Earlier this year, RiskIQ, a digital threat management company, reported an eight-fold increase in internet scam incidents that deny the $83 billion digital advertising industry millions of dollars. Now, researchers at RiskIQ have identified NoTrove, a newly discovered and major threat actor that is delivering millions of scam ads that threaten consumers and further undermine the digital advertising industry.
A new research report released, “NoTrove: The Threat Actor Ruling a Scam Empire,” presents a detailed analysis demonstrating how NoTrove uses advanced automation techniques to deliver scam ads from millions of different domain names to stay ahead of detection and take down efforts. NoTrove was so effective that one of his pages ranked as one of the internet’s most visited pages for one day.
The online ad scams work by serving up attractive but disingenuous ads on legitimate websites. The ads might offer bogus surveys or free software upgrades, as examples. When someone clicks on the ad, however, the scammer’s software then re-directs the user’s “clicks” and traffic toward various locations across the internet.
Since advertisers and web content providers want as much of the traffic pie as they can get, web traffic is an essential commodity. Ad scammers like NoTrove profit from this demand, participating in traffic affiliate programs or selling traffic to traffic buyers (brokers). Unfortunately for the digital advertisers, however, the users are negatively impacted. They are surprised by the ad they are seeing and don’t even know how they got it.
Equally troubling for the digital advertising industry is that as ad scammers increase, the likelihood consumers will implement ad blockers as a way to avoid bogus ads increases as well. This practice, according to Juniper Research, will cost the digital media industry over $27 billion by 2020*.
For consumers, this is more than just a nuisance. Ad scams can also be used to download PUPs - potentially unwanted programs - and can redirect them to unwanted places.
The RiskIQ report takes a deep dive into how NoTrove works and shows the advances being made to avoid detection, preventing efforts to take it down and making it one of the most effective and largest ad scam operations ever.
- To stay ahead of efforts to block its fake ads, NoTrove uses automation to constantly change how the ads are delivered and clickthroughs re-routed.
- The scam master has burned through 2,000 randomly generated domains and more than 3,000 IPs, operating across millions of Fully Qualified Domain Names; an FQDN is a complete web address, typically including subdomains for ad scammers, such as ajee99.mycontent.example.com.
- RiskIQ observed 78 variants of NoTrove campaigns, such as scam survey rewards, fake software downloads, and redirections to PUPs.
- Alexa rankings for its domains show how effective NoTrove is; even though each domain is short-lived, the rankings often shoot up into the Alexa top 10,000 based purely on scam ad deliveries; one NoTrove domain reached the ranking of 517, making it one of the most visited pages on the entire internet for that day.
“NoTrove harms not only visiting users, but also legitimate advertisers, adversely affecting those reliant on the credibility of the digital advertising ecosystem, such as online retailers, publishers and networks,” said William MacArthur, a threat researcher at RiskIQ. “Constantly shifting infrastructure means simply blocking domains and IPs isn't enough. We must now begin utilizing machine learning to leverage human security teams who increasingly depend on accurate, automated scam detection.”
A new research report released, “NoTrove: The Threat Actor Ruling a Scam Empire,” presents a detailed analysis demonstrating how NoTrove uses advanced automation techniques to deliver scam ads from millions of different domain names to stay ahead of detection and take down efforts. NoTrove was so effective that one of his pages ranked as one of the internet’s most visited pages for one day.
The online ad scams work by serving up attractive but disingenuous ads on legitimate websites. The ads might offer bogus surveys or free software upgrades, as examples. When someone clicks on the ad, however, the scammer’s software then re-directs the user’s “clicks” and traffic toward various locations across the internet.
Since advertisers and web content providers want as much of the traffic pie as they can get, web traffic is an essential commodity. Ad scammers like NoTrove profit from this demand, participating in traffic affiliate programs or selling traffic to traffic buyers (brokers). Unfortunately for the digital advertisers, however, the users are negatively impacted. They are surprised by the ad they are seeing and don’t even know how they got it.
Equally troubling for the digital advertising industry is that as ad scammers increase, the likelihood consumers will implement ad blockers as a way to avoid bogus ads increases as well. This practice, according to Juniper Research, will cost the digital media industry over $27 billion by 2020*.
For consumers, this is more than just a nuisance. Ad scams can also be used to download PUPs - potentially unwanted programs - and can redirect them to unwanted places.
The RiskIQ report takes a deep dive into how NoTrove works and shows the advances being made to avoid detection, preventing efforts to take it down and making it one of the most effective and largest ad scam operations ever.
Key findings:
- To stay ahead of efforts to block its fake ads, NoTrove uses automation to constantly change how the ads are delivered and clickthroughs re-routed.
- The scam master has burned through 2,000 randomly generated domains and more than 3,000 IPs, operating across millions of Fully Qualified Domain Names; an FQDN is a complete web address, typically including subdomains for ad scammers, such as ajee99.mycontent.example.com.
- RiskIQ observed 78 variants of NoTrove campaigns, such as scam survey rewards, fake software downloads, and redirections to PUPs.
- Alexa rankings for its domains show how effective NoTrove is; even though each domain is short-lived, the rankings often shoot up into the Alexa top 10,000 based purely on scam ad deliveries; one NoTrove domain reached the ranking of 517, making it one of the most visited pages on the entire internet for that day.
“NoTrove harms not only visiting users, but also legitimate advertisers, adversely affecting those reliant on the credibility of the digital advertising ecosystem, such as online retailers, publishers and networks,” said William MacArthur, a threat researcher at RiskIQ. “Constantly shifting infrastructure means simply blocking domains and IPs isn't enough. We must now begin utilizing machine learning to leverage human security teams who increasingly depend on accurate, automated scam detection.”
Become a subscriber of App Developer Magazine for just $5.99 a month and take advantage of all these perks.
MEMBERS GET ACCESS TO
- - Exclusive content from leaders in the industry
- - Q&A articles from industry leaders
- - Tips and tricks from the most successful developers weekly
- - Monthly issues, including all 90+ back-issues since 2012
- - Event discounts and early-bird signups
- - Gain insight from top achievers in the app store
- - Learn what tools to use, what SDK's to use, and more
Subscribe here
