Researchers from RiskIQ discovered the threat actor uses advanced automation techniques to deliver scam ads from millions of different domain names to evade detection and takedown efforts.
One of NoTrove's pages was, for a day, among the internet's most visited pages, reaching position 517 in the Alexa rankings, which demonstrates the effectiveness of the threat actor.
The report explains that the online ad scams work by serving attractive but bogus ads, such as fake surveys or free software upgrades, on legitimate websites. When someone clicks on the ad, the scammer's software redirects the user's “clicks” and traffic to various locations on the internet.
Web traffic is an essential commodity for advertisers and web content providers. Therefore, ad scammers like NoTrove profit from the demand by participating in traffic affiliate programmes or by selling traffic to traffic buyers. Unfortunately for digital advertisers, users are negatively affected by the ads they are shown and often do not even know how they arrived at them.
As ad scammers grow, the likelihood that consumers will install ad blockers to avoid bogus ads grows as well. Additionally, the scams can redirect users to potentially unwanted programmes (PUPs) and other unwanted destinations.
To evade detection, NoTrove uses automation to constantly change how the ads are delivered and how click-through URLs are re-routed. The scam master has burned through 2,000 randomly generated domains and more than 3,000 IPs that operate across millions of Fully Qualified Domain Names.
Ian Cowger, a security researcher at RiskIQ, told SC Media UK, “On a business level, we've found the most effective way to track NoTrove is through machine learning. Traditional advertisement security measures of blocking on the IP or domain level fall short of being able to effectively block NoTrove. On a consumer level, however, there is little you can do besides recognise the payload you are delivered as a scam and report the incident back to the publishing site with as much detail as you can provide.”
Seventy-eight variations of NoTrove campaigns were observed, including scam survey rewards, fake software downloads and redirections to PUPs.
NoTrove was observed a year ago when it began expanding its focus on scams, but RiskIQ indicates this threat actor has been operating as far back as December 2010.
“NoTrove harms not only visiting users, but also legitimate advertisers, adversely affecting those reliant on the credibility of the digital advertising ecosystem such as online retailers, publishers and networks. Constantly shifting infrastructure means simply blocking domains and IPs isn't enough,” said William MacArthur, a threat researcher at RiskIQ, in a statement.
Cowger continued: “The problem for those in charge of the security of ad networks and publishers is that constantly shifting and rotating infrastructure means just blocking domains and IPs won't cut it. NoTrove's infrastructure is so vast that blocking one piece is just playing a whack-a-mole game; when you hit one, another will pop up. If scam actors continue to be left unchecked, NoTrove will continue to balloon to even greater size.
“We feel that all security professionals can learn from NoTrove, not just those in digital advertising. Threat actors of all kinds are accumulating massive swaths of infrastructure to carry out their campaigns and essentially overwhelm traditional security controls. Security teams have to incorporate machine learning and automation that can understand small variances in payloads without the need for any human intervention and automatically block new infrastructure.”