NoTrove Threat Actor Emerges with Millions of Scam Ads

A major new threat actor, dubbed NoTrove, has been seen delivering millions of scam ads, undermining and siphoning money from the digital advertising industry.

According to RiskIQ, NoTrove uses advanced automation techniques to deliver scam ads from millions of different domain names to stay ahead of detection and takedown efforts. NoTrove was so effective that one of the group’s pages ranked as one of the internet’s most visited pages for one day, the security firm noted in a report.

“The online ad scams work by serving up attractive but disingenuous ads on legitimate websites,” the firm explained. “The ads might offer bogus surveys or free software upgrades, as examples. When someone clicks on the ad, however, the scammer’s software then re-directs the user’s clicks and traffic toward various locations across the internet.”

Ad scammers like NoTrove profit from the demand for eyeballs, participating in traffic affiliate programs or selling traffic to traffic buyers (brokers). End users, though, are often surprised by the ad they are seeing and frequently have no idea how they got it. As ad scams proliferate, so does the likelihood that consumers will install ad blockers to avoid bogus ads. Beyond the annoyance factor, ad scams can also be used to push potentially unwanted programs onto users' machines and to redirect users to unwanted destinations.

“NoTrove harms not only visiting users, but also legitimate advertisers, adversely affecting those reliant on the credibility of the digital advertising ecosystem, such as online retailers, publishers and networks,” said William MacArthur, a threat researcher at RiskIQ. “Constantly shifting infrastructure means simply blocking domains and IPs isn't enough. We must now begin utilizing machine learning to leverage human security teams who increasingly depend on accurate, automated scam detection.”

To stay ahead of efforts to block its fake ads, NoTrove uses automation to constantly change how the ads are delivered and click-throughs re-routed, the analysis explained: “The scam master has burned through 2,000 randomly generated domains and more than 3,000 IPs, operating across millions of Fully Qualified Domain Names; an FQDN is a complete web address, typically including subdomains for ad scammers, such as ajee99.mycontent.example.com.”
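As an added, defender-side illustration (not RiskIQ's code or the report's data) of why an exact-hostname blocklist keeps falling behind this kind of subdomain rotation, the Python below collapses hostnames to their registrable domain, flags domains that show many distinct subdomain prefixes, and compares a blocklist built from one day's flagged hosts against the next day's traffic. The hostnames are constructed in the reserved example.com/example.net space, and `registrable_domain` assumes the last two labels are the registrable part (no public-suffix list, so co.uk-style suffixes are not handled).

```python
from collections import defaultdict

# Constructed sample of hostnames seen in ad-redirect requests on two
# consecutive days. Made-up values, not real NoTrove indicators.
DAY1 = ["ajee99.mycontent.example.com", "bq7x1.mycontent.example.com",
        "k0pz4.mycontent.example.com", "cdn.news-site.example.net"]
DAY2 = ["zr55a.mycontent.example.com", "ajee99.mycontent.example.com",
        "m2nd8.mycontent.example.com", "cdn.news-site.example.net"]


def registrable_domain(fqdn: str) -> str:
    """Collapse an FQDN to its registrable domain.
    Assumption: last two labels; no public-suffix list is consulted."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def subdomain_churn(hosts):
    """Number of distinct subdomain prefixes seen under each registrable domain."""
    seen = defaultdict(set)
    for h in hosts:
        base = registrable_domain(h)
        prefix = h.lower()[:-len(base)].rstrip(".")
        if prefix:
            seen[base].add(prefix)
    return {base: len(prefixes) for base, prefixes in seen.items()}


def flag_rotating_domains(hosts, min_distinct=3):
    """Registrable domains whose subdomain count crosses the churn threshold."""
    return sorted(b for b, n in subdomain_churn(hosts).items() if n >= min_distinct)


def scam_hosts(hosts, min_distinct=3):
    """Hosts that sit under a flagged (rotating) registrable domain."""
    rotating = set(flag_rotating_domains(hosts, min_distinct))
    return [h for h in hosts if registrable_domain(h) in rotating]


def unmatched(blocklist, hosts, key=lambda h: h.lower()):
    """Hosts the blocklist does not cover when both sides are compared via `key`.
    With the default key this is exact-FQDN matching; pass registrable_domain
    to compare at the registrable-domain level instead."""
    blocked = {key(b) for b in blocklist}
    return [h for h in hosts if key(h) not in blocked]


if __name__ == "__main__":
    yesterday = scam_hosts(DAY1)
    print("exact-host blocklist leaves unmatched:", unmatched(yesterday, DAY2))
    print("domain-level match leaves unmatched:",
          unmatched(yesterday, DAY2, key=registrable_domain))
```

On the constructed data the exact-host list built from day one misses both of day two's freshly generated subdomains, while matching at the registrable-domain level leaves only the unrelated CDN host unmatched.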

Starting about a year ago, RiskIQ observed 78 variants of NoTrove campaigns, including scam survey rewards, fake software downloads and redirections to PUPs. Indicators, however, show that the group has been operating as far back as December 2010.

Earlier this year, RiskIQ, the leader in digital threat management, reported an eight-fold increase in internet scam incidents that deny the $83 billion digital advertising industry millions of dollars.
