RiskIQ Research Identifies New Threat Actor NoTrove

Apr 27, 2017


Earlier this year, RiskIQ, a provider of digital threat management, reported an eight-fold increase in internet scam incidents that deny the $83 billion digital advertising industry millions of dollars. Now, researchers at RiskIQ have identified NoTrove, a newly discovered and major threat actor that it says is delivering millions of scam ads that threaten consumers and further undermine the digital advertising industry.

A new research report, “NoTrove: The Threat Actor Ruling a Scam Empire”, presents a detailed analysis demonstrating how NoTrove uses advanced automation techniques to deliver scam ads from millions of different domain names to stay ahead of detection and takedown efforts. NoTrove was so effective that one of its pages ranked among the internet’s most visited pages for one day.

The online ad scams work by serving up attractive but disingenuous ads on legitimate websites. The ads might offer bogus surveys or free software upgrades, for example. When someone clicks on the ad, however, the scammer’s software redirects the user’s clicks and traffic toward various locations across the internet.

The RiskIQ report takes a deep dive into how NoTrove works. Key findings include:

  • To stay ahead of efforts to block its fake ads, NoTrove uses automation to constantly change how the ads are delivered and clickthroughs re-routed.
  • The scam master has burned through 2,000 randomly generated domains and over 3,000 IPs, operating across millions of Fully Qualified Domain Names (FQDNs); an FQDN is a complete hostname, typically including the subdomains ad scammers use, such as mycontent.example.com.
  • RiskIQ observed 78 variants of NoTrove campaigns, such as scam survey rewards, fake software downloads, and redirections to PUPs.
  • Alexa rankings for its domains show how effective NoTrove is; even though each domain is short-lived, the rankings often shoot up into the Alexa top 10,000 based purely on scam ad deliveries; one NoTrove domain reached the ranking of 517, making it one of the most visited pages on the entire internet for that day.

RiskIQ first observed NoTrove a year ago when it began expanding its focus on scams, but PDNS results inside RiskIQ PassiveTotal indicate this group has been operating as far back as December of 2010.
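As an added illustration, not taken from the RiskIQ report or its tooling, the following Python snippet shows the kind of passive-DNS heuristic a defender could run to spot the pattern the findings above describe: many FQDNs spawned under a registered domain that lives only days. The records, the thresholds and the two-label domain split are constructed assumptions for the example.

```python
from collections import defaultdict
from datetime import date

# Constructed passive-DNS style records: (fqdn, first_seen, last_seen, resolved_ip).
# These are sample values for the example, not data from the report.
SAMPLE_PDNS = [
    ("a1.mycontent.example.com", "2017-03-01", "2017-03-02", "203.0.113.5"),
    ("b2.mycontent.example.com", "2017-03-01", "2017-03-02", "203.0.113.5"),
    ("c3.mycontent.example.com", "2017-03-02", "2017-03-03", "203.0.113.9"),
    ("d4.mycontent.example.com", "2017-03-02", "2017-03-03", "203.0.113.9"),
    ("www.example.org", "2010-12-01", "2017-04-27", "198.51.100.7"),
    ("mail.example.org", "2011-01-15", "2017-04-27", "198.51.100.8"),
]


def registered_domain(fqdn):
    # Simplifying assumption: the last two labels form the registered domain.
    # Real data needs the Public Suffix List to handle suffixes like co.uk.
    return ".".join(fqdn.split(".")[-2:])


def profile_domains(records):
    # Aggregate per registered domain: distinct FQDNs, distinct IPs, observed lifetime.
    profiles = defaultdict(lambda: {"fqdns": set(), "ips": set(), "first": None, "last": None})
    for fqdn, first, last, ip in records:
        p = profiles[registered_domain(fqdn)]
        p["fqdns"].add(fqdn)
        p["ips"].add(ip)
        f, l = date.fromisoformat(first), date.fromisoformat(last)
        p["first"] = f if p["first"] is None or f < p["first"] else p["first"]
        p["last"] = l if p["last"] is None or l > p["last"] else p["last"]
    return profiles


def flag_churn(records, min_fqdns=4, max_lifetime_days=7):
    # Flag domains that spawn many FQDNs yet are only observed for a short window:
    # that combination is the rotation behaviour described in the findings above.
    flagged = []
    for dom, p in profile_domains(records).items():
        lifetime = (p["last"] - p["first"]).days
        if len(p["fqdns"]) >= min_fqdns and lifetime <= max_lifetime_days:
            flagged.append((dom, len(p["fqdns"]), len(p["ips"]), lifetime))
    return sorted(flagged)


if __name__ == "__main__":
    for dom, n_fqdn, n_ip, days in flag_churn(SAMPLE_PDNS):
        print(f"{dom}: {n_fqdn} FQDNs over {n_ip} IPs in {days} day(s)")
```

The thresholds are deliberately low so the constructed sample trips them; against real passive DNS they would be tuned to the volume observed per domain.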

(riskiq.com)