RiskIQ researchers have released a report into the King of Malvertising, NoTrove. The report, “NoTrove: The Threat Actor Ruling a Scam Empire” (registration required) can be downloaded from the RiskIQ website. What it shows is how effective scams around malvertising can be and how NoTrove, in particular, works.
According to William MacArthur, a threat researcher at RiskIQ: “NoTrove harms not only visiting users, but also legitimate advertisers, adversely affecting those reliant on the credibility of the digital advertising ecosystem such as online retailers, publishers, and networks. Constantly shifting infrastructure means simply blocking domains and IPs isn’t enough. We must now begin utilising machine learning to leverage human security teams who increasingly depend on accurate, automated scam detection.”
What is NoTrove?
Put simply, it is the person behind the most effective scam network yet discovered. It has been active since 2010 but has managed to remain off the radar of security vendors for most of that time. RiskIQ claim that it is responsible for millions of scam ads across the Internet. In the press release RiskIQ states: “NoTrove was so effective that one of his pages ranked as the internet’s most visited pages for one day.”
NoTrove runs a vast web of Internet domains. These are created and removed automatically over short periods of time. This countermeasure makes it hard for security companies to spot and produce tools to block. Each domain has its own infrastructure comprising another set of domains addresses focused on different scams. The report from RiskIQ says that these range from promotions to prize draws, surveys to free software.
They are then displayed on unsuspecting websites through a variety of methods. This might include poor website management or using hacked credentials to take over a website. More effective is the breaking into established advertising networks and using them to place ads on thousands of small business websites and blogs. In February RiskIQ reported that advertising networks from Google, AOL and Rubicon were among those hacked into. This allows malvertising from the like of NoTrove to be placed on large numbers of websites including those of very large companies.
The ads are constantly refreshed as another countermeasure to stop them being spotted. Once a user clicks on an ad they are redirected to where NoTrove wants them.
What is the benefit of malvertising?
In some cases the malvertising is looking to harvest data from users machines. In others, it will install small programmes that are used by a range of cybercriminals. It might be to install malware or deliver more fake advertising.
The big bonus here is defrauding companies out of money for displaying adverts. Most advertising on the Internet relies on traffic. NoTrove generates vast amounts of network traffic. That traffic is then sold to third parties, some of whom use it to inflate the numbers of hits for real adverts. This then means that the advertisers pay out per ad view or impression. Although the amount per impression is typically very small, the number of fake hits are high enough to make this valuable.
There is another side to this. The number of adverts that are irrelevant to users is increasing. This has led to a breakdown in trust between users and advertisers. More importantly it has created a large growth market for ad-blockers which have a significant impact on some websites. If users are blocking ads then the website doesn’t get paid as the ad isn’t viewed. This has forced some websites to limit the content users can see if they are using an ad blocker.
As with a lot of cybercrime this is all about fraud. The more ads that can be delivered the more traffic NoTrove can gather. The more traffic flowing across the network the more money can be made by selling it to other people. What is worrying about this is the amount of traffic that NoTrove is harvesting and the number of domains in use.
So far NoTrove has used over 2,000 domains and 3,000 IP addresses. There are 78 known variations of campaigns. All of this means that NoTrove domains are regularly in the top 1,000 Internet domains which means tens of thousands of clicks on ads. Each click could be routed through several networks gaining statistics as it moves. It’s not only a money machine but one that is using regular countermeasures to avoid detection