Researchers Expose Huge Ad Scam Operation
1.5.2017 securityweek Spam
Researchers from security frim RiskIQ recently discovered a large ad scam operation where cybercriminals employed advanced automation techniques to deliver scam ads from millions of different domain names.
Dubbed NoTrove, the threat actor managed to stay ahead of detection and takedown efforts, while also building a network that generated huge amounts of traffic. The group was first observed a year ago, but the security researchers believe that it has been operating since at least 2010.
NoTrove was mainly focused on getting as much web traffic as possible, for monetary gain, and RiskIQ associated the group to 78 campaigns, including scam survey rewards, fake software downloads, and redirections to PUPs (Potentially Unwanted Programs). Although the used domains were short-lived, the generated traffic from scam ad deliveries was so large that it even pushed one of them to a 517 ranking on the Alexa top 10,000 web sites.
The actor was observed switching between 2,000 randomly generated domains and more than 3,000 IP addresses, operating across millions of Fully Qualified Domain Names (FQDNs). An FQDN is a complete web address, typically including subdomains for ad scammers, RiskIQ security researchers explain in their report (PDF).
The NoTrove FQDNs show high-entropy (they are highly random hosts), which shows that automation was used when creating them. Next to the high-entropy hosts, the researchers identified campaign-specific middle hosts, which appear to label the type of scam employed in the campaign, along with high-entropy or randomly worded domains, also generated using automation.
“With high-entropy domains and always-shifting hosting, we’ve seen NoTrove burn through just under 2,000 domains and over 3,000 IPs. Combined with the 78 variations of campaign-specific middle word variants and randomized hostnames, we’ve seen NoTrove operate across millions of FQDNs. Typically, one IP used by NoTrove will house a set of domains, but each campaign-specific *.domain.tld campaign variant will be hosted on its own IP, usually a Choopa or Linode droplet,” the researchers say.
“NoTrove harms not only visiting users, but also legitimate advertisers, adversely affecting those reliant on the credibility of the digital advertising ecosystem such as online retailers, service providers and media outlets. Constantly shifting infrastructure means simply blocking domains and IPs isn't enough. We must now begin utilizing machine learning to leverage human security teams who increasingly depend on accurate, automated scam detection,” RiskIQ threat researcher William MacArthur said.