G4S Africa supports small business development thr... » The latest product in the G4S Deposita range is a smart safe system called mini-pay that holds up to... Commissioner's statement following incident in Man... » This is an utterly appalling attack. My thoughts are with the people of Manchester as they try to co... UPDATE: Policing events in the Capital » Following the horrific terrorist attack in Manchester last night, in which 22 people were killed and... Statement from Assistant Commissioner » Statement from Assistant Commissioner Mark Rowley, Head of National Counter Terrorism Policing: The... Met intensifies policing activities in London fol... » The Metropolitan Police Service (MPS) has increased police numbers and operations across the Capital... OF FOOLS OF THE MIDDLE BELT, ONE NORTH AND PASTORA... » Please visit also: www.scorpionnewscorp.com SERIES: BUHARISM AND THE FIERCE URGENCY OF NOW A treat... Home Secretary’s statement on the Manchester attac... » I know that some people will only just be waking up to the news of the horrific attacks in Mancheste... Checkpoint Systems unveils Bug Tag 2 loss preventi... » Checkpoint Systems has announced the launch of Bug Tag 2 – an innovative loss prevention solution th... Edesix launches new head and torso mounted body wo... » Edesix has announced the launch of new head and torso mounted cameras. The X-100 is a side-mounta... Banknote Watch offers essential advice as old £5 i... » As of Friday 5th May 2017, the paper £5 note was officially withdrawn from circulation and no lo...

CLICK HERE TO

SOCIAL BOOKMARK

Got News?

Got news for Vigilance?

Have you got news/articles for us? We welcome news stories and articles from security experts, intelligence analysts, industry players, security correspondents in the main stream media and our numerous readers across the globe.

READ MORE

Case Studies

London, UK: Earlier this year, RiskIQ reported an eight-fold increase in internet scam incidents that deny the $83 billion digital advertising industry millions of dollars. Now, researchers at RiskIQ have identified NoTrove, a newly discovered and major threat actor that is delivering millions of scam ads that threaten consumers and further undermine the digital advertising industry.

 

A new research report released today, “NoTrove: The Threat Actor Ruling a Scam Empire”, presents a detailed analysis demonstrating how NoTrove uses advanced automation techniques to deliver scam ads from millions of different domain names to stay ahead of detection and takedown efforts. NoTrove was so effective that one of its pages ranked as the internet’s most visited pages for one day.

The online ad scams work by serving up attractive but disingenuous ads on legitimate websites. The ads might offer bogus surveys or free software upgrades, as examples. When someone clicks on the ad, however, the scammer’s software then re-directs the users “clicks” and traffic toward various locations across the internet.

Since advertisers and web content providers want as much of the traffic pie as they can get, web traffic is an essential commodity. Ad scammers like NoTrove profit from this demand, participating in traffic affiliate programmes or selling traffic to traffic buyers (brokers). Unfortunately for the digital advertisers, however, the users are negatively impacted by the ad they are seeing and don’t even know how they got it.

Equally troubling for the digital advertising industry is that as ad scammers increase, the likelihood consumers will implement ad blockers as a way to avoid bogus ads increases, as well. This practice, according to Juniper Research, will cost the digital media industry over $27 billion by 2020*.

For consumers, this is more than just a nuisance. Ad scams can also be used to download PUPs—potentially unwanted programmes—and can redirect them to unwanted places.

The RiskIQ report takes a deep dive into how NoTrove works and shows the advances being made to avoid detection, preventing efforts to take it down, and making it one of the most effective and largest ad scam operations ever. Key findings include:

· To stay ahead of efforts to block its fake ads, NoTrove uses automation to constantly change how the ads are delivered and clickthroughs re-routed.

· The scam master has burned through 2,000 randomly generated domains and over 3,000 IPs, operating across millions of Fully Qualified Domain Names; an FQDN is a complete web address, typically including subdomains for ad scammers, such as ajee99.mycontent.example.com.

· RiskIQ observed 78 variants of NoTrove campaigns, such as scam survey rewards, fake software downloads, and redirections to PUPs.

· Alexa rankings for its domains show how effective NoTrove is; even though each domain is short-lived, the rankings often shoot up into the Alexa top 10,000 based purely on scam ad deliveries; one NoTrove domain reached the ranking of 517, making it one of the most visited pages on the entire internet for that day.

RiskIQ first observed NoTrove a year ago when it began expanding its focus on scams, but PDNS results inside RiskIQ PassiveTotal indicate this group has been operating as far back as December of 2010. Used by more than 18,000 security analysts, PassiveTotal expedites external threat investigation tasks and automates threat research collaboration and artifact monitoring. You can view the Public Project for NoTrove compiled by RiskIQ’s Threat Research team here: https://passivetotal.org/projects/7ee582dc-c792-e635-ce78-0396e1e00bf4

“NoTrove harms not only visiting users, but also legitimate advertisers, adversely affecting those reliant on the credibility of the digital advertising ecosystem such as online retailers, publishers, and networks,” said William MacArthur, a threat researcher at RiskIQ. “Constantly shifting infrastructure means simply blocking domains and IPs isn't enough. We must now begin utilising machine learning to leverage human security teams who increasingly depend on accurate, automated scam detection.”

To conduct this and other web research, RiskIQ applies its proprietary virtual user web crawling technology. This advanced internet reconnaissance acts like a user would, thoroughly interrogating websites and web apps, as well as respective browser session communications. It processes more than two billion HTTP requests per day to surface, identify, and connect internet elements to malicious campaigns.

Acting in concert with RiskIQ’s machine learning, virtual user technology can provide a deep level of analysis of how threat actors are behaving, their underlying infrastructure, and the techniques they use. In the NoTrove example, they can detect what the NoTrove page looks like down to the document object model (DOM), how a user gets there, and learn what makes a NoTrove page a NoTrove page. RiskIQ's platform will even understand and dynamically monitor for small variances in the payload without the need for any human intervention, so it can continue to detect NoTrove, even as this threat actor evolves.