NoTrove: Meet the Scammer Ruling Over an Empire

NoTrove: The Threat Actor Ruling a Scam Empire

April 26, 2017, Ian Cowger

Meet NoTrove, the snake oil salesman of digital advertising.

Scams: an alarming trend

Earlier this year, RiskIQ reported an 845.9% increase in internet scam incidents, indicating a major trend toward disingenuous advertising meant to capture traffic.

Scammers deliver fraudulent landing pages (take a survey to win a free PlayStation!), which are often ignored by typical malvertising detection methods looking for payloads like scareware, phishing, and malicious injections. However, because of the gray nature of their payloads—scams themselves do not deliver crimeware—scammers are usually left to acquire tons of cheap infrastructure to grow, unimpeded, to enormous sizes.

NoTrove, a scammer that has amassed an enormous infrastructure, has been appearing more and more in our clients’ workspaces.

Fig-1 A typical scam

A scam empire

One scam actor, in particular, has been appearing more and more in our clients’ workspaces, a group we call NoTrove.

NoTrove’s peculiar name comes from a common theme we observed in the URI pattern. This actor’s URLs almost always come with the parameters /tov= or /rov=, and are most commonly associated with fake rewards scams. Therefore, the name came together as No (Treasure) (T/R)ove, or NoTrove for short.

Over the years, NoTrove has amassed enormous infrastructure. With high-entropy domains and always-shifting hosting, we’ve seen NoTrove burn through just under 2,000 domains and over 3,000 IPs. Combined with the 78 variations of campaign-specific middle word variants and randomized hostnames, we’ve seen NoTrove operate across millions of FQDNs.
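The two indicators described above, the /tov= or /rov= URI parameter and random-looking hostnames, can be combined into a simple triage check for proxy logs. This is an added illustration, not code from RiskIQ or the report; the log lines and hostnames are constructed, and the entropy threshold is an assumed starting point to tune against your own traffic.

```python
import math
import re
from collections import Counter
from urllib.parse import urlparse

# Matches the "/tov=" or "/rov=" parameter the post describes in NoTrove URLs.
NOTROVE_PARAM = re.compile(r"/[tr]ov=", re.IGNORECASE)


def shannon_entropy(label: str) -> float:
    """Bits per character of a hostname label; random-looking labels score high."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def registrable_label(host: str) -> str:
    """Second-level label (naive: ignores multi-part public suffixes such as co.uk)."""
    parts = host.lower().split(".")
    return parts[-2] if len(parts) >= 2 else host.lower()


def classify_url(url: str, entropy_threshold: float = 3.0) -> dict:
    """Score one URL on both indicators; the threshold is an assumption to tune."""
    host = urlparse(url).hostname or ""
    entropy = shannon_entropy(registrable_label(host))
    return {
        "url": url,
        "param_hit": bool(NOTROVE_PARAM.search(url)),
        "entropy": round(entropy, 2),
        "high_entropy": entropy >= entropy_threshold,
    }


def flag_notrove_like(log_lines):
    """Return URLs from 'timestamp client url' lines that match both indicators."""
    hits = []
    for line in log_lines:
        result = classify_url(line.split()[-1])
        if result["param_hit"] and result["high_entropy"]:
            hits.append(result["url"])
    return hits


# Constructed proxy log lines for illustration; hostnames are invented.
SAMPLE_LOG = [
    "2017-04-26T10:01:02Z 10.0.0.5 http://www.example.com/index.html",
    "2017-04-26T10:01:07Z 10.0.0.5 http://rewards.zq8kvm3xpt.example/rov=7&c=win",
    "2017-04-26T10:01:09Z 10.0.0.7 http://news.example.org/rov=1",
    "2017-04-26T10:01:12Z 10.0.0.9 http://prize.k2x9wqp7lm.example/tov=3",
]
```

Requiring both indicators keeps a legitimate low-entropy site that happens to carry a matching parameter (the third line) out of the hit list, which matters when one domain block is just another round of whack-a-mole.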

You can see most of NoTrove’s infrastructure compiled in a RiskIQ PassiveTotal public project here: https://passivetotal.org/projects/7ee582dc-c792-e635-ce78-0396e1e00bf4

Massive amounts of traffic

Traffic is an essential commodity for legitimate web companies and the criminal underground economy alike. Scammers capture the traffic of users who click on their misleading advertising and can sell it to the highest bidder, and NoTrove is particularly successful at capturing it. NoTrove domains regularly appear in the Alexa top ten thousand based purely on scam ad deliveries. In fact, the highest rank we’ve seen historically for a NoTrove domain was 517, making it one of the most visited pages on the entire internet for that day.

The material impact

As scam actors redirect an increasing number of users through layers and layers of what amounts to digital junk, users are turning to ad blocking, which directly affects the lifeblood of the digital advertising ecosystem. According to Juniper Research, ad blocking will cost the digital media industry over $27 billion by 2020.

A growing problem

The problem for those in charge of the security of ad networks and publishers is that constantly shifting and rotating infrastructure means simply blocking domains and IPs isn’t enough. NoTrove is spread so far and wide that blocking one piece of its infrastructure is akin to playing whack-a-mole—no matter how many you hit, another will pop up. If left unchecked, NoTrove and threat actors like it will continue to balloon to even greater size, encompassing more domains, IPs, and other infrastructure.

For the full profile of NoTrove, and what you can do to detect it, download the full report, NoTrove: The Threat Actor Ruling a Scam Empire.