According to RiskIQ, new malware is seriously damaging the advertising industry, and ad networks have no idea how to combat it effectively.
William MacArthur, a threat researcher at RiskIQ said, “NoTrove harms not only visiting users, but also legitimate advertisers, adversely affecting those reliant on the credibility of the digital advertising ecosystem such as online retailers, publishers, and networks. Constantly shifting infrastructure means simply blocking domains and IPs isn’t enough. We must now begin utilising machine learning to leverage human security teams who increasingly depend on accurate, automated scam detection.”
Put simply, NoTrove is the person behind the most effective scam network yet discovered. It has been active since 2010 but has managed to remain off the radar of security vendors for most of that time. RiskIQ claims that it is responsible for millions of scam ads across the Internet. In the press release RiskIQ states: “NoTrove was so effective that one of his pages ranked as the internet’s most visited pages for one day.”
NoTrove runs a vast web of Internet domains. These are created and removed automatically over short periods of time. This churn is a deliberate countermeasure: it makes the domains hard for security companies to spot, and harder still to build blocking tools around. Each domain has its own infrastructure comprising a further set of domains, each focused on a different scam. The report from RiskIQ says that these range from promotions to prize draws, and from surveys to free software.
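The report's point, repeated in MacArthur's quote, is that a blocklist of yesterday's domains is useless against infrastructure that rotates daily, so detection has to key on behaviour instead. The following added example, not from RiskIQ's report or any NoTrove tooling, illustrates this on constructed observations: a blocklist built from one day's flagged domains is compared with a simple behavioural score (domain lifetime, redirect hops, scam-themed landing page) on the next day's traffic. All domain names, dates and thresholds are invented for the illustration.

```python
from datetime import datetime

# Constructed sample of ad-click observations (not real NoTrove data):
# (ad domain, first seen, last seen, redirect hops, landing-page theme)
OBSERVATIONS = [
    ("ad-cdn-77.example",        "2017-04-01", "2017-04-01", 3, "prize draw"),
    ("promo-xk2.example",        "2017-04-01", "2017-04-02", 4, "survey"),
    ("static.publisher.example", "2016-01-10", "2017-04-02", 1, "article"),
    ("free-sw-91.example",       "2017-04-02", "2017-04-02", 3, "free software"),
    ("win-now-c4.example",       "2017-04-03", "2017-04-03", 5, "prize draw"),
    ("cdn.retailer.example",     "2015-06-05", "2017-04-03", 1, "product page"),
]

# Landing-page themes the report associates with the scam pages (assumed labels).
SCAM_THEMES = {"prize draw", "survey", "free software", "promotion"}

def lifetime_days(first_seen, last_seen):
    """Inclusive number of days a domain has been observed serving ads."""
    fmt = "%Y-%m-%d"
    return (datetime.strptime(last_seen, fmt) - datetime.strptime(first_seen, fmt)).days + 1

def score(obs, max_lifetime=3, min_hops=2):
    """Behavioural score: short-lived domain, several redirect hops, scam-themed landing."""
    domain, first, last, hops, theme = obs
    points = 0
    if lifetime_days(first, last) <= max_lifetime:
        points += 1
    if hops >= min_hops:
        points += 1
    if theme in SCAM_THEMES:
        points += 1
    return points

def flag_behavioural(observations, threshold=3):
    return {o[0] for o in observations if score(o) >= threshold}

def seen_on(observations, day):
    """Observations whose active window covers the given day (ISO dates compare as strings)."""
    return [o for o in observations if o[1] <= day <= o[2]]

def compare(observations, block_day, eval_day):
    """Blocklist built from block_day's flagged domains versus behavioural scoring on eval_day."""
    blocklist = flag_behavioural(seen_on(observations, block_day))
    today = seen_on(observations, eval_day)
    return {
        "blocklist_hits": {o[0] for o in today if o[0] in blocklist},
        "behavioural_hits": flag_behavioural(today),
    }
```

On the constructed data, `compare(OBSERVATIONS, "2017-04-01", "2017-04-03")` shows the two-day-old blocklist matching nothing while the behavioural score still flags the freshly rotated domain.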
The scam ads are then displayed on unsuspecting websites through a variety of methods. These include exploiting poorly managed websites or using stolen credentials to take over a site. More effective still is breaking into established advertising networks and using them to place ads on thousands of small-business websites and blogs. In February RiskIQ reported that advertising networks from Google, AOL and Rubicon were among those hacked into. This allows malvertising from the likes of NoTrove to be placed on large numbers of websites, including those of very large companies.
The ads are constantly refreshed as a further countermeasure against being spotted. Once a user clicks on an ad, they are redirected to wherever NoTrove wants them to go.
In some cases the malvertising is looking to harvest data from users’ machines. In others, it installs small programmes that are used by a range of cybercriminals, whether to install further malware or to deliver more fake advertising.
The big prize here is defrauding companies of the money they pay for displaying adverts. Most advertising on the Internet relies on traffic. NoTrove generates vast amounts of network traffic. That traffic is then sold to third parties, some of whom use it to inflate the number of hits on real adverts. Advertisers then pay out per ad view or impression. Although the amount per impression is typically very small, the number of fake hits is high enough to make this valuable.
There is another side to this. The number of adverts that are irrelevant to users is increasing. This has led to a breakdown in trust between users and advertisers. More importantly, it has created a large growth market for ad-blockers, which have a significant impact on some websites. If users are blocking ads, the website doesn’t get paid because the ad isn’t viewed. This has forced some websites to limit the content users can see if they are using an ad blocker.