SlideShare ist ein Scribd-Unternehmen logo

Malvertising Domain Had So Much Traffic It Reached #517 in the Alexa Ranking

I
Ian Beckett

Malvertising Domain Had So Much Traffic It Reached #517 in the Alexa Ranking

Business
1 von 7
Downloaden Sie, um offline zu lesen
NoTrove: The Threat Actor Ruling a Scam Empire APRIL 2017
2 NoTrove: The Threat Actor Ruling a Scam Empire When it comes to threats delivered through the digital advertising ecosystem, malware is usually what keeps folks up at night. However, while the infosec world laser-focuses on hunting and neutralizing exploit kits, a different type of threat is left to grow unimpeded, often to enormous sizes: scams. Scam campaigns grow quickly and silently in the shadows by acquiring cheap infrastructure. Over the years, these campaigns have become pervasive to the point of badly degrading the overall quality of the internet. If you’ve ever seen a digital ad offering free electronics or “fabulous prizes” in return for taking a quick survey, you know what scams are. Essentially, scams are undesirable advertising, which fly under the radar because of the “gray” nature of their payload. In other words, while scams aren’t classified as crimeware, they are intentionally misleading and disingenuous, and compromising the integrity of digital advertising. By utilizing machine learning to enhance our ability to identify scams, RiskIQ detected 845% more scam incidents¹ in 2016 than 2015, a number we expect to increase again this year. With this new approach to scams, we’re also able to closely examine their infrastructure to determine what makes them effective and lucrative to operate. What we find alarming about our research on a threat actors we’ve come to call “NoTrove” is the sheer scale of these scam networks’ infrastructure and the traffic they command. EXECUTIVE SUMMARY The main goal of scammers is often to accrue as much web traffic as possible. Essentially, web traffic is the result of a computer connecting with a web browser and an actual human connecting with digital content sitting on a hosting server. It’s comprised of visitors to websites, with each single click and background request counting as a minuscule but significant drop in a vast pool of monitored, tracked, and often commoditized data points. Ecosystems and economies form to buy, sell, and trade this traffic; products and services are designed to aid in analyzing and classifying it. Traffic is redirected and shuffled around the web as part of partnerships and business contracts. Traffic is critical to the giant exchanges in the online advertising space and to the very many niche affiliate network programs that exist, with organizations of all kinds tasked with monetizing and, ultimately, squeezing every last fraction of a penny of indirect marginal profit of each URL visited. To monetize their traffic collecting, scammers like the one outlined in this report may participate in shady traffic affiliate programs or sell traffic to traffic buyers (brokers). Traffic is an essential commodity for legitimate web companies and criminal underground economy alike. Everyone wants a piece of the traffic pie, and NoTrove is feasting. THE TARGET: WEB TRAFFIC ¹ RiskIQ’s 2016 Malvertising Report, RiskIQ Research, 1/30/2017
3 NoTrove: The Threat Actor Ruling a Scam Empire One of these scam networks, by the prolific actor “NoTrove,” is particularly successful in capturing traffic. NoTrove’s peculiar name comes from a common theme observed in the URI pattern. This actor’s URLs almost always come with the parameters /tov= or /rov=, and are most commonly associated with fake rewards scams. Therefore, the name came together as No (Treasure) (T/R)ove,or NoTrove for short. We first observed NoTrove a year ago when we began expanding our focus on scams, but Passive DNS (PDNS) results inside PassiveTotal indicate this group has been operating as far back as December of 2010: (Fig 1. Earliest observed instance of NoTrove) https://passivetotal.org/search/220.181.5.222 THE CULPRIT: WHO (WHAT) IS NOTROVE? In Fig-1 above you’ll see an older version of a NoTrove host, but today, NoTrove builds its infrastructure in a very particular way: • A typical NoTrove fully qualified domain name (FQDN) will use a high-entropy (i.e., highly random) host, shown in blue. High-entropy hosts indicate that they are created by automation, which threat actors will employ to quickly build infrastructure with which to launch attacks. • Following these high-entropy hosts are campaign- specific middle hosts (shown medium blue) we think are used to label the type of scam (e.g., survey, promo, prize, etc.). With so much infrastructure constantly in rotation, this is how NoTrove keeps it all organized. So far, we’ve observed 78 variants representing NoTrove’s different payloads. • Following the “label” hosts are a high-entropy or randomly worded domains (shown in light blue), again indicating they were created by automation. THE MODUS OPERANDI: WITH SCAMS, SIZE MATTERS With high-entropy domains and constantly shifting hosting, we’ve seen NoTrove burn through just under 2,000 domains and over 3,000 IPs. Combined with the 78 variations of campaign-specific middle-word variants and randomized hostnames, we’ve seen NoTrove operate across millions of FQDNs. Typically, one IP used by NoTrove will house a set of domains, but each campaign-specific *.domain.tld campaign variant will be hosted on its own IP, usually a Choopa or Linode droplet. These IPs and domains can be found in this PassiveTotal public project here: https://passivetotal.org/projects/7ee582dc-c792-e635-ce78-0396e1e00bf4 But, to see just how prevalent this actor is, we can look at the Alexa rankings of its domains. Usually, each domain will only be active for a couple of weeks, but during that period it is not uncommon for the domain to shoot up into the Alexa top ten thousand based purely on scam ad deliveries. In fact, the highest rank we’ve seen historically for a NoTrove domain was 517, making it one of the most visited pages on the entire internet for that day. Here are some more examples of typical contemporary NoTrove FQDNs: bogzz.bestprizeland.8702.ws uchzz.pcloadletter.footbaths.xyz rjkzz.super-promo.7891223.com tcfzz.stream.7891223.com
4 NoTrove: The Threat Actor Ruling a Scam Empire So what does NoTrove look like? Well, with the 78 variants of tracked middle-phrase campaigns, there are many different payloads. However, the most common versions seen are scam survey rewards, fake software downloads, and redirections to potentially unwanted programs (PUPs). Seen Here: THE MUG SHOT: WHAT VICTIMS SEE Fig 2. Fake Media Player Fig 3. Fake Rewards Fig 4. Redirection to PUP
5 NoTrove: The Threat Actor Ruling a Scam Empire Below, we’ll journey through a sequence overview from a RiskIQ crawl that ended up on a commonly advertised PUP from NoTrove to examine how NoTrove sends users to one of its scam pages. We begin our trek with a request for an ad from a(.)diretrak(.)com, where we are immediately shunted off to a rotator (dedicated infrastructure for redirecting the user based off of various parameters) that then kicks us over to the first stage of a NoTrove delivery. You can see here that NoTrove typically comes in two stages: 1. An internal redirection based on the type of campaign 2. The scam payload, a redirection to a PUP, or, if there is nothing to serve for that requested campaign, it will fallback to delivering another ad through a second network In this example, there was nothing to deliver for the given parameters on that particular campaign, so NoTrove used the fallback of delivering an ad pulled through play(.)leadzupc(.)com, which is the Mobusi mobile-based ad network. THE DELIVERY: HOW THE TRAFFIC COMES AND GOES
6 NoTrove: The Threat Actor Ruling a Scam Empire From Mobusi, the sequence passes through Afftrack for affiliate traffic tracking, and then off to the same rotator we saw before. Once again, that rotator spits us back out to NoTrove. This time, however, we’re hitting a different campaign. With this campaign, we were given an actual result when we hit the second stage of NoTrove. We received a redirection out to ReimagePlus, a PUP commonly associated with low-quality affiliates, aggressive, misleading advertising, and software bundlers.
7 NoTrove: The Threat Actor Ruling a Scam Empire NoTrove is far from the only actor operating enormous swaths of scam infrastructure, which pollutes digital advertising networks and degrades the overall effectiveness of the digital ad ecosystem. Redirecting users through layers and layers of what amounts to digital junk may be incredibly lucrative for NoTrove operators, but adversely affects those reliant on the credibility of the digital advertising ecosystem. More and more users are becoming attuned to the undesirability and potential dangers of scams and are turning to ad blocking as a solution. Unfortunately, ad blockers block all ads, so publishers don’t get paid. Ad blockers eat away at digital advertising revenue and sharply curtail the growth of the industry. In 2016, 69.8 million Americans were expected to use an ad blocker, an increase of 34.4% over last year². In 2017, that figure is projected to grow by another 24%, or 86.6 million people. This practice, according to Juniper Research, will cost the digital media industry over $27 billion by 2020.³ The problem for those in charge of the security of ad networks is that constantly shifting infrastructure means simply blocking domains and IPs isn’t enough. NoTrove is spread so far and wide that blocking one piece of its infrastructure is akin to playing whack-a-mole—no matter how many you hit, another will pop up. Also, the scale at which NoTrove and groups like it operate means identifying scams in time to block their impact is no longer possible for humans alone. ² US Ad Blocking to Jump by Double Digits This Year, eMarketer, 6/30/2016 If left unchecked, NoTrove and threat actors like it will continue to balloon to even greater size, encompassing more domains, IPs, and other infrastructure. Until we can commit to stopping those accruing scam empires across the web, these threat actors will cause more problems for the digital advertising space and the internet as a whole. Fortunately, you should now have enough information to identify a NoTrove scam. Unfortunately, mere humans lack the computing power to identify NoTrove’s rotating infrastructure quickly enough to do much about it. However, with machine learning, human security professionals can enjoy accurate, automated detection and confirmation of NoTrove scams. Just like this report taught you how to know a piece of NoTrove infrastructure when you see it, machine learning can detect what the NoTrove page looks like down to the document object model (DOM) and learn what makes a NoTrove page a NoTrove page. Eventually, it will even understand small variances in the payload without the need for any human intervention, so it can continue to detect NoTrove, even as this threat actor evolves. THE CONSEQUENCES: WHY IT MATTERS THE RESPONSE: MACHINE-LEARNING AUTOMATION ABOUT RISKIQ RiskIQ is the leader in digital threat management, providing the most comprehensive discovery, intelligence, and mitigation of threats associated with an organization’s digital presence. With more than 80 percent of attacks originating outside the firewall, RiskIQ allows enterprises to gain unified insight and control over web, social, and mobile exposures. Trusted by thousands of security analysts, RiskIQ’s platform combines advanced internet data reconnaissance and analytics to expedite investigations, understand digital attack surfaces, assess risk, and take action to protect business, brand, and customers. Based in San Francisco, the company is backed by Summit Partners, Battery Ventures, Georgian Partners, and MassMutual Ventures. THINK OUTSIDE THE FIREWALL™ riskiq.com • 22 Battery Street, 10th Floor, San Francisco, CA 94111, USA • sales@riskiq.com • 1.888.415.4447 © 2017 RiskIQ, Inc. All rights reserved. RiskIQ and PassiveTotal are registered trademarks and Outside the Firewall is a trademark of RiskIQ, Inc. in the United States and other countries. All other trademarks contained herein are property of their respective owners. ³ Worldwide Digital Advertising: 2016-2020, Juniper Research, 11/5/2016 by Sam Barker

Empfohlen

111 of the biggest, costliest startup failures of all time – cbinsights 062017
111 of the biggest, costliest startup failures of all time – cbinsights 062017111 of the biggest, costliest startup failures of all time – cbinsights 062017
111 of the biggest, costliest startup failures of all time – cbinsights 062017Ian Beckett
 
Edtech startup scene 2017 - startups
Edtech startup scene 2017 - startups Edtech startup scene 2017 - startups
Edtech startup scene 2017 - startups Ian Beckett
 
Drone tech startup scene 2017 - startups
Drone tech startup scene 2017 - startupsDrone tech startup scene 2017 - startups
Drone tech startup scene 2017 - startupsIan Beckett
 
Deloitte the case for disruptive technology in the legal profession 2017
Deloitte the case for disruptive technology in the legal profession 2017 Deloitte the case for disruptive technology in the legal profession 2017
Deloitte the case for disruptive technology in the legal profession 2017 Ian Beckett
 
2016 payment threats trends report
2016 payment threats trends report2016 payment threats trends report
2016 payment threats trends reportIan Beckett
 
usa homeloan startup scene - fintech
usa homeloan startup scene - fintech usa homeloan startup scene - fintech
usa homeloan startup scene - fintech Ian Beckett
 
india fintech startups
india fintech startupsindia fintech startups
india fintech startupsIan Beckett
 
smarthome startup scene - list
smarthome startup scene - listsmarthome startup scene - list
smarthome startup scene - listIan Beckett
 

Empfohlen

111 of the biggest, costliest startup failures of all time – cbinsights 062017
111 of the biggest, costliest startup failures of all time – cbinsights 062017111 of the biggest, costliest startup failures of all time – cbinsights 062017
111 of the biggest, costliest startup failures of all time – cbinsights 062017Ian Beckett
 
Edtech startup scene 2017 - startups
Edtech startup scene 2017 - startups Edtech startup scene 2017 - startups
Edtech startup scene 2017 - startups Ian Beckett
 
Drone tech startup scene 2017 - startups
Drone tech startup scene 2017 - startupsDrone tech startup scene 2017 - startups
Drone tech startup scene 2017 - startupsIan Beckett
 
Deloitte the case for disruptive technology in the legal profession 2017
Deloitte the case for disruptive technology in the legal profession 2017 Deloitte the case for disruptive technology in the legal profession 2017
Deloitte the case for disruptive technology in the legal profession 2017 Ian Beckett
 
2016 payment threats trends report
2016 payment threats trends report2016 payment threats trends report
2016 payment threats trends reportIan Beckett
 
usa homeloan startup scene - fintech
usa homeloan startup scene - fintech usa homeloan startup scene - fintech
usa homeloan startup scene - fintech Ian Beckett
 
india fintech startups
india fintech startupsindia fintech startups
india fintech startupsIan Beckett
 
smarthome startup scene - list
smarthome startup scene - listsmarthome startup scene - list
smarthome startup scene - listIan Beckett
 
Cb insights 2017 fintech-250
Cb insights 2017 fintech-250Cb insights 2017 fintech-250
Cb insights 2017 fintech-250Ian Beckett
 
WEF Realizing the Potential of Blockchain
WEF Realizing the Potential of BlockchainWEF Realizing the Potential of Blockchain
WEF Realizing the Potential of BlockchainIan Beckett
 
what is a cryptocurrency token sale ICO
what is a cryptocurrency token sale ICO what is a cryptocurrency token sale ICO
what is a cryptocurrency token sale ICO Ian Beckett
 
VAT + imports exports in a post Brexit UK
VAT + imports exports in a post Brexit UKVAT + imports exports in a post Brexit UK
VAT + imports exports in a post Brexit UKIan Beckett
 
Blockchain Technology A game-changer in accounting ?
Blockchain Technology A game-changer in accounting ?Blockchain Technology A game-changer in accounting ?
Blockchain Technology A game-changer in accounting ?Ian Beckett
 
The accountants guide to Blockchain + DistributedLedger - ACCA
The accountants guide to Blockchain + DistributedLedger - ACCA The accountants guide to Blockchain + DistributedLedger - ACCA
The accountants guide to Blockchain + DistributedLedger - ACCA Ian Beckett
 
Future of financial services 2017
Future of financial services 2017Future of financial services 2017
Future of financial services 2017Ian Beckett
 
Ecommerce sales worldwide 2017
Ecommerce sales worldwide 2017Ecommerce sales worldwide 2017
Ecommerce sales worldwide 2017Ian Beckett
 
Hash Visualization a New Technique to improve Real World CyberSecurity
Hash Visualization a New Technique to improve Real World CyberSecurityHash Visualization a New Technique to improve Real World CyberSecurity
Hash Visualization a New Technique to improve Real World CyberSecurityIan Beckett
 
Divided we fall, distributed we stand the professional accountant’s guide t...
Divided we fall, distributed we stand the professional accountant’s guide t...Divided we fall, distributed we stand the professional accountant’s guide t...
Divided we fall, distributed we stand the professional accountant’s guide t...Ian Beckett
 
PWC - Global FinTech Report 2017 - startup
PWC - Global FinTech Report 2017 - startup PWC - Global FinTech Report 2017 - startup
PWC - Global FinTech Report 2017 - startup Ian Beckett
 
Deloitte - Blockchain and the future of financial infrastructure - fintech cl...
Deloitte - Blockchain and the future of financial infrastructure - fintech cl...Deloitte - Blockchain and the future of financial infrastructure - fintech cl...
Deloitte - Blockchain and the future of financial infrastructure - fintech cl...Ian Beckett
 
PWC - Global FinTech Report 2017
PWC - Global FinTech Report 2017PWC - Global FinTech Report 2017
PWC - Global FinTech Report 2017Ian Beckett
 
Fintech 2.0 - Rebooting Financial Services - Blockchain Clearing
Fintech 2.0 - Rebooting Financial Services - Blockchain Clearing Fintech 2.0 - Rebooting Financial Services - Blockchain Clearing
Fintech 2.0 - Rebooting Financial Services - Blockchain Clearing Ian Beckett
 
Pitch book 2016 annual vc valuations report
Pitch book 2016 annual vc valuations reportPitch book 2016 annual vc valuations report
Pitch book 2016 annual vc valuations reportIan Beckett
 
Industrial internet of things (IIOT) - special report-2017
Industrial internet of things (IIOT) - special report-2017Industrial internet of things (IIOT) - special report-2017
Industrial internet of things (IIOT) - special report-2017Ian Beckett
 
UK Govt Apprenticeship Levy special report 2017
UK Govt Apprenticeship Levy special report 2017UK Govt Apprenticeship Levy special report 2017
UK Govt Apprenticeship Levy special report 2017Ian Beckett
 
Annual Returns for Key Indices Ranked in Order of Performance (1997–2016) 2/2
Annual Returns for Key Indices Ranked in Order of Performance (1997–2016) 2/2Annual Returns for Key Indices Ranked in Order of Performance (1997–2016) 2/2
Annual Returns for Key Indices Ranked in Order of Performance (1997–2016) 2/2Ian Beckett
 
PWC 2017 - UK startup review - 2016 in Fintech
PWC 2017 - UK startup review - 2016 in Fintech PWC 2017 - UK startup review - 2016 in Fintech
PWC 2017 - UK startup review - 2016 in Fintech Ian Beckett
 
the new retail ecosystem From disrupted to disruptor - startup
the new retail ecosystem From disrupted to disruptor - startup the new retail ecosystem From disrupted to disruptor - startup
the new retail ecosystem From disrupted to disruptor - startup Ian Beckett
 
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756dollysharma2066
 
RSA Conference Exhibitor List 2024 - Exhibitors Data
RSA Conference Exhibitor List 2024 - Exhibitors DataRSA Conference Exhibitor List 2024 - Exhibitors Data
RSA Conference Exhibitor List 2024 - Exhibitors DataExhibitors Data
 

Weitere ähnliche Inhalte

Mehr von Ian Beckett

Cb insights 2017 fintech-250
Cb insights 2017 fintech-250Cb insights 2017 fintech-250
Cb insights 2017 fintech-250Ian Beckett
 
WEF Realizing the Potential of Blockchain
WEF Realizing the Potential of BlockchainWEF Realizing the Potential of Blockchain
WEF Realizing the Potential of BlockchainIan Beckett
 
what is a cryptocurrency token sale ICO
what is a cryptocurrency token sale ICO what is a cryptocurrency token sale ICO
what is a cryptocurrency token sale ICO Ian Beckett
 
VAT + imports exports in a post Brexit UK
VAT + imports exports in a post Brexit UKVAT + imports exports in a post Brexit UK
VAT + imports exports in a post Brexit UKIan Beckett
 
Blockchain Technology A game-changer in accounting ?
Blockchain Technology A game-changer in accounting ?Blockchain Technology A game-changer in accounting ?
Blockchain Technology A game-changer in accounting ?Ian Beckett
 
The accountants guide to Blockchain + DistributedLedger - ACCA
The accountants guide to Blockchain + DistributedLedger - ACCA The accountants guide to Blockchain + DistributedLedger - ACCA
The accountants guide to Blockchain + DistributedLedger - ACCA Ian Beckett
 
Future of financial services 2017
Future of financial services 2017Future of financial services 2017
Future of financial services 2017Ian Beckett
 
Ecommerce sales worldwide 2017
Ecommerce sales worldwide 2017Ecommerce sales worldwide 2017
Ecommerce sales worldwide 2017Ian Beckett
 
Hash Visualization a New Technique to improve Real World CyberSecurity
Hash Visualization a New Technique to improve Real World CyberSecurityHash Visualization a New Technique to improve Real World CyberSecurity
Hash Visualization a New Technique to improve Real World CyberSecurityIan Beckett
 
Divided we fall, distributed we stand the professional accountant’s guide t...
Divided we fall, distributed we stand the professional accountant’s guide t...Divided we fall, distributed we stand the professional accountant’s guide t...
Divided we fall, distributed we stand the professional accountant’s guide t...Ian Beckett
 
PWC - Global FinTech Report 2017 - startup
PWC - Global FinTech Report 2017 - startup PWC - Global FinTech Report 2017 - startup
PWC - Global FinTech Report 2017 - startup Ian Beckett
 
Deloitte - Blockchain and the future of financial infrastructure - fintech cl...
Deloitte - Blockchain and the future of financial infrastructure - fintech cl...Deloitte - Blockchain and the future of financial infrastructure - fintech cl...
Deloitte - Blockchain and the future of financial infrastructure - fintech cl...Ian Beckett
 
PWC - Global FinTech Report 2017
PWC - Global FinTech Report 2017PWC - Global FinTech Report 2017
PWC - Global FinTech Report 2017Ian Beckett
 
Fintech 2.0 - Rebooting Financial Services - Blockchain Clearing
Fintech 2.0 - Rebooting Financial Services - Blockchain Clearing Fintech 2.0 - Rebooting Financial Services - Blockchain Clearing
Fintech 2.0 - Rebooting Financial Services - Blockchain Clearing Ian Beckett
 
Pitch book 2016 annual vc valuations report
Pitch book 2016 annual vc valuations reportPitch book 2016 annual vc valuations report
Pitch book 2016 annual vc valuations reportIan Beckett
 
Industrial internet of things (IIOT) - special report-2017
Industrial internet of things (IIOT) - special report-2017Industrial internet of things (IIOT) - special report-2017
Industrial internet of things (IIOT) - special report-2017Ian Beckett
 
UK Govt Apprenticeship Levy special report 2017
UK Govt Apprenticeship Levy special report 2017UK Govt Apprenticeship Levy special report 2017
UK Govt Apprenticeship Levy special report 2017Ian Beckett
 
Annual Returns for Key Indices Ranked in Order of Performance (1997–2016) 2/2
Annual Returns for Key Indices Ranked in Order of Performance (1997–2016) 2/2Annual Returns for Key Indices Ranked in Order of Performance (1997–2016) 2/2
Annual Returns for Key Indices Ranked in Order of Performance (1997–2016) 2/2Ian Beckett
 
PWC 2017 - UK startup review - 2016 in Fintech
PWC 2017 - UK startup review - 2016 in Fintech PWC 2017 - UK startup review - 2016 in Fintech
PWC 2017 - UK startup review - 2016 in Fintech Ian Beckett
 
the new retail ecosystem From disrupted to disruptor - startup
the new retail ecosystem From disrupted to disruptor - startup the new retail ecosystem From disrupted to disruptor - startup
the new retail ecosystem From disrupted to disruptor - startup Ian Beckett
 

Mehr von Ian Beckett (20)

Cb insights 2017 fintech-250
Cb insights 2017 fintech-250Cb insights 2017 fintech-250
Cb insights 2017 fintech-250
 
WEF Realizing the Potential of Blockchain
WEF Realizing the Potential of BlockchainWEF Realizing the Potential of Blockchain
WEF Realizing the Potential of Blockchain
 
what is a cryptocurrency token sale ICO
what is a cryptocurrency token sale ICO what is a cryptocurrency token sale ICO
what is a cryptocurrency token sale ICO
 
VAT + imports exports in a post Brexit UK
VAT + imports exports in a post Brexit UKVAT + imports exports in a post Brexit UK
VAT + imports exports in a post Brexit UK
 
Blockchain Technology A game-changer in accounting ?
Blockchain Technology A game-changer in accounting ?Blockchain Technology A game-changer in accounting ?
Blockchain Technology A game-changer in accounting ?
 
The accountants guide to Blockchain + DistributedLedger - ACCA
The accountants guide to Blockchain + DistributedLedger - ACCA The accountants guide to Blockchain + DistributedLedger - ACCA
The accountants guide to Blockchain + DistributedLedger - ACCA
 
Future of financial services 2017
Future of financial services 2017Future of financial services 2017
Future of financial services 2017
 
Ecommerce sales worldwide 2017
Ecommerce sales worldwide 2017Ecommerce sales worldwide 2017
Ecommerce sales worldwide 2017
 
Hash Visualization a New Technique to improve Real World CyberSecurity
Hash Visualization a New Technique to improve Real World CyberSecurityHash Visualization a New Technique to improve Real World CyberSecurity
Hash Visualization a New Technique to improve Real World CyberSecurity
 
Divided we fall, distributed we stand the professional accountant’s guide t...
Divided we fall, distributed we stand the professional accountant’s guide t...Divided we fall, distributed we stand the professional accountant’s guide t...
Divided we fall, distributed we stand the professional accountant’s guide t...
 
PWC - Global FinTech Report 2017 - startup
PWC - Global FinTech Report 2017 - startup PWC - Global FinTech Report 2017 - startup
PWC - Global FinTech Report 2017 - startup
 
Deloitte - Blockchain and the future of financial infrastructure - fintech cl...
Deloitte - Blockchain and the future of financial infrastructure - fintech cl...Deloitte - Blockchain and the future of financial infrastructure - fintech cl...
Deloitte - Blockchain and the future of financial infrastructure - fintech cl...
 
PWC - Global FinTech Report 2017
PWC - Global FinTech Report 2017PWC - Global FinTech Report 2017
PWC - Global FinTech Report 2017
 
Fintech 2.0 - Rebooting Financial Services - Blockchain Clearing
Fintech 2.0 - Rebooting Financial Services - Blockchain Clearing Fintech 2.0 - Rebooting Financial Services - Blockchain Clearing
Fintech 2.0 - Rebooting Financial Services - Blockchain Clearing
 
Pitch book 2016 annual vc valuations report
Pitch book 2016 annual vc valuations reportPitch book 2016 annual vc valuations report
Pitch book 2016 annual vc valuations report
 
Industrial internet of things (IIOT) - special report-2017
Industrial internet of things (IIOT) - special report-2017Industrial internet of things (IIOT) - special report-2017
Industrial internet of things (IIOT) - special report-2017
 
UK Govt Apprenticeship Levy special report 2017
UK Govt Apprenticeship Levy special report 2017UK Govt Apprenticeship Levy special report 2017
UK Govt Apprenticeship Levy special report 2017
 
Annual Returns for Key Indices Ranked in Order of Performance (1997–2016) 2/2
Annual Returns for Key Indices Ranked in Order of Performance (1997–2016) 2/2Annual Returns for Key Indices Ranked in Order of Performance (1997–2016) 2/2
Annual Returns for Key Indices Ranked in Order of Performance (1997–2016) 2/2
 
PWC 2017 - UK startup review - 2016 in Fintech
PWC 2017 - UK startup review - 2016 in Fintech PWC 2017 - UK startup review - 2016 in Fintech
PWC 2017 - UK startup review - 2016 in Fintech
 
the new retail ecosystem From disrupted to disruptor - startup
the new retail ecosystem From disrupted to disruptor - startup the new retail ecosystem From disrupted to disruptor - startup
the new retail ecosystem From disrupted to disruptor - startup
 

Kürzlich hochgeladen

FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756dollysharma2066
 
RSA Conference Exhibitor List 2024 - Exhibitors Data
RSA Conference Exhibitor List 2024 - Exhibitors DataRSA Conference Exhibitor List 2024 - Exhibitors Data
RSA Conference Exhibitor List 2024 - Exhibitors DataExhibitors Data
 
BAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRL
BAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRLBAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRL
BAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRLkapoorjyoti4444
 
Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...
Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...
Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...amitlee9823
 
Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...
Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...
Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...allensay1
 
Falcon Invoice Discounting: Empowering Your Business Growth
Falcon Invoice Discounting: Empowering Your Business GrowthFalcon Invoice Discounting: Empowering Your Business Growth
Falcon Invoice Discounting: Empowering Your Business GrowthFalcon investment
 
Call Girls From Pari Chowk Greater Noida ❤️8448577510 ⊹Best Escorts Service I...
Call Girls From Pari Chowk Greater Noida ❤️8448577510 ⊹Best Escorts Service I...Call Girls From Pari Chowk Greater Noida ❤️8448577510 ⊹Best Escorts Service I...
Call Girls From Pari Chowk Greater Noida ❤️8448577510 ⊹Best Escorts Service I...lizamodels9
 
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best ServicesMysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best ServicesDipal Arora
 
Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...
Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...
Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...amitlee9823
 
Call Girls In Noida 959961⊹3876 Independent Escort Service Noida
Call Girls In Noida 959961⊹3876 Independent Escort Service NoidaCall Girls In Noida 959961⊹3876 Independent Escort Service Noida
Call Girls In Noida 959961⊹3876 Independent Escort Service Noidadlhescort
 
Call Girls Kengeri Satellite Town Just Call 👗 7737669865 👗 Top Class Call Gir...
Call Girls Kengeri Satellite Town Just Call 👗 7737669865 👗 Top Class Call Gir...Call Girls Kengeri Satellite Town Just Call 👗 7737669865 👗 Top Class Call Gir...
Call Girls Kengeri Satellite Town Just Call 👗 7737669865 👗 Top Class Call Gir...amitlee9823
 
Organizational Transformation Lead with Culture
Organizational Transformation Lead with CultureOrganizational Transformation Lead with Culture
Organizational Transformation Lead with CultureSeta Wicaksana
 
👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...
👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...
👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...rajveerescorts2022
 
Value Proposition canvas- Customer needs and pains
Value Proposition canvas- Customer needs and painsValue Proposition canvas- Customer needs and pains
Value Proposition canvas- Customer needs and painsP&CO
 
Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...
Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...
Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...lizamodels9
 
Cheap Rate Call Girls In Noida Sector 62 Metro 959961乂3876
Cheap Rate Call Girls In Noida Sector 62 Metro 959961乂3876Cheap Rate Call Girls In Noida Sector 62 Metro 959961乂3876
Cheap Rate Call Girls In Noida Sector 62 Metro 959961乂3876dlhescort
 
PHX May 2024 Corporate Presentation Final
PHX May 2024 Corporate Presentation FinalPHX May 2024 Corporate Presentation Final
PHX May 2024 Corporate Presentation FinalPanhandleOilandGas
 
Cracking the Cultural Competence Code.pptx
Cracking the Cultural Competence Code.pptxCracking the Cultural Competence Code.pptx
Cracking the Cultural Competence Code.pptxWorkforce Group
 
Business Model Canvas (BMC)- A new venture concept
Business Model Canvas (BMC)- A new venture conceptBusiness Model Canvas (BMC)- A new venture concept
Business Model Canvas (BMC)- A new venture conceptP&CO
 
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service AvailableCall Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service AvailableSeo
 

Kürzlich hochgeladen (20)

FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
 
RSA Conference Exhibitor List 2024 - Exhibitors Data
RSA Conference Exhibitor List 2024 - Exhibitors DataRSA Conference Exhibitor List 2024 - Exhibitors Data
RSA Conference Exhibitor List 2024 - Exhibitors Data
 
BAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRL
BAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRLBAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRL
BAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRL
 
Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...
Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...
Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...
 
Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...
Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...
Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...
 
Falcon Invoice Discounting: Empowering Your Business Growth
Falcon Invoice Discounting: Empowering Your Business GrowthFalcon Invoice Discounting: Empowering Your Business Growth
Falcon Invoice Discounting: Empowering Your Business Growth
 
Call Girls From Pari Chowk Greater Noida ❤️8448577510 ⊹Best Escorts Service I...
Call Girls From Pari Chowk Greater Noida ❤️8448577510 ⊹Best Escorts Service I...Call Girls From Pari Chowk Greater Noida ❤️8448577510 ⊹Best Escorts Service I...
Call Girls From Pari Chowk Greater Noida ❤️8448577510 ⊹Best Escorts Service I...
 
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best ServicesMysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
 
Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...
Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...
Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...
 
Call Girls In Noida 959961⊹3876 Independent Escort Service Noida
Call Girls In Noida 959961⊹3876 Independent Escort Service NoidaCall Girls In Noida 959961⊹3876 Independent Escort Service Noida
Call Girls In Noida 959961⊹3876 Independent Escort Service Noida
 
Call Girls Kengeri Satellite Town Just Call 👗 7737669865 👗 Top Class Call Gir...
Call Girls Kengeri Satellite Town Just Call 👗 7737669865 👗 Top Class Call Gir...Call Girls Kengeri Satellite Town Just Call 👗 7737669865 👗 Top Class Call Gir...
Call Girls Kengeri Satellite Town Just Call 👗 7737669865 👗 Top Class Call Gir...
 
Organizational Transformation Lead with Culture
Organizational Transformation Lead with CultureOrganizational Transformation Lead with Culture
Organizational Transformation Lead with Culture
 
👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...
👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...
👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...
 
Value Proposition canvas- Customer needs and pains
Value Proposition canvas- Customer needs and painsValue Proposition canvas- Customer needs and pains
Value Proposition canvas- Customer needs and pains
 
Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...
Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...
Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...
 
Cheap Rate Call Girls In Noida Sector 62 Metro 959961乂3876
Cheap Rate Call Girls In Noida Sector 62 Metro 959961乂3876Cheap Rate Call Girls In Noida Sector 62 Metro 959961乂3876
Cheap Rate Call Girls In Noida Sector 62 Metro 959961乂3876
 
PHX May 2024 Corporate Presentation Final
PHX May 2024 Corporate Presentation FinalPHX May 2024 Corporate Presentation Final
PHX May 2024 Corporate Presentation Final
 
Cracking the Cultural Competence Code.pptx
Cracking the Cultural Competence Code.pptxCracking the Cultural Competence Code.pptx
Cracking the Cultural Competence Code.pptx
 
Business Model Canvas (BMC)- A new venture concept
Business Model Canvas (BMC)- A new venture conceptBusiness Model Canvas (BMC)- A new venture concept
Business Model Canvas (BMC)- A new venture concept
 
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service AvailableCall Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
 

Malvertising Domain Had So Much Traffic It Reached #517 in the Alexa Ranking

  • 1. NoTrove: The Threat Actor Ruling a Scam Empire APRIL 2017
  • 2. 2 NoTrove: The Threat Actor Ruling a Scam Empire When it comes to threats delivered through the digital advertising ecosystem, malware is usually what keeps folks up at night. However, while the infosec world laser-focuses on hunting and neutralizing exploit kits, a different type of threat is left to grow unimpeded, often to enormous sizes: scams. Scam campaigns grow quickly and silently in the shadows by acquiring cheap infrastructure. Over the years, these campaigns have become pervasive to the point of badly degrading the overall quality of the internet. If you’ve ever seen a digital ad offering free electronics or “fabulous prizes” in return for taking a quick survey, you know what scams are. Essentially, scams are undesirable advertising, which fly under the radar because of the “gray” nature of their payload. In other words, while scams aren’t classified as crimeware, they are intentionally misleading and disingenuous, and compromising the integrity of digital advertising. By utilizing machine learning to enhance our ability to identify scams, RiskIQ detected 845% more scam incidents¹ in 2016 than 2015, a number we expect to increase again this year. With this new approach to scams, we’re also able to closely examine their infrastructure to determine what makes them effective and lucrative to operate. What we find alarming about our research on a threat actors we’ve come to call “NoTrove” is the sheer scale of these scam networks’ infrastructure and the traffic they command. EXECUTIVE SUMMARY The main goal of scammers is often to accrue as much web traffic as possible. Essentially, web traffic is the result of a computer connecting with a web browser and an actual human connecting with digital content sitting on a hosting server. It’s comprised of visitors to websites, with each single click and background request counting as a minuscule but significant drop in a vast pool of monitored, tracked, and often commoditized data points. Ecosystems and economies form to buy, sell, and trade this traffic; products and services are designed to aid in analyzing and classifying it. Traffic is redirected and shuffled around the web as part of partnerships and business contracts. Traffic is critical to the giant exchanges in the online advertising space and to the very many niche affiliate network programs that exist, with organizations of all kinds tasked with monetizing and, ultimately, squeezing every last fraction of a penny of indirect marginal profit of each URL visited. To monetize their traffic collecting, scammers like the one outlined in this report may participate in shady traffic affiliate programs or sell traffic to traffic buyers (brokers). Traffic is an essential commodity for legitimate web companies and criminal underground economy alike. Everyone wants a piece of the traffic pie, and NoTrove is feasting. THE TARGET: WEB TRAFFIC ¹ RiskIQ’s 2016 Malvertising Report, RiskIQ Research, 1/30/2017
  • 3. 3 NoTrove: The Threat Actor Ruling a Scam Empire One of these scam networks, by the prolific actor “NoTrove,” is particularly successful in capturing traffic. NoTrove’s peculiar name comes from a common theme observed in the URI pattern. This actor’s URLs almost always come with the parameters /tov= or /rov=, and are most commonly associated with fake rewards scams. Therefore, the name came together as No (Treasure) (T/R)ove,or NoTrove for short. We first observed NoTrove a year ago when we began expanding our focus on scams, but Passive DNS (PDNS) results inside PassiveTotal indicate this group has been operating as far back as December of 2010: (Fig 1. Earliest observed instance of NoTrove) https://passivetotal.org/search/220.181.5.222 THE CULPRIT: WHO (WHAT) IS NOTROVE? In Fig-1 above you’ll see an older version of a NoTrove host, but today, NoTrove builds its infrastructure in a very particular way: • A typical NoTrove fully qualified domain name (FQDN) will use a high-entropy (i.e., highly random) host, shown in blue. High-entropy hosts indicate that they are created by automation, which threat actors will employ to quickly build infrastructure with which to launch attacks. • Following these high-entropy hosts are campaign- specific middle hosts (shown medium blue) we think are used to label the type of scam (e.g., survey, promo, prize, etc.). With so much infrastructure constantly in rotation, this is how NoTrove keeps it all organized. So far, we’ve observed 78 variants representing NoTrove’s different payloads. • Following the “label” hosts are a high-entropy or randomly worded domains (shown in light blue), again indicating they were created by automation. THE MODUS OPERANDI: WITH SCAMS, SIZE MATTERS With high-entropy domains and constantly shifting hosting, we’ve seen NoTrove burn through just under 2,000 domains and over 3,000 IPs. Combined with the 78 variations of campaign-specific middle-word variants and randomized hostnames, we’ve seen NoTrove operate across millions of FQDNs. Typically, one IP used by NoTrove will house a set of domains, but each campaign-specific *.domain.tld campaign variant will be hosted on its own IP, usually a Choopa or Linode droplet. These IPs and domains can be found in this PassiveTotal public project here: https://passivetotal.org/projects/7ee582dc-c792-e635-ce78-0396e1e00bf4 But, to see just how prevalent this actor is, we can look at the Alexa rankings of its domains. Usually, each domain will only be active for a couple of weeks, but during that period it is not uncommon for the domain to shoot up into the Alexa top ten thousand based purely on scam ad deliveries. In fact, the highest rank we’ve seen historically for a NoTrove domain was 517, making it one of the most visited pages on the entire internet for that day. Here are some more examples of typical contemporary NoTrove FQDNs: bogzz.bestprizeland.8702.ws uchzz.pcloadletter.footbaths.xyz rjkzz.super-promo.7891223.com tcfzz.stream.7891223.com
  • 4. 4 NoTrove: The Threat Actor Ruling a Scam Empire So what does NoTrove look like? Well, with the 78 variants of tracked middle-phrase campaigns, there are many different payloads. However, the most common versions seen are scam survey rewards, fake software downloads, and redirections to potentially unwanted programs (PUPs). Seen Here: THE MUG SHOT: WHAT VICTIMS SEE Fig 2. Fake Media Player Fig 3. Fake Rewards Fig 4. Redirection to PUP
  • 5. 5 NoTrove: The Threat Actor Ruling a Scam Empire Below, we’ll journey through a sequence overview from a RiskIQ crawl that ended up on a commonly advertised PUP from NoTrove to examine how NoTrove sends users to one of its scam pages. We begin our trek with a request for an ad from a(.)diretrak(.)com, where we are immediately shunted off to a rotator (dedicated infrastructure for redirecting the user based off of various parameters) that then kicks us over to the first stage of a NoTrove delivery. You can see here that NoTrove typically comes in two stages: 1. An internal redirection based on the type of campaign 2. The scam payload, a redirection to a PUP, or, if there is nothing to serve for that requested campaign, it will fallback to delivering another ad through a second network In this example, there was nothing to deliver for the given parameters on that particular campaign, so NoTrove used the fallback of delivering an ad pulled through play(.)leadzupc(.)com, which is the Mobusi mobile-based ad network. THE DELIVERY: HOW THE TRAFFIC COMES AND GOES
  • 6. 6 NoTrove: The Threat Actor Ruling a Scam Empire From Mobusi, the sequence passes through Afftrack for affiliate traffic tracking, and then off to the same rotator we saw before. Once again, that rotator spits us back out to NoTrove. This time, however, we’re hitting a different campaign. With this campaign, we were given an actual result when we hit the second stage of NoTrove. We received a redirection out to ReimagePlus, a PUP commonly associated with low-quality affiliates, aggressive, misleading advertising, and software bundlers.
  • 7. 7 NoTrove: The Threat Actor Ruling a Scam Empire NoTrove is far from the only actor operating enormous swaths of scam infrastructure, which pollutes digital advertising networks and degrades the overall effectiveness of the digital ad ecosystem. Redirecting users through layers and layers of what amounts to digital junk may be incredibly lucrative for NoTrove operators, but adversely affects those reliant on the credibility of the digital advertising ecosystem. More and more users are becoming attuned to the undesirability and potential dangers of scams and are turning to ad blocking as a solution. Unfortunately, ad blockers block all ads, so publishers don’t get paid. Ad blockers eat away at digital advertising revenue and sharply curtail the growth of the industry. In 2016, 69.8 million Americans were expected to use an ad blocker, an increase of 34.4% over last year². In 2017, that figure is projected to grow by another 24%, or 86.6 million people. This practice, according to Juniper Research, will cost the digital media industry over $27 billion by 2020.³ The problem for those in charge of the security of ad networks is that constantly shifting infrastructure means simply blocking domains and IPs isn’t enough. NoTrove is spread so far and wide that blocking one piece of its infrastructure is akin to playing whack-a-mole—no matter how many you hit, another will pop up. Also, the scale at which NoTrove and groups like it operate means identifying scams in time to block their impact is no longer possible for humans alone. ² US Ad Blocking to Jump by Double Digits This Year, eMarketer, 6/30/2016 If left unchecked, NoTrove and threat actors like it will continue to balloon to even greater size, encompassing more domains, IPs, and other infrastructure. Until we can commit to stopping those accruing scam empires across the web, these threat actors will cause more problems for the digital advertising space and the internet as a whole. Fortunately, you should now have enough information to identify a NoTrove scam. Unfortunately, mere humans lack the computing power to identify NoTrove’s rotating infrastructure quickly enough to do much about it. However, with machine learning, human security professionals can enjoy accurate, automated detection and confirmation of NoTrove scams. Just like this report taught you how to know a piece of NoTrove infrastructure when you see it, machine learning can detect what the NoTrove page looks like down to the document object model (DOM) and learn what makes a NoTrove page a NoTrove page. Eventually, it will even understand small variances in the payload without the need for any human intervention, so it can continue to detect NoTrove, even as this threat actor evolves. THE CONSEQUENCES: WHY IT MATTERS THE RESPONSE: MACHINE-LEARNING AUTOMATION ABOUT RISKIQ RiskIQ is the leader in digital threat management, providing the most comprehensive discovery, intelligence, and mitigation of threats associated with an organization’s digital presence. With more than 80 percent of attacks originating outside the firewall, RiskIQ allows enterprises to gain unified insight and control over web, social, and mobile exposures. Trusted by thousands of security analysts, RiskIQ’s platform combines advanced internet data reconnaissance and analytics to expedite investigations, understand digital attack surfaces, assess risk, and take action to protect business, brand, and customers. Based in San Francisco, the company is backed by Summit Partners, Battery Ventures, Georgian Partners, and MassMutual Ventures. THINK OUTSIDE THE FIREWALL™ riskiq.com • 22 Battery Street, 10th Floor, San Francisco, CA 94111, USA • sales@riskiq.com • 1.888.415.4447 © 2017 RiskIQ, Inc. All rights reserved. RiskIQ and PassiveTotal are registered trademarks and Outside the Firewall is a trademark of RiskIQ, Inc. in the United States and other countries. All other trademarks contained herein are property of their respective owners. ³ Worldwide Digital Advertising: 2016-2020, Juniper Research, 11/5/2016 by Sam Barker