ThreatSTOP Blog

Knock-Knock! Who’s There? ... NoTrove.

Written by ThreatSTOP Security Team | May 9, 2017

 

Internet-based advertising has been in wide use since the early 21st century. Its popularity grew in 2010 with the development of programmatic advertising. (Also referred to as automated advertainment) Here, you pay per ad view, which can be maliciously misused by counting machines and bots as actual viewers. Additional types of malicious use include accumulating web traffic and selling it to web traffic brokers, or engaging this traffic in semi-malicious programs like PUP. (Potentially Unwanted Programs)

The NoTrove Campaign, discovered by RiskIQ, is a malvertising campaign active since 2010. This campaign gives over the traffic originated through clicking fake advertisements to traffic brokers and affiliate programs. This campaign was found to have 78 variants differing in the type of counterfeit offers (survey, promo, prize, etc.), fake software downloads and various redirections that download PUPs or sites selling non-existent merchandise.

The most common versions include scam survey rewards, fake software downloads and redirections to PUPs.

This campaign was found to use a unique form of hosts, seen in the structure below:

<DGA or highly random host>.<Campaign specific middle hosts>.<DGA or highly random host>.<tld>. For example: bogzz.bestprizeland.8702[.]ws

The campaign’s middle host is attributed to type of scam the campaign used. Its been discovered that this campaign used approximately 2,000 domains and over 3,000 IP address.

ThreatSTOP IP Firewall Service and DNS Firewall Service protect against NoTrove's campaign, if TSCritical targets are enabled in policies. If you only have ThreatSTOP IP Firewall service, we recommend adding the DNS Firewall service as well to enhance the protection that you can get from this (and other) campaigns.