RiskIQ Researchers Identify New Threat Actor NoTrove Delivering Millions of Scam Ads, Threatening Consumers, and the Digital Advertising Industry


Earlier this year, RiskIQ, the leader in digital threat management, reported an eight-fold increase in internet scam incidents that deny the $83 billion digital advertising industry millions of dollars. Now, researchers at RiskIQ have identified NoTrove, a newly discovered and major threat actor that is delivering millions of scam ads that threaten consumers and further undermine the digital advertising industry.

A new research report released today, “NoTrove: The Threat Actor Ruling a Scam Empire,” presents a detailed analysis demonstrating how NoTrove uses advanced automation techniques to deliver scam ads from millions of different domain names to stay ahead of detection and takedown efforts. NoTrove was so effective that one of his pages ranked as the internet’s most visited pages for one day.

The online ad scams work by serving up attractive but disingenuous ads on legitimate websites. The ads might offer bogus surveys or free software upgrades, as examples. When someone clicks on the ad, however, the scammer’s software then re-directs the users “clicks” and traffic toward various locations across the internet.

Since advertisers and web content providers want as much of the traffic pie as they can get, web traffic is an essential commodity. Ad scammers like NoTrove profit from this demand, participating in traffic affiliate programmes or selling traffic to traffic buyers (brokers). Unfortunately for the digital advertisers, however, the users are negatively impacted the ad they are seeing and don’t even know how they got it.

Equally troubling for the digital advertising industry is that as ad scammers increase, the likelihood consumers will implement ad blockers as a way to avoid bogus ads increases, as well. This practice, according to Juniper Research, will cost the digital media industry over $27 billion by 2020*.

For consumers, this is more than just a nuisance. Ad scams can also be used to download PUPs—potentially unwanted programmes—and can redirect them to unwanted places.

The RiskIQ report takes a deep dive into how NoTrove works and shows the advances being made to avoid detection, preventing efforts to take it down, and making it one of the most effective and largest ad scam operations ever. Key findings include:

  • To stay ahead of efforts to block its fake ads, NoTrove uses automation to constantly change how the ads are delivered and clickthroughs re-routed.
  • The scam master has burned through 2,000 randomly generated domains and over 3,000 IPs, operating across millions of Fully Qualified Domain Names; an FQDN is a complete web address, typically including subdomains for ad scammers, such as ajee99.mycontent.example.com.
  • RiskIQ observed 78 variants of NoTrove campaigns, such as scam survey rewards, fake software downloads, and redirections to PUPs.
  • Alexa rankings for its domains show how effective NoTrove is; even though each domain is short-lived, the rankings often shoot up into the Alexa top 10,000 based purely on scam ad deliveries; one NoTrove domain reached the ranking of 517, making it one of the most visited pages on the entire internet for that day.


RiskIQ first observed NoTrove a year ago when it began expanding its focus on scams, but PDNS results inside RiskIQ PassiveTotal indicate this group has been operating as far back as December of 2010. Used by more than 18,000 security analysts, PassiveTotal expedites external threat investigation tasks and automates threat research collaboration and artifact monitoring. You can view the Public Project for NoTrove compiled by RiskIQ’s Threat Research team here: https://passivetotal.org/projects/7ee582dc-c792-e635-ce78-0396e1e00bf4


“NoTrove harms not only visiting users, but also legitimate advertisers, adversely affecting those reliant on the credibility of the digital advertising ecosystem such as online retailers, publishers, and networks,” said William MacArthur, a threat researcher at RiskIQ. “Constantly shifting infrastructure means simply blocking domains and IPs isn’t enough. We must now begin utilising machine learning to leverage human security teams who increasingly depend on accurate, automated scam detection.”


To conduct this and other web research, RiskIQ applies its proprietary virtual user web crawling technology. This advanced internet reconnaissance acts like a user would, thoroughly interrogating websites and web apps, as well as respective browser session communications.It processes more than two billion HTTP requests per day to surface, identify, and connect internet elements to malicious campaigns.


Acting in concert with RiskIQ’s machine learning, virtual user technology can provide a deep level of analysis of how threat actors are behaving,their underlying infrastructure, and the techniques they use. In the NoTrove example, they can detect what the NoTrove page looks like down to the document object model (DOM), how a user gets there, and learn what makes a NoTrove page a NoTrove page. RiskIQ’s platform will even understand and dynamically monitor for small variances in the payload without the need for any human intervention, so it can continue to detect NoTrove, even as this threat actor evolves.

By Jim O Brien/CEO

CEO and expert in transport and Mobile tech. A fan 20 years, mobile consultant, Nokia Mobile expert, Former Nokia/Microsoft VIP,Multiple forum tech supporter with worldwide top ranking,Working in the background on mobile technology, Weekly radio show, Featured on the RTE consumer show, Cavan TV and on TRT WORLD. Award winning Technology reviewer and blogger. Security and logisitcs Professional.