
As soon as one network of malicious ads gets disrupted, like a phoenix, it respawns under a different name, and all the malware actors migrate to it immediately. Researchers discover a close relationship between website hackers and certain adtech companies.
Since late 2015, when hackers hijacked WordPress and other websites, they have redirected visitors to VexTrio, the largest criminal traffic distribution system (TDS). This criminal malicious affiliate program then spreads malware, scams, and illegal content on hijacked websites.
Think of this malicious TDS as a smart routing system that directs visitors to malicious content while cloaking its harmful nature.
Researchers at Infoblox have discovered that multiple adtech companies, originally thought to be independent, are intertwined with this criminal network. Like a hydra with many adtech company heads – when one gets chopped down, another springs up.
One of these heads was discovered on November 13th, when researchers exposed Los Pollos, a Swiss-Czech adtech company, as part of the criminal enterprise. Russian propagandists from Doppelganger were using it in their operations.
Infoblox tracked closely what would happen after the takedown. As soon as Los Pollos stopped their push link monetization service, the hijacked WordPress websites were updated to redirect users “in exactly the same way.”
Threat actors migrated to a new adtech – Help TDS, another traffic distribution system.
“It turned out that Help TDS is not new but has been intertwined with VexTrio for years. GoDaddy researchers had highlighted that Help resembled another TDS they had called the Disposable TDS; this, too, has long been interwoven with VexTrio,” the Infoblox report reads.

Further investigation uncovered many other adtechs “sharing a surprising number of characteristics with VexTrio,” including common files and URL structures that hint at a shared code lineage. These companies include Partners House, BroPush, and RichAds.
“The relationship of these commercial entities remains a mystery; while they are certainly long-time partners redirecting traffic to one another, and they all have a Russian nexus, there is no overt common ownership,” the researchers ponder.
The ads that rarely resemble common ads
Why would the website hijackers rely on a commercial ad network when they can easily create their own? It is a smart strategy: visitors are profiled and served a variety of potential content chosen for them.
“The industry term for the delivered content is ‘advertisements,’” the researchers said.
However, the delivered content rarely resembles common ads. Compromised website operators are paid by malicious TDSes “based on ‘actions’ that the visitor, better referred to as a victim, will take, including providing email or credit card information.”
The final content is often referred to as verticals with benign names like “mainstream dating” and “sweepstakes.” These are crypto and other scams, adult content, fake apps, or malware download sites. Malicious adtech companies usually have a closed advertising pool.
Multiple malicious adtech companies also specialize in push advertisements. They fraudulently subscribe users to browser notifications, which allows them to send push notification messages to the victims indefinitely.
Infoblox researchers found different command and control servers and other infrastructure working together. An analysis of over 4.5 million DNS queries uncovered two distinct sets of command and control servers, both hosted in Russia and leading to VexTrio, but using different hosting, redirections to distinct domains, and separate URL formats.
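The grouping described above, as an added defender-side illustration that is not code from the Infoblox report: constructed log records (domain, resolved IP, request path) are clustered by shared hosting block and URL shape, so infrastructure sets with distinct hosting and distinct URL formats fall out as separate groups. Using a /24 as a stand-in for "same hosting" is an assumption made for this example.

```python
import re
from collections import defaultdict
from ipaddress import ip_interface

# Constructed sample records: (queried domain, resolved IP, request path).
# Addresses are documentation ranges, not real indicators.
RECORDS = [
    ("a1-track.example", "203.0.113.10", "/go/ab12cd?sub=7"),
    ("b2-track.example", "203.0.113.22", "/go/ef34gh?sub=9"),
    ("c3-track.example", "203.0.113.31", "/go/ij56kl?sub=2"),
    ("x-push.example", "198.51.100.5", "/p/7f3a9c2e1b4d"),
    ("y-push.example", "198.51.100.9", "/p/0c1d2e3f4a5b"),
    ("cdn-static.example", "192.0.2.40", "/assets/app.js"),
]

def path_shape(url_path: str) -> str:
    """Reduce a request path to its shape: identifier-like segments become
    <id> and query values become <v>, so structurally similar URLs collide."""
    path, _, query = url_path.partition("?")
    segs = []
    for seg in path.split("/"):
        # Heuristic (assumption): segments with digits or 8+ chars are IDs.
        if seg and (re.search(r"\d", seg) or len(seg) >= 8):
            segs.append("<id>")
        else:
            segs.append(seg)
    shape = "/".join(segs)
    if query:
        keys = sorted(kv.split("=")[0] for kv in query.split("&"))
        shape += "?" + "&".join(f"{k}=<v>" for k in keys)
    return shape

def hosting_block(ip: str) -> str:
    """Collapse a resolved address to its /24 as a crude 'same hosting' proxy."""
    return str(ip_interface(f"{ip}/24").network)

def cluster(records):
    """Group domains that share both a hosting block and a URL shape."""
    groups = defaultdict(set)
    for domain, ip, path in records:
        groups[(hosting_block(ip), path_shape(path))].add(domain)
    return {key: sorted(domains) for key, domains in groups.items()}

if __name__ == "__main__":
    for (block, shape), domains in cluster(RECORDS).items():
        print(f"{block:18} {shape:22} {', '.join(domains)}")
```

On real data the same pass would be run over passive DNS and proxy logs, with ASN or hosting-provider lookups replacing the /24 shortcut.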
The report includes the domains, IP addresses, and other indicators of compromise, but not the criminals' identities. Mapping TDS URL patterns to public affiliate network entities is uniquely challenging because much of their infrastructure is kept secret and hidden behind proxies (e.g., Cloudflare) or bulletproof hosting.
“Many advertising networks argue that they can’t be responsible for malicious affiliates who abuse their systems; after all, they just provide a connection between a publisher and an advertiser,” the researchers explain.
Now, security researchers and, likely, authorities are planning their next steps: these adtechs may be cybercriminals’ Achilles’ heel. The firms maintain personal information about their affiliates and transaction data that could lead to cybercriminals’ identities.
“The true test of whether they are abused services will be their willingness to turn in the malicious actors who haunt the internet and have stolen untold money from victims worldwide,” the researchers said. “They also know the identities of the scam artists to which they connect innocent website visitors.”