Infoblox Exposes Links Between Cybercrime Groups and AdTech Firms

Recent investigations by Infoblox Threat Intel have uncovered a covert partnership between the cybercrime operation VexTrio and several seemingly legitimate AdTech companies, including Los Pollos, Partners House, BroPush, and RichAds. The finding is significant because it exposes a web of relationships that blurs the line between legal and illegal online advertising.

The inquiry began when Infoblox disrupted VexTrio's Traffic Distribution System (TDS). A TDS is a routing service that takes incoming web traffic and forwards each visitor to a destination chosen from visitor attributes such as location, device, and referrer; the advertising industry uses such systems legitimately, but VexTrio's was rerouting visitors of compromised websites to scam and malware pages. The disruption forced the malware operators feeding it to pivot to a new TDS that, unbeknownst to many, was under the same control structure.
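From a defender's vantage point a TDS is visible only as a chain of HTTP redirects between the compromised site and the final scam or malware page. The following Python script is an added example, not code from the Infoblox research or the original article: it reconstructs redirect chains per client from proxy log lines and flags any chain that passes through a watchlisted host. The log lines, the hostnames in them, and the watchlist are constructed placeholders for illustration, not indicators from the report.

```python
"""
Added example (not from the Infoblox report): reconstruct HTTP redirect chains
from proxy logs and flag chains that pass through a watchlisted TDS host.
All log lines, hostnames and watchlist entries below are constructed.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample proxy log: timestamp client method url status location
# ("-" means no Location header). Lines are in chronological order.
SAMPLE_LOG = """\
2024-11-20T10:00:01Z 10.0.0.5 GET http://blog.example.org/post/42 200 -
2024-11-20T10:00:02Z 10.0.0.5 GET http://blog.example.org/wp-content/cache.php 302 http://track.tds-example.net/go?c=91
2024-11-20T10:00:02Z 10.0.0.5 GET http://track.tds-example.net/go?c=91 302 http://cdn.smartlink-example.com/sl/ab12
2024-11-20T10:00:03Z 10.0.0.5 GET http://cdn.smartlink-example.com/sl/ab12 302 http://win-prize-example.top/landing
2024-11-20T10:00:03Z 10.0.0.5 GET http://win-prize-example.top/landing 200 -
2024-11-20T10:05:00Z 10.0.0.9 GET http://shop.example.com/ 301 https://shop.example.com/
2024-11-20T10:05:00Z 10.0.0.9 GET https://shop.example.com/ 200 -
"""

# Constructed watchlist standing in for the TDS hosts a threat-intel feed would supply.
TDS_WATCHLIST = {"track.tds-example.net", "cdn.smartlink-example.com"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")


def parse_log(text):
    """Yield one dict per well-formed log line; silently skip malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, _method, url, status, location = m.groups()
        yield {"ts": ts, "client": client, "url": url, "status": int(status),
               "location": None if location == "-" else location}


def build_chains(records):
    """Follow 3xx Location hops per client.

    A chain starts at any 3xx response carrying a Location header and continues
    while the client's next request is exactly the URL named in that header.
    The chain ends at the first non-redirect response, or when the client
    never requested the advertised Location (the dangling hop is not appended).
    """
    by_client = defaultdict(list)
    for r in records:
        by_client[r["client"]].append(r)
    chains = []
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])  # stable: preserves order within a timestamp
        i = 0
        while i < len(recs):
            r = recs[i]
            if 300 <= r["status"] < 400 and r["location"]:
                chain = [r["url"]]
                nxt = r["location"]
                j = i + 1
                while j < len(recs) and recs[j]["url"] == nxt:
                    chain.append(nxt)
                    nxt = recs[j]["location"]
                    j += 1
                    if nxt is None:  # terminal hop (2xx/4xx/5xx)
                        break
                chains.append((client, chain))
                i = j
            else:
                i += 1
    return chains


def hostname(url):
    """Lower-cased host of a URL, or "" if it cannot be parsed."""
    return urlsplit(url).hostname or ""


def flag_chains(chains, watchlist):
    """Return a summary for every chain with at least one hop on a watchlisted host."""
    flagged = []
    for client, chain in chains:
        hits = [hostname(u) for u in chain if hostname(u) in watchlist]
        if hits:
            flagged.append({"client": client, "hops": len(chain),
                            "tds_hosts": hits, "final": chain[-1]})
    return flagged


if __name__ == "__main__":
    for hit in flag_chains(build_chains(parse_log(SAMPLE_LOG)), TDS_WATCHLIST):
        print(hit)
```

The chain is keyed on the client requesting the exact URL the previous Location header named, which keeps unrelated redirects (the plain HTTP-to-HTTPS hop for the second client) from being glued to a scam chain. In production the watchlist would come from a threat-intel feed, and the final-hop host of unflagged chains is itself a useful pivot for discovering new TDS infrastructure.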

On November 13, 2024, researchers at Qurium confirmed that Los Pollos, a Swiss-Czech AdTech entity, was enmeshed in VexTrio's operations. Their findings were based on the use of Los Pollos' monetization links, known as "smartlinks," which cybercriminals were using to direct users to harmful content. Collaborating with Qurium allowed Infoblox to share critical data with other security organizations to further combat the threat.

Following these developments, the landscape shifted quickly. Los Pollos ceased its monetization efforts on November 17, with immediate consequences for a number of compromised websites that had depended on them. As of November 20, DollyWay, a malware campaign that had used VexTrio's infrastructure for nearly eight years, had redirected its traffic to the Help TDS, revealing a longstanding connection between the two services.

Infoblox's analysis indicated that Help TDS had historical ties to VexTrio, which raises concerns about how readily cybercriminal networks adapt when disrupted. Reports noted that up to 40% of compromised websites had previously directed users through VexTrio, a figure cited in GoDaddy's 2024 cybersecurity report.

The investigation found that many TDSs are interconnected and share common traffic sources, supporting the idea of a coordinated operation behind the scenes. The true ownership of Help TDS remains unknown, although Partners House, BroPush, and RichAds are suspected of playing crucial roles in the shared network.

Furthermore, the use of shared software and code across different TDSs points to a more sophisticated level of organization within the cybercrime ecosystem. As these techniques evolve, the risk grows for users who inadvertently land on a compromised site and are funneled through these redirects.

This investigation marks a turning point in understanding how cybercrime and the AdTech industry converge, and it underscores the need for continuous vigilance and cooperation among cybersecurity firms. As threats evolve, greater diligence is required to protect consumers from emerging scam tactics.