
Various landing pages from the VexTrio TDS in November 2024 | Source: Infoblox
In the cybersecurity world, analysts often focus on the adversary’s tactics, techniques, and procedures (TTPs), but what happens when we shift the perspective to the victim? Renée Burton, Vice President of Threat Intel at Infoblox, decided to take a firsthand look at the impact of malicious advertising technology (adtech) embedded in compromised websites.
What she uncovered was a deeply entrenched ecosystem of cybercrime that goes far beyond simple malvertising. Victims are pushed into an endless cycle of deceptive ads, fake alerts, and even manipulated news content that persists long after leaving the compromised website.
“Visiting a website linked with malicious adtech can have a long-lasting impact on the user’s experience with their device.”
Burton’s experiment started with an old Google Pixel 2 phone running Chrome and Firefox. She visited a compromised domain, germannautica[.]com, which was flagged by Infoblox as part of a campaign operated by the threat actor VexTrio Viper.
Immediately, her device was funneled through a complex web of traffic distribution systems (TDSs)—a series of redirections designed to evade security tools and filter victims based on their location and browser characteristics.
“All of this activity happened in the blink of an eye. After a few redirections, I ended up with a request to allow push notifications—not from the site I initially visited, but from a totally different domain.”
This social engineering trick—disguised as a fake CAPTCHA prompt—tricked Burton into accepting push notifications from an attacker-controlled domain. That single click led to an avalanche of cyber threats.
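To make the redirect-chain behaviour concrete from the defender's side, here is an added Python example (not Infoblox's tooling, nor code from the article) that scores a constructed navigation log for the TDS traits described above: the number of redirect hops, how many unrelated domains were crossed, and whether a push-notification prompt came from somewhere other than the site the user actually visited. Every hostname except germannautica[.]com is a placeholder.

```python
"""Flag TDS-style redirect chains in a constructed browser/proxy navigation log."""
from urllib.parse import urlparse


def refang(url: str) -> str:
    """Turn a defanged indicator such as germannautica[.]com back into a parseable URL."""
    return url.replace("[.]", ".")


def registrable_domain(url: str) -> str:
    """Crude eTLD+1 (last two labels); ignores public-suffix edge cases like co.uk."""
    host = (urlparse(refang(url)).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def analyze_chain(hops, permission_prompt_domain=None, max_redirects=2):
    """hops: ordered list of {"url", "status"} as a proxy or browser would record them.
    Returns hop/domain counts plus human-readable flags a responder can triage."""
    domains = []
    for hop in hops:
        d = registrable_domain(hop["url"])
        if not domains or domains[-1] != d:
            domains.append(d)
    findings = {
        "redirects": sum(1 for h in hops if 300 <= h["status"] < 400),
        "domains_crossed": len(set(domains)),
        "origin": domains[0],
        "final": domains[-1],
        "flags": [],
    }
    if findings["redirects"] > max_redirects:
        findings["flags"].append("long redirect chain")
    if findings["final"] != findings["origin"]:
        findings["flags"].append("landed on unrelated domain")
    if permission_prompt_domain:
        prompt = registrable_domain("https://" + permission_prompt_domain)
        if prompt != findings["origin"]:
            findings["flags"].append("push prompt from third-party domain")
    return findings


# Constructed sample log: the compromised site named in the article, then placeholder TDS hops.
SAMPLE_CHAIN = [
    {"url": "https://germannautica[.]com/", "status": 302},
    {"url": "https://tds-hop-one.example/go", "status": 302},
    {"url": "https://tds-hop-two.example/filter", "status": 302},
    {"url": "https://push-prompt.example/captcha", "status": 200},
]

if __name__ == "__main__":
    print(analyze_chain(SAMPLE_CHAIN, permission_prompt_domain="push-prompt.example"))
```

A benign chain (for example an http-to-https bounce on the same domain, with any prompt coming from that same domain) produces no flags, which is the baseline to compare against in real logs.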
Once enrolled in the push notification scam, Burton’s phone became a delivery hub for cybercriminal content:
- Fake antivirus alerts (scareware)
- Fraudulent sweepstakes and gift card scams
- Fake cryptocurrency mining sites
- Adware-infested applications
- Manipulated news feeds designed to distort information
“I received over 100 push notifications per day from various domains, each notification leading to malicious content and often accompanied by requests to allow more push notifications.”
Perhaps the most disturbing revelation was how malicious adtech influenced mainstream content delivery.
Even after clearing browser history and revoking push notification permissions, Burton found herself trapped in a cycle of manipulated news and advertisements.
“The built-in news feed and ads fed by major services like Google and Taboola were tainted by the manipulated content—and in a way that seemed irrevocable.”
This suggests that adtech-driven cybercrime doesn’t just rely on hijacked websites and push notifications—it also exploits the very infrastructure of digital advertising to sustain long-term influence over a victim’s browsing experience.
Unlike traditional malware infections, malicious adtech thrives in the shadows of legitimacy. Threat actors embed a single line of code into hacked websites and partner with shady adtech firms that monetize user clicks and engagement.
Burton’s investigation uncovered a network of affiliate marketing schemes, where criminals profit not just from fraudulent ad clicks, but also from leading victims into deceptive subscription models.
- Fake security alerts led to aggressive sales tactics for antivirus software (e.g., TotalAV).
- Users were tricked into expensive, recurring subscriptions after an initial $1.99 trial.
- Some adtech firms knowingly facilitated these scams while maintaining a façade of legitimacy.
“They aren’t just abused; minimally they are willfully ignorant and often active participants.”
One of the most lucrative frauds in the adtech ecosystem is scareware—fake security alerts that use fear to push users into downloading unnecessary or malicious software.
Burton documented multiple scareware campaigns where users were bombarded with urgent security warnings claiming that their device was infected with malware.
“Clicking the notification leads the user into a TDS and to a landing page that contains a fake virus scan.”
These scam pages:
- Display flashing warnings and fake virus scan results
- Pretend to be official security brands (e.g., McAfee, Norton, TotalAV)
- Push users into long-term subscriptions with misleading pricing
Unlike ransomware or phishing, this attack doesn’t rely on malware—it leverages legitimate digital infrastructure to create an illusion of authenticity.
“We just explored how adtech proliferates so successfully through hacked websites. Now let’s turn our focus to how this technology plays out in a particular category of scams: scareware.”
As cybercriminal ad networks continue to evolve, security teams must rethink how they approach digital advertising threats. Shutting down TDS networks and disrupting malicious ad partnerships will be key in stopping these large-scale manipulations.
For now, the best defense is awareness—because in the world of cybercrime, even one wrong click can rewrite your entire online reality.