home.social

#vextrio — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #vextrio, aggregated by home.social.

  1. Are Smartlinks the Charon of Adtech?

    If you have been following our research on adtech, such as VexTrio origin story published last week (blogs.infoblox.com/threat-inte) , you've likely seen repeated references to Smartlinks, also known as Direct Offers.
    Smartlinks may appear harmless as first glance – just as actors intend–, but much as Charon, who ferries souls into the kingdom of Hades, Smartlinks lead traffic into the TDS controlled by adtech operators. In both cases, once you are caught in the current, you have no control over your destination. And just as Charon’s passengers, you may land in a place you do not desire to be.
    Analogies aside, Smartlinks are an integral feature of adtech and are here to stay. To help you better understand how they work and why they matter, we've created a cheatsheet that breaks down their role and relevance.

    #dns #infosec #vextrio #smartlink #adtech #tds #infoblox #cybercrime #scam #cybercrime #threatintel

  2. Are Smartlinks the Charon of Adtech?

    If you have been following our research on adtech, such as VexTrio origin story published last week (blogs.infoblox.com/threat-inte) , you've likely seen repeated references to Smartlinks, also known as Direct Offers.
    Smartlinks may appear harmless as first glance – just as actors intend–, but much as Charon, who ferries souls into the kingdom of Hades, Smartlinks lead traffic into the TDS controlled by adtech operators. In both cases, once you are caught in the current, you have no control over your destination. And just as Charon’s passengers, you may land in a place you do not desire to be.
    Analogies aside, Smartlinks are an integral feature of adtech and are here to stay. To help you better understand how they work and why they matter, we've created a cheatsheet that breaks down their role and relevance.

    #dns #infosec #vextrio #smartlink #adtech #tds #infoblox #cybercrime #scam #cybercrime #threatintel

  3. Two recent podcast / videocasts on #vextrio #tds and malicious #adtech
    both have slightly different although they talk about VexTrio TDS and Russian organized crime in adtech.

    The cyberwire podcast is 20 min long - discussing VexTrio and TDS in general. the interview with Rob Wright from Dark Reading is about 10 min long.

    #threatintel #cybercrime #scam #cybersecurity #infosec

    youtube.com/watch?v=biZAmoJkpZE

    thecyberwire.com/podcasts/rese

  4. Two recent podcast / videocasts on #vextrio #tds and malicious #adtech
    both have slightly different although they talk about VexTrio TDS and Russian organized crime in adtech.

    The cyberwire podcast is 20 min long - discussing VexTrio and TDS in general. the interview with Rob Wright from Dark Reading is about 10 min long.

    #threatintel #cybercrime #scam #cybersecurity #infosec

    youtube.com/watch?v=biZAmoJkpZE

    thecyberwire.com/podcasts/rese

  5. @shadowserver helped us disrupt a prolific website malware multiple times in early August. This malware uses DNS TXT records for a C2 to redirect users to scams and malware. Exclusively redirecting to VexTrio for years, they've been disrupted a few times by us and partners this past year ... which each time allows us to understand the criminal enterprise a bit further.

    Prior to the disruption, we analyzed over 4M DNS responses from the authoritative servers from several partners covering a short window of traffic.

    The diagram below shows how the server is likely to redirect website visitors based on their geo and device type, which are encoded in the query. Connections to Strela Stealer in June. We are in the process of writing up research around how this all connects to the MikroTik router botnet we published early this year.

    In mid-June, the C2 server domain had a global popularity level on Tranco of about 80k - pretty high for a niche domain.

    What happened after Shadow Server sinkholed the C2 domain?? We saw nearly 30k sites reach out to the sinkhole in a 48 hour period. Lots of bot activity -- these queries only come from compromised websites and there were nearly 37M unique queries in that time!

    of course the threat actors adjust.. that is part of the game. but we learnt a lot in the process.

    Diagram also shows how several of the TDS are related to each other in these flows.

    #dns #threatintel #scam #malware #tds #infoblox #vextrio #cybercrime #cybersecurity #infosec

  6. @shadowserver helped us disrupt a prolific website malware multiple times in early August. This malware uses DNS TXT records for a C2 to redirect users to scams and malware. Exclusively redirecting to VexTrio for years, they've been disrupted a few times by us and partners this past year ... which each time allows us to understand the criminal enterprise a bit further.

    Prior to the disruption, we analyzed over 4M DNS responses from the authoritative servers from several partners covering a short window of traffic.

    The diagram below shows how the server is likely to redirect website visitors based on their geo and device type, which are encoded in the query. Connections to Strela Stealer in June. We are in the process of writing up research around how this all connects to the MikroTik router botnet we published early this year.

    In mid-June, the C2 server domain had a global popularity level on Tranco of about 80k - pretty high for a niche domain.

    What happened after Shadow Server sinkholed the C2 domain?? We saw nearly 30k sites reach out to the sinkhole in a 48 hour period. Lots of bot activity -- these queries only come from compromised websites and there were nearly 37M unique queries in that time!

    of course the threat actors adjust.. that is part of the game. but we learnt a lot in the process.

    Diagram also shows how several of the TDS are related to each other in these flows.

    #dns #threatintel #scam #malware #tds #infoblox #vextrio #cybercrime #cybersecurity #infosec

  7. Part three of our VexTrio full monty is now available. This one is for the geeks but also a pretty short read... especially given the previous two parts!

    Major takeaways are:
    * these networks receive a ton of traffic. The primary image server for VexTrio TDS has long been in the top 10k popular domains globally -- we've been pushing hard and it is down around 11k now.
    * they use a few different cloakers / trackers. we talk about IMKLO and binom.
    * they run a pretty modern devops stack with all the tech you would expect.

    #dns #vextrio #threatintel #scam #malware #phishing #tds #cybercrime #cybersecurity #infosec #infoblox

    blogs.infoblox.com/threat-inte

  8. Part three of our VexTrio full monty is now available. This one is for the geeks but also a pretty short read... especially given the previous two parts!

    Major takeaways are:
    * these networks receive a ton of traffic. The primary image server for VexTrio TDS has long been in the top 10k popular domains globally -- we've been pushing hard and it is down around 11k now.
    * they use a few different cloakers / trackers. we talk about IMKLO and binom.
    * they run a pretty modern devops stack with all the tech you would expect.

    #dns #vextrio #threatintel #scam #malware #phishing #tds #cybercrime #cybersecurity #infosec #infoblox

    blogs.infoblox.com/threat-inte

  9. Scammers DO take vacations. Lots of them. These are social media from VexTrio key figures - tons more where these came from.

    Don't blame the victim, blame the guy on a private jet to a Coldplay concert. fr fr.

    #threatintel #cybercrime #cybersecurity #infosec #scam #VexTrio #tds #malware #phishing

  10. Scammers DO take vacations. Lots of them. These are social media from VexTrio key figures - tons more where these came from.

    Don't blame the victim, blame the guy on a private jet to a Coldplay concert. fr fr.

    #threatintel #cybercrime #cybersecurity #infosec #scam #VexTrio #tds #malware #phishing

  11. VexTrio's origins come from two distinct groups: an Italian group we can date back to 2004 and a Russian-speaking Eastern European group. The Italians were quite successful early on, with a dating app that was among the fastest growing on Facebook in 2012. But our guess is that their profits slid in the years that followed. In 2020, there is an merger-acquisition which leaves the Eastern Europeans in charge. They gain the trademarks, knowledge in spam distribution, and who knows what else.

    While developers remain in eastern Europe, VexTrio created business headquarters in Lugano, Switzerland. Including the existing AdsPro, which developed the Los Pollos, Taco Loco, and Adtrafico traffic distribution systems (TDS) through their software company HolaCode. (ok it's more complicated than that, but this is the cliffsnotes version). We have identified nearly 100 businesses associated with 8 key figures in many industries, including construction, energy, and advertising.

    So in the end, what is VexTrio? It's hard to say. We originally used it to refer to the TDS. Nice clean lines... but now, for us it is all the people and their labyrinth of companies.

    We spoke at BlackHat last week so if you have a briefings pass you can listen to that. Otherwise, find our research online and start your own investigation.

    #dns #threatintel #scam #cybercrime #vextrio #infoblox #cybersecurity #infosec #malware #tds

  12. VexTrio's origins come from two distinct groups: an Italian group we can date back to 2004 and a Russian-speaking Eastern European group. The Italians were quite successful early on, with a dating app that was among the fastest growing on Facebook in 2012. But our guess is that their profits slid in the years that followed. In 2020, there is an merger-acquisition which leaves the Eastern Europeans in charge. They gain the trademarks, knowledge in spam distribution, and who knows what else.

    While developers remain in eastern Europe, VexTrio created business headquarters in Lugano, Switzerland. Including the existing AdsPro, which developed the Los Pollos, Taco Loco, and Adtrafico traffic distribution systems (TDS) through their software company HolaCode. (ok it's more complicated than that, but this is the cliffsnotes version). We have identified nearly 100 businesses associated with 8 key figures in many industries, including construction, energy, and advertising.

    So in the end, what is VexTrio? It's hard to say. We originally used it to refer to the TDS. Nice clean lines... but now, for us it is all the people and their labyrinth of companies.

    We spoke at BlackHat last week so if you have a briefings pass you can listen to that. Otherwise, find our research online and start your own investigation.

    #dns #threatintel #scam #cybercrime #vextrio #infoblox #cybersecurity #infosec #malware #tds

  13. Tens of thousands of compromised websites use DNS TXT records to conditionally redirect visitors to malicious content. For years, this exclusively redirected to VexTrio TDS - but in late-November 2024, it changed. But did it? We think not.

    A couple of major takeaways from the research we released in June and what we've continued to learn since then:

    * DNS is being used very successfully to drive innocent people to malware and scams, including alarming tech support scams

    * These can be stopped by blocking the DNS query but it must be done at the website server side not the visitor

    * VexTrio is tight not just with malware actors who hack sites and drive traffic to them, but they appear to be one and the same, or at least closely related, to infamous TDS and a multitude of other "adtech" platforms.

    * reviewing old literature carefully connects VexTrio via shared software with ROI777

    we're going to throw up more "snackables" before heading to Vegas. If you want to see the faces behind VexTrio and hear their origin story, come see our talk or track us down at the booth.

    #threatintel #malware #tds #vextrio #dns #cybercrime #cybersecurity #scam #infosec #infoblox

  14. Tens of thousands of compromised websites use DNS TXT records to conditionally redirect visitors to malicious content. For years, this exclusively redirected to VexTrio TDS - but in late-November 2024, it changed. But did it? We think not.

    A couple of major takeaways from the research we released in June and what we've continued to learn since then:

    * DNS is being used very successfully to drive innocent people to malware and scams, including alarming tech support scams

    * These can be stopped by blocking the DNS query but it must be done at the website server side not the visitor

    * VexTrio is tight not just with malware actors who hack sites and drive traffic to them, but they appear to be one and the same, or at least closely related, to infamous TDS and a multitude of other "adtech" platforms.

    * reviewing old literature carefully connects VexTrio via shared software with ROI777

    we're going to throw up more "snackables" before heading to Vegas. If you want to see the faces behind VexTrio and hear their origin story, come see our talk or track us down at the booth.

    #threatintel #malware #tds #vextrio #dns #cybercrime #cybersecurity #scam #infosec #infoblox

  15. snackable 3/N on VexTrio and the WordPress hackers. This one's a bit geeky. One type of malware that led to VexTrio exclusively until late-Nov 2024 uses DNS TXT records to retrieve a redirection.

    This is a tricky bugger and gives the malware actor an easy way to change things up if they are disrupted. The C2 domain (a DNS nameserver) isn't observed and the calls happen server side. The DNS TXT record malware was first observed by Sucuri/GoDaddy in 2023.

    A compromised website makes a DNS TXT query that encodes the visitor's information and receives a redirection encoded in the response. When DNS queries to the C2 is blocked in the website's network, the visitor is protected -- we have had customers with compromised websites who still protected their users as we blocked the DNS query.

    This malware is stubborn and is tricky to get rid of... there are also bots that come through regularly and update the compromised servers.

    We used 4.5 million DNS queries over ~6 month period to understand how the C2 and redirect domains interrelated. What we found were two distinct clusters (this is the really geeky part) that indicate separate operations. Both use bulletproof hosting and/or Russian hosting, both were exclusively VexTrio, and both in late-November switched to the Help TDS. They used a few different paths to get to VexTrio's Los Pollos links.

    One of these clusters had not been previously reported to our knowledge.

    What you see in this image is a composite view. The C2 for each cluster are:
    * data-cheklo[.]world, cndatalos[.]com, data-infox[.]com
    * logs-web[.]com, airlogs[.]net, webdmonitor[.]io, cloudstats[.]net, etc.
    webdmonitor[.]io is still active.

    #dns #threatintel #cybercrime #cybersecurity #infosec #malware #scam #VexTrio #tds

  16. snackable 3/N on VexTrio and the WordPress hackers. This one's a bit geeky. One type of malware that led to VexTrio exclusively until late-Nov 2024 uses DNS TXT records to retrieve a redirection.

    This is a tricky bugger and gives the malware actor an easy way to change things up if they are disrupted. The C2 domain (a DNS nameserver) isn't observed and the calls happen server side. The DNS TXT record malware was first observed by Sucuri/GoDaddy in 2023.

    A compromised website makes a DNS TXT query that encodes the visitor's information and receives a redirection encoded in the response. When DNS queries to the C2 is blocked in the website's network, the visitor is protected -- we have had customers with compromised websites who still protected their users as we blocked the DNS query.

    This malware is stubborn and is tricky to get rid of... there are also bots that come through regularly and update the compromised servers.

    We used 4.5 million DNS queries over ~6 month period to understand how the C2 and redirect domains interrelated. What we found were two distinct clusters (this is the really geeky part) that indicate separate operations. Both use bulletproof hosting and/or Russian hosting, both were exclusively VexTrio, and both in late-November switched to the Help TDS. They used a few different paths to get to VexTrio's Los Pollos links.

    One of these clusters had not been previously reported to our knowledge.

    What you see in this image is a composite view. The C2 for each cluster are:
    * data-cheklo[.]world, cndatalos[.]com, data-infox[.]com
    * logs-web[.]com, airlogs[.]net, webdmonitor[.]io, cloudstats[.]net, etc.
    webdmonitor[.]io is still active.

    #dns #threatintel #cybercrime #cybersecurity #infosec #malware #scam #VexTrio #tds

  17. VexTrio and the malware actors snackable (2/N).

    At the heart of VexTrio is so called "smartlinks". What is that? BlackHatWorld users explain it well. see pics.

    smartlinks are the lipstick for the pig called domain cloaking that is provided by traffic distribution systems (TDS) owned by malicious adtech companies like Los Pollos and Taco Loco (and Adtrafico and and and)

    #VexTrio #malware #tds #cybercrime #phishing #scam #threatintel #infoblox #infobloxthreatintel #infosec #cybersecurity #adtech

  18. VexTrio and the malware actors snackable (2/N).

    At the heart of VexTrio is so called "smartlinks". What is that? BlackHatWorld users explain it well. see pics.

    smartlinks are the lipstick for the pig called domain cloaking that is provided by traffic distribution systems (TDS) owned by malicious adtech companies like Los Pollos and Taco Loco (and Adtrafico and and and)

    #VexTrio #malware #tds #cybercrime #phishing #scam #threatintel #infoblox #infobloxthreatintel #infosec #cybersecurity #adtech

  19. The Russians aren't coming, they are already here. Without most anyone realizing, they've created an entire malicious adtech industry whose story is just as complex as the Chinese organized crime we're now realizing from their ventures into pig butchering.

    VexTrio is just one Russian organized crime group in the malicious adtech world, but they are a critical one. They have a very "special" relationship with website hackers that defies logic. I'd put my money on a contractual one. all your bases belong to russian adtech hackers.

    Today we've released the first piece of research that may eventually prove whether I am right. This paper is hard. i've been told. I know. We've condensed thousands of hours of research into about 30 pages. @briankrebs tried to make the main points a lot more consumable -- and wrote a fabulous complimentary article : read both!

    There's so much more to say... but at the same time, between ourselves and Brian, we've released a lot of lead material ... and there's more to come. I've emphasized the Russian (technically Eastern European) crime here, but as Brian's article points out there is a whole Italian side too. and more.

    We've given SURBL, Spamhaus, Cloudflare, Domain Tools, several registrars, and many security companies over 100k domains. They are also posted on our open github.

    Super thanks to our collaborators at Qurium, GoDaddy Sucuri Security, and elsewhere.

    #threatintel #scam #tds #vextrio #cybercrime #cybersecurity #infosec #dns #infoblox #InfobloxThreatIntel #malware #phishing #spam

    blogs.infoblox.com/threat-inte

    krebsonsecurity.com/2025/06/in

  20. The Russians aren't coming, they are already here. Without most anyone realizing, they've created an entire malicious adtech industry whose story is just as complex as the Chinese organized crime we're now realizing from their ventures into pig butchering.

    VexTrio is just one Russian organized crime group in the malicious adtech world, but they are a critical one. They have a very "special" relationship with website hackers that defies logic. I'd put my money on a contractual one. all your bases belong to russian adtech hackers.

    Today we've released the first piece of research that may eventually prove whether I am right. This paper is hard. i've been told. I know. We've condensed thousands of hours of research into about 30 pages. @briankrebs tried to make the main points a lot more consumable -- and wrote a fabulous complimentary article : read both!

    There's so much more to say... but at the same time, between ourselves and Brian, we've released a lot of lead material ... and there's more to come. I've emphasized the Russian (technically Eastern European) crime here, but as Brian's article points out there is a whole Italian side too. and more.

    We've given SURBL, Spamhaus, Cloudflare, Domain Tools, several registrars, and many security companies over 100k domains. They are also posted on our open github.

    Super thanks to our collaborators at Qurium, GoDaddy Sucuri Security, and elsewhere.

    #threatintel #scam #tds #vextrio #cybercrime #cybersecurity #infosec #dns #infoblox #InfobloxThreatIntel #malware #phishing #spam

    blogs.infoblox.com/threat-inte

    krebsonsecurity.com/2025/06/in

  21. Some great work from Denis Sinegubko yesterday on a VexTrio affiliate who has been compromising websites for years. This is complex research coming in three parts and aligns with some of our own.

    A few highlights for me...sprinkling in some of our Infoblox work:
    * The DollyWorld actor is a VexTrio (specifically a Los Pollos) affiliate since 2016. Given that Los Pollos dates to 2015, this is an old partner.
    * Around November 20th, 2024, Los Pollos announced to their customers they would stop push monetization. I've written a lot on push monetization as a source of lingering evil. Whatever caused this change, it disrupted their affiliates.
    * DollyWorld actor and the DNS C2 TXT systems we have been tracking carefully (after all, it's DNS) both switched to Monetizer TDS at that point. Coincidence?
    * I had originally used germannautica[.]com to get the VexTrio hook and then later was able to trigger participates[.]cfd (leads to Monetizer) through the same site.
    * Where VexTrio was just scams, the new TDS pattern also gave me malware

    Most importantly -- scams pay! These affiliate actors are running for years on compromised sites and constantly updating their techniques. Why else would they keep going?

    #dns #threatintel #cybercrime #cybersecurity #infosec #malware #scam #vextrio

    godaddy.com/resources/news/dol

  22. Some great work from Denis Sinegubko yesterday on a VexTrio affiliate who has been compromising websites for years. This is complex research coming in three parts and aligns with some of our own.

    A few highlights for me...sprinkling in some of our Infoblox work:
    * The DollyWorld actor is a VexTrio (specifically a Los Pollos) affiliate since 2016. Given that Los Pollos dates to 2015, this is an old partner.
    * Around November 20th, 2024, Los Pollos announced to their customers they would stop push monetization. I've written a lot on push monetization as a source of lingering evil. Whatever caused this change, it disrupted their affiliates.
    * DollyWorld actor and the DNS C2 TXT systems we have been tracking carefully (after all, it's DNS) both switched to Monetizer TDS at that point. Coincidence?
    * I had originally used germannautica[.]com to get the VexTrio hook and then later was able to trigger participates[.]cfd (leads to Monetizer) through the same site.
    * Where VexTrio was just scams, the new TDS pattern also gave me malware

    Most importantly -- scams pay! These affiliate actors are running for years on compromised sites and constantly updating their techniques. Why else would they keep going?

    #dns #threatintel #cybercrime #cybersecurity #infosec #malware #scam #vextrio

    godaddy.com/resources/news/dol

  23. Survey says.. it's a scam! Here is the second in my blog series on the user experience of malicious adtech.

    This time focusing on gift card and survey scams. Bad dudes create endless webs to entrap users and take advantage of people's hope for a better life.

    Stealing money via scams ilke these is no different than via a phishing link.

    #scam #threatintel #cybercrime #cybersecurity #infosec #dns #infoblox #InfobloxThreatIntel #vextrio #tds #adtech

    blogs.infoblox.com/threat-inte

  24. Survey says.. it's a scam! Here is the second in my blog series on the user experience of malicious adtech.

    This time focusing on gift card and survey scams. Bad dudes create endless webs to entrap users and take advantage of people's hope for a better life.

    Stealing money via scams ilke these is no different than via a phishing link.

    #scam #threatintel #cybercrime #cybersecurity #infosec #dns #infoblox #InfobloxThreatIntel #vextrio #tds #adtech

    blogs.infoblox.com/threat-inte

  25. More malicious GitHub repos - this weekend there was one for Australia Day (Jan 26th). The pages in these repos load a malicious script that operates as a TDS -- the user will either be dropped to the decoy page or shown fake captchas and asked to allow push notifications.

    I just saw a new one pop up for Chinese New Years -- I'm telling you these malicious #adtech guys have no targeting boundaries.

    A few facts for the #threatintelligence folks:
    * the repo contains over 13k single page websites like the one below
    * accepting notifications on this one flooded my phone with porn, crypto scams, and fake news
    * believe this is #vextrio or a close VexTrio affiliate in spite of the new cute image captcha
    * not clear how the page lures are distributed but SEO poisoning has been seen in the past. we pick them up via #dns

    Screen capture of the captcha and push notifications are here: imgur.com/a/ZEDJ8BK

    australiaday[.]github[.]io
    chinesenewyear[.]github[.]io
    qggi[.]com
    yto[.]pp[.]ua
    xyc[.]pp[.]ua

    #threatintel #malware #cybercrime #cybersecurity #infosec #infoblox #InfobloxThreatIntel @InfobloxThreatIntel

  26. More malicious GitHub repos - this weekend there was one for Australia Day (Jan 26th). The pages in these repos load a malicious script that operates as a TDS -- the user will either be dropped to the decoy page or shown fake captchas and asked to allow push notifications.

    I just saw a new one pop up for Chinese New Years -- I'm telling you these malicious #adtech guys have no targeting boundaries.

    A few facts for the #threatintelligence folks:
    * the repo contains over 13k single page websites like the one below
    * accepting notifications on this one flooded my phone with porn, crypto scams, and fake news
    * believe this is #vextrio or a close VexTrio affiliate in spite of the new cute image captcha
    * not clear how the page lures are distributed but SEO poisoning has been seen in the past. we pick them up via #dns

    Screen capture of the captcha and push notifications are here: imgur.com/a/ZEDJ8BK

    australiaday[.]github[.]io
    chinesenewyear[.]github[.]io
    qggi[.]com
    yto[.]pp[.]ua
    xyc[.]pp[.]ua

    #threatintel #malware #cybercrime #cybersecurity #infosec #infoblox #InfobloxThreatIntel @InfobloxThreatIntel

  27. Have you ever wondered what happens if you say yes to every request to receive push notifications from sketchy websites?
    For the past few months we have done exactly that, exposing an old phone to an endless barrage of scareware and malicious ads.
    Find out more here: blogs.infoblox.com/threat-inte

    #dns #threatintel #adtech #adware #malware #scam #phishing #cybercrime #cybersecurity #vextrio #infoblox #infobloxthreatintel #malvertising #tds

  28. Have you ever wondered what happens if you say yes to every request to receive push notifications from sketchy websites?
    For the past few months we have done exactly that, exposing an old phone to an endless barrage of scareware and malicious ads.
    Find out more here: blogs.infoblox.com/threat-inte

    #dns #threatintel #adtech #adware #malware #scam #phishing #cybercrime #cybersecurity #vextrio #infoblox #infobloxthreatintel #malvertising #tds

  29. Cricket and Matt asked me to join them for the Ask Mr DNS podcast last week. It's a great show that i've listened to for years.

    We talked about securing networks by blocking bad things in DNS and how our research group @InfobloxThreatIntel does that work. I talk a bit about malicious adtech like #VexTrio ....

    This whole show is completely unrehearsed and i had no real idea what we were going to cover lol... so fingers crossed it makes sense to folks.

    There are some great episodes about the Dyn attacks in 2015 that you should listen to if you have an interest in DDOS attacks.

    #threatintel #dns #cybercrime #cybersecurity #infosec #infoblox #phishing #malware #malvertising

    ask-mrdns.com/2025/01/episode-

  30. Cricket and Matt asked me to join them for the Ask Mr DNS podcast last week. It's a great show that i've listened to for years.

    We talked about securing networks by blocking bad things in DNS and how our research group @InfobloxThreatIntel does that work. I talk a bit about malicious adtech like #VexTrio ....

    This whole show is completely unrehearsed and i had no real idea what we were going to cover lol... so fingers crossed it makes sense to folks.

    There are some great episodes about the Dyn attacks in 2015 that you should listen to if you have an interest in DDOS attacks.

    #threatintel #dns #cybercrime #cybersecurity #infosec #infoblox #phishing #malware #malvertising

    ask-mrdns.com/2025/01/episode-

  31. Many malicious adtech companies offer what they call a "smartlink" to marketing affiliates. These affiliates publish the smartlink url on a website, an instagram post, and facebook ad, etc. and receive a commission based on some criteria of the adtech company.

    But what is a smartlink really? You can think of it like this...

    A Guy tells you he'll pay you to deliver packages. You can deliver them to anyone you want. Here's the catch: you only get paid if the recipient buys the contents AFTER they open it.

    You don't know what's inside the packages, but the Guy gives you a hint by labeling it "mainstream", "dating", "gaming" etc. This way you can try to find people who are most likely to buy the content inside.

    So you run all around town handing out packages, being super creative and decorating them so people will open the box.. and hoping they'll buy what's inside when they do. The Guy decides whats in the package and whether you get paid.

    Sounds smart, right?

    VexTrio's Los Pollos is one company that offers smartlinks, but there are many others, including Propeller Ads (via Monetag). Some call them direct links. For the technical folks - these links enter the user/victim into the traffic distribution system (TDS). These links are used to deliver everything from scams to malware.

    #adtech #cybercrime #threatintel #cybersecurity #infosec #tds #vextrio #infoblox #infobloxthreatintel #scam #malware #phishing