Research Saturday 8.23.25
Ep 390 | 8.23.25

Beyond the smoke screen.

Transcript

[ Music ]

Dave Bittner: Hello, everyone. And welcome to the CyberWire's "Research Saturday." I'm Dave Bittner. And this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in our rapidly evolving cyberspace. Thanks for joining us.


Dr. Renee Burton: So VexTrio came to our attention in the same way that it came, you know, to others within the industry. In particular there were really large numbers of compromised websites which when visitors went to them they would conditionally, meaning sometimes, redirect those people to a variety of scams. So it was really originally about these compromised websites and then seeing that there was a common DNS theme within that.


Dave Bittner: That's Dr. Renee Burton, VP of threat intelligence at Infoblox. Today we're discussing their work on VexTrio, a notorious traffic distribution system involved in digital fraud. Well, you all describe VexTrio as having its roots in spam and then evolving through scam tactics and eventually becoming part of malicious ad tech. Can you walk us through that journey from the early days to where they are today?


Dr. Renee Burton: Yeah. So if we look at VexTrio, and we try to think of it as this is an origin story, we really are trying to pull back to what are the earliest things that we can find people who have been involved with them during the days that we have, you know, as a security industry have thought of VexTrio. So that's, you know, this period between 2017 and 2025. And we looked at those key figures and then we tried to draw back how far can we track those key figures back. And the roots actually come out of two different areas. So we see one group coming out of Turin, Turin, Italy. And that was the group that was more involved with spam from all records that we can see. They really came into the dating industry and they were very successful. They had partners in major mobile networks in the mid 2000s, 2008, 2009. And in 2012 they reportedly had one of the fastest growing Facebook games. And if you remember, you know, there was that period, right, where Facebook was like all of these little pop-up games that were coming into feeds. At that time their One Date server, One Date app, was part of that growing population. But they were also attached to a lot of accusations of spam and there were a couple of lawsuits associated with that behavior. So that's the Italians, and then we see the Italians move to Lugano in 2015 and they continue to be in their mostly their dating verticals in that area. Separate of them also coincidentally I think in 2015 we see a variety of eastern European Russian-speaking people kind of move and companies move into Prague. And there we see a sort of similar behavior. That group is a lot more computer science. They're really good at DevOps. They're good at scaling stuff. They're good at algorithms. And they are the ones who have actually built these what we call traffic distribution systems, TDS, which hide or cloak the domains from people.
So they were all in Prague and then in 2020ish, we don't know exactly when, it appears to be some time in 2020, they merge in some way and the headquarters get moved into Lugano. So at this point even though there's people still around the world and in particular in Prague and elsewhere the headquarters, the financial center, is in Lugano and becomes kind of one group.


Dave Bittner: Now was it 2022 or so when they were formally recognized?


Dr. Renee Burton: So we discovered them as a group in, yeah, 2022 I believe it was. And started tracking. We didn't publish about them until we'd been tracking them I think for close to a year. So it might have been 2021. What happened then is as always happens with the security industry is once we recognized that something is not, you know, a series of random campaigns or we're able to associate it with some kind of threat actor then we and other collaborators can start to look backwards and say, "Okay. Where can I find the origin? Where can I find the origin?" And our understanding of their activity has matured, continues to mature as of this week honestly. It's like crazy that you're able to keep pulling and pulling back. But together with our collaborators, you know, we can now date that activity back to about 2015 which is, by the way, when they went to Prague. So.


Dave Bittner: Interesting. Now you mentioned the traffic distribution systems or TDS that seemed to be kind of central to their operations. Can you explain to us how TDS works in this particular context and why it's such an effective tool?


Dr. Renee Burton: Yeah. So TDS to me is probably the single most important and single least understood phenomenon in the security industry or in the cybercrime world today. What it's doing is think of it as -- there's a couple ways to think about it. One is it's sort of like a maze that you're not going to see. So it's like a black box maze. And the purpose of that black box is to disguise, and the word the industry would use is cloak, to cloak the true mechanism or the true domain that you're going to go to. So in essence for instance you visit this website and it happens to be a compromised website. So you're going to, you know, ABC News or something. They are not compromised, but let's use them as an example. You're going to your local news site and that site is compromised. What they will do, the malware that's on there, it will fingerprint you. So it's going to say, "Oh. You are in this location. You're using this kind of device, mobile or desktop." It's going to get your browser information. It will try to get your operating system information. And that will create a little fingerprint and then that will send you into the TDS and there's a variety of ways to think about that. Some people think of it as a Plinko game, as a maze, but that's basically like a big decision framework. In fact those -- ad type people often call it a funnel. So they're like deciding, "Oh. What is the most likely thing that you are going to buy?" Now buy here means as a scam. Right? Or as a malware. So it's like what's the most likely thing. And then it will route through this, you know, maze that you can't see. And then pop you back out into what is the real end thing whether that be a scam or an information stealer, that kind of output, but malicious nonetheless. So to put that back together again the purpose of the TDS is to provide the infrastructure that maximizes the profit for the cyber criminals. That's really the way to think about it.


Dave Bittner: And for me, the user, I'm visiting what I think is my local website that's been compromised. What's my experience like as I'm being routed through this TDS?


Dr. Renee Burton: Sometimes you will see a, you know -- at the bottom of your screen or the top of your screen you will see redirecting to and you might see things flashing past. But very often you won't. So very often what will happen is you're going to your local news site and there's like a fraction -- you know, just like a fractional pause because that's where it's fingerprinting and deciding what it's going to do with you. And then instead of seeing news you're going to see something else, whichever thing they've decided you're most likely to get. I think one of the more alarming ones for consumers is the tech support scams. So again you're browsing the internet. I think most of us have had this happen to us. Doing normal things. Suddenly your machine is taken over and it says, you know, "Windows Defender." Or, you know, pick some product. "Has decided that you've got malware and you need to call this phone number." Or you need to download this file or something like that. That scareware notion. And it's usually extremely alarming. May have noise even with it. That is a typical experience for a user.


Dave Bittner: We'll be right back. [ Music ] You know, it's interesting because I remember a specific case where my father had fallen prey to this sort of thing. And one of the challenges for us to figure out what had happened was trying to figure out whether his computer itself had been compromised or it was a website that he was visiting that had been compromised. And so it strikes me that that's sort of a key element of this as you're looking at it. In this case it is the websites themselves that have been compromised. Right?


Dr. Renee Burton: Yes. And that is the real tricky thing is for a security team -- so we typically talk to a SOC and you know you might say, "Oh. Something happened on my machine." And then they want to know, you know, where it came from. And because of the way the TDS works you frequently cannot recreate that experience because it's checking. First it's looking for security groups. It's checking to see whether or not you're coming out of some anonymous kind of proxy. So there's a lot of protection on their part to prevent non-victims from coming through their system. And they'll also do things like put cookies on your machine which allows them to know that they've already scammed you. Already had that visit. And then they won't do it again so that it can't be recreated. It's an extremely tricky thing.


Dave Bittner: How kind of them [laughs].


Dr. Renee Burton: Exactly.


Dave Bittner: So what sort of scale do we suppose we're talking about here? How big of an operation is this?


Dr. Renee Burton: They're absolutely enormous, and VexTrio's only one, you know, one group within this malicious ad tech industry. We have associated about 100 companies and brands directly to 8 key figures within VexTrio. Not all of those are in ad tech. They have a lot of money so they have companies in construction. They have payment processing companies. They have cryptocurrency blockchain companies. They've got restaurants, energy companies. They're very well diversified from a corporate perspective as well as of course everything to do with advertising. They've got email, direct email marketing companies, email validation companies, of course multiple affiliate networks which are how you get those ads changed. They've got brand awareness, search engine optimization. They really are dug in everywhere and then we also study other groups. We're not like only targeting them. We're targeting all the bad guys. And you have this similar sort of phenomenon of classic large-scale shell company kind of operations.


Dave Bittner: I see. Well, I know you and your Infoblox colleagues are leveraging DNS data to try to enable early detection here. Can you explain how you all are going about that?


Dr. Renee Burton: Yeah. So what we do -- I mean this is where our real wheelhouse is. We're not, you know, going around and watching malware by itself on websites. We partner with a number of others whose specialty is in that area. Our specialty is in DNS. So what we do is we say like, "Okay. We know that these traffic distribution systems, these TDS, they have to use domain names." That's how the internet works. Basically everything needs a domain name. And they have to have very protected assets because they are -- their transactions according to them, and our evidence supports their claims, are 20 billion plus transactions a day. Right? And we think about all of them together. Right? We're talking about probably 100 billion transactions a day. So they need a very resilient robust system that nobody can easily break. That typically means they're going to need a wide variety of domain names. And just human nature that you create patterns in how you're going to register and use your domains. And in some ways when you create no patterns you also create a pattern. Right? I spent 23 years at the National Security Agency and so have a lot of experience in looking for patterns where other people are not looking for patterns or where you don't realize that you're placing that down. And then we combine all of those things together and we have like a fairly complex apparatus that is watching for domain name creation and use in these contexts.


Dave Bittner: I see. So what are your recommendations then? I mean based on the information that you've gathered here what should people do to protect themselves?


Dr. Renee Burton: Well, there's a couple of things. So there's always education of course. You know, in the sense that if your machine suddenly comes up and says you have malware, Google or Microsoft say, you know, something's wrong with your machine, you don't. Right? In most cases these things are you can actually back out of them or if you're suddenly redirected to a variety of places or something seems to be too good to be true of course education-wise, you know, for our end users we want to do that. For our security we also want to be aware. Most people in the security industry are not aware of TDS. It's been quite an educational process to bring us this far. And really from a security of protection apparatus DNS is the most effective in the sense that it has the largest -- you know, largest application because every connection that you're going to need, whether that's coming from a compromised site or whether they've done the lures through Instagram or whether it's a Google ad or a Facebook ad, in the end they're going to need a domain name. And so protective DNS whether that's, you know, provided through a commercial company or some other fashion, people can roll their own if they really want to, that is really the best way to be protected against these kind of folks. And of course taking them down. Right?


Dave Bittner: Right. Right. Right. You mentioned that TDS has sort of flown under the radar when it comes to security professionals. Why do you suppose that is?


Dr. Renee Burton: It's really a visibility issue in the sense that when you, you know, work in the field you or your product or your company has a specialty. You know, you're there to protect people's websites, for example, or you're there to protect people's advertising, whatever your specialty is. And as a result you might see -- a lot of times when I talk to people they're like, "Oh yeah. I saw a bunch of redirects." For you that probably doesn't matter because you're not a DNS company. You're not really protecting in the domain space. You're looking for malware and it just isn't, you know -- isn't that important. But for us that -- since what we do is domain name intelligence, DNS intelligence, we are hyper focused on breaking that cycle within that maze or funnel aspect of things.


Dave Bittner: Right. Right. I'm just imagining, you know, someone -- I'm imagining you standing on a street corner, you know, yelling out to all your colleagues, "Are you not seeing this?"


Dr. Renee Burton: Yes. That is what I do. Every day.


Dave Bittner: Right. Right. Right. Well, I think I have everything I need for our story here. Is there anything I missed, anything I haven't asked you that you think it's important to share?


Dr. Renee Burton: We have seen VexTrio and some of the other major malicious ad tech we have seen them in over 50% of our customer networks. It's extraordinarily broadly seen. I think VexTrio is something like 88%, you know, over time we've seen. And then they have insanely popular domains. So their CDNs where they're storing their images in order to do the content deliveries fast, those domains are in the top 10,000 as measured by popularity worldwide which means they're really, really, really popular. [ Music ]


Dave Bittner: Our thanks to Dr. Renee Burton from Infoblox for joining us. Today we were discussing their work on VexTrio, a notorious traffic distribution system involved in digital fraud. We'll have a link in the show notes. And that's "Research Saturday" brought to you by N2K CyberWire. We'd love to hear from you. We are conducting our annual audience survey to learn more about our listeners. We're collecting your insights through the end of August. There's a link in the show notes. Please do check it out. This episode was produced by Liz Stokes. We're mixed by Elliott Peltzman and Tre Hester. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here next time. [ Music ]