
When clicks turn criminal.
Dave Bittner: Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Dr. Renee Burton: So, what we have found, particularly over the last year, is essentially a lot of threats that we previously believed were associated with those actors hiding in the dark, working in those dark web forums, groups of hacker gangs. They, in fact, are being backed by registered businesses in various parts of the world. They advertise openly on the internet, and they provide a variety of advertising-related services.
Dave Bittner: That's Dr. Renee Burton, Vice President of Threat Intelligence at Infoblox. The research we're discussing today is titled "Deniability by Design: DNS-Driven Insights into a Malicious Ad Network." Let's dig in and talk about Vane Viper itself. How did you first come across this threat actor?
Dr. Renee Burton: So we first found Vane Viper back in like 2022. And we found it similarly both through accidental things, but also through DNS. And at the time, they were heavily seen in compromised websites. I personally had the experience where I was just doing some browsing, and suddenly there was this little pop-up that said, Omnitor wants to show you notifications. Who's Omnitor? I'm definitely not visiting that website.
Dave Bittner: Right.
Dr. Renee Burton: So I said no, which was good, because that turned out to be a lead into us discovering, again, through DNS, by putting together DNS here being the domain names, IP addresses, we put those together and realized this is actually an entire actor, meaning, you know, a person or a group that we would be able to track, and that they were heavily involved in both scams and in malware. And then it took us years, it took us about two years, to realize that in fact they were registered companies.
Dave Bittner: Wow. Well, before we dig into some more of the details, you mentioned DNS, and your research points out that you and your team saw about a trillion, with a T, DNS queries linked to Vane Viper in just about a year. Can you put that into perspective for us, what this means in terms of scale?
Dr. Renee Burton: Yeah, that trillion was within our customer environments as well. So if you think about it, you know, globally, it's actually going to be much, much larger. These are extraordinarily popular domains, meaning that there's a lot of traffic associated with them. They're going to be not as popular as Google, right? Not as popular as Facebook. But they're still going to be up there more popular than very common VPN, security services, sharing systems, things like that. So tons and tons and tons of domain name traffic. And what that says to us is there is a lot of ways in which that actor is approaching both consumers and enterprises.
Dave Bittner: And what exactly are they up to here? What's the approach and what are they hoping to get out of this?
Dr. Renee Burton: They're certainly financially motivated. As a company, they're making money off of the people who sign up with them as "publishers," meaning that they put the links on things and advertisers, which are the ones that show things. They are distributing both scams and malware. So they're affiliating or having advertisers who are the ones actually giving these scams and malwares. However, we also had very specific instances, again, one coming from my own phone, where malware was dropped directly onto my device from an IP address that is theirs, that is in their network.
Dave Bittner: Is there a legitimate side to their business? You all talk about plausible deniability in the report here. Is it all malware and scams?
Dr. Renee Burton: It's mostly [laughter]. I think that that's just a side effect, too, of when you're in this type of the advertising business, you don't have the cachet of being Google or being Taboola, any one of these really big, well-known advertising networks. And you are -- they are out of Cyprus, but they're Russian oriented. So they get a different kind of traffic. They're going to be seen on a variety of like gambling sites or on cracking sites or on free video download sites. You'll see that their ads would be there. That's one of the many ways that would happen. And so you could, you know, you might argue, well, this illegal gambling site is legitimate, you know, in some fashion and they're using them as a customer. I think also that we find with these ad tech businesses that they are trying to get people who want to make money. If you think about, you know, the world and the economy, all over the world, it's quite varied. And there's a lot of hope around the world. So there's a lot of people in Indonesia, India, a variety of other countries that face a lot of economic challenges. And what they see is basically marketing that, affiliate marketing, is a way that they can make money. And a lot of them will join in, you know, to do that kind of thing. So they might end up being led down a path where they're delivering scams, but in fact themselves are really just trying to find a way to make bread, you know, put food on the table type of thing.
Dave Bittner: Yeah. The research describes Vane Viper as being tied to AdTech Holdings and its subsidiaries, companies like Propeller Ads. Can you unpack that corporate structure for us? There's shell companies, there's offshore registrations, there's a lot to unwind here.
Dr. Renee Burton: AdTech Holdings is one of, you know, many different actors that we're looking at more recently. We also released an actor known as VexTrio, whose structures are even more convoluted. In the case of AdTech Holdings, everything that we're looking at really is in that advertising and marketing technology space. But there are a bunch of companies that they essentially advertise to be independent of each other, but are still under that holding. So Propeller Ads is probably their big flagship one. But Propeller Ads itself has other entities like Money Tag below that. There's a group called Zedo, which is independent in some ways, but it's still part of AdTech Holding. So there's a lot of ownership aspects over the last more than a decade that really tie the different companies together, including their hosting providers, lots of personalities who are involved in, particularly, the Cyprus regional tech market.
Dave Bittner: Well, can we dig into some of the tools that they're actually using here? There's a lot of things going on for them to be able to do what they do. Can you walk us through some of that?
Dr. Renee Burton: So when we look at what sort of tools or tactics, devices, that they are using, they heavily use push notifications. This is widely used across malicious AdTech. And it's actually quite brilliant. It provides a mechanism for persistence on a device in that somehow or another, you convince someone to allow notifications. And now, instead of getting that one opportunity to scam them, you get an infinite number of opportunities [laughter]. And even more than that -- I recently had one where we were recording. We found -- it's a different company, but it's similar. The information that they provide allows me to see what they're tracking about me. And I could see that they're charging the advertiser about five cents to get a push notification onto my phone. And then I can also see that they've already computed my conversion rate or the likelihood of me to actually look at that ad to be almost zero, it's just slightly above zero. And yet they're pushing 100 notifications a day. So if you think about that from the AdTech or AdTech Holdings or Propeller side, they're being able to push, you know, 100 notices a day onto a single device charging five cents or one cent, whatever it is, for that device. They're getting that money no matter what, even if the user doesn't kind of click on it. So they can just roll in, you know, roll in cash through these notifications because they're charging the advertisers to be able to show the notification. Which is quite brilliant. That's one of the ways in which they're handling victims. And they get it on both sides, right? They get the victim, but they also get the advertiser who is paying them in order to show these advertisements, which is really interesting. The other thing that they do is they're providing a traffic distribution system, or TDS, is the term we would use. The concept there is that I'm giving you the offer or the ad that you're most likely to buy, which here is going to be the scam or the malware. 
So depending on your device type, where you are in the region, what kind of notification you already clicked. This would happen even if it was just a pop-up ad. So say, for instance, maybe you're on a gaming site or a movie streaming site, sort of, I know that, so I can make tailored things to you, as well as your IP address or your device type. And then I will funnel you through this TDS in order to deliver the offer that, one, you're more likely to buy, but two, I'm going to make money off of it as the advertising network.
Dave Bittner: We'll be right back. Now, you all found some of these campaigns that look to the user like normal software downloads or even search pages. How would a victim typically stumble into one of these traps?
Dr. Renee Burton: So they can just be regularly browsing the web. That is absolutely one way that can happen, especially with pages that are smaller or less common, and they've taken on advertising as a way to make some money off of that page. It can come through parking systems, we've found. It can come through compromised websites. It could come through spam. So a variety of ways will take the victim, you know, into that funnel, essentially. And then in those two cases that you were mentioning from the paper, in one case, we had a phone, and that phone kind of met the criteria for the malware download. And it essentially said, you know, you need to download this file. And when we did, clicked it and downloaded it, that turned out to be an information stealer, as I recall. But if you weren't the right person, like your device was too old or too new or whichever way in which you didn't match, or they thought you were, say, a security company, then instead you got a Google search page. So you had just suddenly clicked up and showed a Google search page. And that's the decoy part of it.
Dave Bittner: Right. Interesting. Now, one of the things that caught my eye in the research was sort of you and your colleagues going through this aha moment of shifting from, hey, Propeller Ads is being abused, to wait a minute, Propeller Ads might be complicit. Can you walk us through that process for you all?
Dr. Renee Burton: Yes. I think this is the process that we have to go through whenever there's a commercial entity involved, whether it be a small one, or a big one like Google, right? Every time that you see a company that's offering a commercial service and is being abused, then you need to understand, okay, what role specifically are they playing? It could be that they're just lazy, that they aren't checking information from their advertisers. It could be that they're overwhelmed, right? Some people would argue this about how much Google -- you know, there's a ton of malvertising that comes through Google search. And people would argue whether there's too much or for whatever reasons, they struggle to be able to handle that, right? It's one of the more popular things that happen. The other thing that happens is that the advertisers who are, say, doing malware scams, those are typically what we call "cloaked." Meaning they're hiding as well. And they're doing that, say, independent of Propeller in this case. So Propeller could make an argument that, we can't even see that it's bad because they've cloaked the ad. That is certainly true in the case of large groups like Facebook and Google. Those ads are cloaked, it may be hard for them to tell that. So there's a lot of complexity that comes down to, am I actually going to make an accusation of being involved or being complicit, knowingly catering to cybercriminals? In our case, we were able to show not once, but many times -- we only highlight a few of those within the paper -- that we were getting malicious content delivery and specifically malware directly from the IP addresses that are known to be owned by Propeller Ads. So this wasn't a redirection where they were sending stuff to an external advertiser, and that external "advertiser" was delivering the malware. They were doing it off of their own infrastructure, which makes them responsible.
Dave Bittner: Looking at the bigger picture here, when we consider Vane Viper, is this just kind of part of the digital advertising ecosystem in which we live these days? Is it sort of the, I don't know, the dark underbelly of that world?
Dr. Renee Burton: Well, I'm really optimistic. I think what has happened is that a group, a large number of groups of organized crime, it's predominantly driven out of Russian-speaking areas. It's not exclusive, but it's predominantly that. Starting in around 2015, they were able to create an entire ecosystem. And they're successful in staying off the radar in part because they weren't trying to be on CBS's front page, right? They were working in this other world of compromising domains and doing smaller sites and advertising. Because of the successful nature of their cloaking or their hiding of domains, it took a very long time for people to start to realize, wait a second, this is actually connected to the distribution of all kinds of malicious content, including ones that lead to, you know, data breaches that people care a lot about, and disinformation like the Doppelganger Russian disinformation campaigns. Once that starts rolling and people start realizing these things go together, there is a traffic distribution system involved, now we're moving along three, four, five more years in understanding things within the security industry, people are gaining momentum and realizing, oh, wait a second, these are registered companies. So the scrutiny on these companies is gaining momentum, it is going to get bigger and bigger and bigger. And I am an optimist. I think they will be held accountable, and I think we will find better defenses as we go forward [laughter].
Dave Bittner: I admire your optimism, Renee. So based on the information that you all have gathered here, what are your recommendations? I mean, for both business leaders who are looking to protect their organization, but then also for everyday users, any words of wisdom here?
Dr. Renee Burton: So for users, really don't accept notifications. That's an important thing altogether. And to be somewhat suspicious. If you see something that suddenly redirects you -- like you hit on something and then it showed you a Google search page, or it showed you a Facebook or an Amazon just out of the blue -- that is probably part of malicious advertising. And in every country in the world, there is a way in which you can report that activity to law enforcement. It is really important for us to report these things to law enforcement, whether we saw them and weren't victimized, or more importantly, when we are victimized. Because that is what the momentum requires in order to get people taken care of, to be able to understand the victimology of those things. Certainly putting in security measures, you know, wherever you can find security measures that are going to specifically tackle traffic distribution systems. Those are so hard to see and recognize and track that that kind of thing is going to be really helpful for you. As a consumer where you don't have money for big devices, things like an ad blocker will certainly help. It's not perfect, but it would definitely help. [ Music ]
Dave Bittner: Our thanks to Dr. Renee Burton from Infoblox for joining us. The research is titled "Deniability by Design: DNS-Driven Insights into a Malicious Ad Network." We'll have a link in the Show Notes. And that's Research Saturday brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the Show Notes or send an email to cyberwire@n2k.com. This episode was produced by Liz Stokes. We're mixed by Elliott Peltzman and Tre Hester. Our executive producer is Jennifer Eiben, Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next time. [ Music ]
