The Shadowy Ecosystem Fueling Disinformation: How Malicious Ad Tech Is Winning
Nearly 40% of compromised websites redirected visitors to a single malicious traffic distribution system (TDS) – VexTrio – in 2024. This isn’t just about annoying pop-ups or questionable dating sites; it’s a stark illustration of how a sophisticated, resilient network of malicious advertising technology is being exploited to spread disinformation, facilitate scams, and potentially influence public opinion. Recent investigations reveal a deeply interconnected world where Kremlin-backed operations seamlessly leverage the same infrastructure as everyday online hucksters, and the lines between legitimate advertising and criminal activity are increasingly blurred.
The Doppelganger Network and the Art of Deception
Researchers at Qurium first uncovered the extent of the problem with their investigation into “Doppelganger,” a pro-Russian disinformation network infiltrating European media. Doppelganger doesn’t rely on brute-force tactics; instead, it employs a clever technique called “domain cloaking.” This allows the network to present different content to search engines than to regular visitors, keeping the disinformation sites online longer and ensuring targeted audiences receive the intended messaging. The network uses a complex chain of domain redirections, bouncing users through multiple sites before delivering the fake news.
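A defender-side way to spot the cloaking and redirect-chain behaviour described above is to fetch the same URL as a search-engine crawler and as an ordinary browser, follow each redirect hop by hand, and compare where the two paths end. The script below is an added example, not Qurium's or Infoblox's tooling; it uses a constructed, offline set of responses (the `.test` hostnames are placeholders) and an injectable `fetch` function so the same logic can later be wired to a real HTTP client.

```python
"""Detect search-engine cloaking across a redirect chain (added example)."""
from urllib.parse import urljoin, urlparse

CRAWLER_UA = "Googlebot/2.1 (+http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"

# Constructed responses keyed by (url, user_agent) -> (status, location, body).
# A crawler sees a harmless page; a browser is bounced through two hosts.
FAKE_WEB = {
    ("https://news-example.test/article", CRAWLER_UA): (200, None, "Harmless local news story"),
    ("https://news-example.test/article", BROWSER_UA): (302, "https://hop1-example.test/r", ""),
    ("https://hop1-example.test/r", BROWSER_UA): (302, "https://hop2-example.test/go", ""),
    ("https://hop2-example.test/go", BROWSER_UA): (200, None, "Fabricated story"),
}

def fake_fetch(url, ua):
    """Offline stand-in for an HTTP client that does NOT auto-follow redirects."""
    return FAKE_WEB.get((url, ua), (404, None, ""))

def follow_chain(fetch, url, ua, max_hops=10):
    """Follow redirects manually; return the list of URLs visited and the final body."""
    chain = [url]
    for _ in range(max_hops):
        status, location, body = fetch(url, ua)
        if status in (301, 302, 303, 307, 308) and location:
            url = urljoin(url, location)  # resolve relative Location headers
            chain.append(url)
            continue
        return chain, body
    raise RuntimeError("redirect loop or chain longer than max_hops")

def detect_cloaking(fetch, url):
    """Compare crawler vs. browser outcomes for one URL and summarise the finding."""
    crawler_chain, crawler_body = follow_chain(fetch, url, CRAWLER_UA)
    browser_chain, browser_body = follow_chain(fetch, url, BROWSER_UA)
    crawler_host = urlparse(crawler_chain[-1]).netloc
    browser_host = urlparse(browser_chain[-1]).netloc
    domains_crossed = len({urlparse(u).netloc for u in browser_chain})
    return {
        # Different final host or different content for the same URL = cloaking signal
        "cloaked": crawler_host != browser_host or crawler_body != browser_body,
        "browser_hops": len(browser_chain) - 1,
        "domains_crossed": domains_crossed,
        "final_host": browser_host,
    }

if __name__ == "__main__":
    print(detect_cloaking(fake_fetch, "https://news-example.test/article"))
```

To run it against live sites, replace `fake_fetch` with a client that disables automatic redirects (for example `requests.get(url, headers={"User-Agent": ua}, allow_redirects=False)`) so every hop is recorded.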
VexTrio: The Oldest Player in a Dangerous Game
What makes Doppelganger particularly insidious is its reliance on VexTrio, considered the oldest malicious traffic distribution system (TDS) in existence. While legitimate advertising networks use TDSs to manage traffic, VexTrio primarily handles traffic originating from phishing attacks, malware, and social engineering scams. This connection highlights a critical point: disinformation campaigns aren’t operating in isolation. They’re piggybacking on existing criminal infrastructure, amplifying their reach and minimizing their risk.
Breaking Bad and the LosPollos Connection
The investigation took a bizarre turn with the discovery of LosPollos, an advertising network that strikingly mirrors the fictional “Los Pollos Hermanos” restaurant from the television series Breaking Bad – a front for a drug cartel. LosPollos affiliates earn commissions by embedding “smartlinks” into hacked WordPress websites, directing unsuspecting users to a variety of malicious destinations, including dating scams, malware downloads, and deceptive mobile apps. The network’s use of the Breaking Bad theme isn’t merely aesthetic; it’s a deliberate branding choice that speaks to the clandestine and illicit nature of its operations.
Push Notifications as a Weapon
Alongside LosPollos, Qurium identified TacoLoco, another traffic monetization network employing deceptive tactics. TacoLoco tricks users into enabling push notifications through disguised “CAPTCHA” challenges. These notifications are then relentlessly used to bombard victims with phony virus alerts and misleading pop-up messages. This tactic, while seemingly minor, represents a significant revenue stream for malicious actors and a constant source of annoyance and potential harm for users.
The Russian Nexus and a Shifting Landscape
The investigation traced the operation of LosPollos and TacoLoco to Adspro Group, a company registered in the Czech Republic and Russia. Further digging revealed connections to Swiss firms ByteCore AG and SkyForge Digital AG, all ultimately linked to Guilio Vitorio Leonardo Cerutti. While Cerutti vehemently denies any association with VexTrio, the evidence suggests a complex web of interconnected entities. Interestingly, after Qurium’s report, LosPollos suspended its push monetization service and Adspro rebranded as Aimed Global – a clear indication of an attempt to evade scrutiny.
A Revealing Pivot: The Rise of Help TDS
Perhaps the most concerning development is the recent shift in traffic patterns. In late 2024, malware families previously reliant on VexTrio began redirecting traffic through a new TDS called Help TDS. Infoblox’s analysis revealed a long-standing, exclusive relationship between VexTrio and Help TDS, suggesting a deliberate effort to diversify and strengthen the network. This pivot also connected VexTrio to four additional Russia-based push monetization programs – Partners House, BroPush, RichAds, and RexPush – further solidifying the Russian nexus within this malicious ad tech ecosystem.
Beyond Scareware: The Real Threat of Malicious TDSs
Renee Burton, VP of Threat Intelligence at Infoblox, argues that the security industry has historically underestimated the danger posed by these malicious TDSs, often dismissing them as a nuisance associated with adware and scareware. However, Burton emphasizes that these networks are directly linked to the delivery of far more serious threats, including information stealers and scams costing consumers billions annually. The core takeaway is alarming: Russian organized crime appears to have significant control over this malicious ad tech infrastructure.
Protecting Yourself in a Deceptive Online World
So, what can you do? As security experts have long advised, be extremely cautious when approving website notifications. While some are legitimate, many are traps designed to deliver unwanted advertisements and malicious content. All major browsers allow you to disable notification requests entirely, a simple step that can significantly reduce your risk. You can find instructions for doing so in Mozilla Firefox, Google Chrome, and Apple Safari.
The fight against disinformation and online fraud is an ongoing battle. Understanding the underlying infrastructure and tactics employed by malicious actors is crucial for staying safe in an increasingly deceptive digital landscape. The resilience and adaptability of networks like VexTrio demonstrate that simply shutting down one component won’t solve the problem. A more comprehensive, collaborative approach – involving security researchers, law enforcement, and the advertising industry – is essential to disrupt this shadowy ecosystem and protect users worldwide. What steps will you take to safeguard your online experience?