CyberWire Daily - Beyond the smoke screen. [Research Saturday]
Episode Date: August 23, 2025
This week, we are joined by Dr. Renée Burton, VP of Infoblox Threat Intel, who is discussing their work on VexTrio, a notorious traffic distribution system (TDS) involved in digital fraud. The VexTrio investigation uncovers a massive global ad fraud and scam operation powered by just 250 virtual machines, tying it directly to named individuals and shell companies across Europe. The research exposes VexTrio's full criminal supply chain, including fake apps, dating scams, affiliate networks, and payment processors, alongside a powerful CDN infrastructure ranked among the world's top 10k domains. It also calls on the adtech industry to take accountability for enabling and sustaining such widespread abuse. Complete our annual audience survey before August 31. The research can be found here: VexTrio's Origin Story: From Spam to Scam to Adtech. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyberwire Network, powered by N2K.
The DMV has established itself as a top-tier player in the global cyber industry.
DMV Rising is the premier event for cyber leaders and innovators to engage in meaningful discussions and celebrate the innovation happening in and around the Washington, D.C. area. Join us on Thursday, September 18th, to connect with the leading minds shaping our field and experience firsthand why the Washington, D.C. region is the beating heart of cyber innovation. Visit DMVRising.com to secure your spot.
trust enterprise solution that stops ransomware in its tracks. Allowlisting is a deny-by-default software that makes application control simple and fast. Ringfencing is an application containment strategy, ensuring apps can only access the files, registry keys, network resources, and other applications they truly need to function. Shut out cybercriminals with world-class endpoint protection from ThreatLocker.
Hello everyone and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts
tracking down the threats and vulnerabilities,
solving some of the hard problems and protecting ourselves in our rapidly evolving cyberspace.
Thanks for joining us.
So VexTrio came to our attention in the same way that it came, you know, to others within the industry.
In particular, there were really large numbers of compromised websites, which when visitors went to them, they would conditionally, meaning sometimes, redirect those people to a variety of scams.
So it was really originally about these compromised websites and then seeing that there was a common DNS theme within that.
That's Dr. Renée Burton, VP of Threat Intelligence at Infoblox.
Today we're discussing their work on VexTrio,
a notorious traffic distribution system involved in digital fraud.
Well, you all describe VexTrio as having its roots in spam, and then evolving through scam tactics and eventually becoming part of malicious ad tech. Can you walk us through that journey from their early days to where they are today?
Yeah. So if we look at VexTrio, when we try to think of it as an origin story, we really are trying to pull back to what are the earliest things that we can find about people who have been involved with them during the days that we have, you know, as a security industry, thought of VexTrio. So that's, you know, this period between 2017 and 2025. And we looked at those key figures, and then we tried to draw back: how far can we track those key figures back? And the roots actually come out of two different areas. So we see one group coming out of Turin, Turin, Italy. And that was the group that was more involved with spam, from all records that we can see.
They really came into the dating industry, and they were very, very successful.
They had partners in major mobile networks in the mid-2000s, 2008, 2009.
And in 2012, they reportedly had one of the fastest growing Facebook games.
And if you remember, you know, there was that period, right, where Facebook was like all of these little pop-up games that were coming into feeds.
At that time, their one-date server, one-date app, was part of that growing population.
But they were also attached to a lot of accusations of spam, and there were a couple of lawsuits associated with that behavior.
So that's the Italians.
And then we see the Italians move to Lugano in 2015, and they continue to be in their, they're mostly in their dating verticals in that area. Separate of them, and also coincidentally, I think in 2015 we see a variety of Eastern European, Russian-speaking people kind of move, and companies move, into Prague. And there we see a sort of similar behavior. That group is a lot more computer science. They're really good at DevOps, they're good at scaling stuff, they're good at algorithms. And they're the ones who have actually built these, what we call traffic distribution systems, TDS, which hide or cloak the domains from people. So they were all in Prague. And then in 2020-ish, we don't know exactly, but it appears to be sometime in 2020, they merge in some way and the headquarters get moved into Lugano. So at this point, even though there's people still around the world, in particular in Prague and elsewhere, the headquarters, the financial center, is in Lugano, and it becomes kind of one group.
Now, was it 2022 or so when they were formally recognized?
So we discovered them as a group in, yeah, 2022, I believe it was, and started tracking.
We didn't publish about them until we'd been tracking them, I think, for close to a year. So it might have been 2021. What happened then is, you know, as always happens with the security industry, is once we recognize that something is not, you know, a series of random campaigns, or we're able to associate it with some kind of threat actor, then we and other collaborators can start to look backwards and say, okay, where can I find the origin? And our understanding of their activity has matured, and it continues to mature as of this week, honestly. It's like crazy that you're able to keep pulling and pulling back. But together with our collaborators, you know, we can now date that activity back to about 2015, which is, by the way, when they went to Prague.
Interesting. Now, you mentioned the traffic distribution systems, or TDS, that seem to be kind of central to their operations. Can you explain to us how TDS works in this particular context and why it's such an effective tool?
Yes, so TDS to me is probably the single most important and single least understood phenomenon in the security industry, or in the cybercrime world, today.
What it's doing is, think of it as, there's a couple ways to think about it. One is it's sort of like a maze that you're not going to see. So it's like a black box maze. And the purpose of that black box is to disguise, and the word that the industry would use is cloak, to cloak the true mechanism or the true domain that you're going to go to. So in essence, for instance, you visit this website, and that happens to be a compromised website. So you're going to, you know, ABC News or something. They are not compromised, mind, but let's use them as an example. You're going to your local news site, and that site is compromised. What they will do, the malware that's on there, it will fingerprint you. So it's going to say, oh, you are in this location, you're using this kind of device, mobile or desktop. It's going to get your browser information. It'll try to get your operating system information. And that will create a little fingerprint, and then that will send you into the TDS.
And there's a variety of ways to think about that.
Some people think of it as a Plinko game, as a maze.
But that's basically like a big decision framework.
In fact, those ad tech people often call it a funnel.
So they're like deciding, ooh, what is the most likely thing that you are going to buy?
Now, buy here means as a scam, right?
Or as a malware.
Okay, yeah.
So it's like, what's the most likely thing?
And then it will route through this, you know, maze that you can't see and then pop you back out into what is the real end thing, whether that be a scam or an information steal or that kind of output.
But malicious nonetheless.
So to put that back together again, the purpose of the TDS is to provide the infrastructure that maximizes the profit for the cyber criminals.
That's really the way to think about it.
And for me, the user, you know, I'm visiting what I think is my local website that's been compromised.
What's my experience like as I'm being routed through this TDS?
Sometimes you will see a, you know, at the bottom of your screen or the top of your screen, you will see redirecting to and you might see things flashing past.
But very often you won't.
So very often what will happen is you're going to your local news site. And there's like a fraction, you know, it's just like a fractional pause, because that's where it's fingerprinting and deciding what it's going to do with you. And then instead of seeing news, you're going to see something else, whichever thing they've decided you're most likely to get.
I think one of the more alarming ones for consumers is the tech support scams. So you, again, you're browsing the internet. I think most of us have had this happen to us. Doing normal things, suddenly your machine has been taken over, and it says, you know, Windows Defender or, you know, pick some product, has decided that you've got malware and you need to call this phone number or you need to download this file or something like that.
That's that scareware notion, and it's usually extremely alarming, may have noise even with it.
That is a typical experience for a user.
We'll be right back.
Toronto.
There's another great city that starts with a T.
Tampa, Florida.
Fly to Tampa on Porter Airlines to see why it's so terrific.
On your way there, relax with free beer, wine, and snacks, free fast-streaming Wi-Fi, and no middle seats.
You've never flown to Florida like this before, so you'll land in Tampa ready to explore.
Visit FlyPorter.com and actually enjoy economy.
You tune in here at Research Saturday every single week.
Now we'd love to hear from you.
Your voice can help shape the future of N2K networks.
Tell us what matters most to you
by completing our annual audience survey.
Your insights help us grow to better meet your needs.
There's a link to the survey in our show notes.
We're collecting your comments through August 31st.
Thanks.
CISOs and CIOs know machine identities now outnumber humans by more than 80 to 1, and without securing them, trust, uptime, outages, and compliance are at risk.
CyberArk is leading the way with the only unified platform purpose-built to secure every machine identity, certificates, secrets, and workloads across all environments, all clouds, and all AI agents.
Designed for scale, automation, and quantum readiness, CyberArk helps modern enterprises secure their machine future.
Visit cyberark.com slash machines to see how.
You know, it's interesting because I remember a specific case where my father had fallen prey to this sort of thing.
And one of the challenges for us to figure out what had happened was trying to figure out whether his computer itself had been compromised or it was a website that he was visiting that had been compromised.
And so it strikes me that that's sort of a key element of this as you're looking at it.
In this case, it is the websites themselves that have been compromised, right?
Yes.
And that is the real tricky thing is, for a security team, so we typically talk to a SOC, and, you know, you might say something happened on my machine, and then they want to know where it came from. And because of the way the TDS works, you frequently cannot recreate that experience, because it's checking first. It's looking for security groups, it's checking to see whether or not you're coming out of some anonymous kind of proxy. So there's a lot of protection on their part to prevent non-victims from coming through their system.
And they'll also do things like put cookies on your machine, which allows them to know that they've already scammed you, or you've already had that visit, and then they won't do it again, so that it can't be recreated.
It's an extremely tricky thing.
How kind of them.
Exactly.
Exactly.
So what sort of scale do we suppose we're talking about here?
How big of an operation is this?
They're absolutely enormous.
And VexTrio is only one, you know, one group within this malicious ad tech industry.
We have associated about 100 companies and brands directly to eight key figures within VexTrio.
Not all of those are in ad tech.
They have a lot of money.
So they have companies in construction, they have payment processing companies, they have cryptocurrency, blockchain companies, they've got restaurants, energy companies.
They're very well diversified from a corporate perspective, as well as, of course, everything to do with advertising.
They've got email, direct email marketing companies, email validation companies, of course, multiple affiliate networks, which are how you get those ads changed.
They've got brand awareness, search engine optimization.
They really are dug in everywhere.
And then we also study other groups.
We're not like only targeting them.
We're targeting all the bad guys.
And you have this similar sort of phenomenon of classic large-scale shell company
kind of operations.
I see.
Well, I know you and your Infoblox colleagues are leveraging DNS data to try to enable early detection here.
Can you explain how you all are going about that?
Yeah, so what we do, I mean, this is where our real wheelhouse is.
We're not going around and watching malware by itself on websites.
We partner with a number of others whose specialty is in that area.
Our specialty is in DNS.
So what we do is we say, okay, we know that these traffic distribution systems, these TDS, they have to use domain names.
That's how the Internet works.
Basically, everything needs a domain name.
And they have to have very protected assets, because their transactions, according to them, and our evidence supports their claims, are 20 billion-plus transactions a day, right?
And if we think about all of them together, right? We're talking about probably 100 billion transactions a day. So they need a very resilient, robust system that nobody can easily break. That typically means they're going to need a wide variety of domain names. And it's just human nature that you create patterns in how you're going to register and use your domains. And in some ways, when you create no patterns, you also create a pattern, right?
I spent 23 years at the National Security Agency.
And so I have a lot of experience in looking for patterns where other people are not looking for patterns, or where you don't realize that you're placing that down.
And then we combine all of those things together, and we have like a fairly complex apparatus that is watching for domain name creation and use in these contexts.
I see.
So what are your recommendations then?
I mean, based on the information that you've gathered here,
what should people do to protect themselves?
Well, there's a couple of things.
So there's always education, of course,
you know, in the sense that if your machine suddenly comes up
and says you have malware, Google or Microsoft,
say, you know, something's wrong with your machine.
You don't, right?
In most cases, these things are, you can actually back out of them. Or if you're suddenly redirected to a variety of places, or something seems to be too good to be true. Of course, education-wise, you know, for our end users, we want to do that. For our security, we also want to be aware. Most people in the security industry are not aware of TDS. It's been quite an educational process to bring us this far. And from a really, from a security or protection apparatus, DNS is the most effective in the sense that it has the largest, you know, largest application, because every connection that you're going to need, whether that's coming from a compromised site or whether they've done the lures through Instagram or whether it's a Google ad or a Facebook ad, in the end, they're going to need a domain name. And so protective DNS, whether that's, you know, provided through a commercial company or some other fashion, people can roll their own if they really want to.
That is really the best way to be protected against these kind of folks.
And, of course, taking them down, right?
Right, right, right.
You mentioned that TDS is sort of flown under the radar when it comes to security professionals.
Why do you suppose that is?
It's really a visibility issue in the sense that when you work in the field,
you or your product or your company has a specialty.
You know, you're there to protect people's websites, for example,
or you're there to protect people's advertising,
whatever your specialty is.
And as a result, you might see a lot of times when I talk to people,
they're like, oh, yeah, I saw a bunch of redirects.
For you, that probably doesn't matter
because you're not a DNS company.
You're not really protecting in the domain space.
You're looking for malware, and it just isn't, you know, isn't that important.
But for us, since what we do is domain name intelligence, DNS intelligence, we are hyper-focused on breaking that cycle within that maze or funnel aspect of things.
Right, right.
I'm just imagining you standing on a street corner,
you know, yelling out to all your colleagues.
Are you not seeing this?
Yes, that is what I do every day.
Right, right, right.
Well, I think I have everything I need for our story here.
Is there anything I missed?
Anything I haven't asked you that you think it's important to share?
We have seen VexTrio and some of the other major malicious ad tech.
We have seen them in over 50% of our customer networks.
It's extraordinarily broadly seen.
I think VexTrio is something like 88% over time we've seen.
And then they have insanely popular domains.
So there are CDNs where they're storing their images in order to do the content delivery fast.
Those domains are in the top 10,000 as measured by popularity worldwide, which means they're really, really, really popular.
Our thanks to Dr. Renée Burton from Infoblox for joining us.
Today we were discussing their work on VexTrio,
a notorious traffic distribution system involved in digital fraud.
We'll have a link in the show notes.
And that's Research Saturday, brought to you by N2K Cyberwire.
We'd love to hear from you.
We're conducting our annual audience survey to learn more about our listeners.
We're collecting your insights through the end of August.
There's a link in the show notes.
please do check it out.
This episode was produced by Liz Stokes.
We're mixed by Elliott Peltzman and Trey Hester.
Our executive producer is Jennifer Eiben.
Peter Kilpe is our publisher, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here next time.
Thank you.