Infoblox Inc.

01/27/2025 | News release | Distributed by Public on 01/27/2025 11:03

Pushed Down the Rabbit Hole

The Dangerous Combination of Compromised Websites and Malicious AdTech

In the security industry, we rarely tell a story from the victim's perspective. Instead, we focus on the adversarial world from a malicious actor's perspective: their tactics, techniques, and procedures (TTPs). I decided to take a turn as a victim and see what happened after visiting a compromised website that had been altered to integrate with malicious adtech. Adtech, or advertising technology, is the suite of software and tools that help make digital campaigns more effective. In some cases, its use is legitimate. But devious operatives and criminal organizations are also making hay with it, often by tying it to hacked websites. That integration gives threat actors a hook into the visitor's device, and I wanted to understand the impact not just in the moment, but in the days and weeks that followed.

The results of my experiment were surprising and far-reaching. I found that visiting a website linked with malicious adtech can have a long-lasting impact on the user's experience with their device. Threat actors accomplish adtech integration through website notifications, often called push notifications because they are pushed to the user's device. If the attacker tricks the user into accepting notifications, deceptive messages such as fake virus alerts will pop onto the screen. Clicking on those pop-ups will lead to more malicious content, which in turn negatively influences the user's experience with legitimate websites and newsfeeds.

It is easy to be exposed; there are hundreds of thousands of hacked websites on the internet and tens of thousands are newly compromised each day.1 Integrating adtech is as simple as adding a single line of code to the site. In return, the hacker receives a share of the revenue from "ads" delivered to the victim after they leave the page. I put ads in quotes here because these are not traditional ads, as I'll demonstrate below.

To start my experiment, I used my mom's old Google Pixel 2 phone with Chrome and Firefox browsers and began by visiting a compromised domain. The domain, germannautica[.]com, was identified by one of our detectors that tracks the threat actor VexTrio Viper. From there, I recorded what happened, creating a journal of sorts that I will share in a series of posts, beginning with this one.

Once I visited the compromised site and accepted notifications, I was "pushed" into an ecosystem that not only delivered an endless torrent of malicious content but also colored the mainstream content that was delivered to me. The built-in news feed and ads fed by major services like Google and Taboola were tainted by the manipulated content, and in a way that seemed irrevocable. Unlike my previous experiences with "clickbait" on my other personal devices, I found it difficult to discern the truth of many articles without external research, and the "news" often mimicked the suspect content I had received from the push notifications or compromised sites. Simply by visiting an affected website, I was led into a news and advertising cycle that was driven by the threat actor, not me. I could not escape the cycle, even after clearing browser information. In other words, despite cleaning up the direct impact of visiting a compromised website, the distorted information stream created from advertisement tracking remained.

I received over 100 push notifications per day from various domains, each notification leading to malicious content and often accompanied by requests to allow more push notifications. Some messages were threatening, others hopeful. The notices often forged major brands and led to interactive content. Besides disinformation and information bias, the push notifications I received led to a wide variety of scams, fake apps, and malware including:

  • Antivirus fraud
  • Gift card or sweepstakes fraud
  • Fake surveys
  • Fake crypto mining sites
  • Fake apps and adware
  • Malware delivery
  • Disinformation and tainted experiences

In this first entry, I'm going to share how the "scareware," or antivirus fraud industry, is thriving through malicious adtech, but let's start at the beginning of it all: the compromised website.

Getting the Push

When I visited germannautica[.]com from my phone, a DNS TXT record request, which contained information about my IP address, was made to a command and control (C2) server. The C2 server returned a new domain and website that redirected me into the traffic distribution system (TDS) operated by the threat actor named VexTrio Viper, whose operations we've described in several reports and posts. All of this activity happened in the blink of an eye. After a few redirections, during which the TDS used information about my device and location, I ended up with a request to allow push notifications, not from the site I initially visited, germannautica[.]com, but from a totally different domain name. The request was accompanied by a fake robot captcha that has long been associated with VexTrio Viper. The domain hosting this captcha content can vary, as does the accompanying image the threat actor uses for the captcha, but the purpose of the page is the same: get the user to accept push notifications. Some examples of VexTrio's captcha images are shown in Figure 1.


Figure 1. Examples of VexTrio Viper's landing page that leads the user to accept push notifications on their device; these were both seen when browsing to germannautica[.]com
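The DNS TXT lookup described above is something a defender can look for on the resolver side: a web server that starts issuing TXT queries whose leading label encodes the visitor's IP address is behaving unlike any normal TXT consumer (SPF, DMARC, DKIM, ACME). The script below is an added example, not Infoblox code and not a description of VexTrio's actual encoding. The log line format, the C2 name `c2-example.invalid`, and the three encodings it tries (hex, base64, dashed dotted-quad) are assumptions for illustration; adapt them to your resolver's logs and to what you observe.

```python
"""Flag DNS TXT lookups whose leading label carries an encoded client IP.

Added example, not Infoblox code. Log format, C2 domain and the encodings
tried are assumptions for this illustration.
"""
import base64
import ipaddress
import re
from collections import Counter

# Constructed resolver log: "<timestamp> <client> <qtype> <qname>"
SAMPLE_LOG = """\
2024-11-05T10:01:02Z 10.0.0.21 A   germannautica.com
2024-11-05T10:01:02Z 10.0.0.21 TXT c0a8011f.c2-example.invalid
2024-11-05T10:01:03Z 10.0.0.21 TXT MTkyLjE2OC4xLjMx.c2-example.invalid
2024-11-05T10:01:04Z 10.0.0.23 TXT 192-168-1-40.c2-example.invalid
2024-11-05T10:01:05Z 10.0.0.22 TXT _dmarc.example.com
2024-11-05T10:01:06Z 10.0.0.21 TXT google._domainkey.example.com
"""

HEX_RE = re.compile(r"^[0-9a-fA-F]{8}$")
DASHED_RE = re.compile(r"^\d{1,3}[-_]\d{1,3}[-_]\d{1,3}[-_]\d{1,3}$")
B64_RE = re.compile(r"^[A-Za-z0-9+/=_-]{8,}$")


def _as_ipv4(text):
    """Return a canonical dotted quad if text parses as IPv4, else None."""
    try:
        return str(ipaddress.IPv4Address(text))
    except ValueError:
        return None


def decode_embedded_ip(label):
    """Try the assumed encodings on one DNS label; return an IPv4 string or None."""
    if HEX_RE.match(label):                      # c0a8011f -> 192.168.1.31
        return str(ipaddress.IPv4Address(int(label, 16)))
    if DASHED_RE.match(label):                   # 192-168-1-40 -> 192.168.1.40
        return _as_ipv4(re.sub(r"[-_]", ".", label))
    if B64_RE.match(label):                      # MTkyLjE2OC4xLjMx -> 192.168.1.31
        padded = label.replace("-", "+").replace("_", "/")
        padded += "=" * (-len(padded) % 4)       # labels usually drop padding
        try:
            return _as_ipv4(base64.b64decode(padded, validate=True).decode("ascii"))
        except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
            return None
    return None


def parse_log(text):
    """Yield (timestamp, client, qtype, qname) tuples; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            ts, client, qtype, qname = parts
            yield ts, client, qtype.upper(), qname.rstrip(".")


def has_service_label(qname):
    """Underscore-prefixed labels (_dmarc, _domainkey, ...) are normal TXT users."""
    return any(label.startswith("_") for label in qname.split("."))


def find_beacons(log_text):
    """Return TXT queries whose leading labels decode to an IPv4 address."""
    findings = []
    for ts, client, qtype, qname in parse_log(log_text):
        if qtype != "TXT" or has_service_label(qname):
            continue
        labels = qname.split(".")
        for label in labels[:-2]:                # leave the registrable domain alone
            ip = decode_embedded_ip(label)
            if ip:
                findings.append({"ts": ts, "client": client,
                                 "qname": qname, "embedded_ip": ip})
                break
    return findings


def txt_volume_by_domain(log_text):
    """Count TXT queries per (client, parent domain) to spot chatty web servers."""
    counts = Counter()
    for _, client, qtype, qname in parse_log(log_text):
        if qtype == "TXT" and not has_service_label(qname):
            parent = ".".join(qname.split(".")[-2:])
            counts[(client, parent)] += 1
    return counts


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(f"{f['ts']} {f['client']} -> {f['qname']} embeds {f['embedded_ip']}")
    print(txt_volume_by_domain(SAMPLE_LOG).most_common(3))
```

The decoder is deliberately narrow: it only fires when a label decodes to a syntactically valid IPv4 address, so ordinary TXT traffic such as DMARC and DKIM lookups (or any label with an underscore service prefix) is never flagged. The volume counter is the cheaper first pass: a web server that issues dozens of TXT queries per hour to one unfamiliar parent domain is worth a look even before you work out the encoding.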

Once I accepted notifications, the VexTrio Viper TDS again redirected me based on the browser and my user characteristics. Because the TDS will direct users to different malicious content based on several of their characteristics, I accessed the same compromised site several times, simulating different devices and locations, and was taken to fake giveaways, fake dating sites, fake apps, and virus scares. See Figure 2 for some examples of the content delivered when visiting the altered site, germannautica[.]com.



Figure 2. Various landing pages from the VexTrio TDS in November 2024. All of these resulted from visiting the same domain germannautica[.]com. In many other cases, the actor redirects to the legitimate website.

How did all these different landing pages arise out of a single compromised domain? It turned out that not just one TDS was involved, but that a series of them route traffic to evade detection and maximize the likelihood of profit from the visitor. The user doesn't see most of this traffic in their browser, but it can be picked up by scanning tools like Urlscan. If you look carefully at the example redirection chain in Figure 3, you'll see mentions of "tds" in the URLs, variations on "track," which are used to track the user connection, the "space-robot" used for push notifications, as well as various advertising parameters. In recent months, we have discovered that many of these TDSs are not the work of hackers in hoodies; they are operated by shady adtech companies. In other words, the website hacker isn't the only bad guy in this story; but that is a tale for another day.

Figure 3. From a single compromised domain, several redirections are made through different TDSs to determine the final landing page; the user will only see a few of these in the browser.
Source: https://urlscan.io/result/a72f9acb-6c10-46cd-8a88-7b7503900179/

Within a few seconds, my phone began buzzing with notifications like those shown in Figure 4. Clicking one of these push notifications led to yet another series of redirects as I was sent through various TDSs. I always ended up with malicious content. In addition, I was typically asked to allow notifications from new domains. Within a short period of time, I was receiving alerts from a dozen domains and was deep down the "rabbit hole" of push notifications.



Figure 4. Examples of push notifications from my phone

Studying the redirections revealed an ecosystem of affiliated adtech companies, each delivering malicious content and all profiting from a handful of compromised domains. Over a 12-week period, I subscribed to notifications from over 150 different domains and received as many as 130 notifications in a single day from a single domain. I clicked on hundreds of push notifications and captured the domains that were resolved for each one. Our research group was able to identify specific adtech companies that benefit from compromised domains and facilitate the delivery of malicious content to users via these chains and their DNS records.

There are many different ways that websites ask for push notifications. They might insist that the user click "allow" to continue to the site, show a fake captcha test, or open multiple pop-up windows asking for notifications. Most websites use an embedded piece of code or a URL that links to an adtech service to manage the notification request on their behalf. Figure 5 shows a variety of malicious requests that I received.



Figure 5. Examples of push notification requests that were seen on my Pixel phone

Using my sacrificial phone taught me a lot about the experience of a user who has visited one of these compromised sites and fallen into the hole of push notifications. In addition to uncovering affiliate relationships our threat intel team hadn't encountered before, I experienced a few other quirks not discovered via sandboxes and scanners. One day the favicon for the compromised site I visited displayed as the well-known VexTrio Viper robot for about 24 hours before reverting to the default WordPress icon; see Figure 6. On another day, I received push notifications in Russian for several hours, and occasionally, I received a random notification in Italian or Spanish.


Figure 6. The favicon for the compromised website was temporarily shown as the VexTrio Viper robot and later reverted to a generic WordPress icon.

Is there really such a thing as malicious adtech? Yes. While some folks will argue that all adtech is malicious, what I am talking about here is an ecosystem of companies that are enabling cybercrime. They aren't just abused; at a minimum they are willfully ignorant, and often they are active participants. They purposefully established business silos in an attempt to create plausible deniability and look like legitimate corporations.

We just explored how adtech proliferates so successfully through hacked websites. Now let's turn our focus to how this technology plays out in a particular category of scams: scareware.

Scareware Runs Rampant

These bad adtech organizations prey heavily on a user's fear. Alerts about hacked accounts or malware are extremely common, especially for older devices like my Pixel 2. Scare tactics are not new: the Washington State Attorney General filed a lawsuit in 2008 citing the Computer Spyware Act against a Texas firm. The firm had used false warnings about Windows viruses to peddle their Registry Cleaner XP software. The Attorney General at the time said, "We won't tolerate the use of alarmist warnings or deceptive 'free scans' to trick consumers into buying software to fix a problem that doesn't even exist. … We've repeatedly proven that Internet companies that prey on consumers' anxieties are within our reach."2 Unfortunately, that success was short-lived, and scareware remains a thriving industry.

The alarming messages vary, but all have the same goal: instill enough fear in the user that they purchase an unnecessary security product. This approach is also used to convince users to install fake apps, a topic we'll cover in a later journal entry. Figure 7 contains examples of the scare tactic notifications I received on my phone. The wording and images in these messages are called "creatives" and are supplied by different affiliates of the malicious adtech group. They can include fake buttons and a wide range of images, including animation.



Figure 7. Examples of antivirus messages; these notifications often have fake buttons such as "dismiss," which will not dismiss the message but open the browser with scareware

Clicking the notification leads the user into a TDS and to a landing page that contains a fake virus scan. The user will typically be encouraged to conduct a scan which will falsely identify a number of threats on the device, often accompanied by flashing screens and audio. See Figure 8 for examples of scare pages that resulted from push notifications. To see how threat actors use flashing lights, alarms, and other tactics, see these videos (McAfee Scare, Fake AV App, Fake AT&T chat).



Figure 8. Examples of antivirus pages that are shown after clicking a scareware notification; these pages often have animation and require user interaction

Between clicking on the notification and arriving at the final page, my device connected to four to eight different domains, which served to hide the malicious activity and profile the device. Most of these domains were not recorded in the browser history and rapidly flashed across the screen as the browser was redirected through various TDSs. Connections were also made to other domains used by actors for tracking. Those connections were invisible to me in the browser, but I was able to recreate them by using an external scanner. An example of a typical redirection chain is shown in Table 1.

Domain redirection path:

  • fatdoggish[.]net ->
  • puschme[.]net ->
  • kbvt0wytrk[.]com ->
  • trcksolution[.]com ->
  • totalav.com

Table 1. Redirection through TDSs from a push notification to a final offer on the TotalAV website; this scan is available at https://urlscan.io/result/b15e928a-e130-402e-b911-661d65289474
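The chain in Table 1 and the tells called out for Figure 3 ("tds" and "space-robot" in paths, variations on "track", advertising parameters in query strings) are easy to check mechanically once you have the hop list from a scanner. The script below is an added example, not Infoblox code. It reuses the domains from Table 1, but the paths, query strings and status codes are constructed; the `(url, status, location)` tuple shape is a simplification, not urlscan's JSON schema, and the list of advertising parameter names is an assumption.

```python
"""Summarise a redirect chain and flag traffic-distribution-system tells.

Added example, not Infoblox code. Domains come from Table 1; paths, query
strings, status codes and the AD_PARAMS list are constructed/assumed.
"""
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample chain: (requested URL, HTTP status, Location header or None)
SAMPLE_CHAIN = [
    ("https://fatdoggish[.]net/space-robot/?zoneid=4411&click=c0ffee", 302,
     "https://puschme[.]net/tds/?id=c0ffee&track=1"),
    ("https://puschme[.]net/tds/?id=c0ffee&track=1", 302,
     "https://kbvt0wytrk[.]com/?clickid=c0ffee&utm_source=push"),
    ("https://kbvt0wytrk[.]com/?clickid=c0ffee&utm_source=push", 302,
     "https://trcksolution[.]com/go?offer=av&subid=c0ffee"),
    ("https://trcksolution[.]com/go?offer=av&subid=c0ffee", 302,
     "https://totalav.com/?ref=constructed"),
    ("https://totalav.com/?ref=constructed", 200, None),
]

TDS_TOKENS = ("tds", "space-robot")               # named in the text
TRACK_RE = re.compile(r"tra?ck|trk")              # "track", "trck", "trk"
AD_PARAMS = {"clickid", "click", "subid", "zoneid", "affid", "cid"}  # assumed list


def refang(url):
    """Turn defanged indicators (hxxp, [.]) back into a parseable URL."""
    return url.replace("[.]", ".").replace("hxxp", "http")


def domain_of(url):
    return (urlparse(refang(url)).hostname or "").lower()


def indicators(url):
    """Return the set of TDS/affiliate tells found in one URL."""
    p = urlparse(refang(url).lower())
    found = set()
    host_and_path = p.netloc + p.path
    for tok in TDS_TOKENS:
        if tok in host_and_path:
            found.add(tok)
    if TRACK_RE.search(host_and_path) or TRACK_RE.search(p.query):
        found.add("track")
    for key in parse_qs(p.query, keep_blank_values=True):
        if key in AD_PARAMS or key.startswith("utm_"):
            found.add("param:" + key)
    return found


def summarize_chain(hops):
    """Describe the chain the way the user never sees it: every domain in between."""
    urls = [refang(u) for u, _, _ in hops]
    domains = [domain_of(u) for u in urls]
    # Each Location header should name the next request; a gap means the
    # scanner missed a hop (or a hop was driven by JavaScript, not HTTP).
    continuous = all(
        loc is not None and refang(loc) == urls[i + 1]
        for i, (_, _, loc) in enumerate(hops[:-1])
    )
    flagged = {}
    for url, domain in zip(urls, domains):
        hits = indicators(url)
        if hits:
            flagged.setdefault(domain, set()).update(hits)
    return {
        "hops": len(hops),
        "first_domain": domains[0],
        "final_domain": domains[-1],
        "intermediate_domains": domains[1:-1],
        "distinct_domains": len(set(domains)),
        "continuous": continuous,
        "flagged": {d: sorted(h) for d, h in flagged.items()},
    }


if __name__ == "__main__":
    s = summarize_chain(SAMPLE_CHAIN)
    print(f"{s['first_domain']} -> ... -> {s['final_domain']} "
          f"({s['hops']} hops, {len(s['intermediate_domains'])} hidden from the user)")
    for d, hits in s["flagged"].items():
        print(f"  {d}: {', '.join(hits)}")
```

Two points worth noting. The intermediate domains are the ones the text says never show up in browser history; they are also the ones worth blocking at the resolver, since the first domain changes with every notification and the last one is a legitimate vendor. And the final domain is not flagged at all here, which is the right outcome: the tells live in the chain, not at its destination.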

The final destination is often a real website: TotalAV, Norton, or McAfee. Why would malicious actors send users to these commercial sites? The answer: money! These antivirus companies offer generous affiliate programs that pay 70-90% of the revenue over the lifetime of a subscription. On my phone, I was repeatedly offered TotalAV subscriptions for US$1.99, but after a month, the rate went to $14.99 each month. If threat actors can draw users into a subscription, the users might not read the fine print that enters them into a high-cost recurring contract after a short trial period. Online reviews of TotalAV are filled with users who were duped into a subscription for the product and then found it difficult to cancel or were charged repeatedly by the vendor. The $1.99 soon becomes $100, and the affiliate is promised a large portion of this money.

On my phone, almost all scares led to TotalAV products. I took the bait and paid $1.99 with a prepaid credit card and fake information. Then I immediately set about trying to unsubscribe to avoid the monthly charge and get TotalAV off of my device. It took some work, but I was able to cancel. TotalAV sent a few threatening emails, but neither the initial threat actor nor TotalAV withdrew more funds from my card.

Six weeks after I canceled, I received an email from TotalAV claiming that my credit card payment had failed. Well, that's good; I don't have a TotalAV subscription! They had retained my payment information, so whether they really tried to charge the card or just wanted to scare me into another payment, TotalAV engaged in fraudulent behavior. Over two months after canceling my subscription, I continue to get emails from TotalAV for non-payment. See the email in Figure 9.


Figure 9. Email from TotalAV acknowledging that my subscription was canceled and then another six weeks later claiming that my payment had failed

In some cases, the notifications lead to a fake app. I'm going to cover fake apps in a different blog because the topic is so rich, but I'll give a sneak peek at the kind of apps I encountered in the push notification rabbit hole. I was led to the website called AdTranquility. Although their mobile app is available on the Google Play store, the threat actor hoped I would subscribe directly through them. I didn't. But reviewing the app information in the Play store, it becomes clear how prevalent adtech-fueled scams have become: AdTranquility has over 500k downloads and a 4.6 review score. Sounds pretty good. But a closer look at the low ratings reveals the true nature of this software: the developers make money by bombarding the user with ads … and possibly worse. See Figure 10.



Figure 10. Fake AT&T messages led to the AdTranquility app, which is adware software; though this app was not analyzed, we have found that fake security apps often contain malware components

News website Ars Technica summed up scareware tactics well in 2008 when they wrote about Registry Cleaner XP, "In a best-case scenario, scareware does no harm after the consumer has been tricked into installing it. Worst case, the stuff is as full of malware, exploits, and/or system-crashing instabilities as the problems it purports to solve. Malware exploits may give Microsoft a bad reputation in general, but scareware actually charges the user for her own infection, and that tends to make people a wee bit cranky."3

Using fear to drive consumers to buy unnecessary software remains highly profitable. All the bad players win here, and the consumers lose. Scammers get commissions, antivirus companies get subscriptions, and dodgy adtech companies get fees for orchestrating the entire thing. While this type of scam was originally driven through spam messages, it is now able to scale readily through push notifications arising from compromised websites. Wouldn't it be great if law enforcement knocked 'em all down?

In the next blog, I'll show how scammers take advantage of hope to con users.

Have you had experience with invasive pop-up notifications? Got some nuggets about the shady adtech industry? We'd love to hear about it. Let us know on LinkedIn, Mastodon, or email [email protected].

Footnotes

  1. https://www.getastra.com/blog/security-audit/how-many-cyber-attacks-per-day/
  2. https://www.atg.wa.gov/news/news-releases/fright-fight-washington-attorney-general-leading-battle-against-scareware
  3. https://arstechnica.com/information-technology/2008/09/microsoft-tries-to-put-fear-of-god-into-scareware-vendors/