- Push notifications are now being used as malware delivery channels, and users subscribe to them without realising it
- Fake CAPTCHA prompts have become the bridge to persistent browser hijacking and phishing attacks
- Compromised WordPress sites silently redirect visitors via hidden DNS commands and shared JavaScript payloads
Recent research has revealed a disturbing alliance between WordPress hackers and adtech companies, creating a vast infrastructure for distributing malware worldwide.
Infoblox's research finds that at the heart of this operation is VexTrio, a traffic distribution system (TDS) responsible for funnelling web users through layers of fake advertisements, deceptive redirects and fraudulent push notifications.
The report says several adtech companies, including Los Pollos, Partners House and RichAds, are entangled in this network, acting as both intermediaries and enablers.
The Los Pollos connection and a failed shutdown
Infoblox first linked Los Pollos to VexTrio when the former was implicated in Russian disinformation campaigns.
In response, Los Pollos said it would end its "push monetization" model.
Despite this, the underlying malicious activity continued as the attackers moved to a new TDS known as Help TDS, which was ultimately linked to VexTrio.
WordPress vulnerabilities served as the entry point for several malware campaigns: attackers compromised thousands of websites and injected malicious redirect scripts. These scripts relied on DNS TXT records as a command-and-control mechanism that determines where visitors are sent.
Analysis of more than 4.5 million DNS responses between August and December 2024 revealed that, although various malware strains appeared separate, they shared infrastructure, hosting and behavioural patterns that led back to VexTrio or its affiliates, including Help TDS and Disposable TDS.
The JavaScript on these platforms exhibited the same functions: disabling browser navigation controls, forcing redirects and luring users with fake prize-draw pop-ups.
Notably, these TDSs are embedded in adtech platforms that pose as legitimate affiliate networks.
"These companies maintained exclusive relationships with 'publisher affiliates', in this context the hackers, and knew their identities," the researchers noted.
Push notifications have emerged as a particularly potent threat vector. Users are tricked into enabling browser notifications through fake CAPTCHA prompts.
Once a user subscribes, the attackers push phishing links or malware, bypassing firewall settings and even the best antivirus software.
Some campaigns deliver these messages through trusted services such as Google Firebase, which makes detection much harder.
The overlap between adtech platforms, including BroPush, RichAds and Partners House, further complicates attribution.
Misconfigured DNS systems and reused scripts suggest a common backend, perhaps even a shared development environment.
To mitigate the risks, users should avoid enabling suspicious browser alerts, use tools that provide zero trust network access (ZTNA) and be wary when interacting with CAPTCHAs.
By keeping WordPress updated and monitoring for DNS anomalies, site administrators can reduce the likelihood of compromise.
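One concrete form of the DNS-anomaly monitoring recommended here, and of detecting the TXT-record command channel described earlier in the article, is to scan resolver logs for TXT answers that carry a URL, either in clear text or base64-wrapped, and then correlate identical payloads served under different query names (the shared-infrastructure pattern the report describes). The script below is an added example written for this page, not code from Infoblox or from the report; the log format, the domain names and the sample lines are constructed, and the benign-prefix allowlist is a deliberately small assumption that a real deployment would extend.

```python
import base64
import binascii
import re
from collections import defaultdict

# Constructed resolver-log sample (hypothetical domains, not taken from the report).
# Assumed line format: "<timestamp> <client> <qname> <qtype> <rdata>", rdata quoted for TXT.
# The base64 value decodes to https://lure.example.test/captcha, the same URL the
# second attacker domain serves in clear text, so two query names share one payload.
SAMPLE_LOG = """\
2024-11-03T10:01:12Z 10.0.0.5 example.com A 93.184.216.34
2024-11-03T10:01:13Z 10.0.0.5 _dmarc.example.com TXT "v=DMARC1; p=none"
2024-11-03T10:02:40Z 10.0.0.9 cdn-update.example-attacker.test TXT "aHR0cHM6Ly9sdXJlLmV4YW1wbGUudGVzdC9jYXB0Y2hh"
2024-11-03T10:02:41Z 10.0.0.9 check.another-attacker.test TXT "https://lure.example.test/captcha"
2024-11-03T10:03:02Z 10.0.0.12 cdn-update.example-attacker.test TXT "aHR0cHM6Ly9sdXJlLmV4YW1wbGUudGVzdC9jYXB0Y2hh"
2024-11-03T10:03:30Z 10.0.0.7 example.org TXT "google-site-verification=abc123"
2024-11-03T10:04:05Z 10.0.0.7 version.example.org TXT "MS4wLjA="
"""

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

# Common legitimate TXT record families; extend for your own environment.
BENIGN_TXT_PREFIXES = ("v=spf1", "v=dmarc1", "google-site-verification=", "ms=")


def parse_line(line):
    """Split one log line into its fields; return None for lines that do not fit the format."""
    parts = line.strip().split(maxsplit=4)
    if len(parts) != 5:
        return None
    ts, client, qname, qtype, rdata = parts
    return {
        "ts": ts,
        "client": client,
        "qname": qname.lower(),
        "qtype": qtype.upper(),
        "rdata": rdata.strip('"'),
    }


def extract_url(txt):
    """Return a URL carried by a TXT value, in clear text or hidden behind base64, else None."""
    match = URL_RE.search(txt)
    if match:
        return match.group(0)
    try:
        decoded = base64.b64decode(txt.replace(" ", ""), validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if not decoded.isprintable():
        return None
    match = URL_RE.search(decoded)
    return match.group(0) if match else None


def find_redirect_txt(log_text):
    """Flag TXT answers whose value is a redirect target rather than a known benign record type."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["qtype"] != "TXT":
            continue
        if rec["rdata"].lower().startswith(BENIGN_TXT_PREFIXES):
            continue
        url = extract_url(rec["rdata"])
        if url:
            findings.append({"qname": rec["qname"], "client": rec["client"], "url": url})
    return findings


def shared_payloads(findings, min_names=2):
    """Group flagged answers by decoded URL; a URL served under several query names
    is the shared-backend signal worth escalating."""
    by_url = defaultdict(set)
    for f in findings:
        by_url[f["url"]].add(f["qname"])
    return {url: sorted(names) for url, names in by_url.items() if len(names) >= min_names}


if __name__ == "__main__":
    hits = find_redirect_txt(SAMPLE_LOG)
    for h in hits:
        print(f"TXT redirect payload: {h['qname']} -> {h['url']} (client {h['client']})")
    for url, names in shared_payloads(hits).items():
        print(f"shared payload {url} served by {', '.join(names)}")
```

Run against a real export, the interesting output is the second loop: a single decoded URL appearing behind several unrelated query names is exactly the reuse across domains that the research used to tie separate-looking campaigns back to one operator, and it is a far stronger signal than any one odd-looking TXT record.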
Adtech companies, however, may hold the real leverage and the key to shutting down these operations, if they choose to act.