In the security industry, we rarely tell a story from the victim's perspective. Instead, we focus on a malicious actor's perspective: their tactics, techniques, and procedures (TTPs). So, I decided to take a turn as a victim and see what happened after visiting a compromised website with malicious adtech.
Adtech is the suite of software and tools that help make digital campaigns more effective. In some cases, its use is legitimate. But devious operatives and criminal organisations are also making hay with it, by tying it to hacked websites. That integration gives threat actors a hook into the visitor's device, and I wanted to understand the impact.
The results of the experiment were surprising and far-reaching. I found that visiting a website linked with malicious adtech can have a long-lasting impact. Threat actors accomplish adtech integration through website notifications, known as push notifications. If the attacker tricks the user into accepting notifications, deceptive messages such as fake virus alerts will pop onto the screen. Clicking on those pop-ups leads to more malicious content, which in turn negatively influences the user's experience with legitimate websites and newsfeeds.
It is easy to be exposed; there are hundreds of thousands of hacked websites on the internet and tens of thousands are newly compromised each day. Integrating adtech is as simple as adding a single line of code to the site. In return, the hacker receives a share of the revenue from 'ads' delivered to the victim after they leave the page.
To start my experiment, I used an old Google Pixel 2 phone with Chrome and Firefox browsers and began by visiting a compromised domain. The domain, germannautica[.]com, was identified by a detector that tracks the threat actor VexTrio Viper. From there, I recorded what happened.
Once I accepted notifications, I was 'pushed' into an ecosystem that not only delivered an endless torrent of malicious content but also coloured the mainstream content that was delivered to me.
The built-in news feed and ads fed by major services like Google and Taboola were tainted by the manipulated content, and in a way that seemed irrevocable. Unlike my previous experiences with 'clickbait' on my other personal devices, I found it difficult to discern the truth of many articles without external research, and the 'news' often mimicked the suspect content received from the push notifications or compromised sites. Visiting an affected website led to an inescapable news and advertising cycle that was driven by the threat actor.
I received over 100 push notifications per day from various domains, each notification leading to malicious content and often accompanied by requests to allow more push notifications. Some messages were threatening, others hopeful. The notices often forged major brands and led to interactive content. Besides disinformation and information bias, the push notifications received led to a wide variety of scams.
I decided to focus on 'scareware', or the antivirus fraud industry, which is thriving through malicious adtech. But let's start at the beginning: the compromised website.
Getting the Push
When I visited germannautica[.]com from my phone, a DNS TXT record request, which contained information about my IP address, was made to a command and control (C2) server. The C2 server returned a new domain and website that redirected me into the traffic distribution system (TDS) operated by the threat actor named VexTrio Viper. All of this activity happened in the blink of an eye. After a few redirections, during which the TDS used information about my device and location, I ended up with a request to allow push notifications, not from the initial site germannautica[.]com, but from a totally different domain name. The request was accompanied by a fake robot captcha that has long been associated with VexTrio Viper. The domain hosting this captcha content can vary, as does the accompanying image the threat actor uses for the captcha, but the purpose of the page is the same: get the user to accept push notifications.
Once notifications were accepted, the VexTrio Viper TDS redirected based on the browser and user characteristics. Because the TDS directs users to different malicious content based on several of their characteristics, I accessed the same compromised site several times, simulating different devices and locations, and was taken to fake giveaways, fake dating sites, fake apps, and virus scares.
So how did all these different landing pages arise out of a single compromised domain?
It turned out that not just one TDS was involved, but that a series of them route traffic to evade detection and maximise the likelihood of profit from the visitor.
In recent months, I have discovered that many of these TDSs are not the work of hackers in hoodies; they are operated by shady adtech companies.
Within a few seconds, my phone began buzzing with notifications. Clicking one of these push notifications led to yet another series of redirects as I was sent through various TDSs. I always ended up with malicious content. In addition, I was typically asked to allow notifications from new domains. Within a short period of time, I was receiving alerts from a dozen domains and was deep in the push notification 'rabbit hole'.
Studying the redirections revealed an ecosystem of affiliated adtech companies, each delivering malicious content and all profiting from a handful of compromised domains. Over a 12-week period, I subscribed to notifications from over 150 different domains and received as many as 130 notifications in a single day from a single domain. I clicked on hundreds of push notifications and captured the domains that were resolved for each one. Our research group was able to identify specific adtech companies that benefit from compromised domains and facilitate the delivery of malicious content to users via these chains and their DNS records.
There are many different ways that websites ask for push notifications. They might insist that users click 'allow' to continue to the site, show a fake captcha test, or open multiple pop-up windows asking for notifications. Most websites use an embedded piece of code or a URL that links to an adtech service to manage the notification request on their behalf.
Using my sacrificial phone taught us a lot about the experience of a user who has visited one of these compromised sites. In addition to uncovering affiliate relationships our threat intel team hadn't encountered before, I experienced a few other quirks not yet discovered. One day the favicon for the compromised site I visited displayed as the well-known VexTrio Viper robot for about 24 hours before reverting to the default WordPress icon. On another day, I received push notifications in Russian for several hours, and occasionally in Italian or Spanish.
Is there really such a thing as malicious adtech? Yes. While some folks will argue that all adtech is malicious, what I am talking about here is an ecosystem of companies that are enabling cybercrime. They aren't just abused; at best they are wilfully ignorant and at worst active participants. They purposefully established business silos in an attempt to create plausible deniability and look like legitimate corporations.
Now that the compromised website and push notifications are set in motion, how does this technology play out in a particular category of scams: scareware?
Scareware Runs Rampant
These bad adtech organisations prey heavily on a user's fear. Alerts about hacked accounts or malware are extremely common, especially for older devices like my Pixel 2.
The alarming messages vary, but all have the same goal: instil enough fear in the user that they purchase an unnecessary security product. This approach can also be used to convince users to install fake apps.
Clicking the notification leads the user into a TDS and to a landing page that contains a fake virus scan. The user will typically be encouraged to conduct a scan which will falsely identify a number of threats on the device, often accompanied by flashing screens and audio.
Between clicking on the notification and arriving at the final page, the device connected to four to eight different domains, which served to hide the malicious activity and profile the device. Most of these domains were not recorded in the browser history and rapidly flashed across the screen as the browser was redirected through various TDSs. Connections were also made to other domains used by actors for tracking. Those connections were invisible in the browser but could be recreated by using an external scanner.
The final destination is often a real website: TotalAV, Norton, or McAfee. Why would malicious actors send users to these commercial sites? The answer: money! These antivirus companies offer generous affiliate programs that pay 70-90 percent of the revenue over the lifetime of a subscription. I was repeatedly offered TotalAV subscriptions for US$1.99, but after a month, the rate went to $14.99 each month. If threat actors can draw users into a subscription, and users fail to read the fine print, they enter a high-cost contract after a short trial period. Online reviews of TotalAV are filled with users who were duped into a subscription for the product and then found it difficult to cancel or were charged repeatedly by the vendor. The $1.99 soon becomes $100, and the affiliate is promised a large portion of this money. In our research, almost all scares led to TotalAV products.
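The "external scanner" mentioned above, and the earlier point that the TDS hands different client profiles different landing pages, can both be reproduced with a small redirect-chain tracer. The following is an added example written for this article, not code from the original post or from any tool our research group uses. It follows HTTP 3xx, meta-refresh and JavaScript redirects, records every domain touched (the hops the browser history never shows), and stops when it reaches a page that asks for notification permission, a loop, or a dead end. The fetcher is injected, so the sample TDS below is entirely constructed (all hostnames use the reserved .example suffix) and the script runs offline.

```python
"""Redirect-chain tracer (added example, not from the original article).

The fetch function is injected so the chain below is a constructed stand-in
for a TDS; with a real HTTP client, pass one that does NOT auto-follow
redirects (e.g. requests.get(url, allow_redirects=False)) and sets a
User-Agent per profile.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urljoin, urlsplit


@dataclass
class Response:
    status: int
    headers: dict
    body: str = ""


@dataclass
class Trace:
    urls: list = field(default_factory=list)      # every URL visited, in order
    domains: list = field(default_factory=list)   # distinct hostnames, in order
    stop_reason: str = ""                         # final | push-prompt | loop | unreachable | max-hops


# Client-side redirect forms a browser would honour but a plain GET log would miss.
_META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]+content=["\'][^;]*;\s*url=([^"\'>\s]+)', re.I)
_JS_LOCATION = re.compile(r'(?:window\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I)
# Markers of a page whose job is to obtain notification permission.
_PUSH_PROMPT = re.compile(r'Notification\.requestPermission|pushManager\.subscribe', re.I)


def next_hop(url, resp):
    """Return the URL the browser would move to next, or None if the page is final."""
    loc = next((v for k, v in resp.headers.items() if k.lower() == "location"), None)
    if 300 <= resp.status < 400 and loc:
        return urljoin(url, loc)
    for pattern in (_META_REFRESH, _JS_LOCATION):
        m = pattern.search(resp.body)
        if m:
            return urljoin(url, m.group(1))
    return None


def trace_chain(start_url, fetch, max_hops=12):
    """Follow redirects from start_url, recording each hop and why the chain ended."""
    t = Trace()
    seen = set()
    url = start_url
    for _ in range(max_hops):
        if url in seen:                      # TDS bounced us back to an earlier hop
            t.stop_reason = "loop"
            return t
        seen.add(url)
        t.urls.append(url)
        host = urlsplit(url).hostname or ""
        if host and host not in t.domains:
            t.domains.append(host)
        resp = fetch(url)
        if resp is None:                     # hop went dark (common for short-lived TDS domains)
            t.stop_reason = "unreachable"
            return t
        nxt = next_hop(url, resp)
        if nxt is None:
            t.stop_reason = "push-prompt" if _PUSH_PROMPT.search(resp.body) else "final"
            return t
        url = nxt
    t.stop_reason = "max-hops"
    return t


def make_fake_fetch(profile):
    """Constructed sample TDS that branches on the client profile, as the real one did."""
    last = "http://push-captcha.example/robot" if profile == "mobile" else "http://landing.example/giveaway"
    pages = {
        "http://compromised.example/": Response(302, {"Location": "http://tds-one.example/go?c=1"}),
        "http://tds-one.example/go?c=1": Response(
            200, {}, '<meta http-equiv="refresh" content="0; url=http://tds-two.example/r">'),
        "http://tds-two.example/r": Response(200, {}, 'window.location.href = "%s";' % last),
        "http://push-captcha.example/robot": Response(
            200, {}, "<p>Click Allow to continue</p><script>Notification.requestPermission()</script>"),
        "http://landing.example/giveaway": Response(200, {}, "<h1>You have won!</h1>"),
    }
    return lambda url: pages.get(url)


def compare_profiles(start_url, profiles=("mobile", "desktop")):
    """Trace the chain once per client profile and return {profile: Trace}."""
    return {p: trace_chain(start_url, make_fake_fetch(p)) for p in profiles}


if __name__ == "__main__":
    for profile, trace in compare_profiles("http://compromised.example/").items():
        print(profile, "->", " > ".join(trace.domains), "|", trace.stop_reason)
```

Running the script shows the mobile profile ending on a page that requests notification permission after passing through four domains, while the desktop profile reaches a different landing page via the same intermediate hops; diffing such traces across profiles is how the device- and location-dependent branching described earlier becomes visible without a sacrificial phone.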
Using fear to drive consumers to buy unnecessary software remains highly profitable. All the bad players win here, and the consumers lose. Scammers get commissions, antivirus companies get subscriptions, and dodgy adtech companies get fees for orchestrating the entire thing.
While this type of scam was originally driven through spam messages, it is now able to scale readily through push notifications arising from compromised websites.