Валентин Шнайдер, Hot News
20 June 2025, 10:19
russian hackers attack WordPress sites using legal advertising platforms
Researchers have uncovered a massive malware distribution campaign involving russian-affiliated hackers and commercial advertising platforms, targeting millions of users worldwide, compromised WordPress sites, and intrusive push notifications.
According to TechRadar, the cybercriminals are working with a number of commercial platforms, including Los Pollos, Partners House, RichAds, and BroPush. These networks not only host malicious ads, but also, according to researchers at Infoblox Threat Intel, knowingly collaborate with affiliated hackers.
The mechanism involves redirecting users through a series of fake banners, CAPTCHA prompts, and push notifications that ultimately lead to infected sites or phishing pages. Some of the messages are even sent through legitimate services like Google Firebase, making them difficult to detect.
Despite Los Pollos’ public statements that it has shut down the malicious push link monetization feature, attacks continue through new channels, including Help TDS and Disposable TDS, which also link to VexTrio. Analysis of over 4.5 million DNS queries showed that all of these TDS platforms share a common infrastructure, repetitive scripts, and behavior.
Attackers are exploiting vulnerabilities in WordPress to embed JavaScript redirects into compromised sites. These scripts block navigation, replace links, and offer prizes in fake sweepstakes, luring the user into clicking on a malicious message.
Researchers emphasize that ad networks could not have been unaware of who their "partners" were. In some cases, attackers had exclusive contracts for traffic placement, and affiliate data was known to platform administrators.
It is difficult to fully protect against this scheme, especially when the malicious push messages arrive after the user has given consent. Experts advise not enabling suspicious notifications in the browser, avoiding fake CAPTCHAs, updating WordPress, monitoring DNS queries, and using tools with a Zero Trust architecture. At the same time, it is the advertising networks that have the resources and influence to stop such campaigns, if they start to act.
We previously wrote about how police in Kyiv detained a member of an international hacking group that attacked enterprises in the EU, the USA, and Canada using self-developed encryption viruses, after which they demanded a ransom in cryptocurrency.