FBI Warns Malicious Redirect Systems Are Sending Users to Scam and Malware Sites

The Federal Bureau of Investigation (FBI) has released this Public Service Announcement (PSA) to warn of cyber criminal use of traffic distribution systems (TDSs) to gain access to victim networks for ransomware or other financial scams. A TDS is a service that routes web visitors to different destinations after they visit a webpage, click an advertisement link, sign up for a promotion or discount, or download an application. Cyber criminals use TDSs to selectively redirect users to compromised or fake login websites that host phishing pages for online financial fraud, or to pages that prompt users to download software updates containing malware.

How a Malicious Traffic Distribution System Works

  1. Initiation of Redirection: Cyber criminals use a variety of methods to drive users to a TDS, including social engineering techniques such as links in phishing emails, search engine optimization (SEO) poisoning that promotes fraudulent advertisement links mimicking legitimate ones, or the compromise of legitimate websites through changes to the website code.
    • Legitimate websites are vulnerable to compromise when they use insecure passwords or outdated website themes and plugins. Cyber criminals obtain unauthorized access by brute forcing weak administrative passwords or leveraging exploits for outdated plugins. After obtaining administrative access, they edit the website's code so that it redirects visitors to a malicious TDS.
  2. Redirection Bypasses Firewall: Cyber criminals often use a TDS to bypass traditional firewall rules that would otherwise block connections to malicious websites. The entry link points at an intermediate node rather than the final malicious host, and the TDS uses a chain of such intermediate nodes to hide the final destination, making it difficult to trace and block.
  3. Filtering Website Visitors: Cyber criminals use a TDS to profile potential victims by collecting their IP address, operating system, location, device, and browser information. Based on the collected information, a malicious TDS can determine whether a payload is likely to work on that visitor and route traffic accordingly. A TDS can also identify users in regions the criminals are not targeting and display safe content to them, which helps the operators avoid detection by undesired visitors, including security researchers.
  4. Cyber Criminal Exploitation of Users: Cyber criminals exploit visitor devices at the end of the TDS redirection chain by delivering phishing pages, financial scams, and other malware. Cyber criminals sometimes use a TDS to gain access to a victim's network, often through malware distribution. Access to victim accounts obtained this way may be sold for a fee to other cyber criminals, including ransomware groups.
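The following Python model ties steps 2 through 4 together. It is an added example written for this article, not code from the FBI PSA or from any real TDS: every host name, IP range and filtering rule is hypothetical, and the "network" is an in-memory table of nodes so the whole thing runs offline. It shows a compromised entry URL hopping through two intermediate nodes that carry no payload of their own, a filtering node that inspects the visitor's IP, User-Agent and language, and a chain follower that records each hop and the final outcome for a given visitor profile.

```python
"""Model of a malicious traffic distribution system (TDS) and a chain follower.

Added example for this article; it is not code from the FBI PSA or from any
real TDS. All node names, URLs, IP ranges and filtering rules below are
hypothetical, and the "network" is an in-memory table, so it runs offline.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Visitor:
    """The attributes a TDS typically collects on the first hop."""
    ip: str
    user_agent: str
    accept_language: str  # stands in for geolocation / region targeting


# Constructed: documentation ranges standing in for hosting / datacenter
# space that a TDS treats as "not a consumer" (researchers, scanners, sandboxes).
DATACENTER_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]
TARGET_LANGUAGES = ("en-US", "en-GB")
AUTOMATION_MARKERS = ("curl", "wget", "python-requests", "headlesschrome", "bot")


def classify(visitor: Visitor) -> str:
    """Decide which branch the TDS routes this visitor to (step 3 of the PSA).

    Anything that looks like a researcher, crawler or an untargeted region
    gets the 'decoy' branch and sees harmless content; targeted consumers are
    split by platform into the lure that suits their device.
    """
    if any(ipaddress.ip_address(visitor.ip) in net for net in DATACENTER_RANGES):
        return "decoy"
    ua = visitor.user_agent.lower()
    if any(marker in ua for marker in AUTOMATION_MARKERS):
        return "decoy"
    if not visitor.accept_language.startswith(TARGET_LANGUAGES):
        return "decoy"
    if "windows" in ua:
        return "fake_update"  # "your browser is out of date" malware lure
    if "android" in ua or "iphone" in ua:
        return "phishing"  # mobile users get a fake login page
    return "decoy"


# Final destinations per branch (hypothetical hosts).
FINAL_PAGES = {
    "decoy": "https://decoy.example/news",
    "fake_update": "https://update-cdn.example/ChromeSetup.exe",
    "phishing": "https://secure-login.example/bank",
}

# Each node returns ("redirect", next_url) or ("page", label). The intermediate
# hops serve no payload themselves, which is what keeps them off blocklists
# and makes the final host hard to trace from the entry URL alone (step 2).
ENTRY_URL = "https://compromised-site.example/"
NODES = {
    ENTRY_URL: lambda v: ("redirect", "https://track-a.example/r?c=91"),
    "https://track-a.example/r?c=91": lambda v: ("redirect", "https://track-b.example/go"),
    "https://track-b.example/go": lambda v: ("redirect", FINAL_PAGES[classify(v)]),
    FINAL_PAGES["decoy"]: lambda v: ("page", "decoy"),
    FINAL_PAGES["fake_update"]: lambda v: ("page", "fake_update"),
    FINAL_PAGES["phishing"]: lambda v: ("page", "phishing"),
}


def follow_chain(url: str, visitor: Visitor, max_hops: int = 10):
    """Walk the redirect chain as the given visitor; return (hops, outcome)."""
    hops = [url]
    while True:
        handler = NODES.get(url)
        if handler is None:
            return hops, "external"  # left our modelled network
        kind, target = handler(visitor)
        if kind == "page":
            return hops, target
        if len(hops) >= max_hops:
            return hops, "too_many_hops"  # defensive cap against redirect loops
        url = target
        hops.append(url)


# Constructed visitors: an analyst fetching from a hosting range with curl,
# and consumers the operator does (or does not) target.
ANALYST = Visitor("203.0.113.7", "curl/8.4.0", "en-US")
WINDOWS_USER = Visitor("192.0.2.10", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0", "en-US,en;q=0.9")
ANDROID_USER = Visitor("192.0.2.11", "Mozilla/5.0 (Linux; Android 14) Mobile Chrome/122.0", "en-GB")
GERMAN_USER = Visitor("192.0.2.12", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0", "de-DE")


if __name__ == "__main__":
    for who, v in (("analyst", ANALYST), ("windows", WINDOWS_USER),
                   ("android", ANDROID_USER), ("german", GERMAN_USER)):
        hops, outcome = follow_chain(ENTRY_URL, v)
        print(f"{who:8s} -> {outcome:12s} after {len(hops) - 1} redirects: {' -> '.join(hops)}")
```

The practical lesson for investigators is in the first line of that output: the analyst, fetching from hosting space with a command-line client, lands on the decoy page and sees nothing malicious, while a Windows consumer following the very same entry URL is handed the fake update. Before concluding that a reported link is benign, replay the chain with a browser-like User-Agent, the targeted language, and a residential egress, and record every intermediate hop, since blocking only the final host leaves the entry URL and the tracking nodes free to be repointed.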

The original announcement can be found here.

The Government Technology & Services Coalition's Homeland Security Today (HSToday) is the premier news and information resource for the homeland security community, dedicated to elevating the discussions and insights that can support a safe and secure nation. A non-profit magazine and media platform, HSToday provides readers with the whole story, placing facts and comments in context to inform debate and drive realistic solutions to some of the nation’s most vexing security challenges.
