
The Global Scareware Scam You’ve Probably Clicked: Inside VexTrio’s Global Ad Fraud

Have you seen any pop-up ads lately? At Black Hat 2025, security researchers exposed how a shadowy group uses fake alerts and other scams to exploit online ad systems and target unsuspecting users.

By Kim Key, Senior Writer, Security


At the Black Hat conference in Las Vegas this week, researchers at Infoblox, a threat intelligence firm, presented evidence that an organized crime group known as VexTrio is operating a traffic distribution system (TDS) that delivers malware and fake alerts and prompts unsuspecting consumers to download fake apps.

Ahead of the show, I spoke with Dr. Renee Burton, one of the researchers at Infoblox, about ways to identify malicious online advertising while browsing and how to avoid it.

“Windows Defender, Microsoft, Google, none of those guys are going to suddenly take over your screen,” said Dr. Burton.

So if you see those alerts, are you in trouble? Let's walk you through how VexTrio scams work and what you can do to stay safe.


What Is VexTrio?

Let’s take a break for a quick visualization exercise: When you read the word "hacker," what image comes to mind? To give you a hint, here are the top Google image results: 


All 15 images depict a faceless man wreathed in shadow, wearing a gray hoodie. It's all very Mr. Robot, right? Infoblox researchers posited that VexTrio's activities may have flown under the radar due to their assumed image as a small-time gang of "hackers in hoodies." 

According to research from Infoblox, VexTrio operates out of Russia and runs several companies in the adtech industry. “This is an organized crime effort run largely by Russians to take control of the world,” said Dr. Burton.

Burton said that some of the world’s most prolific cybercriminals are rich and powerful people who lead sophisticated criminal organizations. In other words, modern-day hackers are more likely to hide their eyes behind Cartier sunglasses than a Guy Fawkes mask. 

Changing the public perception of a hacker may be the key to taking cybercrime seriously. VexTrio has been operating for a decade, delivering malware and scams across a wide range of services to unsuspecting victims. Burton said her team contacts law enforcement and government entities whenever possible to report their findings. It’s up to those organizations to protect us in whatever way they can.

With help from freelance cybercriminals, VexTrio exploits backend vulnerabilities in major websites.

“They have partnerships and financial relationships with website hackers,” Burton said. “So when you visit that site [the malicious TDS operator] will do a quick browser fingerprint of you.” 

Here’s how a TDS works: The fingerprinting process creates a profile of you based on your online activities, along with any information gleaned about the device you’re using. Based on the profile, the TDS either lets you view the content you came to see, or it redirects you to a link or an alert that delivers malware to your device, urges you to download a fake app, or sends you to a scam website.


What Does a VexTrio Scam Look Like?

You’ve probably already encountered malicious ads while browsing. If you’ve ever had a peaceful scrolling session disrupted by a pop-up alert notifying you that you need a VPN right now, or recommending a virus scan, you may have encountered one of VexTrio’s schemes. 

Burton said that selling fake cybersecurity and privacy apps, known as scareware, is big business for the group. “They dig deep into that industry,” said Burton. 

She also mentioned the group employs fake captchas to gain access to your browser data. “They'll show you a fake captcha to get you to allow them to send you browser notifications,” she explained.

You can avoid malicious alerts and ads by ignoring them. Burton suggested making a habit of not allowing notifications for apps or websites while browsing. 

“Once you click Allow, you're now opted in and you’ll see a torrent of advertising, but it’s disinformation,” said Dr. Burton. “Everything is a scam.”

“As long as you don't allow anything, you’ll be OK. When all else fails, reboot your system.”
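To check which sites a browser profile has already opted in to, the sketch below lists every origin granted notification permission, newest grant first. It is an added example, not code from Infoblox or PCMag; it assumes the Chromium-style `Preferences` JSON layout (`profile.content_settings.exceptions.notifications`, where `setting` 1 means allow), and the sample data and hostnames are constructed.

```python
import json
from datetime import datetime, timedelta, timezone

ALLOW = 1  # assumed Chromium ContentSetting value for "allow" (2 is "block")
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # base of last_modified

# Constructed sample in the shape of a Chromium profile "Preferences" file.
SAMPLE_PREFS = json.dumps({"profile": {"content_settings": {"exceptions": {
    "notifications": {
        "https://mail.example.com:443,*":
            {"last_modified": "13390000000000000", "setting": 1},
        "https://captcha-check.example.net:443,*":
            {"last_modified": "13395000000000000", "setting": 1},
        "https://news.example.org:443,*":
            {"last_modified": "13380000000000000", "setting": 2},
    }}}}})


def allowed_notification_origins(prefs_text):
    """Return (origin, granted_at) for sites allowed to notify, newest first."""
    node = json.loads(prefs_text)
    for key in ("profile", "content_settings", "exceptions", "notifications"):
        node = node.get(key, {}) if isinstance(node, dict) else {}
    if not isinstance(node, dict):
        return []
    found = []
    for pattern, entry in node.items():
        if not isinstance(entry, dict) or entry.get("setting") != ALLOW:
            continue  # skip blocked or malformed entries
        origin = pattern.split(",", 1)[0]  # drop the ",*" secondary pattern
        try:
            micros = int(entry.get("last_modified", 0))
            granted = WEBKIT_EPOCH + timedelta(microseconds=micros)
        except (TypeError, ValueError, OverflowError):
            granted = None  # timestamp missing or unreadable
        found.append((origin, granted))
    found.sort(key=lambda item: item[1] or WEBKIT_EPOCH, reverse=True)
    return found


if __name__ == "__main__":
    for origin, granted in allowed_notification_origins(SAMPLE_PREFS):
        print(origin, granted.date() if granted else "unknown")
```

Any origin in the output that you do not recognize, especially one granted around the time the pop-ups started, is a candidate for removal in the browser's site notification settings.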


3 Ways to Fend Off VexTrio Scams

In addition to not allowing alerts on websites, it’s a good idea to stay vigilant while browsing because VexTrio appears to have its hands in a lot of lucrative yet illegal pies. 

1. Fraudulent Apps

Burton said that VexTrio also owns a lot of scammy apps, and they’ve been downloaded millions of times. “The dating apps are the most popular, but they have VPNs, fake machine cleaners, fake ad blockers, all this. It's a crazy world,” said Dr. Burton. 

If you’re invited to download a new VPN or ad blocker, run the name through a quick search on PCMag or another trustworthy site first. Find out if an app is legitimate before installing it on your device. 

Once the fake apps are on your device, it can be hard to remove them. If you suspect that you’ve downloaded scareware recently, check out our list of the best malware removal services.

2. Fake Device Infection Alerts

Dr. Burton described this as a slightly updated version of the old tech support scam, in which an alert appears on your screen, warning you to call Microsoft or Apple support due to malware infecting your device.

To fend off this scam, dismiss the pop-up window, close the browser window, and do not engage further. Burton said she tells friends and family (who frequently call her after receiving an alert) to simply “Calm down. Do not call that phone number. The FBI would probably love to call that phone number, but you don't call the phone number.”

3. Dating Apps and Romance Scams

It’s no secret that the global online romance scam market is incredibly lucrative, and a lot of criminals are cashing in, including VexTrio. “They make a ton of money off of the dating world,” said Dr. Burton.

The Infoblox research suggests that crime groups based in different countries use different tactics when scamming people who are looking for love online. For example, last year, the team at Infoblox revealed a network of China-based criminal organizations operating online gambling platforms. The scammers, who may be victims of human trafficking or extortion themselves, use romance baiting tactics to ensnare victims on these platforms. The attacks are usually targeted, and the perpetrators come away with huge sums of money.

Dr. Burton said that romance scammers from Russian groups like VexTrio operate differently. “It is high volume, low cost. They’re gonna take a dollar, five dollars, $30. They don't need that long game investment; they can just automate the process.”

If you suspect that you are chatting with a romance scam artist, stop all communication, do not click on any links they send you, and report the interactions to IC3, which sends these reports to law enforcement agencies like the FBI. Sending scam reports is the best way to get any recourse for these crimes. 
