Dr. Renee Burton
You're listening to the Cyberwire network. Powered by N2K.
Dave Bittner
The DMV has established itself as a top-tier player in the global cyber industry. DMV Rising is the premier event for cyber leaders and innovators to engage in meaningful discussions and celebrate the innovation happening in and around the Washington, D.C. area. Join us on Thursday, September 18th to connect with the leading minds shaping our field and experience firsthand why the Washington, D.C. region is the beating heart of cyber innovation. Visit DMVRising.com to secure your spot.

And now a word from our sponsor. The Johns Hopkins University Information Security Institute is seeking qualified applicants for its innovative Master of Science in Security Informatics degree program. Study alongside world-class interdisciplinary experts and gain unparalleled educational, research and professional experience in information security and assurance. Interested U.S. citizens should consider the Department of Defense's Cyber Service Academy program, which covers tuition, textbooks and a laptop, as well as providing a $34,000 additional annual stipend. Apply for the fall 2026 semester and for this scholarship by February 28th. Learn more at cs.jhu.edu/mssi.

Hello everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in our rapidly evolving cyberspace. Thanks for joining us.
Dr. Renee Burton
So Vextrio came to our attention in the same way that it came to others within the industry. In particular, there were really large numbers of compromised websites which, when visitors went to them, would conditionally, meaning sometimes, redirect those people to a variety of scams. So it was really originally about these compromised websites, and then seeing that there was a common DNS theme within that.
Dave Bittner
That's Dr. Renee Burton, VP of Threat Intelligence at Infoblox. Today we're discussing their work on Vextrio, a notorious traffic distribution system involved in digital fraud. Well, you all describe Vextrio as having its roots in spam and then evolving through scam tactics and eventually becoming part of malicious ad tech. Can you walk us through that journey from their early days to where they are today?
Dr. Renee Burton
Yeah, so if we look at Vextrio and we try to think of an origin story, we really are trying to pull back to the earliest things that we can find about the people who have been involved with them during the period that we, as a security industry, have thought of as Vextrio. So that's this period between 2017 and 2025, and we looked at those key figures and then we tried to draw back: how far can we track those key figures back? And the roots actually come out of two different areas. So we see one group coming out of Turin, Italy, and that was the group that was more involved with spam. From all records that we can see, they really came into the dating industry and they were very, very successful. They had partners in major mobile networks in the mid-2000s, 2008, 2009, and in 2012 they reportedly had one of the fastest growing Facebook games. And if you remember, there was that period, right, where Facebook had all of these little pop-up games that were coming into feeds at that time. Their One Date server rundate app was part of that growing population, but they were also attached to a lot of accusations of spam, and there were a couple of lawsuits associated with that behavior. So that's the Italians. And then we see the Italians move to Lugano in 2015 and they continue in their, mostly their dating verticals in that area. Separate from them, also, coincidentally, I think in 2015 we see a variety of Eastern European, Russian-speaking people and companies move into Prague, and there we see a sort of similar behavior. That group is a lot more computer science. They're really good at DevOps, they're good at scaling stuff, they're good at algorithms, and they're the ones who have actually built these, what we call traffic distribution systems, TDS, which hide or cloak the domains from people. So they were all in Prague.
And then in 2020-ish, we don't know exactly when, it appears to be sometime in 2020, they merge in some way and the headquarters gets moved into Lugano. So at this point, even though there are people still around the world, in particular in Prague and elsewhere, the headquarters, the financial center, is in Lugano, and it becomes kind of one group.
Dave Bittner
Now, was it 2022 or so when they were formally recognized?
Dr. Renee Burton
So we discovered them as a group in, yeah, 2022, I believe it was, and started tracking. We didn't publish about them until we'd been tracking them, I think, for close to a year. So it might have been 2021. What happened then is, as always happens in the security industry, once we recognize that something is not a series of random campaigns, or we're able to associate it with some kind of threat actor, then we and other collaborators can start to look backwards and say, okay, where can I find the origin? Where can I find the origin? And our understanding of their activity has matured, and continues to mature as of this week. Honestly, it's crazy that you're able to keep pulling and pulling back. But together with our collaborators, we can now date that activity back to about 2015, which is, by the way, when they went to Prague.
Dave Bittner
Interesting. Now, you mentioned the traffic distribution systems, or TDS, that seem to be kind of central to their operations. Can you explain to us how a TDS works in this particular context and why it's such an effective tool?
Dr. Renee Burton
Yes. So TDS, to me, is probably the single most important and single least understood phenomenon in the security industry, or in the cybercrime world, today. What it's doing is, think of it as... there's a couple of ways to think about it. One is it's sort of like a maze that you're not going to see. So it's like a black box maze. And the purpose of that black box is to disguise, and the word the industry would use is cloak, to cloak the true mechanism or the true domain that you're going to go to. So in essence, for instance, you visit this website and it happens to be a compromised website. So you're going to, you know, ABC News or something. They are not compromised, but let's use them as an example. You're going to your local news site and that site is compromised. What they will do, the malware that's on there, it will fingerprint you. So it's going to say, oh, you are in this location, you're using this kind of device, mobile or desktop. It's going to get your browser information. It'll try to get your operating system information, and that will create a little fingerprint, and then that will send you into the TDS. And there's a variety of ways to think about that. Some people think of it as a Plinko game, as a maze. But that's basically like a big decision framework. In fact, those ad tech people often call it a funnel. So they're deciding, ooh, what is the most likely thing that you are going to buy? Now, buy here means as a scam, right? Or as malware.
Dave Bittner
Okay. Yeah.
Dr. Renee Burton
So it's like, what's the most likely thing? And then it will route you through this maze that you can't see and then pop you back out into what is the real end thing, whether that be a scam or an information steal or that kind of output, but malicious nonetheless. So to put that back together again, the purpose of the TDS is to provide the infrastructure that maximizes the profit for the cybercriminals. That's really the way to think about it.
Dave Bittner
And for me, the user, I'm visiting what I think is my local website that's been compromised. What's my experience like as I'm being routed through this TDS?
Dr. Renee Burton
Sometimes you will see, at the bottom of your screen or the top of your screen, "redirecting to..." and you might see things flashing past, but very often you won't. So very often what'll happen is you're going to your local news site and there's just a fractional pause, because that's where it's fingerprinting and deciding what it's going to do with you. And then instead of seeing news, you're going to see something else, whichever thing they've decided you're most likely to go for. I think one of the more alarming ones for consumers is the tech support scams. So again, you're browsing the Internet. I think most of us have had this happen to us doing normal things. Suddenly your machine is taken over and it says, you know, Windows Defender, or pick some product, has decided that you've got malware and you need to call this phone number or you need to download this file or something like that. That's that scareware notion. And it's usually extremely alarming, may even have noise with it. That is a typical experience for a user.
Dave Bittner
We'll be right back.
GMC Terrain Elevation Advertiser
Put us in a box. Go ahead. That just gives us something to break out of. Because the next-generation 2025 GMC Terrain Elevation is raising the standard of what comes standard. As far as expectations go, why meet them when you can shatter them? What we choose to challenge, we challenge completely. We are professional grade. Visit gmc.com to learn more.
Dave Bittner
You tune in here at Research Saturday every single week. Now, we'd love to hear from you. Your voice can help shape the future of N2K Networks. Tell us what matters most to you by completing our annual audience survey. Your insights help us grow to better meet your needs. There's a link to the survey in our show notes. We're collecting your comments through August 31st. Thanks.

CISOs and CIOs know machine identities now outnumber humans by more than 80 to 1. And without securing them, trust, uptime, outages and compliance are at risk. CyberArk is leading the way with the only unified platform purpose-built to secure every machine identity: certificates, secrets and workloads across all environments, all clouds and all AI agents. Designed for scale, automation and quantum readiness, CyberArk helps modern enterprises secure their machine future. Visit cyberark.com/machines to see how.

You know, it's interesting because I remember a specific case where my father had fallen prey to this sort of thing. And one of the challenges for us to figure out what had happened was trying to figure out whether his computer itself had been compromised or it was a website that he was visiting that had been compromised. And so it strikes me that that's sort of a key element of this as you're looking at it, that in this case it is the websites themselves that have been compromised, right?
Dr. Renee Burton
Yes. And that is the real tricky thing for a security team. So we typically talk to a SOC, and you might say, oh, something happened on my machine. And then they want to know where it came from. And because of the way the TDS works, you frequently cannot recreate that experience, because it's checking first: it's looking for security groups, it's checking to see whether or not you're coming out of some anonymous kind of proxy. So there's a lot of protection on their part to prevent non-victims from coming through their system. And they'll also do things like put cookies on your machine, which allows them to know that they've already scammed you or you've already had that visit, and then they won't do it again, so that it can't be recreated. It's an extremely tricky thing.
Dave Bittner
How kind of them.
Dr. Renee Burton
Exactly?
Dave Bittner
So what sort of scale do we suppose we're talking about here? How big of an operation is this?
Dr. Renee Burton
They're absolutely enormous. And Vextrio is only one group within this malicious ad tech industry. We have associated about 100 companies and brands directly to eight key figures within Vextrio. Not all of those are in ad tech. They have a lot of money, so they have companies in construction, they have payment processing companies, they have cryptocurrency and blockchain companies, they've got restaurants, energy companies. They're very well diversified from a corporate perspective, as well as, of course, everything to do with advertising. They've got email, direct email marketing companies, email validation companies, of course, multiple affiliate networks, which are how you get those ads changed. They've got brand awareness, search engine optimization. They really are dug in everywhere. And then we also study other groups. We're not only targeting them, we're targeting all the bad guys. And you have this similar sort of phenomenon of classic large-scale shell company kind of operations.
Dave Bittner
I see. Well, I know you and your Infoblox colleagues are leveraging DNS data to try to enable early detection here. Can you explain how you all are going about that?
Dr. Renee Burton
Yeah, so what we do, I mean, this is where our real wheelhouse is. We're not going around and watching malware by itself on websites. We partner with a number of others whose specialty is in that area. Our specialty is in DNS. So what we do is we say, okay, we know that these traffic distribution systems, these TDS, have to use domain names. That's how the Internet works, basically. Everything needs a domain name, and they have to have very protected assets, because their transactions, according to them, and our evidence supports their claims, are 20 billion plus transactions a day. Right. And if we think about all of them together, we're talking about probably 100 billion transactions a day. So they need a very resilient, robust system that nobody can easily break. That typically means they're going to need a wide variety of domain names, and it's just human nature that you create patterns in how you're going to register and use your domains. And in some ways, when you create no patterns, you also create a pattern. Right. I spent 23 years at the National Security Agency and so have a lot of experience in looking for patterns where other people are not looking for patterns, or where you don't realize that you're placing that down. And then we combine all of those things together and we have a fairly complex apparatus that is watching for domain name creation and use in these contexts.
Dave Bittner
I see. So what are your recommendations then? I mean, based on the information that you've gathered here, what should people do to protect themselves?
Dr. Renee Burton
Well, there's a couple of things. So there's always education, of course, in the sense that if your machine suddenly comes up and says you have malware, or Google or Microsoft say, you know, something's wrong with your machine: you don't. Right. In most cases these things are something you can actually back out of, or if you're suddenly redirected to a variety of places, or something seems to be too good to be true. Of course, education-wise, for our end users, we want to do that. For our security teams, we also want to be aware; most people in the security industry are not aware of TDS. It's been quite an educational process to bring us this far. And really, from a security or protection apparatus perspective, DNS is the most effective, in the sense that it has the largest application. Because every connection that you're going to need, whether that's coming from a compromised site or whether they've done the lures through Instagram or whether it's a Google ad or a Facebook ad, in the end they're going to need a domain name. And so protective DNS, whether that's provided through a commercial company or some other fashion, people can roll their own if they really want to, that is really the best way to be protected against these kind of folks, and of course, taking them down. Right, right, right, right.
Dave Bittner
You mentioned that TDS has sort of flown under the radar when it comes to security professionals. Why do you suppose that is?
Dr. Renee Burton
It's really a visibility issue, in the sense that when you work in the field, you or your product or your company has a specialty. You're there to protect people's websites, for example, or you're there to protect people's advertising, whatever your specialty is. And as a result, a lot of times when I talk to people, they're like, oh yeah, I saw a bunch of redirects for you. That probably doesn't matter, because you're not a DNS company, you're not really protecting in the domain space. You're looking for malware and it just isn't that important. But for us, since what we do is domain name intelligence, DNS intelligence, we are hyper-focused on breaking that cycle within that maze or funnel aspect of things.
Dave Bittner
Right, right. I'm just imagining, you know, someone imagining you standing on a street corner, yelling out to all your colleagues: are you not seeing this?
Dr. Renee Burton
Yes, that is what I do every day. Right, right, right.
Dave Bittner
Well, I think I have everything I need for our story here. Is there anything I missed? Anything I haven't asked you that you think it's important to share?
Dr. Renee Burton
We have seen Vextrio and some of the other major malicious ad tech, we've seen them in over 50% of our customer networks. It's extraordinarily broadly seen. I think Vextrio is something like 88%, you know, over time we've seen. And then they have insanely popular domains. So their CDNs, where they're storing their images in order to do the content delivery fast, those domains are in the top 10,000 as measured by popularity worldwide, which means they're really, really, really popular.
Dave Bittner
Our thanks to Dr. Renee Burton from Infoblox for joining us today. We were discussing their work on Vextrio, a notorious traffic distribution system involved in digital fraud. We'll have a link in the show notes. And that's Research Saturday, brought to you by N2K CyberWire. We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights through the end of August. There's a link in the show notes. Please do check it out. This episode was produced by Liz Stokes and mixed by Elliott Peltzman and Tré Hester. Our executive producer is Jennifer Eiben, Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next time.
Adam Rogers
This episode is brought to you by FX's Alien: Earth, the official podcast. Each week, host Adam Rogers is joined by guests, including the show's creator, cast and crew, in this exclusive companion podcast. They will explore story elements, deep dive into character motivations and offer an episode-by-episode behind-the-scenes breakdown of each terrifying chapter in this new series. Search FX's Alien: Earth wherever you listen to podcasts.
CyberWire Daily – Research Saturday: "Beyond the Smoke Screen"
A Deep Dive into Vextrio and the World of Malicious Ad Tech
Date: August 23, 2025
Host: Dave Bittner (N2K Networks)
Guest: Dr. Renee Burton, VP of Threat Intelligence, Infoblox
This episode explores the shadowy operations of Vextrio, a prolific Traffic Distribution System (TDS) deeply entrenched in digital fraud and malicious ad tech. Dr. Renee Burton from Infoblox joins host Dave Bittner to unravel Vextrio’s origin, its sophisticated infrastructure, the scale of its operations, and the challenges defenders face in detecting and mitigating TDS-driven campaigns. The discussion emphasizes TDS’s centrality in modern cybercrime and provides recommendations for protecting users and enterprises.
Roots in Spam and Digital Dating Industry
Vextrio’s Formal Discovery
TDS as a Black Box Maze
User Experience of a TDS Attack
Enormous Infrastructure
Operational Reach
Infoblox’s Approach
Challenges for Security Teams
On TDS Mechanism:
User Victimization:
On Detection Challenges:
On TDS Ubiquity:
For End Users:
For Security Teams:
Summary:
This episode casts light on the hidden world of Traffic Distribution Systems, especially Vextrio’s massive operations in digital fraud. Dr. Renee Burton’s insights emphasize the sophistication and scale of these adversaries, the challenges caused by their evasive infrastructure, and actionable guidance for defenders—particularly the importance of DNS-focused intelligence.
For further details and the full research paper, see the show notes associated with this episode.