NABIL.ORG
Security - August 6, 2025

Unmasking VexTrio: How an Organized Crime Group Operates a Global Scam Network Through Malware and Fake Alerts

At the Black Hat conference in Las Vegas this week, researchers from Infoblox, a leading threat intelligence firm, presented evidence of an organized crime group known as VexTrio operating a traffic distribution system (TDS). This system distributes malware, false alerts, and prompts unsuspecting users to download fraudulent applications.

Ahead of the event, I spoke with one of Infoblox’s researchers, Dr. Renee Burton, about identifying malicious online advertising during browsing sessions and avoiding it.

“Mainstream antivirus solutions such as Windows Defender, Microsoft, or Google won’t suddenly hijack your screen,” said Dr. Burton. So if you encounter such alerts, be vigilant.

Let’s delve into how VexTrio scams operate and how to stay secure online.

For a brief mental exercise, imagine a hacker. When you think of the term “hacker,” what visuals come to mind? Google’s top image search results suggest a faceless figure cloaked in shadow, dressed in a gray hoodie—a picture reminiscent of the TV series Mr. Robot. Infoblox researchers speculate that VexTrio may have remained undetected due to their assumed image as a small-time group of “hackers.”

Based on research from Infoblox, VexTrio operates out of Russia and manages several companies in the adtech industry. “This is an organized criminal effort primarily driven by Russians aiming to control global cyberspace,” said Dr. Burton.

Modern-day hackers are not confined to wearing Guy Fawkes masks or donning dark hoodies, as portrayed in popular culture. Instead, they often blend into society and maintain a low profile. High-profile cybercriminals lead sophisticated organizations and prefer to hide behind designer sunglasses rather than masks.

Changing the public’s perception of a hacker could be instrumental in combating cybercrime. VexTrio has been active for over a decade, distributing malware and scams across various services to unsuspecting victims. When possible, Infoblox researchers collaborate with law enforcement agencies and government entities to share their findings. However, the onus is on these organizations to safeguard users as best they can.

VexTrio leverages the help of freelance cybercriminals to exploit backend vulnerabilities in major websites. According to Dr. Burton, “They maintain partnerships and financial relationships with website hackers. So when you visit that site [the malicious TDS operator] will perform a quick browser fingerprinting analysis on your device.”

A traffic distribution system (TDS) operates by analyzing your online behavior and device information during the fingerprinting process, creating a user profile based on this data. Depending on your profile, the TDS either allows you to view the intended content or redirects you to a link, alert, or scam website delivering malware, promoting fake apps, or attempting to install scareware.
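From the network side, the routing described above shows up as a visitor being bounced through several unrelated hosts before landing on the scam page. The following script is an added example, not code from the article or from Infoblox: it reconstructs per-client redirect chains from proxy log lines and flags chains that cross an unusually high number of distinct hosts. The log format, all hostnames and the three-host threshold are constructed for illustration, not published indicators.

```python
"""Reconstruct HTTP redirect chains from proxy log lines and flag long ones.

Added example, not from the article or from Infoblox. The log format
(timestamp, client IP, requested URL, status, Location header) and every
entry below are constructed for illustration.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample: client 10.0.0.5 opens an article on a compromised blog
# and is bounced through two intermediate hosts to a fake-alert page;
# client 10.0.0.7 gets one ordinary same-site redirect.
SAMPLE_LOG = """\
2025-08-06T10:00:01Z 10.0.0.5 http://blog.example/article 302 https://tds-a.example/route?id=1
2025-08-06T10:00:01Z 10.0.0.5 https://tds-a.example/route?id=1 302 https://tds-b.example/go
2025-08-06T10:00:02Z 10.0.0.5 https://tds-b.example/go 302 https://alert-scan.example/warning.html
2025-08-06T10:00:02Z 10.0.0.5 https://alert-scan.example/warning.html 200 -
2025-08-06T10:00:05Z 10.0.0.7 http://shop.example/old 301 https://shop.example/new
2025-08-06T10:00:05Z 10.0.0.7 https://shop.example/new 200 -
"""


def parse_log(text):
    """Yield (client, url, status, location); '-' means no Location header."""
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, client, url, status, location = line.split()
        yield client, url, int(status), (None if location == "-" else location)


def build_chains(entries):
    """Follow Location headers per client to rebuild redirect chains.

    Returns {client: [chain, ...]} where each chain is a list of URLs from
    the first request to the final non-redirect response.
    """
    hops = {}                     # (client, url) -> redirect target
    starts = defaultdict(list)    # client -> every URL it requested
    redirected_to = set()         # (client, url) pairs reached via a redirect
    for client, url, status, location in entries:
        if 300 <= status < 400 and location:
            hops[(client, url)] = location
            redirected_to.add((client, location))
        starts[client].append(url)

    chains = defaultdict(list)
    for client, urls in starts.items():
        for url in dict.fromkeys(urls):          # de-duplicate, keep order
            if (client, url) in redirected_to:
                continue                         # not the head of a chain
            chain, seen = [url], {url}
            while (client, chain[-1]) in hops:
                nxt = hops[(client, chain[-1])]
                if nxt in seen:                  # guard against redirect loops
                    break
                chain.append(nxt)
                seen.add(nxt)
            if len(chain) > 1:
                chains[client].append(chain)
    return dict(chains)


def distinct_hosts(chain):
    return {urlparse(u).hostname for u in chain}


def suspicious_chains(chains, min_hosts=3):
    """Flag chains spanning at least `min_hosts` distinct hosts.

    One cross-site redirect is normal (login, CDN, URL shortener); a hop
    through several unrelated hosts is the shape a TDS produces when it
    routes a visitor from the compromised page to a scam landing page.
    The threshold is a tuning choice for this example, not a published rule.
    """
    flagged = []
    for client, client_chains in chains.items():
        for chain in client_chains:
            hosts = distinct_hosts(chain)
            if len(hosts) >= min_hosts:
                flagged.append((client, chain[0], chain[-1], len(hosts)))
    return flagged


if __name__ == "__main__":
    for client, first, last, n in suspicious_chains(build_chains(parse_log(SAMPLE_LOG))):
        print(f"{client}: {first} -> ... -> {last} ({n} hosts)")
```

Real proxy logs rarely carry the Location header in one line; the same reconstruction works if the chain is stitched from consecutive requests by the same client within a short time window, but the Location-based join is the less ambiguous signal when it is available.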

You’ve likely encountered malicious ads while browsing if you’ve ever experienced a pop-up notification urging you to obtain a VPN immediately or suggesting a virus scan.

Dr. Burton noted that selling fake cybersecurity and privacy apps, known as scareware, is a significant source of revenue for the group. “They delve deep into that industry,” she said.

Additionally, VexTrio employs fake captchas to gain access to your browser data. “They may display a false captcha to prompt you to allow them to send you browser notifications,” Dr. Burton explained.

To avoid malicious alerts and ads, ignore them. Dr. Burton suggested developing the habit of disabling notifications for apps or websites while browsing.

“Once you click ‘Allow,’ you’ve now opted in and will be bombarded with advertising, but it’s misinformation. Everything is a scam,” said Dr. Burton. “As long as you don’t allow anything, you’ll be safe. When all else fails, restart your system.”
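Once "Allow" has been clicked, the grant persists in the browser profile, so it is worth auditing which origins currently hold it. The following script is an added example, not code from the article or from Infoblox. It assumes the layout of Chrome's per-profile `Preferences` JSON file, where `profile.content_settings.exceptions.notifications` maps a pattern such as `https://example.com:443,*` to `{"setting": 1}` for allow and `{"setting": 2}` for block; verify that against your own profile before relying on it. The sample document and the origins in it are constructed.

```python
"""List and revoke per-site notification grants in a Chrome Preferences file.

Added example, not from the article or from Infoblox. Assumed layout (check
against your own profile): profile.content_settings.exceptions.notifications
maps "https://origin:port,*" -> {"setting": 1 (allow) | 2 (block), ...}.
The sample document below is constructed, not a real profile.
"""
import json
from pathlib import Path

ALLOW, BLOCK = 1, 2

# Constructed stand-in for a Chrome Preferences file (other keys omitted).
SAMPLE_PREFERENCES = json.dumps({
    "profile": {
        "content_settings": {
            "exceptions": {
                "notifications": {
                    "https://mail.example:443,*": {"setting": ALLOW},
                    "https://free-virus-scan.example:443,*": {"setting": ALLOW},
                    "https://news.example:443,*": {"setting": BLOCK},
                }
            }
        }
    }
})


def notification_grants(prefs_json):
    """Return sorted (origin, setting) pairs for every notification exception."""
    prefs = json.loads(prefs_json)
    exceptions = (prefs.get("profile", {})
                       .get("content_settings", {})
                       .get("exceptions", {})
                       .get("notifications", {}))
    grants = []
    for pattern, entry in exceptions.items():
        origin = pattern.split(",", 1)[0]      # drop the ",*" embedder part
        grants.append((origin, entry.get("setting")))
    return sorted(grants)


def allowed_origins(prefs_json):
    """Origins currently permitted to push notifications."""
    return [o for o, setting in notification_grants(prefs_json) if setting == ALLOW]


def revoke(prefs_json, origins):
    """Return a new Preferences document with the grants for `origins` removed.

    Deleting the exception returns the site to the default "ask" state.
    Chrome must be fully closed before its Preferences file is rewritten,
    otherwise it overwrites the edit on exit.
    """
    prefs = json.loads(prefs_json)
    exceptions = prefs["profile"]["content_settings"]["exceptions"]["notifications"]
    for pattern in list(exceptions):
        if pattern.split(",", 1)[0] in origins:
            del exceptions[pattern]
    return json.dumps(prefs)


def default_preferences_path():
    """Default-profile location on Linux; other OSes and profiles differ."""
    return Path.home() / ".config" / "google-chrome" / "Default" / "Preferences"


if __name__ == "__main__":
    # Audit the constructed sample; swap in default_preferences_path().read_text()
    # to audit a real (closed) profile.
    for origin in allowed_origins(SAMPLE_PREFERENCES):
        print("notifications allowed:", origin)
```

The same audit is available interactively at `chrome://settings/content/notifications`; the script version is useful when checking many profiles or machines, which is where a fake-captcha grant is easy to overlook.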

In addition to ignoring alerts on websites, stay vigilant while browsing due to VexTrio’s involvement in numerous illicit activities.

Dr. Burton revealed that VexTrio also owns a multitude of fraudulent apps, downloaded millions of times, that pose as dating apps, VPNs, machine cleaners, and ad blockers. If prompted to download a new VPN or ad blocker, perform a quick search on reliable sites before installing the application on your device.

Once fraudulent applications are installed on your device, removing them can be challenging. If you suspect you’ve recently downloaded scareware, consult our list of top malware removal services for assistance.

Dr. Burton described this scenario as a modernized version of the old tech support scam, in which an alert appears on your screen, warning you to contact Microsoft or Apple support due to malware infecting your device. To avoid falling victim to this scam, dismiss the pop-up window, close the browser window, and refrain from engaging further.

“Just calm down. Do not call that phone number. The FBI would probably appreciate a call to that phone number, but you don’t call the phone number,” Dr. Burton advises her friends and family who often contact her after receiving such alerts.

The global online romance scam market is incredibly profitable, with VexTrio being among those cashing in. “They generate substantial income from the dating world,” said Dr. Burton.

Infoblox’s research suggests that crime groups based in different countries employ various tactics when scamming people seeking romantic connections online. For instance, last year, Infoblox uncovered a network of China-based criminal organizations operating online gambling platforms. The scammers, who may be victims of human trafficking or extortion themselves, use romance baiting tactics to ensnare victims on these platforms. These attacks are often targeted and result in substantial financial gains for the perpetrators.

Dr. Burton explained that Russian groups like VexTrio operate differently. “They opt for high volume, low cost strategies. They can automate the process without needing a long-term investment.”

If you suspect that you are communicating with a romance scam artist, cease all communication, do not click on any links they send you, and report the interactions to IC3, which forwards these reports to law enforcement agencies like the FBI. Reporting scams is the most effective way to seek justice in such cases.