A sprawling dark adtech empire has been exposed that uses fake CAPTCHAs to trick users into enabling browser push notifications, which are then used to deliver malware and scams. The network, which includes malicious traffic distribution systems (TDSs) such as VexTrio and Help TDS, has been linked to Kremlin-backed disinformation campaigns, and VexTrio itself is thought to be the oldest malicious TDS in existence.
What Happened
In November 2024, researchers at Qurium published an investigation into "Doppelganger," a disinformation network that promotes pro-Russian narratives and infiltrates Europe's media landscape by pushing fake news through a network of cloned websites. Doppelganger campaigns use specialized links that bounce the visitor's browser through a long series of domains before the fake news content is served.
Qurium found that Doppelganger relies on a sophisticated "domain cloaking" service, which allows websites to present different content to search engines compared to what regular visitors see. This technology helps the disinformation sites remain online longer than they otherwise would, while ensuring that only the targeted audience gets to view the intended content.
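The quickest way to confirm the kind of cloaking described above is to request the same URL as a search-engine crawler and as an ordinary browser and compare the two responses. The script below is an added example, not code from the article or from Qurium's investigation. It takes an injected fetcher (`fetchPage(url, userAgent)` returning `{ status, body }`) so it runs offline against a constructed stub of a cloaked site; in real use that function would wrap `fetch()` or `curl`, and the sample page bodies are constructed.

```javascript
// Added example: detect User-Agent cloaking by comparing the copy served to a
// crawler with the copy served to a browser. Not the article's or Qurium's code.
const CRAWLER_UA = 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)';
const BROWSER_UA = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0 Safari/537.36';

// Reduce an HTML body to a set of lowercase words so small differences
// (timestamps, nonces, ad slots) do not dominate the comparison.
function wordSet(html) {
  const text = html
    .replace(/<script[\s\S]*?<\/script>/gi, ' ')
    .replace(/<[^>]+>/g, ' ')
    .toLowerCase();
  return new Set(text.match(/[a-z0-9]{3,}/g) || []);
}

// Jaccard similarity of two word sets: 1 means identical vocabulary, 0 none shared.
function jaccard(a, b) {
  if (a.size === 0 && b.size === 0) return 1;
  let inter = 0;
  for (const w of a) if (b.has(w)) inter++;
  return inter / (a.size + b.size - inter);
}

// Signs that the visitor copy is a redirector rather than a real page.
function hasClientRedirect(html) {
  return /<meta[^>]+http-equiv=["']?refresh/i.test(html)
    || /location\.(href|replace)\s*[=(]/i.test(html)
    || /window\.location\s*=/i.test(html);
}

// Fetch twice with different User-Agents and compare. A page is flagged as
// cloaked when the two copies share little vocabulary, or when only the
// browser copy bounces the visitor elsewhere.
function checkCloaking(url, fetchPage, threshold = 0.5) {
  const crawler = fetchPage(url, CRAWLER_UA);
  const visitor = fetchPage(url, BROWSER_UA);
  const similarity = jaccard(wordSet(crawler.body), wordSet(visitor.body));
  const visitorRedirects = hasClientRedirect(visitor.body);
  const cloaked = similarity < threshold
    || (visitorRedirects && !hasClientRedirect(crawler.body));
  return { url, similarity: Number(similarity.toFixed(2)), visitorRedirects, cloaked };
}

// Constructed stub standing in for a cloaked site: the crawler gets a
// plausible news article, a browser gets bounced into a "dating" offer.
const ARTICLE = '<html><body><h1>City council approves new park budget</h1>'
  + '<p>The council voted on Tuesday to fund three new playgrounds and a cycle path.</p></body></html>';
const BOUNCE = '<html><body><p>Loading</p>'
  + '<script>window.location="https://example.invalid/date";</script></body></html>';

function stubCloakedSite(url, userAgent) {
  const isCrawler = /googlebot|bingbot/i.test(userAgent);
  return { status: 200, body: isCrawler ? ARTICLE : BOUNCE };
}

// Constructed honest site for comparison: same body for everyone.
function stubHonestSite() {
  return { status: 200, body: ARTICLE };
}

console.log(checkCloaking('https://example.invalid/story', stubCloakedSite));
console.log(checkCloaking('https://example.invalid/story', stubHonestSite));
```

This catches only cloaking keyed on the User-Agent header. A TDS of the kind described here may also key on the Referer, Accept-Language, the visitor's IP geolocation, or whether JavaScript actually executes, so a negative result shows that one trigger is absent, not that the page is honest.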
Qurium also discovered that Doppelganger's cloaking service promotes online dating sites and shares much of the same infrastructure with VexTrio, which is thought to be the oldest malicious TDS in existence. While TDSs are commonly used by legitimate advertising networks to manage traffic from disparate sources and track who or what is behind each click, VexTrio's TDS largely manages web traffic from victims of phishing, malware, and social engineering scams.
Background and Context
The LosPollos ad network, which incorporates elements and references from the hit HBO series "Breaking Bad," has been linked to Doppelganger's cloaking service. Affiliates who sign up with LosPollos are given JavaScript-heavy "smartlinks" that drive traffic into VexTrio's TDS, which in turn distributes the traffic among a variety of advertising partners, including dating services, sweepstakes offers, bait-and-switch mobile apps, financial scams, and malware download sites.
TacoLoco, another co-branded affiliate marketing service hosted on the same infrastructure as LosPollos, uses deceptive tactics to trick Internet users into enabling push notifications. These notifications are then used to continuously pepper the victim's device with a variety of phony virus alerts and misleading pop-up messages.
Why It Matters
The use of fake CAPTCHAs to trick users into enabling push notifications is particularly insidious because CAPTCHAs are a trusted security mechanism for telling humans from bots, so a prompt framed as a bot check gets clicked without much thought. The tell is simple: a genuine CAPTCHA never needs the browser's notification permission, so any "prove you are not a robot" page whose only action is to make you click "Allow" on a notification prompt is a lure. Once permission is granted, the site has a persistent channel to the victim's device that survives closing the tab, and the report describes it being used for phony virus alerts and misleading pop-ups that lead on to scams, fraudulent apps, and malware downloads, including information stealers.
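As an added example (not code from the article, and not TacoLoco's or LosPollos's own code), the script below turns that tell into a triage check over page source: bot-check wording combined with a call that obtains notification permission is classified as a lure, while either signal alone is not. The three sample pages and the phrase list are constructed and illustrative.

```javascript
// Added example: static triage for fake-CAPTCHA push-notification lures.
// Not the article's code and not code from the operators it names. The
// premise: a real CAPTCHA never needs the Notification API, so a page that
// pairs "prove you are human" wording with a call that obtains notification
// permission (or a push subscription) is a lure, not a bot check.

// Wording used to dress the browser's own "Allow notifications?" prompt up
// as a human check. Illustrative list, not exhaustive.
const LURE_PHRASES = [
  /not a robot/i,
  /click\s+["']?allow["']?/i,
  /press\s+["']?allow["']?/i,
  /verify\s+(that\s+)?you\s+are\s+human/i,
  /confirm\s+(that\s+)?you\s+are\s+human/i,
];

// Calls that actually obtain the permission or the push subscription.
const PUSH_CALLS = [
  /Notification\.requestPermission\s*\(/,
  /pushManager\.subscribe\s*\(/,
];

function matching(text, patterns) {
  return patterns.filter((re) => re.test(text)).map((re) => re.source);
}

// Triage one page. `html` is the raw page source including inline scripts.
// Verdicts:
//   fake-captcha-push-lure  bot-check wording AND a permission/push call
//   requests-push           asks for notifications without the disguise
//                           (many legitimate news sites do this)
//   captcha-wording-only    verification wording, no push calls (a real
//                           CAPTCHA widget or a plain form)
//   clean                   neither signal present
function triagePage(html) {
  const lure = matching(html, LURE_PHRASES);
  const push = matching(html, PUSH_CALLS);
  let verdict = 'clean';
  if (lure.length && push.length) verdict = 'fake-captcha-push-lure';
  else if (push.length) verdict = 'requests-push';
  else if (lure.length) verdict = 'captcha-wording-only';
  return { verdict, lure, push };
}

// Constructed sample: a simplified TacoLoco-style lure. Once the visitor
// clicks Allow, the origin can push "virus detected" alerts indefinitely.
const LURE_PAGE = `
<div class="robot-check">
  <img src="robot.png" alt=""> Click "Allow" to confirm that you are not a robot.
</div>
<script>
  Notification.requestPermission().then(function (perm) {
    if (perm === 'granted') location.href = '/next';  // hand off to the smartlink
  });
</script>`;

// Constructed sample: a news site asking plainly, with no bot-check dressing.
const NEWS_PAGE = `
<p>Want breaking-news alerts? Turn on notifications.</p>
<script>
  navigator.serviceWorker.register('/sw.js');
  Notification.requestPermission();
</script>`;

// Constructed sample: a genuine CAPTCHA widget never touches the Notification API.
const REAL_CAPTCHA_PAGE = `
<p>Please verify that you are human.</p>
<div class="g-recaptcha" data-sitekey="SITE_KEY_PLACEHOLDER"></div>`;

for (const [name, html] of Object.entries({ LURE_PAGE, NEWS_PAGE, REAL_CAPTCHA_PAGE })) {
  const { verdict, lure, push } = triagePage(html);
  console.log(`${name}: ${verdict}  lure=${lure.length} push=${push.length}`);
}
```

Phrase matching is deliberately the weak half of this check; operators rotate wording and serve it as images. The robust half is the API call, which the page cannot hide if it wants the permission, so in a crawler you would evaluate the page and hook `Notification.requestPermission` rather than grep for it.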
The dark adtech industry's reliance on fake CAPTCHAs also highlights the need for better moderation of affiliate traffic in online advertising: the same smartlinks that promote dating offers route visitors on to financial scams and malware download sites. Cloaking compounds the problem; as Qurium found, it helps the disinformation sites remain online longer than they otherwise would, while ensuring that only the targeted audience sees the intended content.
What Comes Next
Infoblox has released a report detailing the connections between VexTrio and Help TDS, as well as other malicious TDS operators. The report notes that an exhaustive analysis of the JavaScript code, website lures, smartlinks, and DNS patterns used by VexTrio and Help TDS linked them with at least four other TDS operators.
Renee Burton, vice president of threat intelligence at Infoblox, argues that the security industry's treatment of deceptive methods used by malicious TDSs as a kind of legally grey area is myopic. "These TDSs are a nefarious threat, because they're the ones you can connect to the delivery of things like information stealers and scams that cost consumers billions of dollars a year," she said.
Key Facts
- Doppelganger is a disinformation network that promotes pro-Russian narratives and infiltrates Europe's media landscape by pushing fake news through a network of cloned websites.
- VexTrio is thought to be the oldest malicious TDS in existence, and its infrastructure has been linked to Doppelganger's cloaking service.
- LosPollos ad network incorporates elements and references from the hit HBO series "Breaking Bad" and uses JavaScript-heavy "smartlinks" that drive traffic into VexTrio's TDS.
- TacoLoco, another co-branded affiliate marketing service hosted on the same infrastructure as LosPollos, uses deceptive tactics to trick Internet users into enabling push notifications.
- Infoblox has released a report detailing the connections between VexTrio and Help TDS, as well as other malicious TDS operators.
The exposure of this dark adtech empire highlights the need for better moderation of affiliate traffic in online advertising. For users, the practical defense is to treat any "not a robot" check that asks you to click "Allow" on a notification prompt as a lure, and to review and revoke notification permissions in the browser's site settings for any site you do not recognize.