#tds


Confronted a #MAGA yesterday; they asked for it. They said something stupid and I said they were MAGA and they said I had #TDS, then I went off, something like this: 'This isn't any more about you hiding your ignorance behind #Trump than it is you hiding your hypocrisy behind Christ. This is about you and you alone and the people who have let you down and how you've let yourself down and let us all down. Society continues in spite of you, it always has, but it's why you've been left behind.'

An interesting traffic distribution system (TDS) we're tracking routes users to quick cash and payday loan sites that are likely scams looking to steal people's personal and financial information.

The TDS chain starts with an RDGA-generated domain following the pattern: <5 to 9 random letters>.<cfd,cyou,info,etc.>. The user is then routed to one of the actor's TDS domains dfgtrk<1 to 10>[.]com. This domain will then redirect to landing pages hosting the scammy loan/cash sites which urge users to enter PII such as name, date of birth, address, social security number, and even bank account information in order to qualify for a loan.

A lot of these sites have generic titles and SLDs mentioning cash, loans, or other financial topics, and seem to mimic legitimate financial services companies.

#dns #Infoblox #rdga #tds #InfobloxThreatIntel #threatintelligence #cybercrime #cybersecurity #infosec #scam
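The two-hop chain described in the post (an RDGA domain of 5 to 9 random letters on a cheap TLD, then a dfgtrk1.com to dfgtrk10.com TDS domain) is straightforward to hunt for in resolver logs. The following is an added example, not code from the post or from Infoblox; the log line format (`client qname qtype`) and the log contents are constructed, and the TLD list is only the three the post names.

```python
import re
from typing import Dict, List

# Patterns taken from the post: RDGA stage = 5-9 lowercase letters on
# cfd/cyou/info (extend with TLDs seen in your own telemetry); TDS stage =
# dfgtrk1.com .. dfgtrk10.com. Both are matched on the full query name.
RDGA_TLDS = ("cfd", "cyou", "info")
RDGA_RE = re.compile(r"^[a-z]{5,9}\.(" + "|".join(RDGA_TLDS) + r")$")
TDS_RE = re.compile(r"^dfgtrk(10|[1-9])\.com$")


def classify(qname: str) -> str:
    """Return 'tds', 'rdga' or 'benign' for one queried name."""
    name = qname.lower().rstrip(".")  # normalise case and trailing dot
    if TDS_RE.match(name):
        return "tds"
    if RDGA_RE.match(name):
        return "rdga"
    return "benign"


def scan_dns_log(lines: List[str]) -> Dict[str, List[str]]:
    """Group suspicious queries by client; malformed lines are skipped."""
    hits: Dict[str, List[str]] = {}
    for line in lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        client, qname = parts[0], parts[1]
        label = classify(qname)
        if label != "benign":
            hits.setdefault(client, []).append(f"{label}:{qname.lower().rstrip('.')}")
    return hits


def full_chain_clients(hits: Dict[str, List[str]]) -> List[str]:
    """Clients that touched both stages: the strongest sign of the chain."""
    return sorted(c for c, v in hits.items()
                  if any(h.startswith("rdga:") for h in v)
                  and any(h.startswith("tds:") for h in v))


# Constructed sample log: one client walks the full chain, one only hits
# the RDGA stage, one is clean, one line is malformed.
SAMPLE_LOG = [
    "10.0.0.5 qwzplfx.cfd A",
    "10.0.0.5 dfgtrk3.com. A",
    "10.0.0.7 example.com A",
    "10.0.0.9 mkqoe.cyou A",
    "garbage",
]

if __name__ == "__main__":
    print(full_chain_clients(scan_dns_log(SAMPLE_LOG)))
```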

Are Smartlinks the Charon of Adtech?

If you have been following our research on adtech, such as the VexTrio origin story published last week (blogs.infoblox.com/threat-inte), you've likely seen repeated references to Smartlinks, also known as Direct Offers.
Smartlinks may appear harmless at first glance, just as the actors intend, but much like Charon, who ferries souls into the kingdom of Hades, Smartlinks lead traffic into the TDS controlled by adtech operators. In both cases, once you are caught in the current, you have no control over your destination. And just like Charon's passengers, you may land in a place you do not desire to be.
Analogies aside, Smartlinks are an integral feature of adtech and are here to stay. To help you better understand how they work and why they matter, we've created a cheatsheet that breaks down their role and relevance.

@shadowserver helped us disrupt a prolific piece of website malware multiple times in early August. This malware uses DNS TXT records for a C2 to redirect users to scams and malware. Exclusively redirecting to VexTrio for years, it has been disrupted a few times by us and partners this past year, which each time allows us to understand the criminal enterprise a bit further.

Prior to the disruption, we analyzed over 4M DNS responses from the authoritative servers from several partners covering a short window of traffic.

The diagram below shows how the server is likely to redirect website visitors based on their geo and device type, which are encoded in the query. Connections to Strela Stealer in June. We are in the process of writing up research around how this all connects to the MikroTik router botnet we published early this year.

In mid-June, the C2 server domain had a global popularity level on Tranco of about 80k - pretty high for a niche domain.

What happened after Shadowserver sinkholed the C2 domain? We saw nearly 30k sites reach out to the sinkhole in a 48 hour period. Lots of bot activity -- these queries only come from compromised websites and there were nearly 37M unique queries in that time!

Of course the threat actors adjust; that is part of the game. But we learnt a lot in the process.

Diagram also shows how several of the TDS are related to each other in these flows.

Part three of our VexTrio full monty is now available. This one is for the geeks but also a pretty short read... especially given the previous two parts!

Major takeaways are:
* these networks receive a ton of traffic. The primary image server for VexTrio TDS has long been in the top 10k popular domains globally -- we've been pushing hard and it is down around 11k now.
* they use a few different cloakers / trackers. we talk about IMKLO, binom, and Keitaro.
* they run a pretty modern devops stack with all the tech you would expect.

#dns #vextrio #threatintel #scam #malware #phishing #tds #cybercrime #cybersecurity #infosec #infoblox

blogs.infoblox.com/threat-inte

Infoblox Blog · The Hidden Infrastructure Behind VexTrio's TDS: VexTrio's traffic distribution system (TDS) processes billions of transactions daily, powering digital fraud on a global scale. Here's how we unraveled it.