{"id":10926,"date":"2025-01-27T08:45:40","date_gmt":"2025-01-27T16:45:40","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=10926"},"modified":"2025-01-27T08:45:22","modified_gmt":"2025-01-27T16:45:22","slug":"pushed-down-the-rabbit-hole","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/pushed-down-the-rabbit-hole\/","title":{"rendered":"Pushed Down the Rabbit Hole"},"content":{"rendered":"<p><strong>The Dangerous Combination of Compromised Websites and Malicious AdTech<\/strong><\/p>\n<p>In the security industry, we rarely tell a story from the victim\u2019s perspective. Instead, we focus on the adversarial world from a malicious actor\u2019s perspective: their tactics, techniques, and procedures (TTPs). I decided to take a turn as a victim and see what happened after <strong>visiting a compromised website<\/strong> that had been altered to integrate with malicious adtech. Adtech, or advertising technology, is the suite of software and tools that help make digital campaigns more effective. In some cases, its use is legitimate. But devious operatives and criminal organizations are also making hay with it, often by tying it to hacked websites. That integration gives threat actors a hook into the visitor\u2019s device, and I wanted to understand the impact not just in the moment, but in the days and weeks that followed.<\/p>\n<p>The results of my experiment were surprising and far-reaching. I found that visiting a website linked with malicious adtech can have a long-lasting impact on the user\u2019s experience with their device. Threat actors accomplish adtech integration through website notifications, often called <strong>push notifications<\/strong> because they are pushed to the user\u2019s device. If the attacker tricks the user into accepting notifications, deceptive messages such as fake virus alerts will pop onto the screen. 
Clicking on those pop-ups will lead to more malicious content, which in turn negatively influences the user\u2019s experience with legitimate websites and newsfeeds.<\/p>\n<p>It is easy to be exposed; there are hundreds of thousands of hacked websites on the internet and tens of thousands are newly compromised each day.<sup>1<\/sup> Integrating adtech is as simple as adding a single line of code to the site. In return the hacker will receive a share of the revenue from \u201cads\u201d delivered to the victim after they leave the page. I put ads in quotes here because these are not traditional ads as I\u2019ll demonstrate below. <\/p>\n<p>To start my experiment, I used my mom\u2019s old Google Pixel 2 phone with Chrome and Firefox browsers and began by visiting a compromised domain. The domain, <span class=\"code-format\">germannautica[.]com<\/span>, was identified by one of our detectors that tracks the threat actor VexTrio Viper. From there, I recorded what happened, creating a journal of sorts that I will share in a series of posts, beginning with this one.  <\/p>\n<p>Once I visited the compromised site and accepted notifications, I was \u201cpushed\u201d into an ecosystem that not only delivered <strong>an endless torrent of malicious content but also colored the mainstream content that was delivered to me<\/strong>. The built-in news feed and ads fed by major services like Google and Taboola were tainted by the manipulated content\u2014and in a way that seemed irrevocable. Unlike my previous experiences with \u201cclickbait\u201d on my other personal devices, I found it difficult to discern the truth of many articles without external research and the \u201cnews\u201d often mimicked the suspect content I had received from the push notifications or compromised sites. Simply by visiting an affected website, I was led into a news and advertising cycle that was driven by the threat actor, not me. I could not escape the cycle, even after clearing browser information. 
In other words, despite cleaning up the direct impact of visiting a compromised website, the distorted information stream created from advertisement tracking remained.<\/p>\n<p>I received over 100 push notifications per day from various domains, each notification leading to malicious content and often accompanied by requests to allow more push notifications. Some messages were threatening, others hopeful. The notices often forged major brands and led to interactive content. Besides disinformation and information bias, the push notifications I received led to a wide variety of scams, fake apps, and malware including:<\/p>\n<ul class=\"list-spacing\">\n<li>Antivirus fraud<\/li>\n<li>Gift card or sweepstakes fraud<\/li>\n<li>Fake surveys<\/li>\n<li>Fake crypto mining sites<\/li>\n<li>Fake apps and adware<\/li>\n<li>Malware delivery<\/li>\n<li>Disinformation and tainted experiences<\/li>\n<\/ul>\n<p>In this first entry, I\u2019m going to share how the \u201cscareware,\u201d or antivirus fraud industry, is thriving through malicious adtech, but let\u2019s start at the beginning of it all: the compromised website.<\/p>\n<h3>Getting the Push<\/h3>\n<p>When I visited  <span class=\"code-format\">germannautica[.]com<\/span> from my phone, a DNS TXT record request, which contained information about my IP address, was made to a command and control (C2) server. The C2 server returned a new domain and website that redirected me into the traffic distribution system (TDS) operated by the threat actor named <a href=\"https:\/\/www.infoblox.com\/threat-intel\/threat-actors\/vextrio\/\" target=\"_blank\"><strong>VexTrio Viper<\/strong><\/a>, whose operations we\u2019ve described in several reports and posts. All of this activity happened in the blink of an eye. 
After a few redirections, during which the TDS used information about my device and location, I ended up with <strong>a request to allow push notifications, not from the site I initially visited<\/strong>, <span class=\"code-format\">germannautica[.]com<\/span>, but from a totally different domain name. The request was accompanied by a fake robot captcha that has long been associated with VexTrio Viper. The domain hosting this captcha content can vary, as does the accompanying image the threat actor uses for the captcha, but the purpose of the page is the same: get the user to accept push notifications. Some examples of VexTrio\u2019s captcha images are shown in Figure 1.<\/p>\n<div class=\"img-container\">\n<img decoding=\"async\" src=\"\/wp-content\/uploads\/pushed-down-the-rabbit-hole-figure-1a.png\" alt=\"Figure 1\" \/><br \/>\n<img decoding=\"async\" src=\"\/wp-content\/uploads\/pushed-down-the-rabbit-hole-figure-1b.png\" alt=\"Figure 1\" \/>\n<\/div>\n<p class=\"image-caption\">Figure 1. Examples of VexTrio Viper\u2019s landing page that leads the user to accept push notifications on their device; these were both seen when browsing to <span class=\"code-format\">germannautica[.]com<\/span><\/p>\n<p>Once I accepted notifications, the VexTrio Viper TDS again redirected me based on the browser and my user characteristics. Because the TDS will direct users to different malicious content based on several of their characteristics, I accessed the same compromised site several times, simulating different devices and locations, and was taken to fake giveaways, fake dating sites, fake apps, and virus scares. 
See Figure 2 for some examples of the content delivered when visiting the altered site, <span class=\"code-format\">germannautica[.]com<\/span>.<\/p>\n<div class=\"img-container-3-col\">\n<img decoding=\"async\" src=\"\/wp-content\/uploads\/pushed-down-the-rabbit-hole-figure-2a.png\" alt=\"Figure 2\" \/><br \/>\n<img decoding=\"async\" src=\"\/wp-content\/uploads\/pushed-down-the-rabbit-hole-figure-2b.png\" alt=\"Figure 2\" \/><br \/>\n<img decoding=\"async\" src=\"\/wp-content\/uploads\/pushed-down-the-rabbit-hole-figure-2c.png\" alt=\"Figure 2\" \/>\n<\/div>\n<p class=\"image-caption\">Figure 2. Various landing pages from the VexTrio TDS in November 2024. All of these resulted from visiting the same domain <span class=\"code-format\">germannautica[.]com<\/span>. In many other cases, the actor redirects to the legitimate website.<\/p>\n<p><strong>How did all these different landing pages arise out of a single compromised domain?<\/strong> It turned out that not just one TDS was involved, but that a series of them route traffic to evade detection and maximize the likelihood of profit from the visitor. The user doesn\u2019t see most of this traffic in their browser, but it can be picked up by scanning tools like Urlscan. If you look carefully at the example redirection chain in Figure 3, you\u2019ll see mentions of \u201ctds\u201d in the URLs, variations on \u201ctrack,\u201d which are used to track the user connection, the \u201cspace-robot\u201d used for push notifications, as well as various advertising parameters. In recent months, we have discovered that many of <strong>these TDSs are not the work of hackers in hoodies; they are operated by shady adtech companies<\/strong>. 
In other words, the website hacker isn\u2019t the only bad guy in this story; but that is a tale for another day.<\/p>\n<p><img decoding=\"async\" class=\"blog-image\" style=\"width:385px\" src=\"\/wp-content\/uploads\/pushed-down-the-rabbit-hole-figure-3.png\" alt=\"Figure 3\" \/><\/p>\n<p class=\"image-caption\">Figure 3. From a single compromised domain, several redirections are made through different TDSs to determine the final landing page; the user will only see a few of these in the browser.<br \/>\nSource: <a href=\"https:\/\/urlscan.io\/result\/a72f9acb-6c10-46cd-8a88-7b7503900179\/\" target=\"_blank\"><strong>https:\/\/urlscan.io\/result\/a72f9acb-6c10-46cd-8a88-7b7503900179\/<\/strong><\/a><\/p>\n<p>Within a few seconds, my phone began buzzing with notifications like those shown in Figure 4. Clicking one of these push notifications led to yet another series of redirects as I was sent through various TDSs. I always ended up with malicious content. In addition, I was typically asked to allow notifications from new domains. <strong>Within a short period of time, I was receiving alerts from a dozen domains and was deep down the \u201crabbit hole\u201d of push notifications<\/strong>.  <\/p>\n<div class=\"img-container-3-col\">\n<img decoding=\"async\" src=\"\/wp-content\/uploads\/pushed-down-the-rabbit-hole-figure-4a.png\" alt=\"Figure 4\" \/><br \/>\n<img decoding=\"async\" src=\"\/wp-content\/uploads\/pushed-down-the-rabbit-hole-figure-4b.png\" alt=\"Figure 4\" \/><br \/>\n<img decoding=\"async\" src=\"\/wp-content\/uploads\/pushed-down-the-rabbit-hole-figure-4c.png\" alt=\"Figure 4\" \/>\n<\/div>\n<p class=\"image-caption\">Figure 4. Examples of push notifications from my phone<\/p>\n<p>Studying the redirections revealed an ecosystem of affiliated adtech companies, each delivering malicious content and all profiting from a handful of compromised domains. 
<strong>Over a 12-week period<\/strong>, I subscribed to notifications from <strong>over 150 different domains<\/strong> and received as many as <strong>130 notifications in a single day from a single domain<\/strong>. I clicked on hundreds of push notifications and captured the domains that were resolved for each one. Our research group was able to identify specific adtech companies that benefit from compromised domains and facilitate the delivery of malicious content to users via these chains and their DNS records.  <\/p>\n<p>There are many different ways that websites ask for push notifications. They might insist the users click \u201callow\u201d to continue to the site, show a fake captcha test, or give multiple pop-up windows for notifications. Most websites use an embedded piece of code or a URL that links to an adtech service to manage the notification request on their behalf. Figure 5 shows a variety of malicious requests that I received.<\/p>\n<div class=\"img-container-3-col\">\n<img decoding=\"async\" src=\"\/wp-content\/uploads\/pushed-down-the-rabbit-hole-figure-5a.png\" alt=\"Figure 5\" \/><br \/>\n<img decoding=\"async\" src=\"\/wp-content\/uploads\/pushed-down-the-rabbit-hole-figure-5b.png\" alt=\"Figure 5\" \/><br \/>\n<img decoding=\"async\" src=\"\/wp-content\/uploads\/pushed-down-the-rabbit-hole-figure-5c.png\" alt=\"Figure 5\" \/>\n<\/div>\n<p class=\"image-caption\">Figure 5. Examples of push notification requests that were seen on my Pixel phone<\/p>\n<p>Using my sacrificial phone taught me a lot about the experience of a user who has visited one of these compromised sites and fallen into the hole of push notifications. In addition to uncovering affiliate relationships our threat intel team hadn\u2019t encountered before, I experienced a few other quirks not discovered via sandboxes and scanners. 
One day the favicon for the compromised site I visited displayed as the well-known VexTrio Viper robot for about 24 hours before reverting to the default WordPress icon; see Figure 6. On another day, I received push notifications in Russian for several hours, and occasionally, I received a random notification in Italian or Spanish.<\/p>\n<div class=\"img-container\">\n<img decoding=\"async\" src=\"\/wp-content\/uploads\/pushed-down-the-rabbit-hole-figure-6a.png\" alt=\"Figure 6\" \/><br \/>\n<img decoding=\"async\" src=\"\/wp-content\/uploads\/pushed-down-the-rabbit-hole-figure-6b.png\" alt=\"Figure 6\" \/>\n<\/div>\n<p class=\"image-caption\">Figure 6. The favicon for the compromised website was temporarily shown as the VexTrio Viper robot and later reverted to a generic WordPress icon.<\/p>\n<p>Is there really such a thing as malicious adtech? Yes. While some folks will argue that all adtech is malicious, what I am talking about here is an ecosystem of companies that are enabling cybercrime. They aren\u2019t just abused; minimally they are willfully ignorant and often active participants. They purposefully established business silos in an attempt to create plausible deniability and look like legitimate corporations.  <\/p>\n<p>We just explored how adtech proliferates so successfully through hacked websites. Now let\u2019s turn our focus to how this technology plays out in a particular category of scams: scareware. <\/p>\n<h3>Scareware Runs Rampant<\/h3>\n<p>These bad adtech organizations prey heavily on a user\u2019s fear. Alerts about hacked accounts or malware are extremely common, especially for older devices like my Pixel 2. Scare tactics are not new: the Washington State Attorney General filed a lawsuit in 2008 citing the Computer Spyware Act against a Texas firm. The firm had used false warnings about Windows viruses to peddle their Registry Cleaner XP software. 
The Attorney General at the time said, \u201cWe won\u2019t tolerate the use of alarmist warnings or deceptive \u2018free scans\u2019 to trick consumers into buying software to fix a problem that doesn\u2019t even exist. &#8230; We\u2019ve repeatedly proven that Internet companies that prey on consumers\u2019 anxieties are within our reach.\u201d<sup>2<\/sup> Unfortunately, their success was short-lived, and <strong>scareware is a thriving industry<\/strong>. <\/p>\n<p>The alarming messages vary, but all have the same goal: instill enough fear in the user that they purchase an unnecessary security product. This approach is also used to convince users to install fake apps, a topic we\u2019ll cover in a later journal entry. Figure 7 contains examples of the scare tactic notifications I received on my phone. The wording and images in these messages are called \u201ccreatives\u201d and are supplied by different affiliates of the malicious adtech group. They can include fake buttons and a wide range of images, including animation.<\/p>\n<div class=\"img-container-3-col\">\n<img decoding=\"async\" src=\"\/wp-content\/uploads\/pushed-down-the-rabbit-hole-figure-7a.png\" alt=\"Figure 7\" \/><br \/>\n<img decoding=\"async\" src=\"\/wp-content\/uploads\/pushed-down-the-rabbit-hole-figure-7b.png\" alt=\"Figure 7\" \/><br \/>\n<img decoding=\"async\" src=\"\/wp-content\/uploads\/pushed-down-the-rabbit-hole-figure-7c.png\" alt=\"Figure 7\" \/>\n<\/div>\n<p class=\"image-caption\">Figure 7. Examples of antivirus messages; these notifications often have fake buttons such as &#8220;dismiss,\u201d which will not dismiss the message but open the browser with scareware<\/p>\n<p>Clicking the notification leads the user into a TDS and to a landing page that contains a fake virus scan. The user will typically be encouraged to conduct a scan which will falsely identify a number of threats on the device, often accompanied by flashing screens and audio. 
See Figure 8 for examples of scare pages that resulted from push notifications. To see how threat actors use flashing lights, alarms, and other tactics, see these videos (<a href=\"https:\/\/imgur.com\/a\/vextrio-scareware-mcafee-to-avtotal-yoXVty0\" target=\"_blank\"><strong>McAfee Scare<\/strong><\/a>, <a href=\"https:\/\/imgur.com\/a\/monetizer-pushlink-leads-to-scareware-bxPEyhB\" target=\"_blank\"><strong>Fake AV App<\/strong><\/a>, <a href=\"https:\/\/imgur.com\/a\/JMuuhT2\" target=\"_blank\"><strong>Fake AT&#038;T chat<\/strong><\/a>).<\/p>\n<div class=\"img-container-3-col\">\n<img decoding=\"async\" src=\"\/wp-content\/uploads\/pushed-down-the-rabbit-hole-figure-8a.png\" alt=\"Figure 8\" \/><br \/>\n<img decoding=\"async\" src=\"\/wp-content\/uploads\/pushed-down-the-rabbit-hole-figure-8b.png\" alt=\"Figure 8\" \/><br \/>\n<img decoding=\"async\" src=\"\/wp-content\/uploads\/pushed-down-the-rabbit-hole-figure-8c.png\" alt=\"Figure 8\" \/>\n<\/div>\n<p class=\"image-caption\">Figure 8. Examples of antivirus pages that are shown after clicking a scareware notification; these pages often have animation and require user interaction<\/p>\n<p>Between clicking on the notification and arriving at the final page, <strong>my device connected to four to eight different domains, which served to hide the malicious activity and profile the device<\/strong>. Most of these domains were not recorded in the browser history and rapidly flashed across the screen as the browser was redirected through various TDSs. Connections were also made to other domains used by actors for tracking. Those connections were invisible to me in the browser, but I was able to recreate them by using an external scanner. An example of a typical redirection chain is shown in Table 1. 
<\/p>\n<p>Domain redirection path:<\/p>\n<ul>\n<li><span class=\"code-format\">Fatdoggish[.]net -&gt;<\/span><\/li>\n<li><span class=\"code-format\">Puschme[.]net -&gt;<\/span><\/li>\n<li><span class=\"code-format\">Kbvt0wytrk[.]com -&gt;<\/span><\/li>\n<li><span class=\"code-format\">Trcksolution[.]com -&gt;<\/span><\/li>\n<li><span class=\"code-format\">Totalav.com<\/span><\/li>\n<\/ul>\n<p class=\"image-caption\">Table 1. Redirection through TDSs from a push notification to a final offer at the TotalAV website; this scan is available at <a href=\"https:\/\/urlscan.io\/result\/b15e928a-e130-402e-b911-661d65289474\" target=\"_blank\"><strong>https:\/\/urlscan.io\/result\/b15e928a-e130-402e-b911-661d65289474<\/strong><\/a><\/p>\n<p><strong>The final destination is often a real website: TotalAV, Norton, or McAfee<\/strong>. Why would malicious actors send users to these commercial sites? The answer: money! These antivirus companies offer generous <strong>affiliate programs that pay 70-90% of the revenue over the lifetime of a subscription<\/strong>. On my phone, I was repeatedly offered TotalAV subscriptions for US$1.99, but after a month, the rate went to $14.99 each month. If threat actors can draw users into a subscription, the users might not read the fine print that enters them into a high-cost recurring contract after a short trial period. Online reviews of TotalAV are filled with users who were duped into a subscription for the product and then found it difficult to cancel or were charged repeatedly by the vendor. The $1.99 soon becomes $100, and the affiliate is promised a large portion of this money.<\/p>\n<p>On my phone, almost all scares led to TotalAV products. I took the bait and paid $1.99 with a prepaid credit card and fake information. Then I immediately set about trying to unsubscribe to avoid the monthly charge and get TotalAV off of my device. It took some work, but I was able to cancel. 
TotalAV sent a few threatening emails, but neither the initial threat actor nor TotalAV withdrew more funds from my card. <\/p>\n<p>Six weeks after I canceled, I received an email from TotalAV claiming that my credit card payment had failed. <em>Well, that\u2019s good; I don\u2019t have a TotalAV subscription!<\/em>  They had retained my payment information, so whether they really tried to charge the card or just wanted to scare me into another payment, TotalAV engaged in fraudulent behavior. Over two months after canceling my subscription, I continue to get emails from TotalAV for non-payment. See the email in Figure 9.<\/p>\n<div class=\"img-container\">\n<img decoding=\"async\" src=\"\/wp-content\/uploads\/pushed-down-the-rabbit-hole-figure-9a.png\" alt=\"Figure 9\" \/><br \/>\n<img decoding=\"async\" src=\"\/wp-content\/uploads\/pushed-down-the-rabbit-hole-figure-9b.png\" alt=\"Figure 9\" \/>\n<\/div>\n<p class=\"image-caption\">Figure 9. Email from TotalAV acknowledging that my subscription was canceled and then another six weeks later claiming that my payment had failed<\/p>\n<p><strong>In some cases, the notifications lead to a fake app<\/strong>. I\u2019m going to cover fake apps in a different blog because the topic is so rich, but I&#8217;ll give a sneak peek at the kind of apps I encountered in the push notification rabbit hole. I was led to the website called AdTranquility. Although their mobile app is available on the Chrome Play store, the threat actor hoped I would subscribe directly through them. I didn\u2019t. But reviewing the app information in the Play store, it becomes clear how prevalent adtech-fueled scams have become: AdTranquility has over 500k downloads and a 4.6 review score. Sounds pretty good. But a closer look at the low ratings reveals the true nature of this software: the developers make money by bombarding the user with ads &#8230; and possibly worse. 
See Figure 10.<\/p>\n<div class=\"img-container-3-col\">\n<img decoding=\"async\" src=\"\/wp-content\/uploads\/pushed-down-the-rabbit-hole-figure-10a.png\" alt=\"Figure 10\" \/><br \/>\n<img decoding=\"async\" src=\"\/wp-content\/uploads\/pushed-down-the-rabbit-hole-figure-10b.png\" alt=\"Figure 10\" \/><br \/>\n<img decoding=\"async\" src=\"\/wp-content\/uploads\/pushed-down-the-rabbit-hole-figure-10c.png\" alt=\"Figure 10\" \/>\n<\/div>\n<p class=\"image-caption\">Figure 10. Fake AT&#038;T messages led to the AdTranquility app, which is adware software; though this app was not analyzed, we have found that fake security apps often contain malware components<\/p>\n<p>News website <strong>Ars Technica summed up scareware tactics well in 2008<\/strong> when they wrote about Registry Cleaner XP, <em>\u201cIn a best-case scenario, scareware does no harm after the consumer has been tricked into installing it. Worst case, the stuff is as full of malware, exploits, and\/or system-crashing instabilities as the problems it purports to solve. Malware exploits may give Microsoft a bad reputation in general, but scareware actually charges the user for her own infection, and that tends to make people a wee bit cranky.\u201d<\/em><sup>3<\/sup> <\/p>\n<p><strong>Using fear to drive consumers to buy unnecessary software remains highly profitable<\/strong>. All the bad players win here, and the consumers lose. Scammers get commissions, antivirus companies get subscriptions, and dodgy adtech companies get fees for orchestrating the entire thing. While this type of scam was originally driven through spam messages, it is now able to scale readily through push notifications arising from compromised websites. Wouldn\u2019t it be great if law enforcement knocked \u2018em all down?  <\/p>\n<p>In the next blog, I\u2019ll show how scammers take advantage of hope to con users.  <\/p>\n<p><em>Have you had experience with invasive pop-up notifications? 
Got some nuggets about the shady adtech industry? We\u2019d love to hear about it. Let us know on <a href=\"https:\/\/www.linkedin.com\/company\/infoblox\/\" target=\"_blank\"><strong>LinkedIn<\/strong><\/a>, <a href=\"https:\/\/mastodon.social\/@InfobloxThreatIntel@infosec.exchange\" target=\"_blank\"><strong>Mastodon<\/strong><\/a>, or email <a href=\"mailto:threatintel@infoblox.com\" target=\"_blank\"><strong>threatintel@infoblox.com<\/strong><\/a>.<\/em>   <\/p>\n<h3 style=\"font-size: 18px;\">Footnotes<\/h3>\n<ol style=\"font-size: 14px;\">\n<li><a href=\"https:\/\/www.getastra.com\/blog\/security-audit\/how-many-cyber-attacks-per-day\/\" target=\"_blank\"><strong>https:\/\/www.getastra.com\/blog\/security-audit\/how-many-cyber-attacks-per-day\/<\/strong><\/a><\/li>\n<li><a href=\"https:\/\/www.atg.wa.gov\/news\/news-releases\/fright-fight-washington-attorney-general-leading-battle-against-scareware\" target=\"_blank\"><strong>https:\/\/www.atg.wa.gov\/news\/news-releases\/fright-fight-washington-attorney-general-leading-battle-against-scareware<\/strong><\/a><\/li>\n<li><a href=\"https:\/\/arstechnica.com\/information-technology\/2008\/09\/microsoft-tries-to-put-fear-of-god-into-scareware-vendors\/\" target=\"_blank\"><strong>https:\/\/arstechnica.com\/information-technology\/2008\/09\/microsoft-tries-to-put-fear-of-god-into-scareware-vendors\/<\/strong><\/a><\/li>\n<\/ol>\n<style>\n.savy-seahorse-table {\nfont-size:14px;\nword-break: keep-all;\n}\n.savy-seahorse-table td:last-child, .savy-seahorse-table th:last-child {\npadding-right:10px;\n}\n.code-format {\n\tfont-family: 'Courier New';\n}\n.image-caption {\n    font-size: 12px;\n}\n.list-spacing li{margin-bottom:20px}\n.img-container, .img-container-3-col {\ndisplay: flex;\nflex-wrap: wrap;\njustify-content: space-between;\n}\n.img-container img {\nwidth: 49%;\nmargin-bottom: 10px;\n}\n.img-container-3-col img {\nwidth: 30%;\nmargin-bottom: 10px;\n}\n@media (max-width: 767px) {\n.img-container, 
.img-container-3-col {\ndisplay: block;\n}\n.img-container img, .img-container-3-col img {\nwidth: 100%;\n}\n}<\/p>\n<\/style>\n<p><script>\njQuery('.single h1').html('Pushed Down the <span class=\"gradient\">Rabbit Hole<\/span>');\n<\/script><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Dangerous Combination of Compromised Websites and Malicious AdTech In the security industry, we rarely tell a story from the victim\u2019s perspective. Instead, we focus on the adversarial world from a malicious actor\u2019s perspective: their tactics, techniques, and procedures (TTPs). I decided to take a turn as a victim and see what happened after visiting [&hellip;]<\/p>\n","protected":false},"author":338,"featured_media":10956,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[254,2],"tags":[1128,930,902,1146,1145,1147],"class_list":{"0":"post-10926","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threat-intelligence","8":"category-security","9":"tag-dns-threat-landscape","10":"tag-cybercrime","11":"tag-tds","12":"tag-domain-cloaking","13":"tag-compromised-domain","14":"tag-adtech","15":"entry"},"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.3 (Yoast SEO v27.3) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Malicious Adtech Ensnares Victims through Compromised Websites<\/title>\n<meta name=\"description\" content=\"The adverse impact of visiting compromised domains that integrate malicious adtech.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, 
max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/pushed-down-the-rabbit-hole\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Malicious Adtech Ensnares Victims through Compromised Websites\" \/>\n<meta property=\"og:description\" content=\"The adverse impact of visiting compromised domains that integrate malicious adtech.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/pushed-down-the-rabbit-hole\/\" \/>\n<meta property=\"og:site_name\" content=\"Infoblox Blog\" \/>\n<meta property=\"article:published_time\" content=\"2025-01-27T16:45:40+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/pushed-down-the-rabbit-hole-thumbnail.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"612\" \/>\n\t<meta property=\"og:image:height\" content=\"408\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Ren\u00e9e Burton\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:title\" content=\"Malicious Adtech Ensnares Victims through Compromised Websites\" \/>\n<meta name=\"twitter:description\" content=\"The adverse impact of visiting compromised domains that integrate malicious adtech.\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Ren\u00e9e Burton\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"18 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/pushed-down-the-rabbit-hole\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/pushed-down-the-rabbit-hole\\\/\"},\"author\":{\"name\":\"Ren\u00e9e Burton\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#\\\/schema\\\/person\\\/d18b8543afa21fac6c03151b6f31f981\"},\"headline\":\"Pushed Down the Rabbit Hole\",\"datePublished\":\"2025-01-27T16:45:40+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/pushed-down-the-rabbit-hole\\\/\"},\"wordCount\":2923,\"publisher\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/pushed-down-the-rabbit-hole\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/pushed-down-the-rabbit-hole-thumbnail.jpg\",\"keywords\":[\"DNS Threat Landscape\",\"Cybercrime\",\"TDS\",\"Domain Cloaking\",\"Compromised Domain\",\"Adtech\"],\"articleSection\":[\"Infoblox Threat Intel\",\"Security\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/pushed-down-the-rabbit-hole\\\/\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/pushed-down-the-rabbit-hole\\\/\",\"name\":\"Malicious Adtech Ensnares Victims through Compromised 
Websites\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/pushed-down-the-rabbit-hole\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/pushed-down-the-rabbit-hole\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/pushed-down-the-rabbit-hole-thumbnail.jpg\",\"datePublished\":\"2025-01-27T16:45:40+00:00\",\"description\":\"The adverse impact of visiting compromised domains that integrate malicious adtech.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/pushed-down-the-rabbit-hole\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/pushed-down-the-rabbit-hole\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/pushed-down-the-rabbit-hole\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/pushed-down-the-rabbit-hole-thumbnail.jpg\",\"contentUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/pushed-down-the-rabbit-hole-thumbnail.jpg\",\"width\":612,\"height\":408},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/pushed-down-the-rabbit-hole\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Infoblox Threat Intel\",\"item\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/category\\\/threat-intelligence\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Pushed Down the Rabbit 
Hole\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/\",\"name\":\"infoblox.com\\\/blog\\\/\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#organization\",\"name\":\"Infoblox\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/infoblox-logo-2.svg\",\"contentUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/infoblox-logo-2.svg\",\"width\":137,\"height\":30,\"caption\":\"Infoblox\"},\"image\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#\\\/schema\\\/person\\\/d18b8543afa21fac6c03151b6f31f981\",\"name\":\"Ren\u00e9e Burton\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/blogs.infoblox.com\\\/wp-content\\\/uploads\\\/avatar_user_338_1592324402-96x96.jpg\",\"url\":\"https:\\\/\\\/blogs.infoblox.com\\\/wp-content\\\/uploads\\\/avatar_user_338_1592324402-96x96.jpg\",\"contentUrl\":\"https:\\\/\\\/blogs.infoblox.com\\\/wp-content\\\/uploads\\\/avatar_user_338_1592324402-96x96.jpg\",\"caption\":\"Ren\u00e9e Burton\"},\"description\":\"Dr. Burton is the Vice President of Threat Intel for Infoblox. 
She is a subject matter expert in DNS-based threats and leads the algorithm development and research in DNS intelligence.\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/author\\\/renee-burton\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Malicious Adtech Ensnares Victims through Compromised Websites","description":"The adverse impact of visiting compromised domains that integrate malicious adtech.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/pushed-down-the-rabbit-hole\/","og_locale":"en_US","og_type":"article","og_title":"Malicious Adtech Ensnares Victims through Compromised Websites","og_description":"The adverse impact of visiting compromised domains that integrate malicious adtech.","og_url":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/pushed-down-the-rabbit-hole\/","og_site_name":"Infoblox Blog","article_published_time":"2025-01-27T16:45:40+00:00","og_image":[{"width":612,"height":408,"url":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/pushed-down-the-rabbit-hole-thumbnail.jpg","type":"image\/jpeg"}],"author":"Ren\u00e9e Burton","twitter_card":"summary_large_image","twitter_title":"Malicious Adtech Ensnares Victims through Compromised Websites","twitter_description":"The adverse impact of visiting compromised domains that integrate malicious adtech.","twitter_misc":{"Written by":"Ren\u00e9e Burton","Est. 
reading time":"18 minutes"}},"_links":{"self":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/10926","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/users\/338"}],"replies":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/comments?post=10926"}],"version-history":[{"count":13,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/10926\/revisions"}],"predecessor-version":[{"id":10971,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/10926\/revisions\/10971"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/media\/10956"}],"wp:attachment":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/media?parent=10926"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/categories?post=10926"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/tags?post=10926"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}