Traffic Distribution Systems (TDS) have emerged as critical tools for both legitimate and malicious purposes, serving as sophisticated redirection networks that manage traffic flow across multiple endpoints.
While businesses use TDS to optimize marketing campaigns and improve service reliability, cybercriminals exploit this infrastructure to orchestrate phishing attacks, malvertising campaigns, and illicit services.
These systems obfuscate malicious activities by redirecting victims through complex chains of intermediate domains, making detection and mitigation challenging.
Characteristics of Malicious TDS
Malicious TDS traffic exhibits distinct topological features compared to benign TDS networks.
These include longer redirection chains, a higher number of unique URLs, and greater connectivity among nodes.
For instance, approximately 25% of malicious TDS activity involves redirection chains exceeding four hops, compared to only 10% in benign traffic.
Such extended chains help attackers obscure their final landing pages using intermediate cloaking nodes.

Additionally, malicious TDS networks often feature interconnected URLs within fewer isolated subgraphs, enhancing their resilience against takedown efforts.
Attackers leverage these systems for various purposes:
- Resilience: Malicious TDS infrastructure can swiftly adapt by changing entry points or landing pages when blocked.
- Obfuscation: Random redirections to legitimate websites allow these systems to evade automated detection tools.
- Monetization: Dynamic redirection logic enables attackers to sell traffic or host shady advertisements for financial gain.
Case Studies in Malicious TDS Exploitation
Phishing attackers frequently use TDS infrastructure to deliver fraudulent content.
For example, a campaign mimicking cryptocurrency airdrop services used squatting domains such as dapparadar[.]app and dappadar[.]bio.
Victims were redirected through multiple domains before landing on phishing pages designed to steal credentials.
Malvertising campaigns exploit TDS to redirect visitors from entry websites to shady advertising pages offering fake rewards or loans.

In one instance, visitors were directed through domains like vkmarketing2[.]com before landing on deceptive ad pages promoting gift cards or financial services.
TDS infrastructure also supports darknet operations such as gambling and adult content services.
A campaign utilizing domain generation algorithm (DGA)-based .lol domains demonstrated how attackers create resilient networks capable of evading takedowns by rapidly deploying new domains.
To conceal malicious activities, attackers use TDS systems to occasionally redirect victims to legitimate websites like Google Play or Yahoo.
According to the Palo Alto Networks report, this tactic misleads automated crawlers into categorizing the network as benign while phishing content is still delivered through the other pathways.
To combat malicious TDS activity, researchers have developed machine learning (ML) models that analyze topological and threat-related features of redirection graphs.
By extracting 20 key indicators such as redirection chain length and URL connectivity, these models achieve a detection precision of 93% with a false positive rate of just 0.4%.
Advanced DNS Security and URL Filtering services apply these models to continuously monitor network traffic for malicious indicators, offering robust protection against emerging threats.
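The topological indicators described above (redirection chain length, number of unique URLs, connectivity between nodes, number of isolated subgraphs, and the share of chains that cloak by landing on a legitimate site) can be computed directly from observed redirect chains. The following is an added example, not code from the report or from Palo Alto Networks: it builds a redirection graph from a small set of constructed chains and returns the kind of feature dictionary a classifier such as the one described would consume. The hostnames, the allowlist, the feature names and the four-hop threshold are all assumptions for illustration, not the report's 20 indicators.

```python
"""Topological feature extraction for redirection chains (added example).

Sample data is constructed; feature names are illustrative assumptions
and do not reproduce the indicator set used in the report's ML model.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample: each chain lists the hosts one visit passed through,
# entry point first, landing page last. All hostnames are placeholders.
SAMPLE_CHAINS: List[List[str]] = [
    ["entry-a.example", "tds1.example", "tds2.example", "tds3.example", "land-phish.example"],
    ["entry-b.example", "tds1.example", "tds2.example", "tds3.example", "tds4.example", "land-phish.example"],
    ["entry-a.example", "tds1.example", "play.google.com"],   # cloaking hop to a legitimate site
    ["entry-c.example", "tds2.example", "tds3.example", "land-ads.example"],
    ["entry-d.example", "tds1.example", "yahoo.com"],         # cloaking hop to a legitimate site
    ["entry-e.example", "solo-land.example"],                 # isolated one-hop chain
]

# Constructed allowlist of well-known legitimate landing hosts (assumption).
KNOWN_BENIGN: Set[str] = {"play.google.com", "yahoo.com"}


def build_graph(chains: Iterable[List[str]]) -> Tuple[Set[str], Set[Tuple[str, str]]]:
    """Return (nodes, directed edges) for the union of all chains; repeated hops collapse."""
    nodes: Set[str] = set()
    edges: Set[Tuple[str, str]] = set()
    for chain in chains:
        nodes.update(chain)
        for src, dst in zip(chain, chain[1:]):
            edges.add((src, dst))
    return nodes, edges


def count_components(nodes: Set[str], edges: Set[Tuple[str, str]]) -> int:
    """Number of weakly connected components (union-find, edge direction ignored)."""
    parent = {n: n for n in nodes}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    for a, b in edges:
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[ra] = rb
    return len({find(n) for n in nodes})


def extract_features(chains: Iterable[List[str]], benign_hosts: Set[str],
                     long_chain_hops: int = 4) -> Dict[str, float]:
    """Feature dict describing a set of redirection chains; empty input yields {}."""
    chains = [c for c in chains if c]          # drop empty records defensively
    if not chains:
        return {}
    nodes, edges = build_graph(chains)
    hops = [len(c) - 1 for c in chains]        # a chain of N hosts has N-1 redirects
    # Hosts that appear in more than one chain indicate shared TDS hubs.
    membership = defaultdict(set)
    for idx, chain in enumerate(chains):
        for host in chain:
            membership[host].add(idx)
    shared = sum(1 for owners in membership.values() if len(owners) > 1)
    return {
        "n_chains": len(chains),
        "mean_hops": sum(hops) / len(hops),
        "max_hops": max(hops),
        # share of chains longer than the threshold (the report's "exceeding four hops")
        "frac_long_chains": sum(h > long_chain_hops for h in hops) / len(hops),
        "n_unique_urls": len(nodes),
        "n_edges": len(edges),
        "edge_node_ratio": len(edges) / len(nodes),   # higher means denser connectivity
        "frac_shared_nodes": shared / len(nodes),
        "n_components": count_components(nodes, edges),  # fewer isolated subgraphs is suspicious
        # chains that end on a known-benign site inside an otherwise suspicious graph
        "frac_benign_landing": sum(c[-1] in benign_hosts for c in chains) / len(chains),
    }


if __name__ == "__main__":
    for name, value in extract_features(SAMPLE_CHAINS, KNOWN_BENIGN).items():
        print(f"{name:>20}: {value:.3f}" if isinstance(value, float) else f"{name:>20}: {value}")
```

On the constructed sample, the six chains collapse into 14 hosts, 13 distinct edges and two components, with one chain exceeding four hops and two chains landing on allowlisted sites; a single host (tds1.example) sits on four of the six chains, which is the hub structure the report associates with malicious TDS. A real deployment would compute these features per cluster of related chains and feed them, together with threat-intelligence features, into the classifier.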