The Traffic Distribution System (TDS) has been around for many years. It lets digital advertisers manage and direct website traffic with fine-grained control. Of late, however, TDS has also become a cybersecurity threat, because threat actors can exploit the same redirection machinery for malicious purposes.

TDS, when used legitimately, supports targeted marketing. Threat actors, on the other hand, leverage these platforms to redirect unsuspecting users to malicious websites. The malicious use of TDS is an emerging cybersecurity threat, and it makes such attacks extremely difficult for defenders to identify and prevent.

Basically, Traffic Distribution Systems are intricate tools that control exactly how and where web traffic is directed. They enable businesses to send specific users to pre-defined web pages. These pages are selected on the basis of several factors, such as device type, geographical location, operating system, and browsing behavior.

Industries such as digital advertising depend on TDS to set up ad campaigns that reach their target audience easily.

However, threat actors have found ways to exploit TDS for malicious ends. They use TDS platforms to redirect innocent users to malware-infested pages, phishing sites, or scam portals without their knowledge. This process is also known as malvertising: malicious content is injected into seemingly legitimate online advertisements, with the main goal of gaining unauthorized access to user devices.

How did it all start?

TDS, although introduced for the legitimate purpose of web traffic management, is increasingly being used for malicious purposes. That is exactly why so many digital advertising companies are gradually distancing themselves from TDS. Threat actors, on the other hand, are building sophisticated, specialized redirection tools (Prometheus TDS, Parrot TDS, 404 TDS). Such tools are openly sold on the Dark Web and on underground forums.

Avoiding TDS and eliminating it from legitimate systems completely is not a solution. Experts believe that many legitimate businesses are still reliant on TDS platforms, so it is next to impossible to shut TDS systems out entirely. Another concern is that telling malicious TDS platforms apart from legitimate ones can be quite complicated, because threat actors keep refining their techniques and adapting them to ever more sophisticated exploitation of TDS platforms.

TDS and cybercrime: how are they interconnected?

Lately, there has been a sharp spike in cyberattacks that use TDS. For example, the RansomHub campaign is getting a lot of attention. It uses SocGholish, a malware framework that penetrates users' networks and then deploys ransomware. The highly effective SocGholish operation relies on threat actors controlling multiple malicious websites.

Unsuspecting users are redirected to these fraudulent websites, which display fake software update prompts. Clicking on such a prompt unknowingly downloads malware onto the user's device. Once installed, the malware serves as the attackers' gateway for ransomware attacks.

One TDS platform that is increasingly used by threat actors is Keitaro. Although this platform is marketed as a legitimate traffic management tool, hackers use it extensively for fraudulent activities.

Why is it so hard to stop TDS attacks?

When it comes to TDS, cybersecurity experts cannot adopt a simple black-or-white approach. TDS platforms are used by both legitimate and illegitimate organizations, which is exactly why experts find it difficult to track and detect TDS-based cyber threats. Threat actors use multiple tactics to evade detection, such as:

Advanced filtering

Threat actors configure the TDS to detect whether a visitor is using a security tool such as anti-malware software or a sandbox. If they determine that a cybersecurity researcher is trying to analyze their activity, they quietly redirect the researcher to a harmless page rather than to the malicious website.

Cloaking

When a threat actor disguises malicious redirects as legitimate activity, it is known as cloaking. Threat actors insert harmless, real web pages into the redirection chain. This easily deceives automated security crawlers, so the traffic looks genuine to researchers.

Frequent domain switching

Hackers keep registering new domains and rotate them constantly, so security teams cannot pinpoint a single domain and block the operation.

Can machine learning help?

Cybersecurity experts believe that machine learning can be the ultimate means of curbing TDS abuse. The expert team at Palo Alto Networks has developed a robust, AI-backed detection system that can detect malicious TDS patterns. It does so by evaluating characteristics such as distinctive URL behaviors and extended redirection chains. Within just 30 days of deployment, this AI-based detection system identified about 200 malicious TDS domains.

Should TDS traffic be blocked once and for all?

Here’s why blocking out TDS completely is not a wise move:

Quick domain replacements

Threat actors can easily generate new domains, which makes it nearly impossible to block each and every malicious TDS instance.

False positives

It is not feasible to block all TDS traffic, as so many legitimate businesses still rely on TDS to track web traffic. Blocking TDS permanently would badly hamper normal operations for such businesses.

Legitimate use cases

Certain redirection services and URL shorteners are used for legitimate purposes. You cannot block them completely, as this would affect the businesses that depend on such tools.

Instead of imposing blanket restrictions on TDS platforms, it is more effective to implement fine-grained filtering and behavior-based detection. By carefully analyzing redirection patterns and identifying suspicious activity, security teams can target malicious TDS use while minimizing disruption to legitimate usage.
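As an added example, and not code from the original article or from Palo Alto Networks, the Python script below scores redirect chains using the kinds of behavioral features the article describes: chain length, number of distinct domains, hops to raw IP addresses, opaque tokens in query strings, HTTPS-to-HTTP downgrades, and whether the landing domain is already known (which is how rapid domain rotation, from the evasion section above, shows up to a defender). The log format, the domains, the IP address and the allowlist are all constructed for illustration; a real deployment would read proxy or web-crawler logs and use the Public Suffix List instead of the two-label domain heuristic.

```python
"""Score HTTP redirect chains for TDS-like behaviour (added example, not the article's code)."""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlparse

# Constructed sample log. Assumed format per line: "<visit_id> <http_status> <url>".
# v1 is an ordinary ad click; v2 is a multi-hop chain ending at a fake browser update page.
SAMPLE_LOG = """\
v1 302 https://ads.example-publisher.test/click?id=123
v1 302 https://track.legit-adnet.test/r?cid=123
v1 200 https://shop.example-brand.test/landing
v2 302 https://cdn.compromised-site.test/jquery.min.js
v2 302 https://go.tds-gate-1.test/?u=aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3Q
v2 302 https://go.tds-gate-2.test/?s=ab12
v2 302 http://203.0.113.7/up/
v2 200 https://browser-update-alert.test/chrome/update.html
"""

# Constructed allowlist standing in for a "domains we have seen before" database.
KNOWN_GOOD = {"example-publisher.test", "legit-adnet.test", "example-brand.test"}

# Long base64/url-safe tokens are typical of encoded campaign or victim identifiers.
OPAQUE_TOKEN = re.compile(r"^[A-Za-z0-9+/_-]{20,}={0,2}$")


def is_ip_host(host: str) -> bool:
    """True when the host is a literal IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Literal IPs are returned unchanged."""
    if is_ip_host(host):
        return host
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def parse_log(text: str) -> dict:
    """Group log lines into ordered chains keyed by visit id."""
    chains = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        visit, status, url = line.split(maxsplit=2)
        chains[visit].append((int(status), url))
    return dict(chains)


@dataclass
class ChainFeatures:
    hops: int
    distinct_domains: int
    ip_hosts: int
    opaque_tokens: int
    scheme_downgrades: int
    final_domain_known: bool


def chain_features(hops: list) -> ChainFeatures:
    """Extract behavioural features from one ordered chain of (status, url) hops."""
    parsed = [urlparse(url) for _, url in hops]
    domains = {registrable_domain(p.hostname) for p in parsed}
    ip_hosts = sum(1 for p in parsed if is_ip_host(p.hostname))
    opaque = sum(1 for p in parsed for _, value in parse_qsl(p.query)
                 if OPAQUE_TOKEN.match(value))
    downgrades = sum(1 for a, b in zip(parsed, parsed[1:])
                     if a.scheme == "https" and b.scheme == "http")
    final_known = registrable_domain(parsed[-1].hostname) in KNOWN_GOOD
    return ChainFeatures(len(parsed), len(domains), ip_hosts, opaque, downgrades, final_known)


def score_chain(f: ChainFeatures) -> int:
    """Additive risk score; the weights are illustrative, not tuned on real data."""
    score = 0
    if f.hops >= 4:
        score += 2            # extended redirection chain
    if f.distinct_domains >= 4:
        score += 2            # many unrelated domains in one chain
    score += 2 * f.ip_hosts   # hop through a bare IP instead of a hostname
    if f.opaque_tokens:
        score += 1            # encoded campaign/victim identifiers in the query
    score += f.scheme_downgrades
    if not f.final_domain_known:
        score += 1            # landing domain never seen before (fresh registration)
    return score


def classify(text: str, threshold: int = 4) -> dict:
    """Return {visit_id: 'suspicious' | 'benign'} for every chain in the log."""
    return {visit: ("suspicious" if score_chain(chain_features(chain)) >= threshold else "benign")
            for visit, chain in parse_log(text).items()}


if __name__ == "__main__":
    for visit, chain in parse_log(SAMPLE_LOG).items():
        f = chain_features(chain)
        print(visit, score_chain(f), f)
    print(classify(SAMPLE_LOG))
```

The score is deliberately additive so that an analyst can see which feature tripped a chain; in practice the thresholds would be learned from labelled traffic, and the "known domain" check would be backed by passive DNS or first-seen data rather than a static set.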

Phishing protection measures should also be integrated to safeguard users from malicious redirects and credential theft. Ultimately, vigilance is key: both individuals and businesses should use robust security tools to minimize their exposure to TDS-related threats.