R0bl0ch0n Rogue Traffic Distribution System Impacted Over 110 Million Internet Users

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer


Affiliate marketing is a practice where firms compensate associates for bringing visitors or customers to their websites. It comprises sellers, publishers (affiliates), intermediaries, and consumers.

Affiliates earn commissions through content creation, direct offer mailing lists, ad banners, and blogs.

Some affiliate networks specialize in particular areas, such as betting, cryptocurrencies, and dating sites. They are the middlemen who connect merchants and marketers and handle tracking and payment processes.

Cybersecurity researchers at Orange CyberDefense identified the R0bl0ch0n rogue traffic distribution system that impacted more than 110 million internet users.

R0bl0ch0n Rogue Traffic Distribution System

However, not every affiliate network applies the same verification procedures, so a single network can carry both legitimate offers and deceptive deals at once.


This is why genuine products and possible frauds coexist within many affiliate networks, which shows how convoluted the ecosystem is.

Lifecycle of an affiliate offer (Source – OrangeCyberDefense)

Affiliate marketing platforms like Affplus and OfferVault aggregate offers, categorizing them by verticals, geos, and networks. 

These include scams like contests (amounting to $300m in losses) and misleading home improvement deals.

Recently, Palo Alto Networks analyzed a credit card infostealing campaign where emails with URLs followed the pattern /bb/[0-9]{18}.

This campaign employs a Traffic Distribution System (TDS) dubbed R0bl0ch0n, identifiable by the “0/0/0” pattern. 

The TDS filters and redirects users on the basis of fingerprints and uses tracking parameters like affId, c1, c2, and c3, which are probably associated with Konnektive CRM.

Along the same lines, domains like chance-impression.com perform IP checks to prevent multiple visits.

During May 2024, more than 250 short-lived domains were identified, mainly hosted on Quadranet and Baxet AS servers.

This infrastructure illustrates how well coordinated the actions of affiliates, advertisers, and affiliate networks are when they organize complex fraudulent campaigns like this one.

To avoid detection, the R0bl0ch0n Traffic Distribution System (TDS) operates on a complicated, ever-changing infrastructure.

New domains are challenging to recognize because the TDS uses shared, short-lived domains protected by Cloudflare.

Since the summer of 2021, the TDS has been observed communicating with tracking domains that follow an “event.trk-” pattern, signifying a large-scale operation.
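The URL indicators mentioned above (the /bb/[0-9]{18} path, the "0/0/0" marker, the affId/c1/c2/c3 parameters and the "event.trk-" tracking hosts) can be checked against web proxy logs. The following is an added example, not code from the article or from Orange Cyberdefense; the "client url" log format, the .example hosts, and where the "0/0/0" marker and "event.trk-" prefix sit inside a URL are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Indicators named in the article; where each sits in a URL is an assumption.
BB_PATH = re.compile(r"/bb/[0-9]{18}(?![0-9])")   # email lure URL pattern
TDS_MARK = re.compile(r"(?:^|/)0/0/0(?:/|$)")     # "0/0/0" as whole path segments
TRACK_PREFIX = "event.trk-"                        # assumed to start the hostname
TRACK_PARAMS = {"affId", "c1", "c2", "c3"}         # tracking parameters

def indicators(url):
    """Return the set of article indicators matched by one URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    hits = set()
    if BB_PATH.search(parts.path):
        hits.add("bb-path")
    if TDS_MARK.search(parts.path):
        hits.add("0/0/0")
    if host.startswith(TRACK_PREFIX):
        hits.add("event.trk-host")
    if TRACK_PARAMS <= set(parse_qs(parts.query, keep_blank_values=True)):
        hits.add("tracking-params")
    return hits

def triage(log_lines):
    """Map each client to its matched indicators, from 'client url' lines."""
    report = {}
    for line in log_lines:
        fields = line.split()
        if len(fields) != 2:
            continue  # skip malformed lines instead of failing the whole run
        hits = indicators(fields[1])
        if hits:
            report.setdefault(fields[0], set()).update(hits)
    return report

# Constructed sample proxy log; hosts under .example are placeholders.
SAMPLE_LOG = [
    "10.0.0.5 https://mail-link.example/bb/123456789012345678",
    "10.0.0.5 https://hop.example/0/0/0/abcdef?affId=77&c1=a&c2=b&c3=c",
    "10.0.0.5 https://event.trk-sample.example/pixel",
    "10.0.0.9 https://shop.example/bb/1234?c1=x",
    "10.0.0.9 https://news.example/2024/0/05/story",
    "garbage-line",
]

if __name__ == "__main__":
    for client, hits in sorted(triage(SAMPLE_LOG).items()):
        print(client, sorted(hits))
```

A client that matches several indicators in sequence is a stronger signal than any single match; the tracking-parameter match is the weakest on its own, since the article ties those names to a CRM product rather than to the TDS itself.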

Complete overview of a redirection chain including TDS and tracking infrastructure (Source – OrangeCyberDefense)

More than 300 dedicated AWS IP addresses are used in this tracking infrastructure, suggesting that they are part of an affiliate network.

Based on DNS query data, almost 110 million unique users may have been targeted.

Multiple email campaigns, URL shorteners, Amazon Web Services (AWS), and Microsoft Azure cloud services are used as distribution avenues.

Because different affiliates use these tactics, the infrastructure can be changed quickly and easily, bypassing Google Safe Browsing and anti-spam filters.

The TDS also makes use of subscription subdomains indicating successful user sign-ups for advertised services.

Though the specific affiliate network remains unknown, this structure’s magnitude and complexity indicate a well-coordinated operation focused on mass scam dissemination. Besides this, researchers recommend blocking this infrastructure.
