VexTrio’s Origin Story: From Spam to Scam to Adtech


VexTrio is a sophisticated cybercriminal enterprise formed from Italian spammers and Eastern European developers, operating a vast malicious traffic distribution system that facilitates widespread digital fraud, including dating scams and cryptocurrency scams. Their affiliate advertising networks, such as Los Pollos, Taco Loco, and Adtrafico, are deeply intertwined with website hackers and use smartlinks to monetize compromised websites globally. #VexTrio #LosPollos #AdsPro #TacoLoco #Adtrafico

Key points

  • VexTrio originated from a merger between Italian spammers and Eastern European developers, establishing a large traffic distribution system (TDS) that redirects victims to various scams.
  • By 2024, nearly 40% of all compromised websites worldwide redirected traffic to VexTrio’s smartlinks and scams.
  • Affiliate advertising networks Los Pollos, Taco Loco, and Adtrafico form the core of VexTrio’s monetization, employing push notification scams and credit card fraud schemes.
  • VexTrio operates through nearly 100 intertwined companies globally, many acting as fronts or holding entities, making it difficult to trace ownership and control.
  • Los Pollos strictly vets its advertisers and publishing affiliates, yet knowingly accepts black hat traffic and affiliates linked to website hacking.
  • Adtrafico’s associated “blank credit card submit” offers enable large-scale fraudulent subscription and billing scams.
  • The group uses a combination of bulletproof hosting, leased IP ranges from a Swiss ISP in Lugano, and cloud hosting to sustain their infrastructure and evade takedowns.

MITRE Techniques

  • [T1071] Application Layer Protocol – VexTrio’s smartlinks exploit web protocols to redirect victims to fraudulent sites. (“…smartlinks are used to funnel victims from compromised websites to scams…”)
  • [T1589] Gather Victim Identity Information – The group uses stolen personal data from partner services to increase spam effectiveness. (“…their alleged theft of personal data from various partner services to fuel more spam.”)
  • [T1190] Exploit Public-Facing Application – Thousands of WordPress sites are hacked to route users through VexTrio’s TDS. (“…hundreds of sites hosted in a single WordPress provider have been hacked simultaneously to route visitors to VexTrio.”)
  • [T1098] Account Manipulation – VexTrio uses abuse reports and fake identities to manipulate and maintain their spam and ad networks. (“…using abuse reports to clean email lists, and their practice of fake identities…”)
  • [T1584] Compromise Infrastructure – Utilization of bulletproof hosting and leased IP addresses from multiple autonomous systems to maintain infrastructure resilience. (“…some of it hidden in bulletproof hosting providers and other elements in cloud providers… leasing IP addresses for multiple autonomous systems from Lugano-based ISP.”)
  • [T1406] Social Engineering – Scareware and fake CAPTCHA pages trick users into subscribing to push notifications leading to persistent scam traffic. (“…fake CAPTCHAs tricked users into accepting push notifications… creating a form of persistence.”)
  • [T1056] Input Capture – Use of interactive voice response (IVR) scams and forms to collect user information and credit card data fraudulently. (“…quiz questions… buy time for the TDS to profile the potential victim… involved credit card submission.”)

Indicators of Compromise

  • [Domain] VexTrio and associated companies’ infrastructure domains – lospollos.com, adspro.eu, adtrafico.com, tacosloco.co, holaco.de
  • [IP addresses] Hosting and mail servers related to VexTrio operations – 78.47.103.187 (hosting multiple company domains and fake apps)
  • [File names] Fake VPNs and RAM cleaner apps developed by VexTrio – FastVPN, Booster Lite RAM Cleaner
  • [Affiliate URLs] Smartlinks and push notification domains – nxt-psh.com (top 100,000 domain for push notifications)
  • [Company names] Numerous micro-companies and brands linked to VexTrio including Teknology SA, Tekka Group, AdsPro Group, Los Pollos, Taco Loco, HolaCode, Apperito
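One practical use of the indicators above is sweeping proxy or DNS logs for outbound requests to the listed domains and IP address. The following is an added example written for this summary, not code from Infoblox or from the original report; the log line format (timestamp, client, method, URL, status) and the log lines themselves are constructed for illustration. It matches hosts against the listed domains as exact or parent-domain matches (so `track.nxt-psh.com` is a hit but `notlospollos.com` is not) and against the listed IP exactly.

```python
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Indicators copied from the summary above; treat the set as illustrative, not exhaustive.
IOC_DOMAINS = {
    "lospollos.com", "adspro.eu", "adtrafico.com",
    "tacosloco.co", "holaco.de", "nxt-psh.com",
}
IOC_IPS = {ipaddress.ip_address("78.47.103.187")}

# Constructed sample proxy log (assumed format: ts client method url status).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 GET https://cdn.example.org/app.js 200
2024-05-01T10:00:02Z 10.0.0.5 GET https://track.nxt-psh.com/sub?id=1 302
2024-05-01T10:00:03Z 10.0.0.7 GET http://78.47.103.187/FastVPN.apk 200
2024-05-01T10:00:04Z 10.0.0.9 GET https://notlospollos.com/ 200
2024-05-01T10:00:05Z 10.0.0.9 GET https://LosPollos.com/offer 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d+)$"
)


@dataclass(frozen=True)
class Hit:
    ts: str
    client: str
    url: str
    indicator: str


def host_of(url: str) -> str:
    """Extract the lowercase host from a URL; empty string if none."""
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def match_host(host: str):
    """Return the matching indicator, or None.

    IP literals match IOC_IPS exactly. Domain names match when the host equals
    an IOC domain or is a subdomain of one; label-wise comparison prevents
    'notlospollos.com' from matching 'lospollos.com'.
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        return str(ip) if ip in IOC_IPS else None
    labels = host.split(".")
    # Walk from the full host up to (but excluding) the bare TLD.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


def scan_log(text: str) -> list:
    """Parse each log line and return a Hit for every request to a listed indicator."""
    hits = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        indicator = match_host(host_of(m["url"]))
        if indicator:
            hits.append(Hit(m["ts"], m["client"], m["url"], indicator))
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"{h.ts} {h.client} -> {h.indicator} ({h.url})")
```

On the constructed sample this flags three requests (the nxt-psh.com push-notification subdomain, the download from 78.47.103.187, and the mixed-case lospollos.com request) and ignores the look-alike `notlospollos.com`. Because the page notes the group leases IP space from several autonomous systems and rotates through bulletproof and cloud hosting, a single IP indicator ages quickly; the domain matches are the more durable part of a detection like this.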


Read more: https://blogs.infoblox.com/threat-intelligence/vextrios-origin-story-from-spam-to-scam-to-adtech/