Traffic Distribution Systems —often spelled just TDS— are becoming the next big thing in the world of cybercrime operations.
For the uninitiated in the lingo and terms used by security researchers, a TDS is a web application that takes incoming traffic, filters it based on various criteria, and then redirects the user to a "landing page" that can be an exploit kit, tech support scam, or website pushing a fake update.
The incoming traffic is always illicit and usually comes from two main sources —malicious ads (malvertising) that secretly swoops the user off a legitimate site to the TDS; or from hacked websites that redirect random users from the legitimate site to the TDS.
A few years ago, traffic distribution systems were nothing more than components of larger hacking utilities called exploit kits.
Older exploit kits such as Angler and Nuclear would usually include a TDS (usually referred as "gates" or "fingerprinting system") that filtered traffic before users landed on a web page where they were infected with malware via an exploit —hence the name exploit kit.
But exploit kits have been on the decline since the summer of 2016. Arrests and security improvements to modern browsers made it harder for crooks to run a fully-fledged exploit kit.
Exploit kit owners who were usually paid in "infections" saw the writing on the wall, and many abandoned ship, with multiple exploit kits closing shop since the autumn of 2016.
But as some of the larger and more profesionally-run exploit kits closed down, the malware distribution market remained thirsty for web traffic. Here is where some cybercriminals found a home by running standalone TDS-as-a-Service operations.
Nowadays, TDS systems such as EITest and Seamless are regularly detected in web-based malware distribution operations. They usually stand somewhere in the middle between a victim and a malicious site, directing traffic.
These are Crimeware-as-a-Service (CaaS) offerings, similar to legitimate services. Let's take for example BlackTDS, the newest player on the market, launched in December 2017, and detailed in a Proofpoint report released earlier this week.
BlackTDS is nothing more than a portal where cybercriminals sign up for an account. Inside, after paying the appropriate fees, they have a web panel where they can decide what type of users they want to infect based on details such as country, OS type, browser version, language settings, time of day, etc..
BlackTDS customers only have to provide the final landing spot where the TDS should redirect users, making the entire operation a point-and-click experience even for the most novice crook.
On the other hand, TDS operators have to detect and filter out security researchers, and always keep a steady stream of potential victims by adding new sources of traffic.
While TDS systems were once EK (exploit kit) components, now cybercriminals use third-party TDS systems to redirect users towards simplified exploit kits that just include the "exploitation" part. Furthermore, TDS systems are often used these days for redirecting users to phishing sites, tech support scams, and websites pushing fake app updates and fake font packs.
The biggest TDS on the market is by far EITest, a TDS system that started operating in the spring of 2017, and which got its name from its focus on filtering and redirecting only Internet Explorer (IE) users. More details about EITest were also published this week on the Malware Don't Need Coffee security blog, where experts detailed what they saw when they managed to penetrate one of the TDS platform's redirection servers.
All in all, we see a clear trend on the cybercrime landscape where TDS systems are becoming profitable and have carved a place on the market by providing services that were once part of professional EK operations.