Recent Breaches
Breaches
2026PowerSchool62.4M stolen62.4M records stolen2026DISA Global Solutions3.3M stolen3.3M records stolen2026Globe Life850K stolen850K records stolen2026HertzUndisclosed stolenUndisclosed records stolen2026NHS ScotlandUndisclosed stolenUndisclosed records stolen2025Marks & Spencer9.4M stolen9.4M records stolen2025PayPal35K stolen35K records stolen2025Co-operative GroupUndisclosed stolenUndisclosed records stolen2025Jaguar Land RoverUndisclosed stolenUndisclosed records stolen2024National Public Data2.9B stolen2.9B records stolen2026HertzUndisclosed stolenUndisclosed records stolen2026NHS ScotlandUndisclosed stolenUndisclosed records stolen2025Marks & Spencer9.4M stolen9.4M records stolen2025PayPal35K stolen35K records stolen2025Co-operative GroupUndisclosed stolenUndisclosed records stolen2025Jaguar Land RoverUndisclosed stolenUndisclosed records stolen2024National Public Data2.9B stolen2.9B records stolen2026PowerSchool62.4M stolen62.4M records stolen2026DISA Global Solutions3.3M stolen3.3M records stolen2026Globe Life850K stolen850K records stolen
View All →
Breaking NewsUpdated as information becomes available
Back to Knowledge Vault
Breach AnalysisBreaking10 July 20265 min read

FBI Warns of Malicious TDS Attacks Bypassing Firewalls

FBI PSA I-061826-PSA warns of cyber criminals using Traffic Distribution Systems to deliver ransomware. Mark Fermor on the offline defence.

Mark Fermor

Mark Fermor

Director & Co-Founder, Firevault

Share
Empty modern data centre corridor at night with magenta accent lighting on server cabinet edges

The Federal Bureau of Investigation (FBI) has released a Public Service Announcement detailing a sophisticated threat where cyber criminals use malicious Traffic Distribution Systems (TDSs) to bypass traditional security measures. The alert, I-061826-PSA published on 18 June 2026, warns that these systems are being used to redirect unsuspecting users to fraudulent websites, leading to ransomware infections and significant financial fraud. As organisations fortify their digital perimeters, attackers are continuously evolving their methods to find new vulnerabilities, making robust data protection strategies more critical than ever.

What The FBI Warned

According to the FBI’s Internet Crime Complaint Centre (IC3), criminals are leveraging TDSs as a core component in their attack chain. A TDS is a technology designed to route internet visitors to different destinations based on a range of factors after they click on a link, advertisement, or download. Whilst these have legitimate uses in marketing and content delivery, their power is being abused for nefarious ends.

The FBI has identified that attackers are compromising legitimate websites, often through weak passwords or outdated plugins, and injecting code that sends visitors to a malicious TDS. Other initial attack vectors include Search Engine Optimisation (SEO) poisoning, where criminals create malicious pages that rank highly in search results, and classic phishing emails with deceptive links. Once a user clicks a compromised link, they are silently handed off to the TDS, which then begins a process of evaluation before sending them to a final, malicious destination. The ultimate goal is to deploy a harmful payload, such as ransomware, or to trick the user into divulging sensitive financial information.

How A Malicious TDS Works

A malicious TDS acts as an intelligent, clandestine gatekeeper. Instead of a direct link from a legitimate site to a malicious one, the user is passed through a chain of intermediate nodes. This complex path helps to hide the final destination and can make it difficult for network security tools to trace the connection back to its source.

The true danger of a TDS lies in its filtering capabilities. The system can inspect a visitor based on their IP address, geographical location, operating system, browser type, and even device. Using these filters, the TDS can specifically target victims it deems valuable, whilst redirecting anyone who appears to be a security researcher or an automated analysis tool to a harmless website. This built-in evasion makes the malicious activity incredibly difficult to detect and analyse.

If a user is identified as a suitable target, the TDS forwards them to the final payload. This could be a convincing phishing page designed to look like a legitimate bank or email login, a website that triggers a drive-by malware download, or a page promoting a financial scam. In some cases, the attackers do not deploy the payload themselves; instead, they sell the verified network access to other criminal enterprises, including notorious ransomware groups.

Why Network Defences Are Not Enough

The FBI has provided clear advice for businesses to help defend against these threats. Their recommendations include changing default file associations for JavaScript files, monitoring script execution processes like wscript.exe that invoke web requests, auditing content management system (CMS) and hosting accounts for unauthorised changes, and enforcing strong, unique passwords. Furthermore, they advise keeping all CMS platforms and plugins patched and providing user training on phishing awareness.

However, as Firevault security commentator Mark Fermor explains, these measures cannot be considered foolproof. "The FBI advice is excellent security hygiene, but we must acknowledge the reality that malicious TDSs are engineered specifically to defeat the network-based defences many organisations rely on," states Fermor. "Firewalls, Web Application Firewalls, and even advanced Endpoint Detection and Response (EDR) tools can be bypassed. The TDS is designed to test the incoming connection and, if it detects the signature of a security sandbox or a corporate proxy, it will simply serve benign content. The attacker can wait for the perfect moment to strike a vulnerable, unfiltered user."

The Offline Alternative

"Endpoint and network security provide essential, valuable layers of defence, but they are permeable layers," Fermor continues. "When a sophisticated attack like this succeeds and an endpoint is compromised, the question is no longer about prevention but about recovery. If ransomware gets a foothold in your network, it will attempt to encrypt everything it can reach, including your local and network-attached backups."

This is where an offline data storage strategy becomes paramount. Mark Fermor emphasises that data which is not physically connected to the network cannot be attacked. "A TDS-delivered payload cannot traverse a physical air gap. Ransomware cannot encrypt a storage device that is sitting on a shelf, completely disconnected from the compromised server. Firevault provides this critical Layer 1 physical air gap, ensuring that even if the worst happens and your live network is breached, your most valuable data backups and archives remain completely untouched and available for a full recovery. It is the ultimate failsafe in an era of increasingly evasive digital threats."

Key Takeaways

  • FBI Alert: Cyber criminals are actively using malicious Traffic Distribution Systems to redirect users, bypass security, and deploy ransomware or financial scams.
  • Complex Evasion: These systems use sophisticated filtering based on user location, device, and software to target victims while actively hiding from security researchers.
  • Attack Vectors: Initial infection occurs through SEO poisoning, phishing emails, or legitimate websites compromised with malicious redirects.
  • Network Defences Can Fail: As Mark Fermor highlights, TDSs are designed to probe for and evade firewalls and other security tools, making detection and prevention extremely challenging.
  • The Air Gap Solution: A physical air gap, as provided by Firevault’s offline storage, is the only method that guarantees data is immune to network-based attacks like ransomware delivered via a TDS.
  • Proactive Measures: Businesses should still implement the FBI's recommended security hygiene, including patching, password management, and user training, as part of a defence-in-depth strategy.

About the author

Mark Fermor

Mark Fermor

Director & Co-Founder

Co-founder of Firevault, focused on offline secure storage and protecting individuals and businesses from fraud, fines, loss and damage. Speaker, owner and advisor.

Share this article

Breaking News
Breach Analysis10 July 20265 min read

FBI Warns of Malicious TDS Attacks Bypassing Firewalls

FBI PSA I-061826-PSA warns of cyber criminals using Traffic Distribution Systems to deliver ransomware. Mark Fermor on the offline defence.

FBI Warns of Malicious TDS Attacks Bypassing Firewalls
Mark Fermor
Published by Mark Fermor, Director & Co-Founder