On June 18, 2026, the FBI’s Internet Crime Complaint Center published a Public Service Announcement about criminal abuse of Traffic Distribution Systems.
The warning matters to small businesses because these attacks do not always begin with an obviously malicious website. A person may click a search result, online advertisement, email link, compromised website, or fake software download that looks normal. Behind the scenes, a Traffic Distribution System can inspect the visitor and decide what to show them.
One visitor may see an ordinary page. Another may be sent to a fake login screen, financial scam, malicious download, or ransomware delivery site.
That selective behavior makes the attack harder to reproduce, report, and block.
What is a Traffic Distribution System?
A Traffic Distribution System, commonly called a TDS, is technology that receives web traffic and routes each visitor to a destination based on rules.
The technology itself is not inherently malicious. Advertising platforms, affiliate networks, content delivery services, and website operators can use routing systems for legitimate purposes.
Criminals abuse the same concept to hide malicious activity.
According to the FBI advisory, a malicious TDS may collect information such as:
- IP address
- Approximate location
- Operating system
- Device type
- Browser type and version
The system can then decide whether the visitor looks useful to the attacker.
For example, it might send security researchers, automated scanners, or visitors outside a target region to a harmless page. A person using a Windows computer from a business network in the desired location might receive a fake Microsoft 365 login page or a malicious script instead.
This is one reason reputation-based blocking alone may not be enough. The first site or redirect may have no known malicious reputation, and the final destination can change with the person, device, location, or time of day.
How a small MSP could fall victim
Imagine a technician at a small managed service provider searching for an installer, remote-support utility, printer driver, or troubleshooting tool.
The technician clicks a promoted search result that appears to point to a familiar vendor. The first page looks harmless, but it passes the browser through a TDS. The system recognizes a Windows device, a business IP address, and a browser profile that matches the attacker’s target.
The technician is then offered a convincing fake installer or update.
If that device has access to remote monitoring and management tools, password vaults, customer documentation, or privileged client accounts, one compromised workstation can create a much larger problem. The MSP’s trusted access may become the attacker’s path into multiple customer environments.
MSPs should treat software downloads, administrative browsing, and RMM access as high-risk activities. Separate administrative accounts, phishing-resistant multi-factor authentication, application controls, endpoint monitoring, and limited customer access can reduce the blast radius.
How a website builder could become part of the attack
A freelance website builder or small agency may manage dozens of WordPress sites, hosting accounts, plugins, themes, and domain records.
An attacker who steals one hosting credential or exploits an outdated plugin may insert redirect code into a client website. The malicious code can send selected visitors into a TDS while allowing the website owner and most automated scanners to see the normal site.
That creates an especially frustrating situation:
- The client receives reports that visitors are being redirected.
- The site appears normal when the developer checks it.
- Only certain devices, locations, or referral sources trigger the attack.
- The malicious destination may change between visits.
The website builder may unknowingly operate a distribution point for phishing or malware. Beyond the immediate cleanup, the incident can damage search rankings, advertising accounts, customer trust, and the agency’s reputation.
Website professionals should maintain an inventory of sites, themes, and plugins; remove abandoned components; require multi-factor authentication on hosting and CMS accounts; monitor file changes; and investigate unexpected JavaScript, PHP, .htaccess, administrator, and redirect changes.
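The selective behavior described above can be surfaced by asking the same URL for an answer under several visitor profiles and comparing where each one lands. The following Python script is an added example written for this article, not code from the FBI advisory or any product it mentions. The profile set, the .example hostnames, and the simulated compromised site inside it are constructed so the script runs offline; pointing probe() at a real URL with urllib_fetcher sends one request per hop with redirects disabled, so the chain each profile receives is recorded rather than silently followed.

```python
"""Differential probing of one URL under several visitor profiles (added example).

Requests the same page as different clients, follows every HTTP, meta-refresh and
JavaScript hop each one is given, and reports where each ends up. The .example hosts
and simulated_cloaked_site() are constructed so the script can run offline.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple
from urllib.parse import urljoin, urlsplit

WIN_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
          "(KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36")
# Profiles to compare: a starting set, not a list of what any real TDS inspects.
PROFILES: Dict[str, Dict[str, str]] = {
    "windows-chrome-from-search": {"User-Agent": WIN_UA, "Referer": "https://www.google.com/"},
    "windows-chrome-direct": {"User-Agent": WIN_UA},
    "googlebot": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"},
    "curl": {"User-Agent": "curl/8.5.0"},
}
# fetch(url, headers) -> (status, response headers, body); it must not follow redirects itself.
Fetcher = Callable[[str, Dict[str, str]], Tuple[int, Dict[str, str], bytes]]

@dataclass
class ProbeResult:
    profile: str
    chain: List[str]      # every URL visited; chain[0] is the URL requested
    final_status: int
    body_sha256: str

_META_TAG = re.compile(rb"<meta\b[^>]*>", re.I)
_JS_LOCATION = re.compile(
    rb"""(?:window\.|document\.|top\.)?location(?:\.href)?\s*=\s*["']([^"']+)["']"""
    rb"""|location\.(?:replace|assign)\(\s*["']([^"']+)["']\s*\)""", re.I)

def client_side_redirect(body: bytes) -> str:
    """Target of a meta-refresh or plain JavaScript location redirect in the body, else ''."""
    for tag in _META_TAG.findall(body):
        if re.search(rb"""http-equiv\s*=\s*["']?refresh""", tag, re.I):
            m = re.search(rb"""url\s*=\s*["']?([^"'>\s]+)""", tag, re.I)
            if m:
                return m.group(1).decode("latin-1")
    m = _JS_LOCATION.search(body)
    return (m.group(1) or m.group(2)).decode("latin-1") if m else ""

def follow_chain(profile: str, headers: Dict[str, str], url: str, fetch: Fetcher, max_hops: int = 10) -> ProbeResult:
    """Walk the redirect chain one profile sees; the same headers are sent on every hop."""
    chain, status, body = [url], 0, b""
    for _ in range(max_hops):
        status, hdrs, body = fetch(chain[-1], headers)
        hdrs = {k.lower(): v for k, v in hdrs.items()}
        nxt = hdrs.get("location") if 300 <= status < 400 else client_side_redirect(body)
        if not nxt:
            break
        chain.append(urljoin(chain[-1], nxt))
    return ProbeResult(profile, chain, status, hashlib.sha256(body).hexdigest())

def probe(url: str, fetch: Fetcher, profiles: Dict[str, Dict[str, str]] = None) -> Dict[str, ProbeResult]:
    return {name: follow_chain(name, dict(h), url, fetch) for name, h in (profiles or PROFILES).items()}

def cloaking_report(url: str, results: Dict[str, ProbeResult]) -> dict:
    """Group profiles by where they landed; more than one outcome is the signal to investigate."""
    home = urlsplit(url).hostname
    outcomes: Dict[Tuple[str, str], List[str]] = {}
    for r in results.values():
        outcomes.setdefault((r.chain[-1], r.body_sha256), []).append(r.profile)
    return {
        "inconsistent": len(outcomes) > 1,
        "off_host_profiles": sorted(r.profile for r in results.values() if urlsplit(r.chain[-1]).hostname != home),
        "outcomes": {f"{u} sha256:{h[:12]}": sorted(p) for (u, h), p in outcomes.items()},
        "chains": {r.profile: r.chain for r in results.values()},   # keep this as evidence
    }

def urllib_fetcher(url: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, str], bytes]:
    """Live fetcher: one request per call, 3xx responses returned rather than followed."""
    import urllib.error, urllib.request
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, hdrs, newurl):
            return None                       # urllib then raises HTTPError for the 3xx
    try:
        with urllib.request.build_opener(NoRedirect).open(urllib.request.Request(url, headers=headers), timeout=15) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as e:
        return e.code, dict(e.headers), e.read()

def simulated_cloaked_site(url: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, str], bytes]:
    """Constructed stand-in for a compromised client site, a TDS, and the phishing page behind it."""
    host, ua, ref = urlsplit(url).hostname, headers.get("User-Agent", ""), headers.get("Referer", "")
    if host == "client-site.example":
        if "Windows" in ua and "google" in ref:     # injected redirect fires only for targeted visitors
            return 302, {"Location": "https://tds.example/go?c=7"}, b""
        return 200, {"Content-Type": "text/html"}, b"<html><body>Welcome to our bakery</body></html>"
    if host == "tds.example":                       # TDS: targeted browser gets a client-side hop, others bounce
        if "Windows" in ua:
            return 200, {"Content-Type": "text/html"}, b'<meta http-equiv="refresh" content="0;url=https://login-m365.example/">'
        return 302, {"Location": "https://client-site.example/"}, b""
    if host == "login-m365.example":
        return 200, {"Content-Type": "text/html"}, b"<html><form>Sign in to your account</form></html>"
    return 404, {}, b"not found"
```

Run against the simulated site with cloaking_report(url, probe(url, simulated_cloaked_site)), the Windows-from-search profile is bounced through tds.example to the login page while the crawler, curl, and the direct visit see the bakery home page, which is the "normal to the developer, redirected for the customer" situation described above. For a live check, also probe from a network and location the site owner does not normally use: the advisory notes that a TDS can key on IP address and approximate location, and those cannot be emulated with request headers.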
How an ordinary SMB employee could be targeted
Consider an employee at a local manufacturer, accounting firm, clinic, or retailer who receives an email about an invoice or document.
The link does not immediately open a fake login page. It first sends the employee through a series of redirects. The TDS determines that the visitor is in the United States, is using a business Windows computer, and has a browser configuration the attacker knows how to target.
The employee may then see:
- A fake Microsoft 365 or vendor login page
- A fraudulent payment or shipping notice
- A fake browser update
- A malicious JavaScript or PowerShell-based download
- A page designed to begin a remote-support scam
Stolen credentials can lead to mailbox access, payment fraud, customer impersonation, or a ransomware foothold. A business does not need to be famous or wealthy to be useful to an attacker; it only needs money, data, insurance, trusted relationships, or access to other organizations.
Warning signs worth investigating
Traffic distribution attacks can be inconsistent by design, so reports that are difficult to reproduce should not be dismissed.
Watch for:
- Customers reporting redirects that staff cannot reproduce
- Website behavior that changes by device, browser, location, or referral source
- Unexpected website administrator accounts
- Recently modified JavaScript, PHP, theme, plugin, or .htaccess files
- New scheduled tasks or unfamiliar startup items on endpoints
- Unexpected use of wscript.exe, cscript.exe, or PowerShell
- Users downloading or opening unexpected .js, .ps1, or .svg files
- Browser history showing several unfamiliar domains before a phishing page
- Endpoint or DNS alerts tied to advertising, redirect, or newly registered domains
The FBI specifically recommends monitoring suspicious scripting activity and considering safer default file associations so JavaScript files do not execute casually when opened.
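To turn the endpoint items in that list into something a small team can run over its own telemetry, the following Python scorer is an added example written for this article, not code from the FBI advisory. It expects process-creation records as dicts carrying image, command line, parent image, user, host, and time (the fields Sysmon Event ID 1 and most EDR process events provide); the field names, the weights, the sample events, and the script extensions beyond the .js and .ps1 named in the text are assumptions made for the demonstration.

```python
"""Scoring of Windows process-creation events for the scripting warning signs above (added example).

Each event is a dict with the fields a Sysmon Event ID 1 or EDR process-creation record
carries (image, command_line, parent_image, user, host, time). Field names, weights,
SAMPLE_EVENTS and the extensions beyond .js/.ps1 are assumptions made for the demonstration.
"""
import re
import shlex
from typing import Dict, List

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
SCRIPT_EXTS = (".js", ".ps1", ".jse", ".vbs", ".wsf")          # .js/.ps1 from the text; the rest assumed
INTERACTIVE_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
USER_WRITABLE = re.compile(r"\\(downloads|temp|appdata\\local\\temp|inetcache)\\", re.I)
# (pattern over the command line, reason shown to the analyst, weight); weights are a starting point to tune
PS_SUSPICIOUS = [
    (re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\b", re.I), "encoded command", 2),
    (re.compile(r"(^|\s)-w(indowstyle)?\s+hidden\b", re.I), "hidden window", 2),
    (re.compile(r"\b(downloadstring|downloadfile|invoke-webrequest|iwr|iex|invoke-expression)\b", re.I), "download or eval cradle", 2),
    (re.compile(r"(^|\s)-(nop|noprofile)\b", re.I), "profile skipped", 1),
    (re.compile(r"(^|\s)-(ep|executionpolicy)\s+bypass\b", re.I), "execution policy bypass", 1),
]

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def script_args(command_line: str) -> List[str]:
    """Arguments that name a script file, split Windows-style (quotes kept, no backslash escapes)."""
    try:
        parts = shlex.split(command_line, posix=False)
    except ValueError:                       # unbalanced quote: fall back to a whitespace split
        parts = command_line.split()
    args = [p.strip('"') for p in parts[1:]]
    return [a for a in args if a.lower().endswith(SCRIPT_EXTS)]

def score_event(ev: Dict[str, str]) -> Dict:
    """Score one process-creation event; only script hosts score at all."""
    image, parent, cmd = basename(ev.get("image", "")), basename(ev.get("parent_image", "")), ev.get("command_line", "")
    score, reasons = 0, []
    if image not in SCRIPT_HOSTS:
        return {"score": 0, "reasons": []}
    for s in script_args(cmd):
        if USER_WRITABLE.search(s):
            score += 3; reasons.append(f"script from user-writable path: {s}")
        else:
            score += 1; reasons.append(f"script file argument: {s}")
    if parent in INTERACTIVE_PARENTS:
        score += 1; reasons.append(f"started from {parent} (user opened it)")
    if parent in SCRIPT_HOSTS:
        score += 2; reasons.append(f"spawned by another script host ({parent})")
    if image in POWERSHELL:
        for rx, reason, weight in PS_SUSPICIOUS:
            if rx.search(cmd):
                score += weight; reasons.append(reason)
    return {"score": score, "reasons": reasons}

def triage(events: List[Dict[str, str]], threshold: int = 3) -> List[Dict]:
    """Events at or above threshold, highest score first, with the reasons to show an analyst."""
    hits = []
    for ev in events:
        r = score_event(ev)
        if r["score"] >= threshold:
            hits.append({"time": ev.get("time"), "host": ev.get("host"), "user": ev.get("user"),
                         "image": basename(ev.get("image", "")), "score": r["score"], "reasons": r["reasons"]})
    return sorted(hits, key=lambda h: -h["score"])

# Constructed sample: a user opens a downloaded .js, it launches PowerShell, plus two benign events.
SAMPLE_EVENTS = [
    {"time": "2026-06-20T14:02:11Z", "host": "WS-ACCT-07", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\wscript.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Windows\System32\wscript.exe" "C:\Users\jdoe\Downloads\Invoice_4471.js"'},
    {"time": "2026-06-20T14:02:13Z", "host": "WS-ACCT-07", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "parent_image": r"C:\Windows\System32\wscript.exe",
     "command_line": "powershell.exe -nop -w hidden -enc SQBFAFgAIAA="},   # base64 of UTF-16LE "IEX ", a placeholder
    {"time": "2026-06-20T02:00:00Z", "host": "SRV-FILES-01", "user": "CORP\\svc-backup",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "parent_image": r"C:\Windows\System32\svchost.exe",
     "command_line": r"powershell.exe -NoProfile -File C:\Scripts\nightly-backup.ps1"},
    {"time": "2026-06-20T14:01:58Z", "host": "WS-ACCT-07", "user": "CORP\\jdoe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.google.com/search?q=invoice'},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["score"], hit["time"], hit["host"], hit["user"], hit["image"], "; ".join(hit["reasons"]))
```

On the sample, the hidden, encoded PowerShell spawned by wscript.exe scores highest, the wscript.exe launch of a .js from the Downloads folder is second, and the nightly backup stays under the threshold because it runs from a fixed path with none of the hidden-window or encoded-command switches. Tune the weights against a week of real events before alerting on them, and treat wscript.exe or cscript.exe spawning PowerShell from a user's Downloads folder as worth an immediate look regardless of score.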
Practical steps for small organizations
No single security product will solve this problem. The most effective defense is a set of controls that interrupt different parts of the attack.
Protect users and endpoints
- Use endpoint detection and response tools that monitor script interpreters and suspicious child processes.
- Restrict PowerShell and script execution where practical.
- Use DNS and web filtering, while recognizing that newly created destinations may not yet be categorized.
- Require multi-factor authentication, especially for email, remote access, hosting, and administrative tools.
- Teach employees to obtain software from a known vendor address rather than an advertisement or search result.
- Give users a quick, blame-free way to report strange redirects and downloads.
Protect websites and hosting accounts
- Keep the CMS, themes, and plugins supported and patched.
- Remove unused plugins, themes, accounts, API keys, and integrations.
- Use unique administrator accounts and multi-factor authentication.
- Review hosting control-panel and CMS login history.
- Monitor important files for unauthorized changes.
- Use a web application firewall as an additional layer, not as a substitute for maintenance.
- Maintain tested backups that allow the site to be restored to a known-clean state.
Limit MSP and administrator exposure
- Separate everyday accounts from privileged administrative accounts.
- Do not use a highly privileged workstation for general web browsing or software searches.
- Protect RMM, documentation, password vaults, and remote-access systems with strong authentication and conditional access.
- Limit each technician and tool to the customers and systems they actually need.
- Log administrative actions and review unusual access promptly.
- Build an incident plan for disabling compromised technician accounts without losing control of customer environments.
If you suspect a TDS-related compromise
Preserve the full URL, browser history, screenshots, downloaded files, timestamps, and the device used. The redirect chain may disappear or behave differently during a later investigation.
Disconnect a device if malware may have executed, but avoid destroying evidence. Reset exposed credentials from a known-clean system, revoke active sessions, and review email forwarding rules, hosting accounts, website files, remote-access tools, and administrative logs.
Organizations can report suspected cybercrime to the FBI through IC3.gov.
The larger lesson
The important part of the FBI warning is not a new acronym. It is the way criminals use selective routing to make malicious activity look inconsistent.
A website can appear clean to its owner and dangerous to a customer. A link can be harmless during testing and malicious when an employee opens it. A firewall can allow the first connection even though the person eventually lands on a credential theft or malware page.
Small MSPs, website builders, and SMBs should take reports of unexplained redirects seriously, protect the administrative tools that create outsized risk, and collect evidence before the trail changes.
Primary source: FBI Internet Crime Complaint Center, “Cyber Criminal Use of Traffic Distribution Systems (TDSs) to Facilitate Malicious Activity,” June 18, 2026.