Researchers have observed a new malvertising campaign targeting victims in Europe and North and South America with fake investment schemes. The threat actor, named CashRewindo, is using aged domains for its attacks to bypass security platforms, among other tricks.

What has been detected?

According to Confiant researchers, the CashRewindo group has been active since 2018 and uses customized currencies and languages to lure victims toward investment scam sites.
  • The group uses old domains that were registered years ago and have no history of malicious activity, to build trust and bypass security scanners.
  • Just before use, the attacker activates them by updating the certificate and assigning a virtual server.
  • At least 487 domains have been registered by the group, some of which were registered as early as 2008 and used in 2022 for the first time.

Some time-based domain verification systems take the domain registration date into account when checking for fraudulent activity, and aged domains are likely to pass such checks with ease.
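One way a defender can avoid trusting a domain on registration age alone, as an added example that is not from Confiant's report or tooling: the check below combines the WHOIS creation date with the certificate issuance and DNS first-seen dates and flags the "registered years ago, activated last week" pattern described above. All records are constructed samples, not real CashRewindo domains.

```python
from datetime import date

# Constructed sample records (not real indicators): WHOIS creation date,
# Not-Before date of the current TLS certificate, and the date the DNS
# A record was first observed resolving.
SAMPLE_RECORDS = [
    {"domain": "example-invest.test", "registered": date(2008, 3, 14),
     "cert_not_before": date(2022, 9, 2), "first_resolved": date(2022, 9, 3)},
    {"domain": "long-running-shop.test", "registered": date(2010, 6, 1),
     "cert_not_before": date(2022, 7, 15), "first_resolved": date(2011, 1, 20)},
    {"domain": "brand-new-site.test", "registered": date(2022, 8, 30),
     "cert_not_before": date(2022, 9, 1), "first_resolved": date(2022, 9, 1)},
]


def dormancy_days(record):
    """Days between registration and the earliest sign of activation.

    Activation is the earlier of first DNS resolution and certificate
    issuance; a domain parked for years shows a large gap here.
    """
    activated = min(record["first_resolved"], record["cert_not_before"])
    return (activated - record["registered"]).days


def is_dormant_reactivated(record, today, min_dormant_days=3 * 365, recent_days=90):
    """Flag a domain that sat unused for years and was only wired up recently.

    Registration age alone would pass this domain as trustworthy; combining
    it with certificate and DNS recency exposes the parked-then-activated
    pattern. A merely renewed certificate on a long-active domain is not
    flagged, because its first DNS resolution is old.
    """
    latest_change = max(record["first_resolved"], record["cert_not_before"])
    recently_active = (today - latest_change).days <= recent_days
    return dormancy_days(record) >= min_dormant_days and recently_active


def flag_records(records, today):
    """Return the domains in `records` that match the dormant-reactivated pattern."""
    return [r["domain"] for r in records if is_dormant_reactivated(r, today)]


if __name__ == "__main__":
    for name in flag_records(SAMPLE_RECORDS, date(2022, 10, 1)):
        print("suspicious aged domain:", name)
```

The thresholds (three years dormant, activated within 90 days) are assumptions to tune against your own telemetry.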

Creative adverts

Besides aged domains, CashRewindo leverages another innovative tactic of flipping between scam ads and ordinary posts, to make its malvertising effective.
  • At the beginning of the campaign, the adverts use plain language and carry no malicious action, to avoid detection rules keyed on aggressive wording.
  • Later on, the same ads are replaced with malicious call-to-action ads, promoting some scam or fraudulent scheme.
  • The adverts redirect the victims towards a crypto platform, where they are lured to make deposits into fake investment schemes.

Additional details

In the past 12 months, over 1.5 million CashRewindo impressions have been recorded, most of which were targeting Windows devices.
  • The most targeted countries include Hungary, Poland, Croatia, Serbia, the Czech Republic, Kenya, the U.K., Romania, and Slovakia.
  • Moreover, the attackers use local language and location-specific imagery, along with great attention to detail, to make their adverts appear legitimate.

Ending note

The CashRewindo threat actor has taken typical fake investment scams to a different level through new, innovative approaches. The use of aged domains, frequent flipping of adverts, and local language and imagery greatly amplify the chances of potential victims clicking the adverts.
Cyware Publisher
