Cybersecurity researchers have lifted the lid on two threat actors that run investment scams using fake celebrity endorsements and hide their activity behind traffic distribution systems (TDSs).
The activity clusters have been codenamed Reckless Rabbit and Ruthless Rabbit by DNS threat intelligence firm Infoblox.
The attacks are noted to lure victims with fictitious platforms, including cryptocurrency exchanges, that are then advertised on social media. A key aspect of these scams is the use of web forms to collect users’ data.
“Reckless Rabbit creates ads on Facebook that lead to fake news articles presenting celebrity endorsements of the investment platform,” security researchers Darby Wise, Piotr Glaska and Laura da Rocha noted. “The article includes a link to the scam platform containing an embedded web form that convinces the user to enter their personal information in order to ‘register’ for the investment opportunity.”
Some of these forms, besides asking for the user’s name, phone number and email address, offer to automatically generate a password; this information is then used to move on to the next validation phase.
The threat actors issue HTTP GET requests to legitimate IP-checking services such as ipinfo(.)io, ipgeolocation(.)io or ipapi(.)co to filter out traffic from countries that do not interest them. Checks are also performed to validate the phone numbers and email addresses provided.
If the user is deemed worth exploiting, they are then sent through the TDS, which either forwards them directly to the scam platform, where they are persuaded to part with their funds on the promise of large profits, or to another page instructing them to wait for a call from a representative.
“Some campaigns use call centers to give victims instructions on how to create an account and transfer money to the fake investment platform,” the researchers explained. “Many campaigns will simply display a ‘Thank you’ page to users who do not pass the validation check.”
An important aspect of the activity is the use of a registered domain generation algorithm (RDGA) to set up domain names for the scam platforms, a technique also adopted by other threat actors such as Prolific Puma, Revolver Rabbit and VexTrio Viper.
Unlike traditional domain generation algorithms (DGAs), an RDGA uses a secret algorithm to register all of the domain names. Reckless Rabbit is said to have been creating domains since April 2024, primarily targeting users in Russia, Romania and Poland while excluding traffic from Afghanistan, Somalia, Liberia, Madagascar and other countries.
The Facebook ads used to send users to the fake news articles are interspersed with advertising content related to items listed on marketplaces such as Amazon in order to evade detection and enforcement.
Moreover, the ads contain unrelated images and display a bait domain (such as “amazon(.)pl”) that differs from the actual domain the user is redirected to when they click the link (such as “tyxarai(.)org”).
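The bait-domain mismatch described above is something an ad-review or brand-protection team can check for mechanically: compare the registrable domain the ad displays with the registrable domain of the final hop in the click's redirect chain. The Python below is an added example written for this article, not code from Infoblox or the reported campaigns; the ad records, the `.test` hosts and the tiny suffix table are constructed sample data (a real tool would use the Public Suffix List and would follow the redirects itself).

```python
# Added example (not from the Infoblox report): flag ads whose displayed "bait"
# domain differs from the domain the click actually lands on.
# All ad records below are constructed sample data.
from urllib.parse import urlparse

# Minimal multi-label suffix table so that "amazon.co.uk" reduces to a sensible
# registrable domain. Assumption for the example; use the Public Suffix List in practice.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.pl", "com.au", "co.jp"}


def registrable_domain(host: str) -> str:
    """Return the registrable (apex) domain of a host name, lower-cased."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def final_landing_host(redirect_chain) -> str:
    """Host of the last hop in a redirect chain (a list of URLs, first to last)."""
    return urlparse(redirect_chain[-1]).hostname or ""


def is_bait_mismatch(displayed_domain: str, redirect_chain) -> bool:
    """True when the domain shown to the user is not the domain they end up on.

    Comparing registrable domains (not raw hosts) means "www.amazon.pl" still
    matches a displayed "amazon.pl", while "amazon.pl.evil-landing.test" does not.
    """
    shown = registrable_domain(displayed_domain)
    landed = registrable_domain(final_landing_host(redirect_chain))
    return shown != landed


def audit_ads(ads):
    """Return the ids of ads whose displayed domain and landing domain differ."""
    return [
        ad["id"]
        for ad in ads
        if is_bait_mismatch(ad["displayed_domain"], ad["redirect_chain"])
    ]


# Constructed sample ads. "tyxarai.org" is the redirect domain named in the
# article; the other hosts are placeholders under the reserved .test TLD.
SAMPLE_ADS = [
    {
        "id": "ad-1",  # displayed amazon.pl, lands on the article's example scam domain
        "displayed_domain": "amazon.pl",
        "redirect_chain": ["https://l.social-redirect.test/r?x=1", "https://tyxarai.org/article"],
    },
    {
        "id": "ad-2",  # benign: displayed domain and landing domain agree
        "displayed_domain": "amazon.pl",
        "redirect_chain": ["https://www.amazon.pl/deals"],
    },
    {
        "id": "ad-3",  # subdomain trick: the real registrable domain is evil-landing.test
        "displayed_domain": "amazon.pl",
        "redirect_chain": ["https://amazon.pl.evil-landing.test/"],
    },
]

if __name__ == "__main__":
    for ad_id in audit_ads(SAMPLE_ADS):
        print(f"{ad_id}: displayed domain does not match landing domain")
```

Running the block flags `ad-1` and `ad-3` and leaves `ad-2` alone. The check is deliberately done on the final hop rather than the first, because the first hop of a social-media click is routinely a legitimate link-shim on the platform's own domain.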
Ruthless Rabbit is believed to have been actively running investment scams since at least November 2022, targeting users in Eastern Europe. What sets this threat actor apart is that it routes traffic through its own cloaking service (“mcraftdb(.)tech”) to perform the validation checks.
Users who pass the validation check are then sent to the investment platform, which prompts them to enter their financial information to complete the registration process.
“A TDS allows the threat actor to shield its infrastructure, making it more resilient, while hiding malicious content from security researchers and bots,” Infoblox said.
This is not the first time such fake investment scams have been uncovered in the wild. In December 2024, ESET exposed a similar scheme called Nomani that uses a combination of social media advertising and artificial intelligence (AI)-generated video footage impersonating well-known people.
Then, last month, Spanish authorities disclosed that they had arrested six people aged between 34 and 57 for allegedly running a large-scale cryptocurrency investment scam that used AI tools to create deepfake ads featuring popular public figures to deceive people.
Renée Burton, Vice President of Infoblox Threat Intel, told The Hacker News that they “should look more closely to see if there is any evidence” of a connection between these operations and those of Reckless Rabbit and Ruthless Rabbit.
“Threat actors like Reckless Rabbit and Ruthless Rabbit will be relentless in trying to deceive as many users as possible,” the researchers said. “As these types of fraud have been very profitable for them, they will continue to grow rapidly, both in number and in sophistication.”
Mystery Box Scams Spread Through Facebook Ads
The development comes as Bitdefender warns of subscription scams that use a network of more than 200 convincing websites to trick users into paying monthly subscriptions and sharing their credit card data.
“Criminals create Facebook pages and run full-blown advertising campaigns to promote the already classic ‘mystery box’ scheme and other variants,” the Romanian company noted. “The mystery box scam has evolved and now includes practically hidden recurring payments, as well as links to websites for various stores. Facebook is used as the main platform for these new and expanded mystery box scams.”
The ads advertise sales of brands such as Zara, or offer the chance to buy a ‘mystery box’ containing Apple products, and seek to lure users by claiming they can grab one by paying a minimal amount of money, sometimes as low as $2.
The cybercriminals deploy various tricks to evade detection, including creating multiple versions of an ad, only one of which is malicious while the rest show ordinary product images.
These scams, like those run by Reckless Rabbit and Ruthless Rabbit, include a survey component to make sure victims are real people and not bots. In addition, the payment pages enroll unsuspecting users in a subscription program that earns the threat actors recurring revenue under the pretext of giving them a discount.
“The criminals are pumping funds into ads that promote content creators, using the same subscription model, which now appears to be the revenue stream for these frauds,” said Bitdefender researchers Răzvan Gosav and Silviu Stahie.
“The scammers frequently rotate the brands they impersonate, and they have started expanding beyond the existing mystery boxes. They are now trying to sell substandard products or counterfeit goods, fake investments, supplements and more.”
U.S. Treasury Sanctions Myanmar Militia Over Scam Centers
The findings also follow a wave of sanctions imposed by the U.S. Treasury against the Myanmar-based Karen National Army (KNA) for helping organized crime syndicates run multi-billion-dollar cyber scams, as well as facilitating human trafficking and cross-border smuggling.
The actions also target the group’s leader, Saw Chit Thu, and his two sons, Saw Htoo Eh Moo and Saw Chit Chit.
Deputy Secretary Michael Faulkender described them as “cyber scam operations.”
In these so-called romance scams, the scammers themselves are often lured to the scam compounds with the promise of high-paying jobs and forced to target strangers online, building relationships with them over time before getting them to invest in fake cryptocurrency and trading platforms.
“KNA profits from cyber scam schemes on an industrial scale, renting land it controls to other organized criminal groups and providing support for human trafficking, smuggling and the sale of utilities used to power the scam operations,” the Treasury said. “KNA also provides security at scam compounds in Karen State.”
Last month, the UN Office on Drugs and Crime (UNODC) reported that scam centers are still expanding despite recent crackdowns, generating annual profits of about $40 billion.