
Cybersecurity researchers have lifted the lid on two threat actors that orchestrate investment fraud built on spoofed celebrity endorsements and that hide their activity behind a traffic distribution system (TDS).
The activity clusters have been codenamed Reckless Rabbit and Ruthless Rabbit by DNS threat intelligence firm Infoblox.
The attacks have been observed luring victims with fake platforms, including cryptocurrency exchanges promoted on social media. A key element of these scams is the use of web forms to collect user data.
“Reckless Rabbit creates ads on Facebook that lead to fake news articles featuring celebrity endorsements of an investment platform,” said researchers Darby Wise, Piotr Glaska, and Laura da Rocha. “The article contains a link to the scam platform, which includes an embedded web form that persuades users to enter their personal information and ‘register’ for the investment opportunity.”
Some of these forms also offer to automatically generate a password, in addition to requesting the user’s name, phone number, and email address. This information is then used in the next phase of the attack: the validation check.
The threat actors perform HTTP GET requests to legitimate IP validation services such as ipinfo[.]io, ipgeolocation[.]io, or ipapi[.]co to check that the phone numbers and email addresses provided are genuine, and to weed out traffic from countries they are not interested in.
If a user is deemed worthy of targeting, they are then routed through the TDS, which either sends them directly to a fraud platform that siphons funds by promising high returns, or to a page instructing them to wait for a call from a representative.
“Some campaigns use call centres to give victims instructions on how to set up accounts and send money to the fake investment platform,” the researchers explained. “For users who do not pass the validation step, many campaigns simply display a ‘thank you’ landing page.”
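To make the validation-and-routing step concrete, here is an added model of the decision logic the article describes. It is not Infoblox's code nor the actors' own cloaker; the geolocation replies are hand-written in the shape of an ipinfo.io JSON body (a two-letter `country` field), the country lists follow the article's description of Reckless Rabbit's targeting, and the bot User-Agent signatures and the email/phone format checks are assumptions about what such a validator might look for.

```python
"""Model of a TDS validation-and-routing step (constructed example).

Not Infoblox's code and not the threat actors' cloaker. Geolocation
bodies mimic the shape of an ipinfo.io reply; country policy, bot
signatures and contact-detail checks are assumptions for illustration.
"""
import json
import re
from dataclasses import dataclass

# Assumed policy: target countries and exclusions as described for
# Reckless Rabbit in the article (ISO 3166-1 alpha-2 codes).
TARGET_COUNTRIES = {"RU", "RO", "PL"}
DENY_COUNTRIES = {"AF", "SO", "LR", "MG"}

# Assumed User-Agent fragments a cloaker might treat as researcher/bot traffic.
BOT_UA_PATTERN = re.compile(r"(bot|crawler|spider|curl|python-requests|headless)", re.I)

# Loose format checks on the data entered into the web form.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")
PHONE_RE = re.compile(r"^\+?\d{7,15}$")


@dataclass
class Lead:
    name: str
    email: str
    phone: str
    user_agent: str
    geo_json: str  # raw body returned by the IP-validation service


def passes_validation(lead: Lead) -> bool:
    """The validation check: contact details must look real, the visitor
    must not look like a bot, and the IP must geolocate to a targeted
    country and not to an excluded one."""
    if BOT_UA_PATTERN.search(lead.user_agent):
        return False
    phone = re.sub(r"[\s\-()]", "", lead.phone)
    if not EMAIL_RE.match(lead.email) or not PHONE_RE.match(phone):
        return False
    try:
        country = json.loads(lead.geo_json).get("country", "")
    except json.JSONDecodeError:
        return False
    if country in DENY_COUNTRIES:
        return False
    return country in TARGET_COUNTRIES


def route(lead: Lead, call_center: bool = False) -> str:
    """TDS decision: validated leads go to the fraud platform (or, for
    campaigns that use call centres, to a 'wait for a call' page);
    everyone else sees the harmless 'thank you' page."""
    if not passes_validation(lead):
        return "thank_you"
    return "wait_for_call" if call_center else "platform"


def route_all(leads, call_center: bool = False):
    """Route a batch of leads; returns a list of (name, destination)."""
    return [(lead.name, route(lead, call_center)) for lead in leads]


# Constructed sample leads (fictitious data, TEST-NET addresses).
FIREFOX_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0"
SAMPLE_LEADS = [
    Lead("pl-user", "anna@example.com", "+48 600 123 456", FIREFOX_UA,
         '{"ip": "203.0.113.5", "country": "PL", "org": "AS64496 Example ISP"}'),
    Lead("so-user", "ali@example.com", "+252 61 123 4567", FIREFOX_UA,
         '{"ip": "203.0.113.6", "country": "SO", "org": "AS64496 Example ISP"}'),
    Lead("crawler", "scan@example.com", "+48 600 123 457",
         "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
         '{"ip": "203.0.113.7", "country": "PL", "org": "AS64496 Example ISP"}'),
    Lead("bad-email", "nobody", "+48 600 123 458", FIREFOX_UA,
         '{"ip": "203.0.113.8", "country": "PL", "org": "AS64496 Example ISP"}'),
    Lead("de-user", "max@example.com", "+49 30 1234567", FIREFOX_UA,
         '{"ip": "203.0.113.9", "country": "DE", "org": "AS64496 Example ISP"}'),
]

if __name__ == "__main__":
    for name, dest in route_all(SAMPLE_LEADS):
        print(f"{name:10s} -> {dest}")
```

The practical point for a defender is that the cloaker sees only what the IP validator and the request headers tell it: a researcher replaying the form from a scanner User-Agent, a cloud address, or a non-targeted country gets the benign landing page and never observes the fraud platform, which is why crawl results alone understate these campaigns.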
A notable aspect of the activity is the use of registered domain generation algorithms (RDGAs) to set up the rogue investment platform domains, a technique that has also been adopted by other threat actors such as Prolific Puma, Revolver Rabbit, and VexTrio Viper.

Unlike traditional domain generation algorithms (DGAs), an RDGA uses a secret algorithm to generate domain names that the actor then registers in bulk. Reckless Rabbit has been creating domains since at least April 2024 and is said to primarily target users in Russia, Romania, and Poland, while excluding traffic from Afghanistan, Somalia, Liberia, and Madagascar.
The Facebook ads used to direct users to the fake news articles are interspersed with ad content for items sold on marketplaces such as Amazon, in order to avoid detection and enforcement action.
Additionally, the ads contain unrelated images and display a decoy domain (for example, a “[.]pl” domain) that is different from the actual domain users are redirected to when they click the link (e.g., “tyxarai[.]org”).
Meanwhile, Ruthless Rabbit is believed to have been actively running investment fraud campaigns targeting Eastern European users since at least November 2022. What sets this threat actor apart is that it runs its own cloaking service (“McrafDB[.]tech”) to perform the validation checks.

Users who pass the validation check are then routed to the investment platform, where they are asked to enter their financial information to complete the registration process.
“TDSs allow threat actors to strengthen their infrastructure and become more resilient by giving them the ability to hide malicious content from security researchers and bots,” Infoblox said.
This is not the first time such an investment fraud campaign has been discovered in the wild. In December 2024, ESET exposed a similar scheme codenamed Nomani that used a combination of social media malvertising, company-branded posts, and artificial intelligence (AI)-generated video testimonials featuring well-known personalities.
Late last month, Spanish authorities revealed that they had arrested six individuals aged 34 to 57.
Renee Burton, vice president of threat intelligence at Infoblox, told The Hacker News: “We would need to check whether there is evidence that these activities have anything to do with the activity carried out by Reckless Rabbit and Ruthless Rabbit.”
“Threat actors like Reckless Rabbit and Ruthless Rabbit will be relentless in their attempts to deceive as many users as possible,” the researchers said. “These types of scams have proven to be extremely profitable for them, so they will continue to grow rapidly in both number and sophistication.”
Mystery Box Scams Proliferate via Facebook Ads
The development comes as Bitdefender warned of a sophisticated subscription scam that leverages a network of over 200 convincing fake websites to trick users into paying monthly subscriptions and handing over their credit card data.

“Criminals have created Facebook pages and run full-fledged ads promoting the already classic ‘mystery box’ scams and other variants,” the Romanian company said. “The ‘mystery box’ scam has evolved to include nearly hidden recurring payments, along with links to websites for various shops. Facebook is being used as the main platform for these new, enhanced mystery box scams.”
The rogue sponsored ads offer items from supposed clearance sales by brands like Zara, or try to lure users into purchasing “mystery boxes” said to contain Apple products, claiming that users can grab one by paying a minimal amount.
Cybercriminals deploy a variety of tricks, including creating multiple versions of the same ad.

Like the scams run by Reckless Rabbit and Ruthless Rabbit, these campaigns incorporate a survey component to ensure the victims are real people and not bots. Additionally, the payment page ropes unsuspecting users into subscription programs that capture recurring revenue under the pretext of offering a discount.
“Criminals have now put their funds into ads that promote high-performing content creators, using the same subscription model that appears to be the driving revenue stream for these frauds,” said Bitdefender researchers Răzvan Gosa and Silviu Stahie.
“Scammers have often changed successful brands and begun to expand beyond the existing mystery boxes. They are now trying to sell low-quality products and counterfeit items, fake investments, supplements, and more.”
U.S. Sanctions Myanmar Militia Over Scam Compounds
The findings also follow a wave of sanctions imposed by the U.S. Treasury on the Myanmar-based Karen National Army (KNA) for running billion-dollar scam compounds, supporting organized crime syndicates, and facilitating human trafficking and cross-border smuggling.
The action also targeted the group’s leader, Saw Chit Thu, and his two sons, Saw Htoo Eh Moo and Saw Chit Chit. Saw Chit Thu was sanctioned by the U.K. in 2023 and by the European Union in 2024 as a key enabler of scam operations in the region.
“Cyber scam operations, such as those run by the KNA, generate billions in revenue for criminal kingpins and their associates, while depriving victims of their hard-earned savings and sense of security,” said Deputy Secretary Michael Faulkender.
In these so-called romance baiting scams, the scammers, who are themselves often trafficked into the scam compounds after being lured with promises of high-paying jobs, target strangers online, develop relationships with them over time, and induce them to invest in bogus cryptocurrency and trading platforms controlled by the criminal actors.
“The KNA profits from cyber scam schemes on an industrial scale by leasing land it controls to other organized crime groups and by providing support for the sale of utilities used to power the human trafficking, smuggling, and scam businesses,” the Treasury Department said. “The KNA also provides security for the scam compounds in Karen State.”
Last month, the United Nations Office on Drugs and Crime (UNODC) said that despite recent crackdowns, scam centres are continuing to expand, generating about $40 billion in annual profits.