A malvertising campaign tracked as CashRewindo targets victims in Europe and the Americas with fake investment scams. Its operators rely on aged domains to slip past security defences.
Based on reports, the CashRewindo threat group has been operating since 2018 and uses specially crafted currency and language localisation to convince victims to invest on its scam websites. The group also relies on aged domains that other parties registered years ago.
These domains are effective because the operators pick ones with no record of involvement in malicious activity, so most reputation scanners raise no suspicion about them.
The threat actors then activate a dormant domain by installing a fresh TLS certificate and pointing it at a virtual server before using it in an attack. The group is estimated to control around 500 such domains; some were registered more than a decade ago and were only put to use this year.
Time-based domain verification systems typically weigh the registration date when screening for fraud, treating recently registered domains as suspicious and long-registered ones as trustworthy. Aged domains therefore pass such checks easily, which is exactly the weakness the group exploits.
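The practical lesson for defenders is that registration age on its own is a weak signal: a dormant domain that was registered a decade ago but has just received a new certificate, new hosting and its first traffic looks nothing like an established site. The check below is an added example written for this article, not code from the researchers or from any product; it uses constructed observations with assumed field names (WHOIS creation date, TLS certificate NotBefore, last A-record change from passive DNS, first traffic sighting) and no network lookups. It contrasts an age-only check with one that flags the reactivation pattern described above.

```python
"""Domain-age check that is not fooled by dormant-domain reactivation.

Added example, not from the original article or the researchers it cites.
Observations are constructed inline (no WHOIS, DNS or TLS lookups are made);
the field names below are assumptions about what a reputation pipeline stores.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class DomainObservation:
    name: str
    registered: date           # WHOIS creation date
    cert_not_before: date      # NotBefore of the TLS certificate currently served
    a_record_changed: date     # last change of the A record, per passive DNS
    first_seen_traffic: date   # first sighting in ad / proxy logs


NAIVE_MIN_AGE = timedelta(days=365)   # age-only check trusts anything older
RECENT = timedelta(days=60)           # window for "freshly woken" signals

# Constructed sample data for an assumed snapshot date.
TODAY = date(2022, 11, 30)
SAMPLES = {
    # aged but dormant domain: new cert, new hosting, no prior traffic
    "reactivated": DomainObservation(
        "example-invest.test", date(2011, 3, 14),
        date(2022, 10, 20), date(2022, 10, 18), date(2022, 10, 25)),
    # long-lived legitimate site: only the cert was renewed recently
    "established": DomainObservation(
        "news-site.test", date(2010, 6, 1),
        date(2022, 10, 1), date(2018, 2, 9), date(2015, 7, 30)),
    # newly registered domain: caught by the age check alone
    "fresh": DomainObservation(
        "quick-profit.test", date(2022, 11, 1),
        date(2022, 11, 2), date(2022, 11, 2), date(2022, 11, 5)),
}


def naive_age_check(obs: DomainObservation, today: date) -> bool:
    """Age-only check: trusts any domain registered at least NAIVE_MIN_AGE ago."""
    return (today - obs.registered) >= NAIVE_MIN_AGE


def dormant_reactivation_score(obs: DomainObservation, today: date):
    """Count reactivation signals on an aged domain. Returns (score, reasons).

    Each signal alone is weak (ACME certificates are renewed every few months,
    sites do migrate hosting), so callers should require more than one.
    """
    reasons = []
    if (today - obs.registered) >= NAIVE_MIN_AGE:
        if today - obs.cert_not_before <= RECENT:
            reasons.append("aged domain with recently issued TLS certificate")
        if today - obs.a_record_changed <= RECENT:
            reasons.append("aged domain moved to new hosting recently")
        if today - obs.first_seen_traffic <= RECENT:
            reasons.append("aged domain with no traffic history before the recent window")
    return len(reasons), reasons


def classify(obs: DomainObservation, today: date) -> str:
    """Combine both checks: 'suspicious', 'new-domain' or 'trusted'."""
    score, _ = dormant_reactivation_score(obs, today)
    if score >= 2:
        return "suspicious"
    if not naive_age_check(obs, today):
        return "new-domain"
    return "trusted"


if __name__ == "__main__":
    for label, obs in SAMPLES.items():
        naive = "trusted" if naive_age_check(obs, TODAY) else "new-domain"
        score, reasons = dormant_reactivation_score(obs, TODAY)
        print(f"{label:12} age-only={naive:10} combined={classify(obs, TODAY):10} "
              f"signals={score} {reasons}")
```

The threshold of two signals is deliberate: a certificate renewal on its own is routine for any site using short-lived certificates, so a single signal would generate noise. The reactivated sample trips all three signals and is flagged even though the age-only check would have trusted it, while the established site trips only the renewal signal and stays trusted.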
CashRewindo operators constantly switch between ordinary content and fraud schemes to make their attacks more effective.
Researchers noticed that the group often starts a campaign with innocuous copy containing nothing illegal, to avoid detection, and then gradually transitions to malicious call-to-action adverts and fraudulent schemes promoting the scam.
The adverts redirect targets to a crypto platform where they are deceived into depositing funds into phoney investment schemes.
Over the last year researchers recorded more than 1.5 million CashRewindo impressions, most of them targeting Windows devices. The most targeted countries are Croatia, Hungary, Kenya, Serbia, Slovakia, the Czech Republic and the United Kingdom, most of them in Europe.
Lastly, the adversaries use local language and imagery matched to the targeted country, and the adverts show great attention to detail, which makes them look legitimate and the attack more effective.