A sophisticated and very patient threat group behind a global malvertising scheme uses so-called stale domains to bypass legacy cybersecurity tools and catch investment fraud victims.
The attackers behind the CashRewindo campaign act in many ways like other malvertising crooks. They inject malicious code into digital advertisements on legitimate ad networks and use the infected ads to redirect website visitors to pages that might install malware or run scams.
Cyber criminals running malvertising campaigns usually create a domain and start using it quickly.
However, CashRewindo has domains that have been registered for years and remain dormant, only activating them – updating certificates and assigning a virtual server – just before launching the malvertising campaign, according to researchers at Confiant, whose tools protect companies’ online reputations.
Confiant has been tracking CashRewindo – which was first discovered in 2018 – for two years, Daniel Fonseca Yarochewsky, security software engineer at the firm, wrote in a report this week.
Outdated domains are neither new nor illegal. A quick Google search shows where people can buy abandoned domains that still have plenty of backlinks pointing to them before they expire. Smaller businesses buy them to launch a website faster and capture the traffic already associated with the domain.
CashRewindo is patient and ages the domains before they are used. In total, Confiant linked 486 domains to the group, some of which were registered back in 2006 but only activated this year. Others were activated weeks after registration.
“We speculate that they either buy these in markets that boost their reputations or wait for them to age, probably the former,” Yarochewsky wrote. “Whether outsourced or not, this technique is capable of bypassing security systems that consider registration timing to be legitimate.”
The technique works because such domains — which are older and have no history of malicious activity — are trusted and therefore less likely to be flagged as suspicious by security software.
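One defensive consequence of this, as an added example that is not from the article or from Confiant's tooling: a domain check that weighs when the domain was actually brought online (the passive-DNS first sighting of its current hosting address, or the issuance date of the certificate it serves) alongside its registration date, so that an old registration with brand-new infrastructure stands out instead of being waved through. The record fields, thresholds and sample domains are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Thresholds are assumptions for this example, not values from Confiant's report.
TRUSTED_REGISTRATION_AGE_DAYS = 365   # how old a registration must be before age alone earns trust
RECENT_ACTIVATION_DAYS = 30           # activation this recent is treated as a fresh campaign

@dataclass
class DomainRecord:
    name: str
    registered: date                        # WHOIS / RDAP creation date
    hosting_first_seen: Optional[date]      # passive-DNS first sighting of the current hosting IP
    cert_issued: Optional[date]             # notBefore of the certificate currently served

def activation_date(rec: DomainRecord) -> Optional[date]:
    """Date the domain came alive on its current infrastructure.
    Passive-DNS first-seen is the primary signal; the certificate issuance date is
    only a fallback, because routine renewals would otherwise make it noisy."""
    return rec.hosting_first_seen or rec.cert_issued

def classify(rec: DomainRecord, today: date) -> str:
    """Combine registration age with activation recency.
    A long-registered domain that only recently obtained hosting and a certificate
    is the aged-domain pattern; a registration-age check alone would not flag it."""
    registration_age = (today - rec.registered).days
    activated = activation_date(rec)
    if activated is None:
        return "dormant"                       # registered but never brought online
    activation_age = (today - activated).days
    if registration_age < TRUSTED_REGISTRATION_AGE_DAYS:
        return "newly-registered"              # what legacy age-based checks already catch
    if activation_age <= RECENT_ACTIVATION_DAYS:
        return "aged-then-activated"           # old registration, brand-new infrastructure
    return "established"

def triage(records: List[DomainRecord], today: date) -> List[str]:
    """Return the names of domains worth a closer look, in input order."""
    return [r.name for r in records
            if classify(r, today) in ("newly-registered", "aged-then-activated")]

# Constructed sample records; these are not real CashRewindo indicators.
SAMPLE = [
    DomainRecord("aged-example.test", date(2006, 3, 14), date(2022, 11, 18), date(2022, 11, 20)),
    DomainRecord("fresh-example.test", date(2022, 11, 1), date(2022, 11, 2), date(2022, 11, 2)),
    DomainRecord("settled-example.test", date(2015, 1, 1), date(2016, 2, 1), date(2022, 10, 15)),
    DomainRecord("parked-example.test", date(2010, 6, 1), None, None),
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(f"{rec.name:24} {classify(rec, date(2022, 12, 1))}")
```

Registration age is still used, but only as one input; the point of the second signal is that the "aged-then-activated" bucket is invisible to a check that trusts registration date by itself.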
Melissa Bischoping, Director of Endpoint Security Research at Tanium, told The Register that research shows that at least 20 percent of aged domains could be classified as suspicious. Such techniques require an investment of time and money by the attacker, who may continuously buy and age domains in the background while performing other operations in the meantime.
With that in mind, the technique is likely to be used by criminals with long-term operations or those aging domains to sell to other threat groups, Bischoping said.
“An attacker who invests time in aging domains is more likely to have an established and more sophisticated operation,” she said. “For example, the APT behind SolarWinds has used domain names in its operations for years.”
Javvad Malik, security awareness advocate at KnowBe4, told The Register that “criminals often set up such domains or fake profiles on social media sites like LinkedIn and then do nothing malicious for a long time before carrying out their actions. This shows how far criminals go to avoid detection by security technologies.”
Confiant saw more than 1.5 million CashRewindo impressions over 12 months, with more than three quarters hitting Windows devices. The group’s attacks touched more than 100 countries across Europe, North and South America, Africa, the Middle East and Asia. The countries with the most impressions were in Eastern Europe.
According to Yarochewsky, CashRewindo’s malvertising campaigns are tailored to specific regions, down to the local language, the currency and the photos placed on the page.
Attackers don’t just rely on domain aging to evade detection. The group also alternates between scam ads and innocuous wording to avoid triggering software that recognizes “strong language,” Yarochewsky wrote. At the beginning of a campaign, CashRewindo uses harmless ads before later switching to “call-to-action” ads.
The attackers also placed a small red circle in the middle of images to block computer vision detection tools. Furthermore, they target specific victims determined by the language, time zone, and device platform used on the systems.
From there, the victim is redirected to a scam site and then redirected to a platform offering fake cryptocurrency investments.
Tanium’s Bischoping said that protecting against such a campaign requires a combination of tools, from next-generation firewalls and DNS filtering to email threat protection and threat intelligence feeds. ®
https://www.theregister.com/2022/12/02/cashrewindo_scam_domain_aging/ Attackers use domain aging in global malvertising campaign • The Register