They tune the digital ads that appear on legitimate sites to redirect users to a fake landing page, which may eventually result in stealing their funds through various means. The threat actor is described as sophisticated because the ads are customized to the target audience.
Aged Domains and Malvertising
According to Confiant, a sophisticated threat actor named CashRewindo has been malvertising on legitimate sites to lure people into investing in fake options. Targeting people in Europe, Asia, Africa, and North and South America, the scammer uses the local language and currency to appear legitimate to each audience. Confiant's researchers, who have tracked the actor since 2018, said that CashRewindo uses aged domains in its campaign to avoid suspicion. This differs from the approach of most current scammers, who register new domains to host their fake pages and rug pull when done. CashRewindo also places its ads on legitimate sites to avoid suspicion.

The campaign involves injecting malicious JavaScript code into digital ads distributed by a legitimate ad network, which are then shown to the general public. Confiant detected 487 domains used by CashRewindo, some of them registered in 2008 and used for the first time in 2022. The ads are customized according to the viewer's timezone, device platform, and language so as to get a better click rate. Users who click on the ads but fall outside the target audience are shown a blank page; those within the target range are taken to a phishing page promoting a fake cryptocurrency platform that promises unrealistic profits. Over the past 12 months, Confiant recorded over 1.5 million CashRewindo ad impressions, primarily targeting Windows devices.

Any investment option that guarantees a fixed return or unrealistic profits in the short term is likely a scam, so be wary of such rug-pull schemes and ignore them whenever you come across them.
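The audience-keyed cloaking described above (blank page for out-of-target visitors, scam page for in-target ones) can be surfaced by fetching the same landing page under several client profiles and comparing what comes back. The following is an added example, not Confiant's tooling or code from the article; the fetcher, the URL and the "German-speaking Windows users in UTC+1" target audience are constructed stand-ins.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

@dataclass(frozen=True)
class ClientProfile:
    """The three signals the article says the ads are keyed on."""
    language: str   # browser language, e.g. "de-DE"
    platform: str   # device platform, e.g. "Windows"
    tz_offset: int  # timezone offset from UTC in minutes, as a browser reports it

def simulated_fetch(url: str, profile: ClientProfile) -> str:
    """Constructed stand-in for a real HTTP fetch (no network). It mimics the
    behaviour described in the article: in-target visitors get the fake
    investment page, everyone else gets a blank page. The target audience
    (German-speaking Windows users in UTC+1) is a hypothetical choice."""
    in_target = (profile.language.startswith("de")
                 and profile.platform == "Windows"
                 and profile.tz_offset == 60)
    if in_target:
        return "<html><body><h1>Guaranteed 300% return in 30 days</h1></body></html>"
    return "<html><body></body></html>"

def is_blank_page(html: str) -> bool:
    """True when the document carries no visible text once tags are stripped."""
    return re.sub(r"<[^>]+>", "", html).strip() == ""

def detect_cloaking(url: str, profiles: List[ClientProfile],
                    fetch: Callable[[str, ClientProfile], str] = simulated_fetch) -> Dict:
    """Fetch the same URL under each profile. A landing page that is blank for
    some audiences and populated for others is the cloaking pattern to flag."""
    responses = {p: fetch(url, p) for p in profiles}
    blank_for = [p for p, html in responses.items() if is_blank_page(html)]
    served_to = [p for p in profiles if p not in blank_for]
    return {
        "cloaking_suspected": bool(blank_for) and bool(served_to),
        "served_to": served_to,
        "blank_for": blank_for,
    }

# Constructed probe set: vary one signal at a time around the hypothetical target.
PROBES = [
    ClientProfile("de-DE", "Windows", 60),    # in target
    ClientProfile("en-US", "Windows", 60),    # wrong language
    ClientProfile("de-DE", "Android", 60),    # wrong platform
    ClientProfile("de-DE", "Windows", -300),  # wrong timezone
]
```

To probe a live URL, replace `simulated_fetch` with a fetcher that sets the Accept-Language and User-Agent headers from the profile and runs the page in a browser whose reported timezone matches `tz_offset`.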