
In a revealing new report, Infoblox Threat Intelligence warns that investment scams are evolving rapidly—contributing to record-breaking consumer losses. According to the Federal Trade Commission (FTC), “consumers lost more money to investment scams than any other kind in 2024,” totaling an astonishing $5.7 billion, a 24% increase from 2023.
Infoblox’s research sheds light on the tactics, techniques, and procedures (TTPs) employed by cybercriminal groups, including notorious actors dubbed Reckless Rabbit and Ruthless Rabbit, who are actively exploiting DNS infrastructure to scale and sustain their fraudulent operations.
Investment scams are now typically anchored around fake websites, known as “profit platforms,” designed to look like legitimate financial institutions or crypto exchanges. As Infoblox notes, “fake news often featuring spoofed government endorsements, a celebrity, or fake first-hand accounts of the investment program” is used to lure victims.
Key TTPs identified include:
- Registered Domain Generation Algorithms (RDGAs) for mass domain creation
- Embedded web forms to capture user details like names, emails, and phone numbers
- Traffic Distribution Systems (TDS) to dynamically route users based on geolocation
- Spoofed endorsements from celebrities or reputable agencies
Once users engage, attackers perform validation checks to filter out bots, security researchers, or low-quality leads. These checks, according to Infoblox, “often perform HTTP GET requests to legitimate IP validation tools, such as ipinfo[.]io or ipgeolocation[.]io.”
Only validated users are directed to the final scam pages where they are pressured into transferring funds. If a user fails validation, the attackers typically display a fake “thank you” page to avoid arousing suspicion, a technique prominently used by groups like Ruthless Rabbit.
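The validation step described above leaves a footprint a defender can look for: if the check runs in the victim's browser, an egress proxy log will show a request to an IP-validation service immediately after the visit to the scam page, often with that page as the Referer. The following script is an added illustration, not code from the report or from Infoblox; the log format, the hostnames and the allowlist are constructed, and it assumes the lookup is client-side (a server-side check would not appear in the victim's traffic).

```python
"""Flag web hosts whose pages trigger a client-side IP-validation lookup.

Added example: constructed proxy log lines, constructed hostnames.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Validation services named in the report; subdomains are matched as well.
IP_VALIDATION_HOSTS = {"ipinfo.io", "ipgeolocation.io"}

# Hosts never reported as a suspect page (constructed allowlist).
ALLOWLIST = {"www.google.com"}

LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+'
    r'(?P<url>\S+)\s+referer="(?P<referer>[^"]*)"$'
)

# Constructed sample log: two scam-like hosts, one benign news site.
SAMPLE_LOG = """\
2025-05-01T10:00:00 10.0.0.5 GET https://www.google.com/search?q=invest referer=""
2025-05-01T10:00:04 10.0.0.5 GET https://quantum-profit-hub.example/ referer="https://www.google.com/"
2025-05-01T10:00:05 10.0.0.5 GET https://ipinfo.io/json referer="https://quantum-profit-hub.example/"
2025-05-01T10:00:06 10.0.0.5 POST https://quantum-profit-hub.example/api/lead referer="https://quantum-profit-hub.example/"
2025-05-01T10:05:00 10.0.0.7 GET https://news.example.org/markets referer=""
2025-05-01T10:05:02 10.0.0.7 GET https://news.example.org/static/app.js referer="https://news.example.org/markets"
2025-05-01T11:00:00 10.0.0.9 GET https://rapid-yield-portal.example/signup referer=""
2025-05-01T11:00:01 10.0.0.9 GET https://api.ipgeolocation.io/ipgeo?apiKey=REDACTED referer=""
"""


def parse(log_text):
    """Yield one dict per well-formed log line, with parsed timestamp and hosts."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the constructed format
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        rec["host"] = urlsplit(rec["url"]).hostname or ""
        rec["referer_host"] = urlsplit(rec["referer"]).hostname or ""
        yield rec


def is_validation_host(host):
    """True for a validation service or any subdomain of one."""
    return any(host == v or host.endswith("." + v) for v in IP_VALIDATION_HOSTS)


def find_validation_gates(log_text, window=timedelta(seconds=10)):
    """Return {suspect_host: reason}.

    'referer': the validation request names the page directly.
    'timing' : no Referer (stripped or absent), but the same client fetched a
               non-allowlisted page within `window` before the lookup.
    """
    suspects = {}
    last_page = {}  # client -> (timestamp, host) of its latest ordinary request
    for rec in parse(log_text):
        if is_validation_host(rec["host"]):
            ref = rec["referer_host"]
            if ref and not is_validation_host(ref) and ref not in ALLOWLIST:
                suspects.setdefault(ref, "referer")
            else:
                prev = last_page.get(rec["client"])
                if prev and rec["ts"] - prev[0] <= window and prev[1] not in ALLOWLIST:
                    suspects.setdefault(prev[1], "timing")
        else:
            last_page[rec["client"]] = (rec["ts"], rec["host"])
    return suspects


if __name__ == "__main__":
    for host, reason in find_validation_gates(SAMPLE_LOG).items():
        print(f"{host}\t{reason}")
```

The Referer match is the stronger signal; the timing fallback exists because many sites set a referrer policy that strips the header, and a hit on it is worth reviewing rather than blocking outright.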
Threat actors leverage custom TDS infrastructures to maximize targeting efficiency and minimize detection. For example, Infoblox highlights a campaign where U.S. visitors to a scam domain were redirected to legitimate websites like eToro to evade detection.
As the report explains, “This threat actor routes users from different countries to different fake investment platforms, with U.S. users sometimes redirected to legitimate sites.”
Unlike traditional malware domain generation algorithms (DGAs), Registered Domain Generation Algorithms (RDGAs) involve pre-registering massive batches of domains using secret algorithms.
Since 2023, Infoblox has observed “over 3 million RDGA domains on the internet,” a number continuing to climb as scammers integrate RDGA domains into advertising ecosystems like Facebook.
Actors like Reckless Rabbit exploit RDGAs by launching fresh campaigns daily, mixing scam advertisements among innocuous ones to evade social media platform enforcement.
- Reckless Rabbit: Targets victims through malicious Facebook ads mixed with legitimate marketplace listings. Utilizes dynamic landing pages featuring spoofed news stories and celebrity endorsements. Often configures wildcard DNS responses to their domains, complicating security monitoring.
- Ruthless Rabbit: Focuses on Eastern European audiences, spoofing legitimate brands like Google Finance or Channel One Russia. They run their own cloaking service (mcraftdb[.]tech) to validate user data and filter traffic. Campaigns heavily use obfuscated scripts and randomized registration processes.
One striking tactic by Ruthless Rabbit is auto-generating email addresses behind the scenes, indicating that “the actor may not actually use the phone number and email address to contact the user but instead uses them only to perform the validation checks.”
Infoblox emphasizes that DNS abuse remains central to the infrastructure of modern scams. “Actors take advantage of RDGAs to create large numbers of domains to use in their campaigns, which enables them to hide in plain sight and change out domains often,” the report warns.
By focusing on DNS fingerprinting and blocking malicious domains before redirection occurs, defenders have a crucial opportunity to disrupt the scam lifecycle before victims are exposed.
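To make the RDGA discussion above and the closing point about blocking before redirection concrete, here is an added example that is not part of the report and not Infoblox's own tooling. It clusters newly registered domains by a simple lexical shape (runs of letters, runs of digits, hyphens), registration date and registrar, flags clusters above a size threshold, and renders the result as a BIND Response Policy Zone; the wildcard entry in the zone also answers the wildcard DNS responses the Reckless Rabbit profile mentions. The registration records are constructed, and the shape-based fingerprint is a simplified stand-in for whatever Infoblox actually uses.

```python
"""Fingerprint bulk-registered look-alike domains and emit an RPZ block zone.

Added example with constructed data; not the report's method or code.
"""
import re
from collections import defaultdict

# Constructed registration records: (domain, registration date, registrar).
SAMPLE_REGISTRATIONS = [
    ("quantum-profit-hub42.example", "2025-04-30", "registrar-a"),
    ("golden-wealth-zone17.example", "2025-04-30", "registrar-a"),
    ("secure-income-path93.example", "2025-04-30", "registrar-a"),
    ("rapid-yield-portal08.example", "2025-04-30", "registrar-a"),
    ("smart-crypto-gate55.example", "2025-04-30", "registrar-a"),
    ("bakery-on-main.example", "2025-04-30", "registrar-b"),
    ("quantum-profit-hub.example", "2025-03-12", "registrar-c"),
    ("news.example", "2020-01-01", "registrar-b"),
]

TOKEN_RE = re.compile(r"[a-z]+|\d+|-")


def lexical_template(domain):
    """Reduce a domain to (shape, suffix): letter runs -> 'w', digit runs -> 'd',
    hyphens kept. 'golden-wealth-zone17.example' -> ('w-w-wd', 'example').
    Assumes the registrable label is the first label (no public-suffix logic)."""
    first, _, suffix = domain.lower().partition(".")
    shape = "".join(
        "w" if t.isalpha() else "d" if t.isdigit() else "-"
        for t in TOKEN_RE.findall(first)
    )
    return shape, suffix


def find_rdga_clusters(records, min_size=4):
    """Group domains that share shape, suffix, registration day and registrar;
    keep only groups with at least min_size members."""
    groups = defaultdict(list)
    for domain, reg_date, registrar in records:
        shape, suffix = lexical_template(domain)
        groups[(shape, suffix, reg_date, registrar)].append(domain)
    return {key: sorted(doms) for key, doms in groups.items() if len(doms) >= min_size}


def flagged_domains(clusters):
    """Flatten the clusters into one sorted list of domains to block."""
    return sorted(d for doms in clusters.values() for d in doms)


def rpz_zone(domains, serial=1):
    """Render a BIND Response Policy Zone. 'CNAME .' is the RPZ action for
    NXDOMAIN; the '*.' owner also blocks any subdomain, which matters when the
    actor has configured wildcard DNS under the registered name."""
    lines = [
        "$TTL 300",
        f"@ IN SOA localhost. hostmaster.localhost. ({serial} 3600 600 86400 300)",
        "@ IN NS localhost.",
    ]
    for d in domains:
        lines.append(f"{d} CNAME .")
        lines.append(f"*.{d} CNAME .")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    clusters = find_rdga_clusters(SAMPLE_REGISTRATIONS)
    print(rpz_zone(flagged_domains(clusters)))
```

On the constructed data the five same-day, same-registrar, same-shape names form one cluster and the lone bakery and news domains do not; in practice the threshold and the clustering keys would be tuned against real registration feeds, and the zone would be loaded into the resolver's response-policy configuration so the block applies before any TDS redirection happens.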