The Daily Examiner.
A $ 194 million – that is how much money New Zealand consumers reported losing to investment scams in 2024. Often victims are only trying to create financial security and build a failsafe for the future. Instead, they are manipulated, defrauded, and left more vulnerable than before by the criminals.
New research from Infoblox Threat Intel spotlights two of these investment scam actors: Reckless Rabbit and Ruthless Rabbit.
Reckless and Ruthless Rabbit both use registered domain generation algorithms (RDGAs) to scale their malicious campaigns and lure victims by using well-known names to appear trustworthy.

Reckless Rabbit
Reckless Rabbit is a threat actor that uses Facebook ads to promote fake investment platforms. They exploit fake celebrity endorsements and create thousands of domains to evade detection.
- Malicious Facebook Ads: Reckless Rabbit uses Facebook ads to lure victims into their scams. These ads often feature fake celebrity endorsements to make the scams appear more credible.
- Wildcard Domain Name System (DNS) Responses: The actor sets up its domains so that queries to any subdomain will return a response. This creates noise in DNS and makes it difficult to identify which subdomains are actually being used for scams by the actor.
- Global Targeting: Reckless Rabbit targets victims across multiple countries, using localised content to increase the believability of their scams.
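The wildcard DNS behaviour described above can be checked from the defender's side. The sketch below is an added example, not code from Infoblox or from this article: it probes a zone with random labels and separates observed subdomains that merely match the wildcard answer from those with their own records. The function names, the `.test` zones and the addresses are constructed for illustration.

```python
import secrets
import socket

def system_resolver(name):
    """Addresses for name via the OS resolver; empty set if it does not resolve."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()

def probe_wildcard(zone, resolve=system_resolver, probes=3):
    """Query random labels nobody would have created under zone.
    If all of them resolve, the zone answers for any subdomain.
    Returns (is_wildcard, addresses returned for the random labels)."""
    seen = set()
    for _ in range(probes):
        answers = resolve(f"{secrets.token_hex(8)}.{zone}")
        if not answers:
            return False, set()
        seen |= answers
    return True, seen

def triage(observed, zone, resolve=system_resolver):
    """Split observed subdomains into those indistinguishable from the wildcard
    answer (DNS alone cannot show they are in use) and those with their own
    explicit records, which override the wildcard and merit a closer look."""
    is_wild, wild_addrs = probe_wildcard(zone, resolve)
    same, distinct = [], []
    for name in sorted(observed):
        answers = resolve(name)
        if is_wild and answers and answers <= wild_addrs:
            same.append(name)
        elif answers:
            distinct.append(name)
    return {"wildcard": is_wild, "same_as_wildcard": same, "distinct": distinct}

def sample_resolver(name):
    """Constructed stand-in for live DNS (reserved .test names, documentation IPs)."""
    explicit = {"promo.invest-example.test": {"198.51.100.7"},
                "www.plain-example.test": {"203.0.113.5"}}
    if name in explicit:
        return explicit[name]
    return {"192.0.2.10"} if name.endswith(".invest-example.test") else set()

if __name__ == "__main__":
    seen = {"promo.invest-example.test", "a1.invest-example.test", "news.invest-example.test"}
    print(triage(seen, "invest-example.test", sample_resolver))
    print(probe_wildcard("plain-example.test", sample_resolver))
```

Against live DNS, leave `resolve` at its default; a name listed under `same_as_wildcard` may still be in active use, which is exactly the noise the wildcard is meant to create.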
Ruthless Rabbit
Ruthless Rabbit is a threat actor that operates its own cloaking service to perform validation checks on users. They target victims globally, including A/NZ, impersonating real local news websites or even big brands like WhatsApp or Meta.
- Cloaking Service: Ruthless Rabbit operates a cloaking service to perform validation checks on users, filtering out non-target traffic and making their scams harder to detect.
- Spoofed News Sites: They often spoof real news websites or big brands to lure victims into their scams.
- Dynamic URL Paths: Ruthless Rabbit uses dynamic URL paths for their scam landing pages, constantly changing them in order to make tracing harder.
The success of these investment scams hinges on two key elements: chaos and trust. In chaotic times, individuals are more likely to seek quick financial gains. Cybercriminals exploit this chaos by creating a sense of urgency and tapping into consumers' fear of missing out on a good and easy investment opportunity. At the same time, they leverage trust by using familiar and accepted sources, such as celebrity endorsements and well-known news sites, to make their scams appear legitimate.
The fact that criminals rely on DNS exploitation for their large and sophisticated campaigns enables defenders to use DNS as an important pillar for security. Through the lens of DNS, Infoblox Threat Intel researchers are able to leverage automated detection and correlate these investment scam domains at scale.
Users should exercise extreme caution when asked to invest in any project or company. Double-check any domain with a major search engine to ensure it is not a spoofed or fake site. Any media claiming sponsorship of the platform by major sports figures or celebrities should be treated with caution and users should consider that those claims could have been produced using AI.
Organisations that use Protective DNS services with strong threat intelligence behind them can protect all of their users from these scams by preventing access to fake media and platforms.
On RDGAs:
RDGAs are a sophisticated evolution of traditional domain generation algorithms (DGAs) used by cybercriminals to generate large numbers of domain names for malicious activities. These algorithms are utilised in malware, phishing, spam, scams, gambling, traffic distribution systems (TDSs), VPNs, and advertising. They allow threat actors to continuously create new domains, and because those domains are registered, it is difficult for security systems to block them all, so advanced detection methods are required to stay ahead of these evolving threats.
Rabbits and RDGAs:
The Infoblox Threat Intel team names RDGA actors as “rabbits.” This means that actors in this category algorithmically create and then register domains. They differ from traditional DGAs in that all of the domains are registered. These malicious domains may be used for a wide range of purposes including malware, phishing, scams, and spam.