
Unmasking Investment Scams: Ads, Lies, Fake News and Fraud

The number will shock you: $5.7 billion. That is how much money U.S. consumers reported losing to investment scams in 2024. For context, that is enough to fund five Mars rover missions. The painful irony? These victims were not being reckless; they were trying to create financial security and build a failsafe for the future. Instead, they were manipulated, defrauded, and left more vulnerable than before.

New research from Infoblox Threat Intel spotlights two of these investment scam actors: Reckless Rabbit and Ruthless Rabbit.

Reckless and Ruthless Rabbit both utilize registered domain generation algorithms (RDGAs) to scale their malicious campaigns and lure victims into their trap by using well-known names to appear trustworthy.

Spotlight on Reckless Rabbit and Ruthless Rabbit

Reckless Rabbit

Reckless Rabbit is a threat actor that uses Facebook ads to promote fake investment platforms. They exploit fake celebrity endorsements and create thousands of domains to evade detection.

  • Malicious Facebook Ads: Reckless Rabbit uses Facebook ads to lure victims into their investment scams. These ads often feature fake celebrity endorsements to make the scams appear more credible.
  • Wildcard Domain Name System (DNS) Responses: The actor sets up its domains so that queries to any subdomain will return a response. This creates noise in DNS and makes it difficult to identify which subdomains are actually being used for investment scams by the actor.
  • Global Targeting: Reckless Rabbit targets victims across multiple countries, using localized content to increase the believability of their investment scams.
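The wildcard DNS behaviour described above has a direct consequence for defenders: resolving every subdomain seen in query logs tells you nothing, because every label answers. The following is an added example, not code from the article or from Infoblox, showing how a defender can probe a zone with random labels to recognise a wildcard and then collapse log noise to the registered domain. The zone data, hostnames and addresses are constructed for the example (reserved .test names and RFC 5737 documentation addresses); the `live_resolve` helper shows where a real lookup would plug in.

```python
import secrets
import socket
from collections import defaultdict
from typing import Callable, Dict, Optional

# Constructed zone data standing in for live DNS answers. The names are
# reserved .test names invented for this example; the addresses are
# documentation ranges (RFC 5737). Nothing here is real scam infrastructure.
FAKE_ZONES: Dict[str, Dict[str, str]] = {
    # Wildcard zone: any label resolves, as the article describes.
    "wild-scam-platform.test": {"*": "203.0.113.10", "www": "203.0.113.10"},
    # Ordinary zone: only explicitly created labels resolve.
    "plain-site.test": {"www": "198.51.100.5", "login": "198.51.100.6"},
}

Resolver = Callable[[str], Optional[str]]


def fake_resolve(name: str) -> Optional[str]:
    """Simulated A-record lookup over FAKE_ZONES. Returns None for NXDOMAIN."""
    labels = name.rstrip(".").split(".")
    for i in range(1, len(labels)):
        zone = ".".join(labels[i:])
        if zone in FAKE_ZONES:
            records = FAKE_ZONES[zone]
            sub = ".".join(labels[:i])
            return records.get(sub, records.get("*"))
    return None


def live_resolve(name: str) -> Optional[str]:
    """Real lookup via the system resolver; swap this in for fake_resolve
    when checking zones you are responsible for investigating."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def is_wildcard(domain: str, resolve: Resolver, probes: int = 3) -> bool:
    """Query a few random, never-created labels under `domain`. If every
    probe resolves to the same address, the zone carries a wildcard record,
    so per-subdomain resolution says nothing about which subdomains the
    actor actually serves pages from."""
    answers = [resolve(f"{secrets.token_hex(8)}.{domain}") for _ in range(probes)]
    return all(a is not None for a in answers) and len(set(answers)) == 1


def registered_domain(hostname: str) -> str:
    """Apex approximation: last two labels. A real pipeline should use the
    Public Suffix List so that names under e.g. co.uk are handled correctly."""
    return ".".join(hostname.rstrip(".").split(".")[-2:])


def summarise_observed(hostnames, resolve: Resolver) -> Dict[str, dict]:
    """Group observed FQDNs (for example from DNS query logs) by apex. For
    wildcard zones the individual subdomains are noise, so the summary keeps
    only the apex and a count; for ordinary zones it lists the subdomains."""
    seen = defaultdict(set)
    for h in hostnames:
        seen[registered_domain(h)].add(h)
    summary = {}
    for apex, names in seen.items():
        wildcard = is_wildcard(apex, resolve)
        summary[apex] = {
            "wildcard": wildcard,
            "observed": len(names),
            "subdomains": [] if wildcard else sorted(names),
        }
    return summary


if __name__ == "__main__":
    # Constructed log sample: three random-looking labels under the wildcard
    # zone, two real labels under the ordinary zone.
    log = ["a1b2.wild-scam-platform.test", "zz9.wild-scam-platform.test",
           "promo.wild-scam-platform.test", "www.plain-site.test",
           "login.plain-site.test"]
    for apex, info in summarise_observed(log, fake_resolve).items():
        print(apex, info)
```

The probe labels are random hex strings, so a positive result cannot be explained by the label happening to exist; the design choice of requiring all probes to agree on one address filters out resolvers that synthesise answers for NXDOMAIN.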

Ruthless Rabbit

Ruthless Rabbit is a threat actor that operates its own cloaking service to perform validation checks on users. They primarily target victims in Eastern Europe, impersonating real local news websites or even big brands like WhatsApp or Meta.

  • Cloaking Service: Ruthless Rabbit operates a cloaking service to perform validation checks on users, filtering out non-target traffic and making their investment scams harder to detect.
  • Spoofed News Sites: They often spoof real news websites or big brands, such as Russian news sites or WhatsApp, to lure victims into their scams.
  • Dynamic URL Paths: Ruthless Rabbit uses dynamic URL paths for their scam landing pages, constantly changing them in order to make tracing them harder.

Chaos and Trust

The success of these investment scams hinges on two key elements: chaos and trust. In chaotic times, individuals are more likely to seek quick financial gains. Cybercriminals exploit this chaos by creating a sense of urgency and fear of missing out on a good and easy investment opportunity. At the same time, they leverage trust by using familiar and accepted sources, such as celebrity endorsements and well-known news sites, to make their investment scams appear legitimate.

Conclusion

The fact that criminals rely on DNS exploitation for their large and sophisticated campaigns enables defenders to use DNS as an important pillar for security. Through the lens of DNS, Infoblox Threat Intel researchers are able to leverage automated detection and correlate these investment scam domains at scale.

Users should exercise extreme caution when asked to invest in any project or company. Double-check any domain with a major search engine to ensure it is not a spoofed or fake site. Any media claiming sponsorship of the platform by major sports figures or celebrities should be treated with caution and users should consider that those claims could have been produced using AI.

Organizations that use Protective DNS services backed by strong threat intelligence can protect all of their users from these investment scams by preventing access to the fake media and platforms.

On RDGAs:

RDGAs are a sophisticated evolution of traditional domain generation algorithms (DGAs), which cybercriminals use to generate large numbers of domain names for malicious activity. They are used in malware, phishing, spam, scams, gambling, traffic distribution systems (TDSs), VPNs, and advertising. They not only allow threat actors to continuously create new domains; because those domains are registered, security systems cannot simply block them all, and advanced detection methods are required to stay ahead of these evolving threats.

Rabbits and RDGAs:

The Infoblox Threat Intel team calls RDGA actors "rabbits": actors in this category algorithmically create and then register domains. They differ from traditional DGAs in that all of the domains are registered. These malicious domains may be used for a wide range of purposes, including malware, phishing, scams, and spam.
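Because every RDGA domain is registered, a defender's view of it is a registration feed rather than NXDOMAIN noise. The following is an added example, not code from the article and not Infoblox's own method, of one simple heuristic over such a feed: reduce each name to a structural shape, then flag bursts of same-shaped names registered close together that draw on a shared word pool. The registration sample is constructed from invented .test names, and the shape rule and thresholds are assumptions chosen for illustration.

```python
from collections import Counter, defaultdict
from datetime import date
from typing import Dict, List, Tuple

# Constructed sample feed of newly registered domains (name, registration
# date). All names are invented .test names; none is real RDGA infrastructure.
SAMPLE_REGISTRATIONS: List[Tuple[str, str]] = [
    ("quantum-profit-gate.test", "2024-05-01"),
    ("crypto-wealth-gate.test", "2024-05-01"),
    ("golden-income-hub.test", "2024-05-02"),
    ("secure-profit-hub.test", "2024-05-02"),
    ("rapid-wealth-gate.test", "2024-05-02"),
    ("quick-income-gate.test", "2024-05-03"),
    ("mybakery.test", "2024-05-01"),
    ("smithlawoffice.test", "2024-05-03"),
    ("ab12cd.test", "2024-05-03"),
]


def shape(domain: str) -> str:
    """Structural signature of a domain: each hyphen-separated token of the
    registrable label is reduced to w (letters), d (digits) or x (mixed), and
    the TLD is kept. 'quantum-profit-gate.test' -> 'w-w-w.test'."""
    label, _, tld = domain.lower().rpartition(".")
    classes = []
    for token in label.split("-"):
        if token.isalpha():
            classes.append("w")
        elif token.isdigit():
            classes.append("d")
        else:
            classes.append("x")
    return "-".join(classes) + "." + tld


def find_rdga_clusters(registrations, min_size: int = 4,
                       window_days: int = 7) -> List[dict]:
    """Group registrations by shape; report groups of at least `min_size`
    names registered within `window_days` of each other, together with the
    vocabulary the members share. Bursts of same-shaped names built from a
    small word pool are the signature of a template-driven generator."""
    by_shape: Dict[str, List[Tuple[date, str]]] = defaultdict(list)
    for name, day in registrations:
        by_shape[shape(name)].append((date.fromisoformat(day), name))
    clusters = []
    for sig, members in by_shape.items():
        if len(members) < min_size:
            continue
        days = [d for d, _ in members]
        if (max(days) - min(days)).days > window_days:
            continue
        # Count the words making up the registrable labels; words reused
        # across several members reveal the generator's word list.
        tokens = Counter(t for _, n in members
                         for t in n.rpartition(".")[0].split("-"))
        shared = [t for t, c in tokens.most_common() if c >= 2]
        clusters.append({
            "shape": sig,
            "domains": sorted(n for _, n in members),
            "shared_tokens": shared,
        })
    return clusters


if __name__ == "__main__":
    for cluster in find_rdga_clusters(SAMPLE_REGISTRATIONS):
        print(cluster["shape"], len(cluster["domains"]), cluster["shared_tokens"])
```

On the constructed feed the six three-word hyphenated names form one cluster sharing tokens such as "gate" and "profit", while the two ordinary business names and the mixed-character name stay unflagged. In practice the shape rule and thresholds would be tuned against a baseline of benign registrations, and the clusters would be one input to correlation rather than a verdict on their own.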
