
Brand new investment scam checks your IP address before scamming

By Yadullah Abidi

Security researchers have caught two threat actors running investment scams. The scams use fake celebrity endorsements and Facebook ads to lure unsuspecting victims. Before a visitor ever reaches the actual scam page, the campaign validates the submitted form data and checks the visitor's IP address, and only then decides whether that person is worth defrauding; the same filter keeps out-of-scope traffic and curious researchers away from the real content.

The scam, first documented by researchers at intelligence firm Infoblox, runs fake ads on Facebook that lead to fake news articles in which a celebrity endorses a bogus investment platform. Each article links to a web form that asks for the user's personal information in order to "register" them for the investment opportunity.

Infoblox's report says that the forms collect users' names, phone numbers, and email addresses, and some forms also have the user create a password. The submitted data is then run through a series of validation checks before the visitor is sent anywhere, including:

  • Valid user email and phone number
  • Duplicated email or phone numbers
  • Multiple registration attempts from the same IP address within a short period of time
  • Missing data from the form
Facebook ads run by scammers. | Source: Infoblox

The threat actors then use legitimate IP geolocation services such as ipgeolocation.com and ipinfo.io to keep only visitors from the countries they are targeting. If a user passes validation, they are sent straight to the fake investment platform, where they are "encouraged to transfer money." In another variant, validated users land on a thank-you page claiming that a representative will reach out. Users who fail validation see only a plain thank-you page and never reach the scam content.

The scammers, named Reckless Rabbit and Ruthless Rabbit by the researchers, use a traffic distribution system (TDS) to collect this data and decide which web content each visitor is shown. Visitors from countries such as Australia, Canada, Switzerland, and the United States are redirected to legitimate platforms, which also deters security researchers investigating the scam: from those vantage points the infrastructure looks harmless.
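To make the gating behaviour concrete, here is a small model of the pipeline described above: the form checks from the list (missing fields, invalid or duplicate email and phone, too many registrations from one IP) followed by the country-based routing the TDS performs. This is an added illustration written for this article, not code from the Infoblox report or from the actors; the geolocation table, the country sets, the rate-limit window and the page names are constructed assumptions standing in for the ipgeolocation.com / ipinfo.io lookups and the real routing rules.

```python
"""
Model of the victim-filtering ("cloaking") pipeline described in the article.
Added illustration only: not code from the Infoblox report or the actors.
The geolocation table below is a constructed stand-in for the
ipgeolocation.com / ipinfo.io API calls the campaign makes.
"""
import re
import time
from collections import defaultdict

# Constructed stand-in for an IP geolocation lookup (IP -> ISO country code).
GEO_TABLE = {
    "198.51.100.7": "PL",   # a targeted country named in the article
    "192.0.2.45": "RO",     # another targeted country
    "203.0.113.9": "US",    # researcher-heavy country, served legit content
    "192.0.2.44": "AF",     # excluded country
}

# Assumed policy, derived from the countries the article names.
TARGET_COUNTRIES = {"RU", "RO", "PL"}
LEGIT_REDIRECT_COUNTRIES = {"AU", "CA", "CH", "US"}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I)
PHONE_RE = re.compile(r"^\+?\d{8,15}$")


class LeadGate:
    """Applies the form checks listed in the article, then routes by geo."""

    def __init__(self, window_s=300, max_per_ip=3):
        self.seen_emails = set()
        self.seen_phones = set()
        self.ip_hits = defaultdict(list)   # ip -> timestamps of accepted leads
        self.window_s = window_s           # assumed rate-limit window (seconds)
        self.max_per_ip = max_per_ip       # assumed registrations per IP/window

    def validate(self, form, ip, now=None):
        """Return None when the lead passes every check, else the failure reason."""
        now = time.time() if now is None else now
        # 1. Missing data from the form
        for field in ("name", "email", "phone"):
            if not form.get(field):
                return f"missing:{field}"
        # 2. Valid email and phone number (format only; no external lookups)
        if not EMAIL_RE.match(form["email"]):
            return "invalid:email"
        phone = re.sub(r"[\s\-()]", "", form["phone"])
        if not PHONE_RE.match(phone):
            return "invalid:phone"
        # 3. Duplicated email or phone number
        if form["email"].lower() in self.seen_emails:
            return "duplicate:email"
        if phone in self.seen_phones:
            return "duplicate:phone"
        # 4. Multiple registrations from the same IP in a short period
        hits = [t for t in self.ip_hits[ip] if now - t < self.window_s]
        if len(hits) >= self.max_per_ip:
            return "rate:ip"
        hits.append(now)
        self.ip_hits[ip] = hits
        self.seen_emails.add(form["email"].lower())
        self.seen_phones.add(phone)
        return None

    def route(self, form, ip, now=None):
        """Decide which page the visitor sees, mirroring the TDS behaviour."""
        country = GEO_TABLE.get(ip, "??")
        if country in LEGIT_REDIRECT_COUNTRIES:
            return "legitimate_platform"      # looks benign to researchers
        if country not in TARGET_COUNTRIES:
            return "thank_you_page"           # out of scope, dead end
        if self.validate(form, ip, now) is not None:
            return "thank_you_page"           # failed checks, nothing more
        return "fake_investment_platform"     # validated lead, handed to the scam


if __name__ == "__main__":
    gate = LeadGate()
    lead = {"name": "Jan Kowalski", "email": "jan@example.com",
            "phone": "+48 123 456 789"}          # constructed sample lead
    for ip in ("198.51.100.7", "203.0.113.9", "192.0.2.44"):
        print(ip, GEO_TABLE[ip], "->", gate.route(lead, ip))
```

The practical lesson for anyone investigating such a campaign is in the `route` method: a single request from a US or Canadian address, or a repeat submission with the same email, yields nothing but a legitimate site or a bland thank-you page. Reproducing the scam flow requires fresh identities and an exit point in a targeted country.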

Another essential part of the campaign's evasion toolkit is domain generation algorithms (DGAs). A DGA derives large numbers of seemingly random domain names from a procedure known only to the operator, who registers them in bulk; when one domain is reported and blocked, the next one is already waiting, and the names themselves give defenders little to recognise. Reckless Rabbit has been known to use DGAs since at least April 2024, targeting users in Russia, Romania, and Poland while excluding traffic from countries like Afghanistan, Somalia, Liberia, Madagascar, and more.
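The article does not describe the actors' algorithm, so the following is a generic illustration of how a seed-and-date driven DGA works and why recovering its logic matters to defenders: both the operator and an analyst holding the seed compute the identical list, which lets a defender pre-block tomorrow's domains before they are registered. This is an added example, not Reckless Rabbit's code; the seed, label length, alphabet and TLD list are assumptions.

```python
"""
Generic seed-and-date domain generation algorithm (DGA), added here to
illustrate the mechanism the article mentions.  Not the actors' algorithm:
the seed, alphabet, label length and TLD list are all assumptions.
"""
import hashlib
from datetime import date, timedelta

TLDS = ["com", "net", "info"]            # assumed; real operators rotate these
ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def dga_domains(seed: str, day_iso: str, count: int = 10, length: int = 12):
    """Derive `count` deterministic domains for one day (ISO date) from a seed.

    Anyone who knows the seed (the operator registering domains, or an
    analyst who recovered it) gets exactly the same list, in the same order.
    """
    day = date.fromisoformat(day_iso)
    domains = []
    for i in range(count):
        material = f"{seed}|{day.isoformat()}|{i}".encode()
        digest = hashlib.sha256(material).digest()
        # Map hash bytes onto letters; the name is meaningless by design.
        label = "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:length])
        tld = TLDS[digest[-1] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def blocklist_for_window(seed: str, start_iso: str, days: int):
    """Pre-compute every domain the DGA will emit from `start_iso` for `days` days.

    This is the defender's payoff: once the algorithm and seed are known,
    future infrastructure can be blocked or sinkholed before it is used.
    """
    start = date.fromisoformat(start_iso)
    out = set()
    for d in range(days):
        out.update(dga_domains(seed, (start + timedelta(days=d)).isoformat()))
    return out


def is_dga_domain(domain: str, seed: str, start_iso: str, days: int) -> bool:
    """Check whether an observed domain belongs to the pre-computed window."""
    return domain.lower() in blocklist_for_window(seed, start_iso, days)


if __name__ == "__main__":
    # Constructed seed and date for demonstration only.
    today = dga_domains("example-seed", "2024-04-01", count=5)
    print("\n".join(today))
    upcoming = blocklist_for_window("example-seed", "2024-04-01", 7)
    print(f"{len(upcoming)} domains to pre-block for the coming week")
```

The point is not the hashing detail but the asymmetry it creates: without the seed, each new domain looks like noise and must be blocked reactively; with it, the whole future list is a single loop away.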


Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.
