In Internet parlance, “old” has a much younger meaning — domains, virtual servers, image assets — everything is now or never. So much so that many security vendors rely heavily on what is called “domain reputation”, the history a particular domain name has acquired over time on the Internet: a domain that is only days old for a supposedly established online shop, for example, can raise concerns, while a 5-year-old digital presence passes as a trusted staple.
Despite having extensively talked about investment scams for quite some time, we’d like to bring attention to this actor we’ve been tracking for almost two years now whose tactics are particular in ways we’ve never seen before; CashRewindo, first seen in 2018, distributes attacks all around the globe, smuggling malicious code in common JavaScript libraries and aging domains like fine scotch.
.... Apart from A/B-testing campaigns, and in so doing abusing time-based creative verification systems, CashRewindo has yet another trick up its sleeve: domain aging.
Most of the IOCs we collected have domains that were registered two or three years ago, only to be activated, i.e. certificates updated and a virtual server assigned, just in time for the campaigns. We speculate that they either buy these from reputation-building markets or wait around for them to age, likely the former. Outsourced or not, this technique bypasses security systems that treat registration age alone as a sign of reputation.
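The defensive consequence of the paragraph above is that registration age and activation age should be scored separately. The following is an added example, not code from the original post or from Confiant: it compares the WHOIS creation date with the earliest evidence that a domain actually went live (first passive-DNS A record, earliest CT-logged certificate) and flags names that are old on paper but only recently switched on. All domain names, dates and thresholds are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class DomainObservation:
    name: str
    registered: date    # WHOIS/RDAP creation date (what naive reputation checks score)
    first_dns_a: date   # first date passive DNS saw an A record for the name (assumed feed)
    first_cert: date    # earliest certificate for the name in CT logs (assumed feed)
    observed: date      # date on which the check is run


def domain_age_days(obs: DomainObservation) -> int:
    """Age by registration date: the number a registration-age rule would trust."""
    return (obs.observed - obs.registered).days


def activation_age_days(obs: DomainObservation) -> int:
    """Age by the earliest evidence that the domain was actually brought online."""
    return (obs.observed - min(obs.first_dns_a, obs.first_cert)).days


def classify(obs: DomainObservation, min_registration_age: int = 365,
             max_activation_age: int = 30) -> str:
    activated = min(obs.first_dns_a, obs.first_cert)
    if activated < obs.registered:
        # Activity before the current registration: bad data or a re-registered
        # (dropped) name; either way the registration date is not trustworthy.
        return "inconsistent"
    if domain_age_days(obs) < min_registration_age:
        return "new"                  # caught by an ordinary domain-age rule
    if activation_age_days(obs) <= max_activation_age:
        return "aged-then-activated"  # old registration, fresh activation: the pattern above
    return "established"


# Constructed sample observations (placeholder names under the reserved .test TLD).
SAMPLES = [
    DomainObservation("aged-example.test", date(2019, 3, 1), date(2022, 10, 18), date(2022, 10, 20), date(2022, 11, 1)),
    DomainObservation("established-example.test", date(2017, 6, 15), date(2017, 6, 16), date(2017, 7, 1), date(2022, 11, 1)),
    DomainObservation("fresh-example.test", date(2022, 10, 25), date(2022, 10, 26), date(2022, 10, 26), date(2022, 11, 1)),
    DomainObservation("redrop-example.test", date(2021, 1, 1), date(2020, 12, 1), date(2021, 1, 5), date(2022, 11, 1)),
]


def flagged(observations) -> list:
    """Names whose registration age would pass a reputation check but whose activation is recent."""
    return [o.name for o in observations if classify(o) == "aged-then-activated"]


if __name__ == "__main__":
    for o in SAMPLES:
        print(f"{o.name:26} reg_age={domain_age_days(o):5d}d act_age={activation_age_days(o):5d}d -> {classify(o)}")
```

Only the first sample is flagged: by registration it is over three years old, but neither DNS nor CT saw it alive until two weeks before the check, which is exactly the discrepancy a registration-age rule misses.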