A sophisticated threat actor named 'CashRewindo' has been using 'aged' domains in global malvertising campaigns that lead to investment scam sites.
Malvertising involves the injection of malicious JavaScript code in digital ads promoted by legitimate advertising networks, taking website visitors to pages that host phishing forms, drop malware, or operate scams.
The CashRewindo malvertising campaigns are spread across Europe, North and South America, Asia, and Africa, using customized language and currency to appear legitimate to the local audience.
Analysts at
Confiant have been tracking 'CashRewindo' since 2018 and report the threat actor stands out for an unusually crafty approach in setting up malicious advertising operations with great attention to detail.
Domains get better with age
Domain aging is when threat actors register domains and wait years to use them, hoping to bypass security platforms.
This technique works as old domains that have not been involved in malicious activity for a long time earn trust on the Internet, making them unlikely to be flagged by security tools as suspicious.
Confiant says CashRewindo uses domains that have aged for at least two years before they are activated (have their certificates updated and a virtual server assigned).
The security firm was able to identify at least 487 domains used by the particular threat actor, some having been registered as far back as 2008 and used for the first time in 2022.
Victims end up on these landing sites by clicking on infected ads found on legitimate sites.
![[correlate]](/data/avatars/s/79/79653.jpg?1556985072){kind=avatar}