Inside Keitaro Abuse: A Persistent Stream of AI-Driven Investment Scams

Khushal

Apr 4, 2024
Cloaking—the act and art of hiding a website’s true nature—is a critical component of cybercriminal operations today. Threat actors use domain cloaking, implemented through traffic distribution systems (TDSs) and cloaking kits, to evade content restrictions in advertising, for precision targeting of victims for malware and scams, and to protect themselves from each other. Some actors develop their own TDS or purchase access to wholly criminal operations like BlackTDS, 404TDS, and ParrotTDS. But many avail themselves of commercially available software. After all, cybercrime is like any other economy: Why build when you can use highly sophisticated products developed by others?


Keitaro itself is not a “malware product,” but it is a traffic tracker/TDS platform that can be abused for malicious campaigns.

What the quote is saying

  • “Cloaking” means showing different content to different visitors.
  • In legitimate marketing, that can be used for traffic routing or campaign tracking.
  • In criminal use, it can hide scam or malware pages from ad networks, researchers, and automated scanners while showing the real payload only to selected victims.

Why Keitaro is being mentioned

From the article context, the point is not that Keitaro is inherently malicious. The point is that a commercially available TDS/tracker can be repurposed by threat actors because it already provides features such as:

  • Traffic filtering
  • Geo/device/browser targeting
  • Redirection logic
  • Campaign management
  • Conditional delivery of content

Those same features are useful in normal advertising, but they are also useful for scams, phishing, and malware distribution.

Security takeaway

Tools like this are best understood as “dual-use” software.

  • Legitimate users may use them for analytics and traffic management.
  • Malicious actors may use them for cloaking and victim targeting.
  • The abuse depends on how the tool is deployed, not just on the product name itself.

So if someone sees “Keitaro” in a report, that should be treated as a possible indicator of traffic redirection or cloaking activity, but not automatic proof that every Keitaro-hosted setup is malicious.

Practical conclusion

The Infoblox post is highlighting abuse of a legitimate or commercially available traffic-distribution platform in AI-themed investment scam campaigns. The important point is the abuse pattern: cloaking, selective targeting, and evasion.

Source
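The post describes cloaking as conditional delivery keyed on visitor attributes (user agent, geo, referrer, device) and says a TDS name in a report is a hint to look for redirection activity rather than proof. One defender-side check that follows from that is to fetch the same URL under several client profiles and compare where each one lands and what it receives; a cloaked landing page tends to hold scanner-like clients on a bland page while sending a browser-like visitor from the targeted country to a different host. The code below is an added example written for this thread; it is not from the Infoblox post, the poster, or Keitaro. All hostnames, profiles and responses are constructed, and `simulated_fetch` is an offline stand-in that models the behaviour described above so the check runs without network access; a real deployment would swap in an HTTP client that honours redirects and records the final URL.

```python
"""Cloaking divergence check: fetch one URL under several client profiles,
then flag cases where the final host or response body depends on the profile."""
import hashlib
from dataclasses import dataclass
from typing import Callable, Iterable
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Profile:
    """One client identity the URL is fetched under. kind is 'scanner' for
    automated-review-looking clients and 'browser' for visitor-looking ones."""
    name: str
    kind: str
    user_agent: str
    country: str      # country the request appears to originate from
    referrer: str


@dataclass(frozen=True)
class Observation:
    """What one profile got back: the URL it ended up on and the body it received."""
    profile: str
    final_url: str
    status: int
    body: bytes


CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/122.0 Safari/537.36")

# Constructed profiles (hypothetical values, not taken from any real campaign).
PROFILES = [
    Profile("scanner-crawler", "scanner", "Mozilla/5.0 (compatible; AdReviewBot/1.0)", "US", ""),
    Profile("scanner-script", "scanner", "python-requests/2.31", "US", ""),
    Profile("browser-target-geo", "browser", CHROME_UA, "DE", "https://ads.example.test/click"),
    Profile("browser-other-geo", "browser", CHROME_UA, "BR", "https://ads.example.test/click"),
]

FetchFn = Callable[[str, Profile], Observation]


def simulated_fetch(url: str, profile: Profile) -> Observation:
    """Constructed offline stand-in for a network fetch. It models the cloaking
    shape the post describes: bot-looking clients and visitors outside the
    campaign's target country get a bland page on the original host, while a
    browser from the target country arriving via the ad click is redirected to
    a second host carrying the real content. Hostnames are invented."""
    ua = profile.user_agent.lower()
    looks_like_bot = any(tag in ua for tag in ("bot", "python", "curl"))
    targeted = not looks_like_bot and profile.country == "DE" and bool(profile.referrer)
    if targeted:
        return Observation(profile.name, "https://invest-example.test/ai-signals", 200,
                           b"<html>AI trading platform - guaranteed returns</html>")
    return Observation(profile.name, url, 200, b"<html>Coming soon</html>")


def collect(url: str, profiles: Iterable[Profile], fetch: FetchFn) -> list[Observation]:
    """Fetch the same URL once per profile using the supplied fetch function."""
    return [fetch(url, p) for p in profiles]


def hostname(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def body_fingerprint(body: bytes) -> str:
    """Short stable fingerprint so bodies can be compared without storing them."""
    return hashlib.sha256(body).hexdigest()[:16]


def assess(observations: list[Observation], profiles: Iterable[Profile] = PROFILES) -> dict:
    """Compare observations across profiles and report divergence findings."""
    kinds = {p.name: p.kind for p in profiles}
    hosts = {o.profile: hostname(o.final_url) for o in observations}
    bodies = {o.profile: body_fingerprint(o.body) for o in observations}
    findings = []
    if len(set(hosts.values())) > 1:
        findings.append("final host differs by profile: "
                        + ", ".join(f"{p}->{h}" for p, h in sorted(hosts.items())))
    if len(set(bodies.values())) > 1:
        findings.append("response body differs by profile: "
                        + ", ".join(f"{p}->{b}" for p, b in sorted(bodies.items())))
    # The characteristic cloaking shape: every scanner-like profile is held on
    # one host while at least one browser-like profile is sent elsewhere.
    scanner_hosts = {h for p, h in hosts.items() if kinds.get(p) == "scanner"}
    browser_hosts = {h for p, h in hosts.items() if kinds.get(p) == "browser"}
    elsewhere = browser_hosts - scanner_hosts
    if len(scanner_hosts) == 1 and elsewhere:
        findings.append(f"scanner profiles held on {next(iter(scanner_hosts))} "
                        f"while browser profiles reached {sorted(elsewhere)}")
    return {"cloaking_suspected": bool(findings), "findings": findings,
            "hosts": hosts, "bodies": bodies}


if __name__ == "__main__":
    result = assess(collect("https://landing.example.test/offer", PROFILES, simulated_fetch))
    print("cloaking suspected:", result["cloaking_suspected"])
    for line in result["findings"]:
        print(" -", line)
```

Divergence alone is not proof: legitimate sites also localise content or serve lighter pages to crawlers, which is exactly the dual-use point the post makes. The value of the check is that a redirect to a different host that only browser-like profiles from one country receive is the shape worth escalating, whereas a uniform response across profiles lowers the priority of a "Keitaro seen" hit.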