"Crafty Threat Actor Uses 'Aged' Domains to Evade Security Platforms"

'CashRewindo,' a sophisticated threat actor, has been using 'aged' domains in global malvertising campaigns that lead to investment scam sites. Malvertising is the injection of malicious JavaScript code into the digital ads served by legitimate advertising networks, redirecting website visitors to pages that host phishing forms, drop malware, or run scams. CashRewindo malvertising campaigns have impacted people in Europe, North and South America, Asia, and Africa, with the language and currency customized to appear legitimate to the local audience.

Confiant analysts have been monitoring CashRewindo since 2018, and the threat actor stands out for an unusually crafty approach to setting up malicious advertising operations with great attention to detail. Domain aging occurs when threat actors register domains and then wait years before using them, to avoid detection by security platforms. This method works because old domains that have not been involved in malicious activity for a long time gain trust on the Internet, making them less likely to be flagged as suspicious by security tools that weigh domain age.

According to Confiant, CashRewindo uses domains that have been inactive for at least two years before their certificates are updated and a virtual server is assigned. The security firm identified at least 487 domains used by this threat actor, some of which were registered as early as 2008 and were used for the first time in 2022. Victims arrive at these landing pages after clicking on infected ads on legitimate websites. This article continues to discuss the use of aged domains in CashRewindo malvertising campaigns.
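Added example, not code from the article or from Confiant: a defender-side triage heuristic in Python that looks for the pattern described above, a domain registered years ago whose TLS certificate and hosting footprint only appear recently, so that "age" alone does not earn it trust. The record fields, the 90-day activation window, and the sample domains are constructed assumptions, not real indicators.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

MIN_DORMANT_YEARS = 2   # from the article: domains sat unused for at least two years
RECENT_DAYS = 90        # assumption: how recent an activation must be to count
TODAY = date(2022, 6, 1)  # constructed "now" for the sample data below

@dataclass
class DomainRecord:
    """Constructed record shape; fields mirror WHOIS, CT-log and passive-DNS data."""
    name: str
    registered: date                # WHOIS creation date
    cert_issued: Optional[date]     # newest TLS certificate seen in CT logs, if any
    first_dns_a: Optional[date]     # first A record seen in passive DNS, if any

def activation_date(rec: DomainRecord) -> Optional[date]:
    """Earliest sign of the domain actually being put into service."""
    seen = [d for d in (rec.cert_issued, rec.first_dns_a) if d is not None]
    return min(seen) if seen else None

def classify(rec: DomainRecord, today: date) -> str:
    """Label a domain; 'aged-reactivated' is the case an age-based allowlist misses."""
    activated = activation_date(rec)
    if activated is None:
        return "dormant"                       # registered but never put to use
    dormant_days = (activated - rec.registered).days
    recently = (today - activated).days <= RECENT_DAYS
    if dormant_days >= MIN_DORMANT_YEARS * 365 and recently:
        return "aged-reactivated"              # old name, brand-new infrastructure
    if (today - rec.registered).days < MIN_DORMANT_YEARS * 365:
        return "new"                           # young domain: normal new-domain scrutiny
    return "established"                       # old and in use for a long time

# Constructed sample data: names and dates are invented, not real indicators.
SAMPLE = [
    DomainRecord("example-aged.test", date(2008, 3, 14), date(2022, 5, 2), date(2022, 5, 6)),
    DomainRecord("example-fresh.test", date(2022, 4, 1), date(2022, 4, 3), date(2022, 4, 3)),
    DomainRecord("example-old.test", date(2010, 1, 9), date(2021, 1, 10), date(2010, 2, 1)),
    DomainRecord("example-parked.test", date(2009, 7, 7), None, None),
]

def triage(records, today: date) -> dict:
    """Map each domain name to its label so a reviewer can focus on flagged ones."""
    return {r.name: classify(r, today) for r in records}

if __name__ == "__main__":
    for name, label in triage(SAMPLE, TODAY).items():
        print(f"{label:17} {name}")
```

Only the 2008 registration with a 2022 certificate is flagged; the long-established domain with an old first A record passes even though its certificate was renewed recently.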

Bleeping Computer reports "Crafty Threat Actor Uses 'Aged' Domains to Evade Security Platforms"
