AI investment fraudsters spawn 15,500 scam sites abusing legitimate marketing tool

A massive investment scam campaign involves thousands of websites that share a common trait: fraudsters abuse a legitimate advertising performance tracking tool to profile victims and direct them to targeted scams, while showing benign content to security researchers and tools.
Infoblox Threat Intel researchers unveiled massive scam campaigns that abuse Keitaro, a legitimate ad tracking platform.
Fraudsters use this professional tool, which is also used by marketers, both to bypass security tools and as a gatekeeper that profiles every click and directs visitors to the appropriate scam, whether an AI-powered trading platform, a fake news story, a fraudulent update warning, a “lucky” casino spin, or something else.
In just four months, the researchers found approximately 15,500 domains used by cybercriminals to deliver scams and for other purposes, such as sending spam emails or embedding malicious code on compromised websites.
Investment scams are the dominant lure. Scammers will advertise “advanced AI” or “AI-driven algorithms” on social media or elsewhere to attract victims. AI mass-produces headlines, content, and visuals for scammers, and helps deploy pages and ad creatives en masse.
Keitaro acts as a funnel, profiling visitors and directing victims to the appropriate scams, while security bots and users who do not meet targeting parameters are redirected to benign sites.
“Cloaking – the act and art of hiding a website’s true nature – is a critical component of cybercriminal operations today,” Infoblox said in the report.
In milliseconds, the Keitaro platform analyses where the click is coming from, whether the user clicked the ad, which browser the visitor uses, and other fingerprints. Victims who pass the filter are redirected to a fraudulent website.
“The level and persistence of abuse is quite staggering,” the report reads.
The researchers tested how the company behind Keitaro responds to abuse and concluded that it promptly blocks the reported accounts. However, the sheer volume of scams and diversity of the threats generated with AI make the abuse a persistent and underreported issue, according to the report.
Keitaro tracker is a self-hosted tool, and multiple hosting platforms can spin up its instances in minutes. Cybercriminals are also using illicit copies of the software.
Researchers also noted that while thousands of malicious sites are localized for specific countries, the final lures are predominantly in English and Russian. Many threat actors specifically target the United States, but there are numerous global campaigns as well.
“You’re shown the real investment scam landing page only if you match the ‘ideal victim’ profile,” Malwarebytes said in their take on the report.
“Everyone else, like a security researcher, ad platform reviewer, or automated scanner, gets shown a benign page, like a generic blog or placeholder site.”
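The split described above can be checked from the defender's side by fetching the same entry URL under several client profiles and comparing where each one lands. The following is an added example, not code from the Infoblox report or from Cybernews; the profile names, hostnames and page titles are constructed sample data, and the verdict labels are this example's own.

```python
# Added example: differential check for cloaking. All probe data is constructed.
from urllib.parse import urlparse

# Constructed results for one entry URL fetched under different client profiles.
# Hostnames use the reserved .example TLD; profile names are hypothetical.
PROBES = [
    {"profile": "headless-scanner", "final_url": "https://blog.example/placeholder", "title": "Gardening tips"},
    {"profile": "datacenter-ip-no-referrer", "final_url": "https://blog.example/placeholder", "title": "Gardening tips"},
    {"profile": "residential-ip-ad-referrer", "final_url": "https://invest-lure.example/signup", "title": "AI trading platform"},
]
SCANNER_PROFILES = ("headless-scanner", "datacenter-ip-no-referrer")

def destination(probe):
    """Reduce a probe to what the visitor ended up seeing: host plus page title."""
    return (urlparse(probe["final_url"]).hostname, probe["title"].strip().lower())

def assess_cloaking(probes, scanner_profiles=SCANNER_PROFILES):
    """Group profiles by destination and flag the entry URL when scanner-like
    and user-like profiles never share a destination."""
    groups = {}
    for p in probes:
        groups.setdefault(destination(p), []).append(p["profile"])
    scanner_dests = {d for d, profs in groups.items()
                     if any(x in scanner_profiles for x in profs)}
    user_dests = {d for d, profs in groups.items()
                  if any(x not in scanner_profiles for x in profs)}
    if not scanner_dests or not user_dests:
        verdict = "inconclusive"        # need at least one probe of each kind
    elif scanner_dests.isdisjoint(user_dests):
        verdict = "cloaking-suspected"  # scanners and users never see the same page
    elif len(groups) > 1:
        verdict = "inconsistent"        # e.g. rotation or A/B testing; needs review
    else:
        verdict = "consistent"
    return {"verdict": verdict, "groups": groups}

if __name__ == "__main__":
    result = assess_cloaking(PROBES)
    print(result["verdict"])
    for dest, profiles in result["groups"].items():
        print(dest, "<-", ", ".join(profiles))
```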
Security researchers warn that effective social engineering is critical to the success of these scams because crooks rely on victims submitting their contact details and then following instructions over the phone.
While security tools, such as ad blockers, anti-malware solutions, and web protection tools, can help prevent many of these scams, it's paramount to ignore or at least verify any unsolicited offers, stick to trusted investment platforms, and avoid acting on impulse.