Fake Celebrity Endorsements Fuel Investment Scams Targeting Facebook Users
Cybersecurity experts have uncovered sophisticated investment scam operations that leverage fake celebrity endorsements on Facebook and intricate traffic distribution systems to carefully select and target potential victims. The scammers use techniques such as IP address checks and registered domain generation algorithms (RDGAs), which churn out large numbers of domain names, to hide their tracks and evade detection.

Cybersecurity researchers have uncovered two threat actors running investment scams that use fake celebrity endorsements. They're also using some clever tricks to hide what they're doing, including traffic distribution systems (TDSes).
These groups are being called Reckless Rabbit and Ruthless Rabbit by Infoblox, a DNS threat intelligence company.
Here's how it works: The attackers lure people in with fake platforms, often cryptocurrency exchanges, advertised on social media. A key part of the scam involves web forms that collect your personal data.
"Reckless Rabbit puts ads on Facebook that link to fake news articles. These articles claim a celebrity is endorsing the investment platform," said security researchers Darby Wise, Piotr Glaska, and Laura da Rocha in a report. "The article then links to the scam platform, which has a web form asking for your personal info to 'register' for the investment."
These forms ask for the usual details – name, phone number, email – and some even offer to auto-generate a password. The submitted data matters because it feeds the next stage: validation checks.
The scammers use legitimate IP validation tools (like ipinfo[.]io, ipgeolocation[.]io, or ipapi[.]co) to filter out traffic from countries they aren't interested in. They also check to make sure your phone number and email are real.
If you pass these checks, you're sent through a TDS. This either takes you straight to the scam platform, where they try to get you to invest with promises of huge returns, or to a page that tells you to wait for a call from a "representative."
"Some campaigns use call centers to tell victims how to set up an account and transfer money into the fake platform," the researchers explained. "If you don't pass the validation, you might just see a 'thank you' page."
Another important element is the use of a registered domain generation algorithm (RDGA). This is used to create domain names for the dodgy investment platforms. Other groups, like Prolific Puma, Revolver Rabbit, and VexTrio Viper, use this technique too.
Unlike conventional domain generation algorithms (DGAs), an RDGA is kept secret by the threat actor, who registers every domain name it produces. Reckless Rabbit has been creating domains since at least April 2024, targeting users in Russia, Romania, and Poland, while blocking traffic from countries like Afghanistan, Somalia, and Madagascar.
The Facebook ads that link to the fake news articles are mixed with ads for regular products sold on Amazon, to avoid being detected.
Plus, the ads use unrelated images and show a fake domain (like "amazon[.]pl") that's different from the real domain you're sent to when you click the link (like "tyxarai[.]org").
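Two of the traits described above (a displayed domain that differs from the real landing domain, and a landing page that calls out to the public IP validation services used for victim filtering) lend themselves to simple analyst triage. The script below is an added example, not Infoblox's tooling: the ad records are constructed (domains from the article, HTML invented), defanged "[.]" notation is accepted, and the registrable domain is approximated as the last two labels.

```python
import re
from urllib.parse import urlparse

# IP validation services the report says the scammers use for geo-filtering.
GEO_SERVICES = {"ipinfo.io", "ipgeolocation.io", "ipapi.co"}

def refang(value: str) -> str:
    """Turn analyst-style defanged text (amazon[.]pl) back into a plain hostname/URL."""
    return value.replace("[.]", ".").strip().lower()

def registrable_domain(host_or_url: str) -> str:
    """Approximate eTLD+1 as the last two labels; adequate for a triage heuristic."""
    text = refang(host_or_url)
    host = urlparse(text if "://" in text else "//" + text).hostname or text
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def geo_service_calls(page_html: str) -> set:
    """Return the known IP geolocation services referenced by a landing page."""
    urls = re.findall(r"https?://[^\s\"'<>]+", refang(page_html))
    return {registrable_domain(u) for u in urls} & GEO_SERVICES

def triage(ad: dict) -> dict:
    """Flag one ad record {'display', 'landing', 'html'} using the two traits above."""
    shown, actual = registrable_domain(ad["display"]), registrable_domain(ad["landing"])
    findings = []
    if shown != actual:
        findings.append(f"display domain {shown} differs from landing domain {actual}")
    calls = geo_service_calls(ad.get("html", ""))
    if calls:
        findings.append("landing page calls geolocation service(s): " + ", ".join(sorted(calls)))
    return {"suspicious": bool(findings), "findings": findings}

# Constructed sample records: domains from the article, HTML invented for illustration.
SAMPLE_ADS = [
    {"display": "amazon[.]pl", "landing": "https://tyxarai[.]org/news/celebrity",
     "html": '<script src="https://ipinfo[.]io/json?token=PLACEHOLDER"></script>'},
    {"display": "example-shop.com", "landing": "https://www.example-shop.com/sale",
     "html": "<html><body>Clearance sale</body></html>"},
]

if __name__ == "__main__":
    for ad in SAMPLE_ADS:
        print(ad["display"], "->", triage(ad))
```

A benign ad whose shown and landing domains match and whose page makes no geolocation calls produces no findings, so the heuristic is useful as a first-pass filter rather than a verdict.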
Ruthless Rabbit, on the other hand, has been running investment scams since at least November 2022, targeting Eastern European users. What makes them different is that they run their own cloaking service ("mcraftdb[.]tech") for validation checks.
If you pass the verification, you're taken to an investment platform where they ask for your financial information to finish registering.
"A TDS helps attackers make their infrastructure stronger and harder to detect by hiding malicious content from security researchers and bots," Infoblox explained.
This isn't the first time we've seen these kinds of investment scams. In December 2024, ESET reported on a similar scam called Nomani. It uses social media ads, company-branded posts, and AI-powered video testimonials featuring famous people.
Last month, Spanish authorities arrested six people for running a huge cryptocurrency investment scam that used AI to create deepfake ads with public figures to trick people.
Renee Burton, VP of threat intelligence at Infoblox, told The Hacker News that they "would have to take a closer look to see if there is any evidence" to confirm if these activities are connected to Reckless Rabbit and Ruthless Rabbit.
"Threat actors like Reckless and Ruthless Rabbits will keep trying to trick as many users as they can," the researchers said. "These scams are very profitable, so they'll keep growing in number and sophistication."
Mystery Box Scams Are Exploding on Facebook
Bitdefender is also warning about a surge in subscription scams. These scams use a network of over 200 fake websites to trick people into paying monthly subscriptions and giving up their credit card info.
"Criminals create Facebook pages and run ads to promote 'mystery box' scams," Bitdefender said. "The 'mystery box' scam now includes hidden recurring payments and links to various online shops. Facebook is the main platform for these new and improved scams."
The fake ads advertise clearance sales from brands like Zara or offer a chance to buy a "mystery box" with Apple products for a very low price, sometimes as little as $2.
The scammers use tricks to avoid being detected, such as creating multiple versions of the ad, where only one is malicious and the others show random product images.
These scams, like the ones from Reckless Rabbit and Ruthless Rabbit, include a survey to make sure the victims are real people and not bots.