IT Brief UK - Technology news for CIOs & IT decision-makers

Cybercriminal groups use RDGAs in scams, phishing


Cybersecurity company Infoblox has released new research highlighting two cybercriminal groups using registered domain generation algorithms (RDGAs) to carry out investment scams, phishing, and other malicious activities.

According to Infoblox, the two groups, identified as Reckless Rabbit and Ruthless Rabbit, employ RDGAs to create large volumes of malicious domains, allowing them to scale operations and deceive victims with campaigns that mimic trusted brands and personalities.

The newly published findings arrive amid growing concerns as consumers in the United States alone reported losses of USD $5.7 billion to investment scams in 2024.

"$5.7 billion—that is how much money U.S. consumers reported losing to investment scams in 2024. For context, that is enough to fund five Mars rover missions. The painful irony? These victims were not being reckless—they were trying to create financial security and build a failsafe for the future. Instead, they were manipulated, defrauded, and left more vulnerable than before," Infoblox notes.

Reckless Rabbit leverages Facebook advertising to attract potential victims to fraudulent investment platforms. According to the researchers, the group creates false perceptions of legitimacy by using fake celebrity endorsements in their ads.

"Reckless Rabbit is a threat actor that uses Facebook ads to promote fake investment platforms. They exploit fake celebrity endorsements and create thousands of domains to evade detection," Infoblox said.

One of Reckless Rabbit's tactics is configuring wildcard DNS responses, which causes queries for any subdomain to generate a response. This method creates substantial noise within the DNS ecosystem, complicating efforts to trace the specific subdomains being utilised in scams.

The group also targets victims globally. As Infoblox puts it, "Reckless Rabbit targets victims across multiple countries, using localized content to increase the believability of their scams."

Ruthless Rabbit, meanwhile, operates a cloaking service that conducts validation checks on users to filter out non-targeted traffic and avoid detection. The group often spoofs major brands or local news websites, particularly focusing on targets in Eastern Europe.

Infoblox details, "Ruthless Rabbit is a threat actor that operates its own cloaking service to perform validation checks on users. They primarily target victims in Eastern Europe, impersonating real local news websites or even big brands like WhatsApp or Meta."

Ruthless Rabbit's methods include regularly changing URL paths on scam landing pages, which further complicates detection and takedown. Infoblox explains, "They often spoof real news websites or big brands, such as Russian news sites or WhatsApp, to lure victims into their scams. Dynamic URL Paths: Ruthless Rabbit uses dynamic URL paths for their scam landing pages, constantly changing them in order to make tracing them harder."

Infoblox highlights that the effectiveness of such scams can be attributed to two main elements: chaos and trust. 

"The success of these investment scams hinges on two key elements: chaos and trust. In chaotic times, individuals are more likely to seek quick financial gains. Cybercriminals exploit this chaos by creating a sense of urgency and fear of missing out on a good and easy investment opportunity. At the same time, they leverage trust by using familiar and accepted sources, such as celebrity endorsements and well-known news sites, to make their scams appear legitimate," Infoblox states.

Infoblox researchers note that while RDGAs complicate detection efforts by traditional security systems, the reliance of criminals on DNS exploitation provides an opportunity for defenders.

"The fact that criminals rely on DNS exploitation for their large and sophisticated campaigns enables defenders to use DNS as an important pillar for security. Through the lens of DNS, Infoblox Threat Intel researchers are able to leverage automated detection and correlate these investment scam domains at scale," the Infoblox Threat Intel team observes.

Users are advised to be cautious when considering investments promoted through online campaigns. 

"Users should exercise extreme caution when asked to invest in any project or company. Double-check any domain with a major search engine to ensure it is not a spoofed or fake site. Any media claiming sponsorship of the platform by major sports figures or celebrities should be treated with caution and users should consider that those claims could have been produced using AI," the report said.

The company recommends that organisations employ Protective DNS services strengthened with robust threat intelligence to prevent access to scam-related domains.
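The wildcard-DNS noise described earlier and the Protective DNS recommendation above can be seen together in a small defender-side script. This is an added example and not code from the Infoblox report or this article: the resolver log format, the domain names, the IP addresses (taken from documentation ranges) and the tiny suffix set standing in for the Public Suffix List are all constructed for illustration. It collapses every queried hostname to its registered domain, flags domains where many distinct hostnames all resolve to one address (the pattern a wildcard record produces), and applies a block at the registered-domain level so that a freshly generated subdomain cannot slip past the block.

```python
"""Defender-side triage of wildcard-DNS noise in resolver logs.

Added example (not from the Infoblox report or this article). Every domain,
IP address and log line below is constructed for illustration: the IPs come
from documentation ranges and the .test/.example names resolve nowhere.
"""
from collections import defaultdict

# Constructed resolver log: "<queried name> <answer IP>", one query per line.
SAMPLE_LOG = """\
a9x3k.invest-example.test 203.0.113.10
q7m2p.invest-example.test 203.0.113.10
zz81r.invest-example.test 203.0.113.10
www.invest-example.test 203.0.113.10
login.invest-example.test 203.0.113.10
www.legit-example.test 198.51.100.5
mail.legit-example.test 198.51.100.7
news-mirror.example 192.0.2.20
"""

# Stand-in for the Public Suffix List; a real deployment would load the full list.
SUFFIXES = frozenset({"test", "example", "co.uk"})


def registrable_domain(fqdn, suffixes=SUFFIXES):
    """Collapse a hostname to its registered domain (eTLD+1).

    A wildcard zone answers for any subdomain, so correlation and blocking
    work at this level rather than on individual hostnames.
    """
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in suffixes:
            return ".".join(labels[max(i - 1, 0):])
    # Unknown suffix: fall back to the last two labels.
    return ".".join(labels[-2:])


def parse_log(text):
    """Parse the constructed log format into (fqdn, ip) pairs."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fqdn, ip = line.split()
        records.append((fqdn, ip))
    return records


def summarize_by_domain(records):
    """Group queried names by registered domain, tracking hosts and answer IPs."""
    summary = defaultdict(lambda: {"hosts": set(), "ips": set()})
    for fqdn, ip in records:
        entry = summary[registrable_domain(fqdn)]
        entry["hosts"].add(fqdn)
        entry["ips"].add(ip)
    return summary


def likely_wildcard(entry, min_hosts=4):
    """Heuristic: many distinct hostnames all answered with a single IP is
    consistent with a wildcard record. Treat it as a triage signal, not
    proof; CDN-fronted sites can look similar."""
    return len(entry["hosts"]) >= min_hosts and len(entry["ips"]) == 1


def triage(text, min_hosts=4):
    """Return {registered domain: wildcard-like flag} for a log."""
    return {dom: likely_wildcard(entry, min_hosts)
            for dom, entry in summarize_by_domain(parse_log(text)).items()}


def is_blocked(fqdn, blocklist):
    """Protective-DNS-style check at the registered-domain level, so a new
    random subdomain cannot slip past a block on its parent domain."""
    return registrable_domain(fqdn) in blocklist


if __name__ == "__main__":
    flags = triage(SAMPLE_LOG)
    for dom, wildcard in sorted(flags.items()):
        print(f"{dom:25s} wildcard-like={wildcard}")
    blocklist = {dom for dom, wildcard in flags.items() if wildcard}
    print("blocked:", is_blocked("k3l9.invest-example.test", blocklist))
```

The wildcard heuristic is deliberately a triage signal: legitimate hosting platforms also answer many hostnames from one address, so flagged domains belong in an analyst queue or a correlation step, not straight into a blocklist.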

The report explains that RDGAs are a progression from traditional domain generation algorithms, with the distinctive element that the domains generated are registered.

"RDGAs are a sophisticated evolution of traditional domain generation algorithms (DGAs) used by cybercriminals to generate large numbers of domain names for malicious activities," the report states.

"These algorithms are utilised in malware, phishing, spam, scams, gambling, traffic distribution systems (TDSs), VPNs, and advertising. They not only allow threat actors to create new domains continuously, but by being registered, they make it difficult for security systems to block them all and so it requires advanced detection methods to stay ahead of these evolving threats."

The Infoblox Threat Intel team designates groups like Reckless Rabbit and Ruthless Rabbit as "rabbits"—actors who algorithmically create and register domains. This approach sets them apart from traditional DGA practitioners, as all the generated domains are registered and serve purposes such as malware deployment, phishing, scams, and spam.
