{
	"id": "1865fe77-a6cf-4697-bd93-cb72534782bd",
	"created_at": "2026-04-17T02:19:55.593355Z",
	"updated_at": "2026-04-18T02:21:45.534625Z",
	"deleted_at": null,
	"sha1_hash": "7dc13ca89d115dd93d72932f600d10e8469247c6",
	"title": "CashRewindo Investment Scam, Ad Security Threat Unveiled",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 32710,
	"plain_text": "CashRewindo Investment Scam, Ad Security Threat Unveiled\r\nBy Jerome Dangu, CTO and Cofounder\r\nPublished: 2022-12-01 · Archived: 2026-04-17 02:04:36 UTC\r\nHidden Threat: Cloaked Investment Scammers Exposed\r\nCashRewindo (monikered by Confiant’s security team) uses the programmatic process to place their investment\r\nscam ads into digital advertising networks alongside legitimate advertisers. They manipulate domain trust to fool\r\nordinary protection solutions, allowing them to attack publishers’ audiences with scam ads. The group was recently unmasked in\r\nConfiant Security Engineer Daniel Fonseca Yarochewsky’s article, “CashRewindo: how to age domains for an\r\ninvestment scam like fine scotch,” which uncovers how this threat actor’s ad security attack tactics effectively\r\nlure victims into investment scams through digital ads worldwide. Cloaked investment scam ads like\r\nCashRewindo negatively affect your site's reputation and degrade trust with your users. \r\nIdentifying Malicious Ads: how to stop cloaked investment scammers on YOUR site\r\nThe technical article peels back the onion with detailed examples of how CashRewindo uses legitimate ads with\r\neffective creative content and graphics but then swaps out to bait ads that lead victims to their scams.\r\nYarochewsky exposes CashRewindo’s malicious ‘cloaked’ landing pages designed to hide their malevolent\r\ncontent and avoid detection from ordinary scanner solutions, most savvy users, and even many security experts.\r\nThe article offers a technical overview of how this threat actor uses ‘aged’ assets, like older domains, virtual\r\nservers, and image asset histories, to bypass reputation-based security controls.\r\nThe programmatic process feeds CashRewindo and other ad security threats to sites like yours daily. Unless you or\r\nyour ad tech staff do something about it, it’s only a matter of time before your users are served the CashRewindo\r\nads. 
\r\nThe full article is an eye-opener that’s worthy of your tech team’s attention. Read it here.\r\nSource: https://www.confiant.com/news/cashrewindo-investment-scam-unveiled",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.confiant.com/news/cashrewindo-investment-scam-unveiled"
	],
	"report_names": [
		"cashrewindo-investment-scam-unveiled"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-18T02:00:05.113415Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "be847ce9-0e83-4f84-bfe3-0bdeae523702",
			"created_at": "2026-04-17T02:00:03.80328Z",
			"updated_at": "2026-04-18T02:00:04.27129Z",
			"deleted_at": null,
			"main_name": "CashRewindo",
			"aliases": [],
			"source_name": "MISPGALAXY:CashRewindo",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1776392395,
	"ts_updated_at": 1776478905,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7dc13ca89d115dd93d72932f600d10e8469247c6.pdf",
		"text": "https://archive.orkl.eu/7dc13ca89d115dd93d72932f600d10e8469247c6.txt",
		"img": "https://archive.orkl.eu/7dc13ca89d115dd93d72932f600d10e8469247c6.jpg"
	}
}