From Ads to Account Drain: Inside the Investment Fraud Ecosystem of BaitTrap


Baiting News Sites (BNS) are fraudulent online platforms designed to imitate credible news outlets such as CNN, BBC, CNBC, News24, ABC News and regional media. Their core objective is to build trust with unsuspecting users and direct them toward investment fraud schemes, particularly in cryptocurrency. These sites promote fake endorsements from celebrities, banking officials, or government leaders to manipulate victims into believing in the legitimacy of the investment.

Severity Level: High

Threat Details

  • Campaign Scale: Over 17,000 Baiting News Sites identified across 50 countries, with attacks localized by language, cultural figures, and financial institutions to increase credibility.
  • Targeted Regions: Middle East, Asia Pacific, Oceania, Europe, The Americas, Africa.
  • Targeted Countries: the U.S., China, India, Japan, Germany, UK, France, Brazil, Canada, Russia, Italy, South Africa, Saudi Arabia, Australia, Indonesia, etc.

Attack Chain

1. Resource Development

  • Infrastructure: Attackers purchase or compromise domains (especially low-cost TLDs like .xyz, .click, .shop) or use shared hosting.
  • Spoof Sites: Fake investment platforms are set up to appear like legitimate trading services.
  • Content Creation: Fake news articles and video testimonials are fabricated.

2. Trigger and Distribution

  • Ad Campaigns: Scammers create social media ads using Meta Ads and Google Ads.
  • Headline Baiting: Clickbait titles like “Central Bank Chief Accidentally Reveals Crypto Wealth Secret” are used.
  • Visual Engineering: Ads include national symbols and photos of high-profile individuals to establish fake legitimacy.

3. Target Interaction

  • Redirection: Clicking on the ad redirects users to a BNS site.
  • Fake News Simulation: The BNS simulates reputable media sites (e.g., CNN or Bloomberg) and showcases fake stories with manipulated quotes from public figures.
  • Click-through Path: Victims are funneled to a fake platform (Trap10, Solara, Vynex).

4. User Registration and Data Collection

  • Registration Form: Victims are prompted to input personal details (name, phone, email).
  • Fake Expert Calls: Users are contacted by a so-called “financial advisor” to walk them through onboarding.
  • KYC Data Harvesting: They are then asked for sensitive documents such as a passport, national ID, proof of address, and bank details.

5. Monetization Phase

  • Initial Deposit: Users are required to “activate” their account with an initial investment (typically around $240).
  • Fake Profit Dashboard: Platforms simulate trading activity and show false gains to lure victims into depositing more.
  • Multiple Payment Methods: Deposits are accepted via crypto wallets, credit cards, Google gift cards, and direct bank transfers.

6. Withdrawal Trap & Scam Exposure

  • Withdrawal Issues: Victims who attempt to withdraw face “System errors”, “Account not verified”, “Unlock fees”, or “Minimum balance” requirements.
  • Continued Manipulation: The platform continues pushing users to deposit more while blocking any actual fund transfer.
  • Abuse of Harvested Data: Collected PII is sold or used for future fraud (phishing, identity theft, etc.).

MITRE ATT&CK

Tactic               | Technique                              | ID
---------------------+----------------------------------------+-----------
Reconnaissance       | Search Open Websites/Domains           | T1593.002
Reconnaissance       | Gather Victim Identity Information     | T1589
Resource Development | Acquire Infrastructure: Domains        | T1583.001
Resource Development | Web Services: Web Hosting              | T1583.006
Initial Access       | Phishing: Spearphishing via Services   | T1566.002
Execution            | User Execution: Malicious Link         | T1204.001
Persistence          | Valid Accounts                         | T1078
Collection           | Email Collection                       | T1114.002
Impact               | Financial Theft                        | T1657

Recommendations

  1. Conduct periodic training to help users identify fake investment offers, impersonated public figures, and manipulated news stories.
  2. Warn users about sponsored content on Meta, YouTube, and Google that claims celebrity investment tips.
  3. Include fake investment and fake news scenarios in phishing simulations.
  4. Brand Monitoring: Continuously monitor for misuse of your institution’s name or executives in BNS and ad campaigns.
  5. Monitor Google Reverse Image Search and Meta Ads Library for fraudulent use of company or public figure images.
  6. Enforce MFA for users and staff to prevent unauthorized access using harvested credentials.
  7. Block access to known malicious TLDs (e.g., .xyz, .click, .shop) and suspicious domains flagged in threat intel feeds.
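The following script is an added example (not code from the advisory, CTM360, or Malwarebytes) showing how recommendations 4 and 7 can be turned into a first-pass triage of web-proxy logs: it flags hosts on the low-cost TLDs the advisory names (.xyz, .click, .shop), hostnames that embed an impersonated news brand but do not resolve to that brand's legitimate registered domain, and hostnames carrying one of the fake platform names cited above (Trap10, Solara, Vynex). The proxy log format, the list of legitimate brand domains, and the sample log lines are all constructed assumptions; the registrable-domain logic is a deliberate simplification that does not consult the public suffix list.

```python
"""Triage proxy log lines for Baiting News Site (BNS) indicators.

Added example, not part of the original advisory. Log format, legitimate
domain list and sample lines below are constructed assumptions.
"""
import re
from typing import Dict, List, Set

from urllib.parse import urlsplit

# TLDs the advisory names as favoured for BNS infrastructure.
RISKY_TLDS = {"xyz", "click", "shop"}

# Impersonated news brands mapped to the registered domains they
# legitimately use (assumed list; extend for your environment).
NEWS_BRANDS: Dict[str, Set[str]] = {
    "cnn": {"cnn.com"},
    "bbc": {"bbc.com", "bbc.co.uk"},
    "cnbc": {"cnbc.com"},
    "news24": {"news24.com"},
    "bloomberg": {"bloomberg.com"},
}

# Fake trading platform names cited in the advisory.
FAKE_PLATFORMS = {"trap10", "solara", "vynex"}

# Second-level labels under which the third label is the registrable name
# (simplified stand-in for a public-suffix-list lookup).
MULTI_PART_SUFFIXES = {"co", "com", "net", "org", "gov", "ac"}


def registered_domain(host: str) -> str:
    """Best-effort registrable domain, e.g. www.cnn.com -> cnn.com, bbc.co.uk -> bbc.co.uk."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in MULTI_PART_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def assess_url(url: str) -> dict:
    """Score one URL; two or more independent indicators are rated 'high'."""
    host = (urlsplit(url).hostname or "").lower()
    reg = registered_domain(host)
    tld = host.rsplit(".", 1)[-1]
    flat = re.sub(r"[.-]", "", host)  # "cnn-news.xyz" -> "cnnnewsxyz" for substring checks
    reasons: List[str] = []
    if tld in RISKY_TLDS:
        reasons.append("risky_tld:" + tld)
    for brand, legit_domains in NEWS_BRANDS.items():
        # Brand string present in the host, but the registrable domain is not one the brand owns.
        if brand in flat and reg not in legit_domains:
            reasons.append("brand_lookalike:" + brand)
    for name in FAKE_PLATFORMS:
        if name in flat:
            reasons.append("fake_platform:" + name)
    severity = "none" if not reasons else ("high" if len(reasons) >= 2 else "low")
    return {"host": host, "registered_domain": reg, "reasons": reasons, "severity": severity}


# Constructed log format: "<timestamp> <user> <url> <http-status>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$")


def triage_log(lines) -> List[dict]:
    """Return only the log entries that carry at least one BNS indicator."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line; skip rather than fail the whole run
        result = assess_url(m["url"])
        if result["reasons"]:
            result.update(ts=m["ts"], user=m["user"], url=m["url"])
            findings.append(result)
    return findings


# Constructed sample proxy log: one legitimate CNN visit, one BBC visit, a CNN lookalike
# on .xyz, a fake-platform registration page on .click, and a plain .shop storefront.
SAMPLE_LOG = [
    "2025-07-10T09:14:02Z alice https://www.cnn.com/2025/07/10/business/markets/index.html 200",
    "2025-07-10T09:15:11Z bob   https://cnn-news-breaking.xyz/article/bank-chief-crypto 200",
    "2025-07-10T09:16:45Z carol https://bbc.co.uk/news/technology 200",
    "2025-07-10T09:17:30Z dave  https://trade.solara-invest.click/register 200",
    "2025-07-10T09:18:05Z erin  https://example.shop/products 200",
]

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f['severity']:<4} {f['user']:<6} {f['host']:<28} {', '.join(f['reasons'])}")
```

Run against the constructed sample, the legitimate CNN and BBC visits produce no finding, the CNN lookalike and the Solara registration page are rated high (two indicators each), and the plain .shop storefront is rated low because a risky TLD on its own is a weak signal; that low tier is worth reviewing before feeding anything into an automatic block list, since a blanket TLD block (recommendation 7) will also catch legitimate sites.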

Source:

  • https://www.ctm360.com/reports/baittrap-rise-of-baiting-news-sites
  • https://www.malwarebytes.com/blog/news/2025/07/cnn-bbc-and-cnbc-websites-impersonated-to-scam-people


Ampcus Cyber