17,000+ Fake News Websites Caught Promoting Investment Frauds

A massive network of fraudulent news websites has been uncovered, with cybersecurity researchers identifying over 17,000 Baiting News Sites (BNS) across 50 countries orchestrating sophisticated investment fraud schemes.

These malicious platforms masquerade as legitimate news outlets, publishing fabricated stories featuring well-known public figures and respected financial institutions to build trust and lure unsuspecting victims into high-risk financial scams including Trap10, cryptocurrency trading fraud, and other deceptive investment schemes.

The BaitTrap campaign employs a multi-stage attack methodology, utilizing Google Ads and Meta advertising platforms as primary distribution vectors.

Scammers create sponsored content with compelling headlines such as “Central Bank Governor Accidentally Reveals Secret Wealth Strategy” paired with official photographs and national symbols to enhance credibility.

Baiting news sites (Source – CTM360)

These advertisements redirect users to professionally crafted fake news articles that impersonate trusted media outlets like CNN, BBC, and CNBC, featuring fabricated quotes from celebrities and financial authorities endorsing fraudulent trading platforms.

CTM360 researchers noted that the campaign’s sophistication extends beyond simple phishing tactics, incorporating a comprehensive framework they’ve termed the “Scam Navigator” – a six-stage analysis model inspired by the MITRE framework.

This systematic approach encompasses resource development, trigger mechanisms, distribution channels, target interaction protocols, motive identification, and monetization strategies, providing cybersecurity professionals with a structured methodology for understanding and combating these threats.

The global reach of BaitTrap demonstrates its unprecedented scale, with the highest concentration of malicious sites targeting the Middle East (10,529 sites), Asia Pacific (3,399 sites), and Europe (1,843 sites).

The campaign exhibits remarkable regional customization, utilizing local languages, familiar media brands, and regional public figures to increase authenticity and maximize victim engagement across diverse geographical markets.

Technical Infrastructure and Domain Analysis

The technical infrastructure underlying BaitTrap reveals sophisticated evasion techniques designed to circumvent traditional security measures.

The majority of identified Baiting News Sites utilize free or low-cost top-level domains including .xyz, .shop, and .click extensions, which provide scammers with cost-effective registration options while complicating detection efforts.

News sites (Source – CTM360)

More concerning is the practice of compromising legitimate domains to host fake news pages, creating a hybrid infrastructure that blends malicious content with trusted domain reputations.

The hosting architecture predominantly relies on shared hosting platforms, allowing threat actors to rapidly deploy and scale their operations while maintaining anonymity through distributed infrastructure.

When users interact with these sites, they encounter a carefully orchestrated redirection mechanism that seamlessly transitions victims from fake news articles to fraudulent trading platforms branded as “Eclipse Earn,” “Solara Vynex,” or “Azorilix.”

These platforms employ sophisticated user interface designs that mimic legitimate financial services, complete with fake profit dashboards displaying fabricated returns to convince users to make initial deposits averaging $240. No actual trading occurs, and funds are transferred directly to scammer-controlled accounts.
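The indicators described in this section can be combined into a simple triage score for landing pages seen in proxy or ad-click logs. The following is an added example, not code from CTM360 or the original article; the function names, the outlets' official domains, and the sample URLs are assumptions or constructed values. Because compromised legitimate domains also host these pages, it does not rely on the TLD alone.

```python
import re
from urllib.parse import urlsplit

# Indicators named in the article
LOW_COST_TLDS = {"xyz", "shop", "click"}
SCAM_PLATFORMS = ("eclipse earn", "solara vynex", "azorilix")
# Assumption: official domains of the outlets the article says are impersonated
OUTLET_DOMAINS = {
    "cnn": {"cnn.com"},
    "bbc": {"bbc.com", "bbc.co.uk"},
    "cnbc": {"cnbc.com"},
}

def _is_official(host, brand):
    """True if host is an official domain of the outlet or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in OUTLET_DOMAINS[brand])

def triage(url, page_text=""):
    """Return (score, reasons) for one landing page; higher is more suspicious."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    # Whole-token match so "cnbc" is never mistaken for "cnn"
    tokens = set(re.split(r"[^a-z0-9]+", (host + " " + parts.path).lower()))
    text = " ".join(page_text.lower().split())  # collapse whitespace
    reasons = []
    if host.rsplit(".", 1)[-1] in LOW_COST_TLDS:
        reasons.append("low-cost TLD")
    for brand in OUTLET_DOMAINS:
        if brand in tokens and not _is_official(host, brand):
            reasons.append(f"{brand} branding off official domain")
    for name in SCAM_PLATFORMS:
        if name in text:
            reasons.append(f"mentions platform '{name}'")
    return len(reasons), reasons

# Constructed sample input (not real indicators from the report)
SAMPLES = [
    ("https://edition.cnn.com/business", "Markets wrap"),
    ("https://cnn-daily-report.xyz/a/1", "Governor reveals Eclipse Earn"),
    # Compromised-domain case: ordinary TLD, fake article under a path
    ("https://bakery.example.com/news/bbc-exclusive", "Sign up to Azorilix"),
]

if __name__ == "__main__":
    for url, text in SAMPLES:
        print(triage(url, text), url)
```

A score of zero is not a clean verdict; the output is meant to rank pages for analyst review.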
