In a recent cybercrime development, a new DNS threat actor known as Savvy Seahorse has emerged, employing sophisticated techniques to lure unsuspecting targets into fake investment platforms and steal their funds. This novel tactic compromises legitimate websites or online resources, redirecting user traffic toward malicious investment schemes.
The Sophisticated Approach
- Savvy Seahorse: This DNS threat actor convinces victims to create accounts on fraudulent investment platforms and prompts them to deposit funds into their accounts there. The stolen funds are subsequently transferred to a bank in Russia.
- Wide Net of Targets: The campaigns target users across various languages, including Russian, Polish, Italian, German, Czech, Turkish, French, Spanish, and English. Social media platforms like Facebook serve as the initial lure, enticing victims with high-return investment opportunities through fake ChatGPT and WhatsApp bots.
- DNS Canonical Name (CNAME) Records: The financial scam campaigns use CNAME records to build a traffic distribution system (TDS), a technique that has allowed the threat actor to evade detection since at least August 2021. Unlike traditional DNS A records, which point to IP addresses, CNAME records map a domain or subdomain to another domain (an alias). By registering short-lived subdomains that all share a single CNAME record and IP address, Savvy Seahorse maintains an ever-changing infrastructure, making takedown efforts challenging.
- Domain Generation Algorithm (DGA): The threat actor generates specific subdomains using a DGA, associating them with the primary campaign domain. This dynamic approach ensures resilience against disruptions.
- User Validation: Savvy Seahorse validates user information, excluding traffic from predefined countries such as Ukraine, India, Fiji, Tonga, Zambia, Afghanistan, and Moldova. The reasoning behind these exclusions remains unclear.
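The CNAME-based TDS and DGA subdomains described above leave a recognisable shape in passive DNS data: many short-lived, random-looking subdomains that all alias to the same CNAME target. The following script is an added detection example, not code from the original article or from any of the researchers it cites; it runs a simple clustering heuristic over a handful of constructed passive-DNS records (all domain names, dates and the 203.0.113.10 address are placeholders, and the thresholds are illustrative assumptions).

```python
"""Flag CNAME targets that look like a traffic distribution system (TDS).

Heuristic (an assumption for this example, not a published rule):
a CNAME target is suspicious when at least `min_members` subdomains point
to it, most of them lived only a few days, and most of their leftmost
labels look algorithmically generated (high character entropy).
"""
import math
from collections import Counter, defaultdict
from datetime import date

# Constructed passive-DNS records: (name, rtype, rdata, first_seen, last_seen).
# Every name, target and address below is a placeholder, not a real indicator.
PDNS_RECORDS = [
    # Four throwaway subdomains, all aliased to one target, each alive a few days.
    ("qz7kx2mwvn.promo-campaign.test", "CNAME", "tds-alias.example-campaign.test", "2024-01-03", "2024-01-05"),
    ("h4tp9sbyrc.promo-campaign.test", "CNAME", "tds-alias.example-campaign.test", "2024-01-06", "2024-01-09"),
    ("e8lgu3dfoa.promo-campaign.test", "CNAME", "tds-alias.example-campaign.test", "2024-01-10", "2024-01-12"),
    ("v5njkw1cqm.promo-campaign.test", "CNAME", "tds-alias.example-campaign.test", "2024-01-13", "2024-01-18"),
    # An A record: ignored, since the heuristic only clusters CNAME aliases.
    ("promo-campaign.test", "A", "203.0.113.10", "2024-01-01", "2024-01-18"),
    # A benign shop fronted by a CDN: long-lived, human-readable labels.
    ("www.legit-shop.test", "CNAME", "cdn.provider-example.test", "2023-01-01", "2024-02-01"),
    ("static.legit-shop.test", "CNAME", "cdn.provider-example.test", "2023-03-01", "2024-02-01"),
    # A lone short-lived test host: too few members to count as a TDS.
    ("test.dev-sandbox.test", "CNAME", "app.host-example.test", "2024-02-01", "2024-02-02"),
]


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character of a DNS label (0 for 'www', ~3.3 for ten distinct chars)."""
    counts = Counter(label)
    total = len(label)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def lifetime_days(first_seen: str, last_seen: str) -> int:
    """Days between first and last observation of a record (ISO dates)."""
    return (date.fromisoformat(last_seen) - date.fromisoformat(first_seen)).days


def cluster_by_cname(records):
    """Group (name, first_seen, last_seen) tuples by the CNAME target they alias to."""
    clusters = defaultdict(list)
    for name, rtype, rdata, first_seen, last_seen in records:
        if rtype == "CNAME":
            clusters[rdata].append((name, first_seen, last_seen))
    return clusters


def assess_cluster(members, max_lifetime_days=14, min_members=3, min_entropy=3.0, ratio=0.75):
    """Score one CNAME target's members; thresholds are illustrative assumptions."""
    n = len(members)
    short_lived = sum(1 for _, f, l in members if lifetime_days(f, l) <= max_lifetime_days)
    dga_like = sum(1 for name, _, _ in members if shannon_entropy(name.split(".")[0]) >= min_entropy)
    short_ratio, dga_ratio = short_lived / n, dga_like / n
    return {
        "members": n,
        "short_lived_ratio": short_ratio,
        "dga_like_ratio": dga_ratio,
        "suspicious": n >= min_members and short_ratio >= ratio and dga_ratio >= ratio,
    }


def find_suspicious_tds(records, **thresholds):
    """Return {cname_target: assessment} for every target that trips the heuristic."""
    hits = {}
    for target, members in cluster_by_cname(records).items():
        verdict = assess_cluster(members, **thresholds)
        if verdict["suspicious"]:
            hits[target] = verdict
    return hits


if __name__ == "__main__":
    for target, verdict in find_suspicious_tds(PDNS_RECORDS).items():
        print(f"possible CNAME TDS -> {target}: {verdict}")
```

In practice the records would come from a passive-DNS feed rather than an inline list, and the entropy test would be complemented by a per-apex count of subdomains that first appeared in the last few days, since a DGA that produces pronounceable labels can slip under a pure entropy threshold. The point of clustering on the CNAME target rather than on the apex domain is that it survives the actor rotating apex domains while keeping the alias target.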
Implications and Countermeasures
- First Use of CNAME Records: While DNS has been used as a TDS by other threat actors, this discovery marks the first time CNAME records have been leveraged for such purposes.
- Continuous Adaptation: The ever-changing nature of domains and IP addresses allows Savvy Seahorse to create new domains or alter CNAME records, evading detection.
- Guardio Labs’ Findings: Thousands of legitimate brand and institution domains have been hijacked using a technique called CNAME takeover to propagate spam campaigns.
Stay vigilant and exercise caution when encountering investment opportunities online. Cybercriminals continue to innovate, and their tactics evolve rapidly. Protect your personal information and verify the legitimacy of any investment platform before making financial transactions.