DNS Scams Target Investment Platforms by Savvy Seahorse

Savvy Seahorse, a DNS threat actor, has been using elaborate techniques to lure people onto fake investment platforms and funnel their deposits to Russian bank accounts. Through Facebook ads, Savvy Seahorse draws users to deceptive websites posing as legitimate investment platforms, often impersonating well-known companies such as Tesla and Facebook/Meta.

Infoblox's research reveals that Savvy Seahorse stands out due to its sophisticated techniques, including the use of counterfeit ChatGPT and WhatsApp bots. These bots automate responses to users, persuading them to share personal information in return for promised high investment returns.

The campaigns orchestrated by Savvy Seahorse target speakers of Russian, Polish, Italian, German, Czech, Turkish, French, Spanish, and English, while sparing potential victims in Ukraine and select other countries, as explained by Infoblox researchers Stelios Chatzistogias, Laura da Rocha, and Darby Wise.

One distinctive tactic used by Savvy Seahorse is building a traffic distribution system (TDS) for its financial scams out of DNS canonical name (CNAME) records. Because each campaign domain is a CNAME pointing at infrastructure the actor controls, Savvy Seahorse can gate who reaches the content and change the IP addresses behind its campaigns from a single place. Using CNAMEs in this way has helped the threat actor evade the security industry, and Infoblox's report is the first to describe the technique as a TDS engineered for malicious purposes.

Operating since August 2021, Savvy Seahorse has largely avoided detection even though security tools occasionally flag individual participating domains. The threat actor further complicates passive DNS analysis by using wildcard DNS entries, which let it spin up independent campaigns quickly.
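The two DNS tricks described above, a shared CNAME hub acting as a TDS and wildcard entries that flood passive DNS with throwaway subdomains, both leave a footprint a defender can hunt for in passive DNS data. The script below is an added example written for this summary; it is not code from Infoblox or from the linked article, and every domain, hostname and IP in it is a constructed placeholder (documentation ranges), not an indicator from the Savvy Seahorse report. It groups CNAME records by target to surface hubs that many unrelated campaign domains point at, follows a CNAME chain to show how the hub alone determines the campaign's IPs, and flags parent domains whose many distinct child labels all resolve identically, which is how a wildcard record looks from the outside.

```python
from collections import defaultdict

# Constructed passive-DNS records as (rrname, rrtype, rdata).
# All names and addresses are placeholders, not real indicators.
SAMPLE_PDNS = [
    ("invest-offer.example", "CNAME", "tds-hub.example-infra.net"),
    ("profit-now.example", "CNAME", "tds-hub.example-infra.net"),
    ("bigreturns.example", "CNAME", "tds-hub.example-infra.net"),
    ("tds-hub.example-infra.net", "A", "203.0.113.10"),
    ("tds-hub.example-infra.net", "A", "203.0.113.11"),  # hub re-pointed to a new IP
    ("www.example-shop.example", "CNAME", "example-shop.example"),  # benign CNAME
    ("example-shop.example", "A", "198.51.100.5"),
    ("a1b2.invest-offer.example", "A", "203.0.113.12"),  # wildcard-style children
    ("zz9.invest-offer.example", "A", "203.0.113.12"),
    ("qq.invest-offer.example", "A", "203.0.113.12"),
    ("k7.invest-offer.example", "A", "203.0.113.12"),
]


def cname_hubs(records, min_fanin=3):
    """Group CNAME sources by target and return targets that at least
    min_fanin distinct source names point at (a TDS-style hub)."""
    by_target = defaultdict(set)
    for name, rtype, rdata in records:
        if rtype == "CNAME":
            by_target[rdata.lower()].add(name.lower())
    return {t: sorted(s) for t, s in by_target.items() if len(s) >= min_fanin}


def resolve_chain(records, name, max_depth=8):
    """Follow CNAMEs from name until A records are found and return their IPs.
    max_depth bounds the walk so a CNAME loop cannot hang the analysis."""
    ips = set()
    current = name.lower()
    for _ in range(max_depth):
        a_records = {r for n, t, r in records if n.lower() == current and t == "A"}
        if a_records:
            ips |= a_records
            break
        cnames = [r for n, t, r in records if n.lower() == current and t == "CNAME"]
        if not cnames:
            break
        current = cnames[0].lower()
    return ips


def wildcard_candidates(records, min_children=3):
    """Return parent names (with the number of distinct child labels) whose
    children all resolve to the same A rdata: the passive-DNS footprint of a
    wildcard entry. Only the leftmost label is stripped, an assumption that is
    fine for this sample but crude for deep hostnames."""
    children = defaultdict(lambda: defaultdict(set))  # parent -> rdata -> labels
    for name, rtype, rdata in records:
        if rtype != "A":
            continue
        label, _, parent = name.lower().partition(".")
        if parent:
            children[parent][rdata].add(label)
    flagged = {}
    for parent, by_rdata in children.items():
        for labels in by_rdata.values():
            if len(labels) >= min_children:
                flagged[parent] = max(flagged.get(parent, 0), len(labels))
    return flagged


if __name__ == "__main__":
    for hub, sources in cname_hubs(SAMPLE_PDNS).items():
        print(f"CNAME hub {hub} fronts {len(sources)} domains: {sources}")
        print(f"  current IPs via hub: {sorted(resolve_chain(SAMPLE_PDNS, sources[0]))}")
    for parent, n in wildcard_candidates(SAMPLE_PDNS).items():
        print(f"wildcard-like parent {parent}: {n} children share one rdata")
```

On real passive DNS the fan-in threshold needs tuning, since CDNs and hosting providers are legitimately shared CNAME targets; the useful signal is a hub whose sources are freshly registered, lookalike domains, which is the kind of pivot the shared target makes possible once one campaign domain has been flagged.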

For Further Reference

https://www.infosecurity-magazine.com/news/savvy-seahorse-investment-dns-scam/