
Savvy Seahorse DNS Threat Actor Lures Victims into Fake Investment Platforms

Infoblox has identified a new DNS threat actor, tracked under the moniker Savvy Seahorse, that uses advanced techniques to lure victims onto fraudulent investment platforms and steal their money. The group is known for convincing users to create accounts on fake investment platforms and then transferring their deposits to a bank account. The widespread campaigns target victims who speak , Polish, Italian, German, Czech, Turkish, French, Spanish, and English. The group advertises its fraudulent schemes on social media platforms such as Facebook, and it also uses fake and WhatsApp bots to trick users into handing over personal information in exchange for supposedly high-return investment opportunities.

These campaigns are notable for using DNS canonical name (CNAME) records to build a traffic distribution system (TDS), a technique that has helped the actor evade detection since August 2021. A CNAME record maps a domain or subdomain to another domain name rather than to an IP address, so when the host's IP address changes, only the DNS A record of the root domain needs to be updated. Savvy Seahorse exploits this by registering many short-lived subdomains that share a single CNAME record and therefore a single IP address. These subdomains are generated with a domain generation algorithm (DGA) and are tied to the primary campaign domain.

Because the group's domains and IP addresses change constantly, its infrastructure is hard to take down: as sites are disrupted, it can keep registering new domains or modify its CNAME records so that they resolve to a different IP address. The group also validates visitor information to exclude traffic from countries such as Ukraine, India, Fiji, Tonga, Zambia, Afghanistan, and Moldova, although why it chose these countries remains unclear. Separately, Guardio Labs has reported that thousands of domains belonging to legitimate brands and institutions have been hijacked with a CNAME takeover technique to distribute spam campaigns.
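To show how a defender might surface the pattern described above (many short-lived, DGA-looking subdomains aliased to one CNAME target whose A record changes underneath them), here is an added Python example; it is not part of the Infoblox report or this post, and the records, domain names and IP addresses are constructed placeholders, not real indicators.

```python
"""Cluster passive-DNS style records by CNAME target to surface a CNAME-based TDS."""
import math
from collections import defaultdict

# Constructed sample records (placeholders, not real indicators):
# (query name, record type, answer, day first seen)
SAMPLE_RECORDS = [
    ("x7k2q9.campaign-example.test", "CNAME", "tds.example-tds.test", 1),
    ("m4p8zz.campaign-example.test", "CNAME", "tds.example-tds.test", 2),
    ("q0v3r1.campaign-example.test", "CNAME", "tds.example-tds.test", 2),
    ("b9t6hh.campaign-example.test", "CNAME", "tds.example-tds.test", 3),
    ("tds.example-tds.test", "A", "192.0.2.10", 1),
    ("tds.example-tds.test", "A", "192.0.2.20", 3),  # host moved; aliases untouched
    ("www.legit-shop.test", "CNAME", "cdn.legit-cdn.test", 1),
    ("cdn.legit-cdn.test", "A", "198.51.100.5", 1),
]


def label_entropy(label):
    """Shannon entropy (bits) of a DNS label; DGA-style labels tend to score high."""
    counts = {}
    for ch in label:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def cluster_by_cname(records):
    """Map each CNAME target to the names aliased to it and to its own A-record history."""
    aliases = defaultdict(set)
    a_history = defaultdict(list)
    for name, rtype, answer, day in records:
        if rtype == "CNAME":
            aliases[answer].add(name)
        elif rtype == "A":
            a_history[name].append((day, answer))
    return aliases, a_history


def suspicious_targets(records, min_aliases=3, min_entropy=2.0):
    """Return CNAME targets fronting several random-looking aliases (candidate TDS hubs)."""
    aliases, a_history = cluster_by_cname(records)
    hits = {}
    for target, names in aliases.items():
        randomish = [n for n in names if label_entropy(n.split(".")[0]) >= min_entropy]
        if len(randomish) >= min_aliases:
            hits[target] = {
                "alias_count": len(names),
                # Only the target's A record changed; the aliases never needed touching.
                "ips_seen": sorted({ip for _, ip in a_history.get(target, [])}),
            }
    return hits
```

Run against real passive-DNS exports, the same grouping highlights a single hub name fronting a churn of throwaway subdomains, which is a better blocking and takedown pivot than any one subdomain.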

To avoid falling victim to these campaigns, be careful when clicking links embedded in social media ads and be wary of investment opportunities that promise high returns. It is also essential to verify the legitimacy of an investment platform before depositing any funds.

Deitasoft © 2024. All Rights Reserved.