DNS threat actors operating under the moniker Savvy Seahorse have been observed employing sophisticated tactics to lure victims into fake investment platforms and siphon funds into Russian bank accounts.
Utilizing Facebook ads, Savvy Seahorse entices users to fraudulent websites masquerading as legitimate investment platforms, often impersonating renowned companies like Tesla and Facebook/Meta.
According to findings by Infoblox, what sets Savvy Seahorse apart is its advanced methods, including the use of fake ChatGPT and WhatsApp bots. These automate responses to users, coaxing them to divulge personal information in exchange for promised high returns on investments.
“These campaigns are known to target Russian, Polish, Italian, German, Czech, Turkish, French, Spanish and English speakers, while specifically protecting potential victims in Ukraine and a handful of other countries,” Infoblox researchers Stelios Chatzistogias, Laura da Rocha and Darby Wise explained.
One particularly obscure technique employed by Savvy Seahorse involves leveraging DNS canonical name (CNAME) records to establish a traffic distribution system (TDS) for their financial scam campaigns.
“As a result, Savvy Seahorse can control who has access to content and can dynamically update the IP addresses of malicious campaigns,” the researchers wrote.
“This technique of using CNAMEs has enabled the threat actor to evade detection by the security industry; to our knowledge, this is the first report to focus on the use of CNAMEs as a TDS engineered for malicious purposes.”
The research published by Infoblox on Wednesday also sheds light on Savvy Seahorse’s modus operandi, revealing key findings such as their reliance on Facebook ads, frequent IP address changes and short-lived campaign durations – each subdomain is advertised for five to ten days.
“Savvy Seahorse has been operating since August 2021. Although participating domains are sometimes flagged by security tools, the greater infrastructure and actor behind them have gone undetected by the security industry,” reads the report.
Additionally, the threat actor employs wildcard DNS entries to rapidly create independent campaigns, complicating passive DNS analysis.
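The CNAME-based TDS and wildcard subdomains described above leave a recognisable shape in passive DNS: many short-lived subdomains across several apex domains all chained to one CNAME target whose own A record keeps changing. The following detection heuristic is an added illustration, not Infoblox's tooling, and runs over constructed sample records with placeholder names and RFC 5737 addresses (none are indicators from the report); the apex-domain split and the thresholds are simplifying assumptions.

```python
from collections import defaultdict
from datetime import date
from statistics import mean

# Constructed passive-DNS observations (placeholder names and IPs, not real IoCs).
# Fields: name, rrtype, rdata, first_seen, last_seen.
RECORDS = [
    ("ad1.promo-example.test", "CNAME", "tds.hub-example.test", "2024-01-01", "2024-01-07"),
    ("ad2.promo-example.test", "CNAME", "tds.hub-example.test", "2024-01-06", "2024-01-14"),
    ("x9k.other-example.test", "CNAME", "tds.hub-example.test", "2024-01-10", "2024-01-18"),
    ("q2m.third-example.test", "CNAME", "tds.hub-example.test", "2024-01-15", "2024-01-23"),
    ("tds.hub-example.test", "A", "203.0.113.10", "2024-01-01", "2024-01-09"),
    ("tds.hub-example.test", "A", "203.0.113.25", "2024-01-10", "2024-01-18"),
    ("tds.hub-example.test", "A", "198.51.100.7", "2024-01-19", "2024-01-23"),
    ("www.legit-example.test", "CNAME", "cdn.legit-example.test", "2023-01-01", "2024-01-23"),
    ("cdn.legit-example.test", "A", "192.0.2.50", "2023-01-01", "2024-01-23"),
]

def apex(name):
    # Simplification: last two labels as the registrable domain (no public suffix list).
    return ".".join(name.split(".")[-2:])

def days(first, last):
    # Inclusive lifetime of a record in days.
    return (date.fromisoformat(last) - date.fromisoformat(first)).days + 1

def find_cname_tds(records, min_sources=3, max_lifetime_days=14, min_ip_changes=2):
    """Group CNAME sources by their target and flag targets that are fed by several
    short-lived subdomains (wildcard-generated or not) and whose own A record rotates."""
    sources = defaultdict(list)   # CNAME target -> [(source name, lifetime in days)]
    ips = defaultdict(set)        # name -> set of A-record addresses seen
    for name, rrtype, rdata, first, last in records:
        if rrtype == "CNAME":
            sources[rdata].append((name, days(first, last)))
        elif rrtype == "A":
            ips[name].add(rdata)
    findings = {}
    for target, src in sources.items():
        avg_life = mean(d for _, d in src)
        ip_changes = max(len(ips.get(target, ())) - 1, 0)
        if (len(src) >= min_sources and avg_life <= max_lifetime_days
                and ip_changes >= min_ip_changes):
            findings[target] = {"sources": len(src),
                                "apexes": len({apex(n) for n, _ in src}),
                                "avg_lifetime_days": round(avg_life, 1),
                                "ip_changes": ip_changes}
    return findings

if __name__ == "__main__":
    for target, f in find_cname_tds(RECORDS).items():
        print(target, f)
```

The long-lived `www.legit-example.test` chain is not flagged, which is the point of combining subdomain lifetime with target IP churn rather than keying on any single CNAME.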