A recently identified DNS threat actor known as Savvy Seahorse is employing advanced tactics to lure victims into fraudulent investment platforms and pilfer their funds.
According to a report released last week by Infoblox, Savvy Seahorse, a DNS threat actor, persuades individuals to create accounts on counterfeit investment platforms and deposit funds into a personal account, after which those funds are transferred to a bank in Russia.
The targets of these campaigns encompass individuals who speak Russian, Polish, Italian, German, Czech, Turkish, French, Spanish, and English, suggesting that the threat actors are extending their reach widely in their assaults.
Users are enticed through advertisements on social media platforms such as Facebook, simultaneously being deceived into divulging their personal information in exchange for purported high-return investment prospects via counterfeit ChatGPT and WhatsApp bots.
Since at least August 2021, the financial scam campaigns have garnered attention for their utilization of DNS canonical name (CNAME) records to establish a traffic distribution system (TDS), enabling threat actors to circumvent detection.
A CNAME record is employed to link a domain or subdomain to another domain (i.e., an alias) rather than directing to an IP address. One benefit of this method is that only the DNS A record for the root domain needs updating when the IP address of the host changes.
Savvy Seahorse capitalizes on this technique by enrolling numerous short-lived subdomains that share a CNAME record (and consequently an IP address). These specific subdomains are generated using a domain generation algorithm (DGA) and are linked to the primary campaign domain.
The dynamic and fluid character of the domains and IP addresses renders the infrastructure highly resilient to takedown endeavors, enabling the threat actors to consistently establish new domains or modify their CNAME records to redirect to different IP addresses when their phishing sites are disrupted.
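One defensive way to surface this pattern in passive DNS data is to group query names by the CNAME target they alias to and flag targets that collect many short-lived subdomains from several different base domains. The following is an added example, not code from Infoblox or from the report; the records and domain names are constructed placeholders, and the registrable-domain heuristic (last two labels) is an assumption made to keep the script offline.

```python
from collections import defaultdict
from datetime import datetime

# Constructed passive-DNS style records: (query name, type, answer, first_seen, last_seen).
# All names below are made-up placeholders under the reserved .example TLD, not real indicators.
RECORDS = [
    ("k3x9q.lure-one.example", "CNAME", "prx1.tds-hub.example", "2024-01-02", "2024-01-03"),
    ("m7vz2.lure-two.example", "CNAME", "prx1.tds-hub.example", "2024-01-03", "2024-01-04"),
    ("p0rt5.lure-three.example", "CNAME", "prx1.tds-hub.example", "2024-01-04", "2024-01-05"),
    ("z8yq1.lure-one.example", "CNAME", "prx1.tds-hub.example", "2024-01-05", "2024-01-06"),
    ("www.corp-site.example", "CNAME", "cdn.provider.example", "2022-05-01", "2024-01-06"),
    ("blog.corp-site.example", "CNAME", "cdn.provider.example", "2021-03-10", "2024-01-06"),
    ("prx1.tds-hub.example", "A", "198.51.100.7", "2023-12-30", "2024-01-06"),
]

def registered_domain(name):
    # Assumption: the last two labels are the registrable domain (no public-suffix list offline).
    return ".".join(name.split(".")[-2:])

def lifetime_days(first_seen, last_seen):
    fmt = "%Y-%m-%d"
    return (datetime.strptime(last_seen, fmt) - datetime.strptime(first_seen, fmt)).days

def find_cname_hubs(records, min_aliases=3, min_base_domains=2, max_lifetime_days=7):
    """Return CNAME targets that many short-lived subdomains, spread over several
    base domains, all alias to, together with the IP the target itself resolves to."""
    by_target = defaultdict(list)
    a_records = {}
    for qname, rtype, rdata, first, last in records:
        if rtype == "CNAME":
            by_target[rdata].append((qname, lifetime_days(first, last)))
        elif rtype == "A":
            a_records[qname] = rdata
    hubs = {}
    for target, aliases in by_target.items():
        # Long-lived aliases (a CDN fronting a corporate site) are not the pattern of interest.
        short_lived = [q for q, days in aliases if days <= max_lifetime_days]
        bases = {registered_domain(q) for q in short_lived}
        if len(short_lived) >= min_aliases and len(bases) >= min_base_domains:
            hubs[target] = {
                "aliases": sorted(short_lived),
                "base_domains": sorted(bases),
                "ip": a_records.get(target),
            }
    return hubs
```

A hit only means that several throwaway subdomains converge on one CNAME target; it is a triage signal to enrich with registration dates and hosting data, not a verdict on its own.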
While threat actors such as VexTrio have employed DNS as a Traffic Distribution System (TDS), this discovery marks the first known instance of CNAME records being used for that purpose.
Victims who click on links within Facebook ads are prompted to provide their names, email addresses, and phone numbers. They are then redirected to a fraudulent trading platform to deposit funds into their accounts.
Infoblox pointed out that the threat actor verifies the user’s information to filter out traffic from certain countries, including Ukraine, India, Fiji, Tonga, Zambia, Afghanistan, and Moldova. However, their rationale for targeting these specific countries remains unclear.
Meanwhile, Guardio Labs disclosed that thousands of domains owned by reputable brands and institutions have been hijacked through a method known as CNAME takeover, which is being used to spread spam campaigns.
Indicators of Compromise