Infoblox cybersecurity researchers are warning users about a fraudulent scheme launched by a DNS threat actor Savvy Seahorse, which uses Facebook advertisements to trick users into fraudulent investment platforms and transfers deposits to Russian-state-owned banks.
California-based IT automation and security company Infoblox has discovered a relatively new DNS threat actor called “Savvy Seahorse.” According to the company’s report, the actor creates fake investment platforms using popular icons like Tesla, Meta, and Imperial Oil and lures unsuspecting users into depositing funds.
Savvy Seahorse prefers using Facebook ads to trick users into trusting fake investment platforms and transfers deposits to Russian-state-owned banks. Savvy Seahorse employs advanced techniques like fake ChatGPT and WhatsApp bots to lure users into high-return investment scams, which are the costliest category of threat reported to the FBI’s Internet Crime Complaint Center.
ChatGPT and WhatsApp bots engage users through automated responses for high-return investment opportunities. These campaigns target users in various countries, including Russian, Polish, Italian, German, Czech, Turkish, French, Spanish, and English speakers but interestingly users in Ukraine are protected.
Through DNS canonical name (CNAME) records, the actor creates a traffic distribution system (TDS) for conducting sophisticated financial scams, controlling access to content and updating the IP addresses of malicious campaigns. This also helps them evade detection by the security industry. It is worth noting that Savvy Seahorse, active since 2021, is the first publicly reported threat actor abusing DNS CNAME records for sophisticated scam campaigns.
In a blog post, Infoblox researchers have identified several red flags associated with the Savvy Seahorse scam. These include short-lived campaigns (active for only 5-10 days), using a phased deployment system, frequent changes in IP addresses (to complicate/block tracking of malicious infrastructure), and the use of wildcard DNS entries.
These entries entail creating numerous subdomains, potentially confusing passive DNS analysis. These characteristics make it difficult to track and block malicious infrastructure. Victims’ data is sent to a secondary HTTP-based TDS server for validation and geofencing.
Around 4.2k base domains with CNAME records are used by Savvy Seahorse to host campaigns, Infoblox researchers confirmed. The attackers create subdomains for each SLD using a domain generation algorithm, using pseudo-random hostnames. Registration forms are used to gather victim information, and after validating it, they are redirected to the fake trading platform. The actor monitors users to prevent security threats.
The scam poses potential risks to individuals, including financial loss, data theft, and malware infection. Users who invest in the fake platform may lose their funds, while the scammers may steal personal and financial information.
Therefore, consumers must be vigilant when trusting unverified sources for making deposits. Remember that the US cumulatively lost over $4.6 billion in 2023 over investment scams.
RELATED TOPICS
- WhatsApp Pink is malware spreading through group chats
- Thousands of Dark Web Posts Expose ChatGPT Abuse Plans
- China Arrests 4 Who Weaponized ChatGPT for Ransomware Attacks
- Fake Telegram, WhatsApp clones aim at crypto on Android, Windows
- SpyNote Android Spyware Poses as Legit Crypto Wallets, Steals Funds