Savvy Seahorse Utilizes Fake ChatGPT and Facebook Ads in DNS Investment Scam

Infoblox cybersecurity experts have raised a red flag on a deceptive ploy orchestrated by a DNS threat actor known as Savvy Seahorse, cautioning internet users to stay alert. The scheme, as uncovered by the California-based IT automation and security firm, involves the utilization of Facebook advertisements to lure individuals into fake investment platforms and subsequently channel their deposits to Russian state-owned banks.

The perpetrator behind the operation, Savvy Seahorse, strategically crafts counterfeit investment opportunities using renowned icons such as Tesla, Meta, and Imperial Oil to entice unsuspecting victims. With a preference for Facebook ads, Savvy Seahorse employs sophisticated methods like fake ChatGPT and WhatsApp bots to engage individuals in high-yield investment scams. Notably, these scams fall under the most expensive category of threats reported to the FBI’s Internet Crime Complaint Center.

Savvy Seahorse targets Russian-, Polish-, Italian-, German-, Czech-, Turkish-, French-, Spanish-, and English-speaking users across many countries, and operates with intricate precision. Notably, users in Ukraine appear to be excluded from the fraudulent activity orchestrated by this threat actor.

Savvy Seahorse uses DNS canonical name (CNAME) records to build a traffic distribution system (TDS) for its financial fraud. Through this mechanism, the actor can regulate access to content, change the IP addresses behind malicious campaigns without touching the victim-facing domains, and evade detection by the security industry. Savvy Seahorse, operational since 2021, is the first reported instance of a threat actor exploiting DNS CNAME records for sophisticated scam operations.

In a detailed blog post, Infoblox researchers outlined several warning signs associated with the Savvy Seahorse operation. These indicators include short-lived campaigns lasting only 5-10 days, a phased deployment system, frequent changes of IP addresses to thwart tracking, and the use of wildcard DNS entries. Such entries create a multitude of subdomains, complicating passive DNS analysis and impeding the tracking and blocking of the malicious infrastructure.

Savvy Seahorse utilizes approximately 4.2k base domains with CNAME records to host its campaigns, as confirmed by Infoblox researchers. The perpetrators generate subdomains for each Second-Level Domain (SLD) using a domain generation algorithm that incorporates pseudo-random hostnames. Gathering victim information through registration forms, the scammers validate the data before redirecting users to the counterfeit trading platform. Continuous monitoring is conducted to avert security threats and maintain control over the illicit operations.
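As an added illustration (not code from Infoblox or from the article), the following Python sketches how a defender might hunt for a CNAME-based TDS in passive DNS data: many distinct base domains whose machine-generated subdomains all resolve through the same CNAME target. The records, domain names and thresholds are constructed assumptions, not real indicators.

```python
import math
from collections import Counter, defaultdict

# Constructed passive-DNS sample: (hostname, record type, target).
# Domain names are placeholders, not real indicators.
SAMPLE_PDNS = [
    ("q7x2mk.invest-brand-one.example", "CNAME", "tds-hub.example"),
    ("k9pa4d.invest-brand-one.example", "CNAME", "tds-hub.example"),
    ("zw3yq8.invest-brand-one.example", "CNAME", "tds-hub.example"),
    ("b8r1vn.invest-brand-two.example", "CNAME", "tds-hub.example"),
    ("t5nn0c.invest-brand-two.example", "CNAME", "tds-hub.example"),
    ("www.invest-brand-three.example", "CNAME", "tds-hub.example"),
    ("www.legit-shop.example", "CNAME", "cdn.legit-shop.example"),
    ("mail.legit-shop.example", "A", "192.0.2.10"),
]

def shannon_entropy(label):
    """Bits of entropy per character; pseudo-random labels score high."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def sld(host):
    """Second-level domain: the last two labels of the hostname."""
    return ".".join(host.split(".")[-2:])

def find_cname_hubs(records, min_slds=3, min_entropy=2.0):
    """Group CNAME records by target and flag targets that several distinct
    base domains funnel into (a TDS hub), counting random-looking leftmost
    labels as a hint of DGA-generated or wildcard subdomains."""
    by_target = defaultdict(list)
    for host, rtype, target in records:
        if rtype == "CNAME":
            by_target[target].append(host)
    findings = {}
    for target, hosts in by_target.items():
        slds = {sld(h) for h in hosts}
        if len(slds) < min_slds:
            continue
        random_looking = sum(
            1 for h in hosts if shannon_entropy(h.split(".")[0]) >= min_entropy)
        findings[target] = {"base_domains": sorted(slds),
                            "hosts": len(hosts),
                            "random_looking": random_looking}
    return findings

if __name__ == "__main__":
    for target, info in find_cname_hubs(SAMPLE_PDNS).items():
        print(target, info)
```

Against real passive DNS, the interesting hubs are those where the ratio of base domains to CNAME targets is lopsided and the labels churn frequently, which is the pattern the article describes.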

The fraudulent scheme orchestrated by Savvy Seahorse poses severe risks to individuals, including financial losses, data breaches, and exposure to malware. Users who fall victim to the fake platform could stand to lose their investments, while their personal and financial information might be pilfered by the scammers. Hence, it is crucial for consumers to exercise vigilance and discretion when selecting sources for depositing funds, considering the substantial financial losses incurred due to investment scams, which amounted to over $4.6 billion in the United States in 2023.

In light of these alarming developments, internet users are strongly advised to remain cautious and scrutinize investment opportunities thoroughly to safeguard their assets and personal information. Stay informed, stay safe.
