A newly uncovered threat actor is running an investment scam behind a traffic distribution system (TDS) built on the Domain Name System (DNS), which lets it rotate its malicious domains constantly and makes them resistant to takedowns. Known as "Savvy Seahorse," the group impersonates well-known brands such as Meta and Tesla and lures victims through Facebook ads in nine languages into creating accounts on a fraudulent investing platform. Once victims deposit funds, the money is routed to an account at a Russian state-owned bank, presumably controlled by the attacker.
Scams of this kind are common: US consumers reported losing $4.6 billion to investment scams in 2023 alone, according to the Federal Trade Commission (FTC). That makes investment fraud the most lucrative category of scam, accounting for almost half of the roughly $10 billion in total reported losses across all scam types. What sets Savvy Seahorse apart is the infrastructure behind the operation.
As described in a recent Infoblox report, Savvy Seahorse runs a TDS spanning thousands of domains that come and go. The element holding the system together is the Canonical Name (CNAME) record, an ordinary DNS feature that lets the TDS keep cycling through new and discarded domains without changing the core of the campaign: each throw-away lure domain is simply an alias for a base domain the actor controls.
According to Renée Burton, head of threat intelligence at Infoblox, the conventional understanding of a TDS is limited to the HTTP realm, where connections are fingerprinted to decide whether to redirect a visitor to malicious or fraudulent content. But there is a whole class of traffic distribution systems that operate within DNS, outside of HTTP.
Savvy Seahorse has been active since at least August 2021, and it is not the only actor to distribute traffic through DNS, but that technique is what sets it apart from other groups running similar scams. By using CNAME records, the actor can scale and relocate its operation quickly, which makes it both resilient to takedowns and hard to track.
CNAME records let Savvy Seahorse mirror its content across many domains, so it can move on quickly when one of its phishing sites is shut down. The same flexibility extends to hosting: because every lure domain is an alias, redirecting traffic to a different IP address only requires changing the address record of the name the aliases point at, not the thousands of lure domains themselves. This adaptability makes the operation hard for defenders to track and dismantle.
Unlike many threat actors, who register all their domains through a single registrar and host them with a single ISP, Savvy Seahorse spreads its operation across multiple registrars and ISPs. Its reliance on a single base domain as the CNAME target is a weakness defenders can use, though: block resolution of that base domain and every lure domain aliased to it stops working at once.
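The following is an added example written for this article, not tooling from Infoblox or code tied to the actual campaign. It works through the two points above on a constructed DNS snapshot: a handful of lure domains that all CNAME (directly or via one hop) to one base name, an unrelated domain, and a CNAME loop as a negative case. It chases the CNAME chains, clusters the domains by the name they converge on, shows that repointing only the base name relocates every lure domain, and emits a Response Policy Zone (RPZ) rule for the base zone. The simulated resolver checks the block rule against every name it meets while chasing the chain, mirroring RPZ's QNAME trigger, which also matches the owner names of CNAMEs in the answer. All names are invented under the reserved .example TLD and the addresses are RFC 5737 documentation ranges; the two-label apex guess in `base_zone` is a deliberate simplification (real tooling should consult the Public Suffix List).

```python
"""Added example (not Infoblox's tooling): follow CNAME chains in a
constructed DNS snapshot, cluster campaign domains by the base name they
converge on, and show why one RPZ rule on that base covers all of them.
All names are invented (.example is reserved); addresses are RFC 5737 ranges."""

from collections import defaultdict

# Constructed resolver snapshot: owner name -> (rrtype, rdata).  Three lure
# domains alias a single base name, one directly and one through an extra hop;
# an unrelated domain and a CNAME loop are included as negative cases.
SNAPSHOT = {
    "invest-meta-offer.example":   ("CNAME", "track.campaign-base.example"),
    "tesla-profit-now.example":    ("CNAME", "track.campaign-base.example"),
    "ai-trading-signup.example":   ("CNAME", "b.campaign-base.example"),
    "b.campaign-base.example":     ("CNAME", "track.campaign-base.example"),
    "track.campaign-base.example": ("A", "203.0.113.10"),
    "unrelated-shop.example":      ("A", "198.51.100.7"),
    "loop-a.example":              ("CNAME", "loop-b.example"),
    "loop-b.example":              ("CNAME", "loop-a.example"),
}

MAX_CHAIN = 8  # resolvers cap CNAME chasing; this also defeats the loop above


def resolve(name, snapshot=SNAPSHOT):
    """Chase CNAMEs. Returns (terminal_name, ip_or_None, chain_of_names)."""
    chain = [name]
    current = name
    for _ in range(MAX_CHAIN):
        rr = snapshot.get(current)
        if rr is None:                     # dangling CNAME / NXDOMAIN
            return current, None, chain
        rrtype, rdata = rr
        if rrtype == "A":
            return current, rdata, chain
        if rdata in chain:                 # CNAME loop
            return current, None, chain
        chain.append(rdata)
        current = rdata
    return current, None, chain            # chain too long


def cluster_by_terminal(domains, snapshot=SNAPSHOT):
    """Group names that reach an address through at least one CNAME by the
    terminal name of their chain; shared terminals expose the campaign base."""
    clusters = defaultdict(list)
    for d in sorted(domains):
        terminal, ip, chain = resolve(d, snapshot)
        if ip is not None and len(chain) > 1:
            clusters[terminal].append(d)
    return dict(clusters)


def base_zone(name, labels=2):
    """Crude apex guess (last N labels); real tooling should use the Public Suffix List."""
    return ".".join(name.split(".")[-labels:])


def rpz_rules(zone):
    """RPZ QNAME rules forcing NXDOMAIN for the zone apex and everything below it."""
    return [f"{zone} CNAME .", f"*.{zone} CNAME ."]


def blocked_by_rpz(name, zone, snapshot=SNAPSHOT):
    """Simulate a resolver that checks the RPZ rule against every name it
    encounters while chasing the CNAME chain, not only the original query."""
    _, _, chain = resolve(name, snapshot)
    return any(n == zone or n.endswith("." + zone) for n in chain)


def relocate(snapshot, terminal, new_ip):
    """The attacker's move: repoint only the base name; every lure domain follows."""
    updated = dict(snapshot)
    updated[terminal] = ("A", new_ip)
    return updated


if __name__ == "__main__":
    for terminal, members in cluster_by_terminal(SNAPSHOT).items():
        zone = base_zone(terminal)
        print(f"{len(members)} domains converge on {terminal} -> block {zone}")
        print("  RPZ:", "; ".join(rpz_rules(zone)))
        for m in members:
            print(f"  {m}: blocked={blocked_by_rpz(m, zone)}")
    moved = relocate(SNAPSHOT, "track.campaign-base.example", "203.0.113.99")
    print("after relocation:", resolve("tesla-profit-now.example", moved)[1])
```

Run as a script, the example prints the four names that converge on `track.campaign-base.example`, the two RPZ lines that block `campaign-base.example`, and shows that after the base name is repointed the lure domain resolves to the new address even though its own CNAME record never changed. In practice the clustering step is run over passive DNS or resolver logs rather than a hand-built snapshot, and a registrable-domain library replaces the two-label guess.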
Attackers could build out such a network with many different CNAME targets, but in practice they tend to consolidate on a small set, likely to evade detection. That consolidation is exactly the point defenders should aim at to disrupt the actor's infrastructure.
In conclusion, Savvy Seahorse's use of CNAME records to build a DNS-based traffic distribution system presents a new challenge for defenders fighting investment scams. Understanding the technique, and the single point of failure it carries, lets security teams cut off whole campaigns rather than chasing individual domains, and so better protect consumers from these schemes.
