A new DNS threat actor dubbed Savvy Seahorse is leveraging sophisticated techniques to lure targets into fake investment platforms and steal funds.
“Savvy Seahorse is a DNS threat actor who convinces victims to create accounts on fake investment platforms, make deposits to a personal account, and then transfers those deposits to a bank in Russia,” Infoblox said in a report published last week.
Targets of the campaigns include Russian, Polish, Italian, German, Czech, Turkish, French, Spanish, and English speakers, indicating that the threat actors are casting a wide net in their attacks.
Users are lured via ads on social media platforms like Facebook, and are also tricked into parting with their personal information in return for alleged high-return investment opportunities through fake ChatGPT and WhatsApp bots.
The financial scam campaigns are notable for using DNS canonical name (CNAME) records to create a traffic distribution system (TDS), thereby allowing the threat actors to evade detection since at least August 2021.
A CNAME record is used to map a domain or subdomain to another domain (i.e., an alias) instead of pointing to an IP address. One advantage of this approach is that when the IP address of the host changes, only the DNS A record for the root domain needs to be updated.
Savvy Seahorse leverages this technique to its advantage by registering several short-lived subdomains that share a CNAME record (and thus an IP address). These subdomains are created using a domain generation algorithm (DGA) and are associated with the primary campaign domain.
The ever-changing nature of the domains and IP addresses also makes the infrastructure resistant to takedown efforts, allowing the threat actors to continuously create new domains or alter their CNAME records to a different IP address as their phishing sites are disrupted.
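The pattern described above (many short-lived, DGA-generated subdomains aliased to one shared CNAME target) can be hunted for in passive DNS data. The following is an added detection example written for this article, not code from Infoblox; the record format, domain names and thresholds are constructed assumptions.

```python
import math
from collections import defaultdict

# Constructed passive-DNS style records: (query name, record type, answer).
# These are invented sample values, not indicators from the Infoblox report.
SAMPLE_RECORDS = [
    ("k8f2q1zd.invest-example.test", "CNAME", "track.cname-hub.test"),
    ("p0x7m3rv.invest-example.test", "CNAME", "track.cname-hub.test"),
    ("zq4w9b1n.invest-example.test", "CNAME", "track.cname-hub.test"),
    ("a1c5t8ye.invest-example.test", "CNAME", "track.cname-hub.test"),
    ("track.cname-hub.test", "A", "192.0.2.10"),
    ("www.shop-example.test", "CNAME", "shop-example.cdn-example.test"),
    ("mail.shop-example.test", "A", "192.0.2.20"),
]


def label_entropy(label: str) -> float:
    """Shannon entropy (bits per character) of one DNS label.
    Random-looking DGA labels score high; words like 'www' score low."""
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_cname_tds(records, min_subdomains=3, min_entropy=2.5):
    """Group CNAME answers by their target and flag any target that is
    aliased by many high-entropy (DGA-looking) subdomains.
    Returns {cname_target: sorted list of aliasing subdomains}."""
    by_target = defaultdict(set)
    for qname, rtype, rdata in records:
        if rtype == "CNAME":
            by_target[rdata].add(qname)
    flagged = {}
    for target, names in by_target.items():
        if len(names) < min_subdomains:
            continue
        # The leftmost label is where the generated part of the name lives.
        avg_entropy = sum(label_entropy(n.split(".")[0]) for n in names) / len(names)
        if avg_entropy >= min_entropy:
            flagged[target] = sorted(names)
    return flagged


if __name__ == "__main__":
    for target, names in find_cname_tds(SAMPLE_RECORDS).items():
        print(f"{target}: {len(names)} DGA-like subdomains share this CNAME")
```

Because the shared target (and behind it a single A record) is the stable part of the infrastructure, blocking or sinkholing at the CNAME target level is more durable than chasing each generated subdomain.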
While threat actors like VexTrio have used DNS as a TDS, the discovery marks the first time CNAME records have been used for such purposes.
Victims who end up clicking the links embedded in Facebook ads are urged to provide their names, email addresses, and phone numbers, after which they are redirected to the bogus trading platform to add funds to their wallets.
“An important detail to note is the actor validates the user’s information to exclude traffic from a predefined list of countries, including Ukraine, India, Fiji, Tonga, Zambia, Afghanistan, and Moldova, although their reasoning for choosing these specific countries is unclear,” Infoblox noted.
The development comes as Guardio Labs revealed that thousands of domains belonging to legitimate brands and institutions have been hijacked using a technique called CNAME takeover to propagate spam campaigns.