Friday, November 22, 2024

Cybercriminals Using Novel DNS Hijacking Approach for Investment Scams

Mar 05, 2024 | Newsroom | Cybercrime / Malware


A new DNS threat actor dubbed Savvy Seahorse is using sophisticated techniques to lure targets into fake investment platforms and steal funds.

“Savvy Seahorse is a DNS threat actor who convinces victims to create accounts on fake investment platforms, make deposits to a personal account, and then transfers those deposits to a bank in Russia,” Infoblox said in a report published last week.

Targets of the campaigns include Russian, Polish, Italian, German, Czech, Turkish, French, Spanish, and English speakers, indicating that the threat actors are casting a wide net in their attacks.

Users are lured via ads on social media platforms like Facebook, and are also tricked into parting with their personal information in return for alleged high-return investment opportunities through fake ChatGPT and WhatsApp bots.


The financial scam campaigns are notable for using DNS canonical name (CNAME) records to create a traffic distribution system (TDS), thereby allowing the threat actors to evade detection since at least August 2021.

A CNAME record maps a domain or subdomain to another domain (i.e., an alias) instead of pointing to an IP address. One advantage of this approach is that when the IP address of the host changes, only the DNS A record for the root domain needs to be updated.

Savvy Seahorse turns this mechanism to its advantage by registering multiple short-lived subdomains that share a single CNAME record (and thus a single IP address). These subdomains are generated using a domain generation algorithm (DGA) and are associated with the primary campaign domain.

The ever-changing nature of the domains and IP addresses also makes the infrastructure resilient to takedown efforts, allowing the threat actors to continuously create new domains or change their CNAME records to a different IP address as their phishing sites are disrupted.

While threat actors like VexTrio have used DNS as a TDS, the discovery marks the first time CNAME records have been used for such purposes.
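The pattern just described, many short-lived DGA-style subdomains aliased to one CNAME target, is something a defender can look for in passive DNS. The following script is an added example (not code from the article or from Infoblox): it follows CNAME chains to their terminal host, groups alias names by that host, and flags clusters whose first labels look machine-generated. The domain names, IPs and thresholds are constructed sample values, not indicators from the campaign.

```python
# Added example: cluster passive-DNS records by shared CNAME target.
# Domains, IPs and thresholds below are constructed for illustration.
import math
from collections import defaultdict

# Constructed passive-DNS rows: (query name, record type, record data)
SAMPLE_RECORDS = [
    ("x7k2p9qa.example-campaign.test", "CNAME", "landing.example-campaign.test"),
    ("b3m8zq1r.example-campaign.test", "CNAME", "landing.example-campaign.test"),
    ("q9v4hd2s.example-campaign.test", "CNAME", "landing.example-campaign.test"),
    ("landing.example-campaign.test", "A", "192.0.2.10"),
    ("www.legit-shop.test", "CNAME", "cdn.legit-shop.test"),
    ("cdn.legit-shop.test", "A", "198.51.100.5"),
]


def shannon_entropy(label):
    """Bits of entropy per character; random DGA labels score high."""
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def resolve_chain(name, cname_map, max_hops=8):
    """Follow CNAME aliases until a name that has no CNAME (the terminal host)."""
    seen = set()
    while name in cname_map and name not in seen and len(seen) < max_hops:
        seen.add(name)
        name = cname_map[name]
    return name


def cluster_by_cname_target(records, min_aliases=3, min_entropy=2.5):
    """Return terminal hosts fronted by >= min_aliases DGA-looking aliases."""
    cname_map = {q: r for q, t, r in records if t == "CNAME"}
    a_map = {q: r for q, t, r in records if t == "A"}
    clusters = defaultdict(list)
    for qname in cname_map:
        clusters[resolve_chain(qname, cname_map)].append(qname)
    flagged = {}
    for target, names in clusters.items():
        # Judge only the leftmost label, where the DGA output lives.
        dga_like = [n for n in names if shannon_entropy(n.split(".")[0]) >= min_entropy]
        if len(dga_like) >= min_aliases:
            flagged[target] = {"ip": a_map.get(target), "aliases": sorted(dga_like)}
    return flagged


if __name__ == "__main__":
    for host, info in cluster_by_cname_target(SAMPLE_RECORDS).items():
        print(host, info["ip"], len(info["aliases"]), "aliases")
```

On real passive-DNS data, add first-seen/last-seen timestamps to the rows and also require the alias lifetimes to be short, which is the other half of the pattern the report describes.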


Victims who end up clicking the links embedded in the Facebook ads are asked to provide their names, email addresses, and phone numbers, after which they are redirected to the bogus trading platform to add funds to their wallets.

“An important detail to note is that the actor validates the user's information to exclude traffic from a predefined list of countries, including Ukraine, India, Fiji, Tonga, Zambia, Afghanistan, and Moldova, though their reasoning for choosing these specific countries is unclear,” Infoblox noted.

The development comes as Guardio Labs revealed that thousands of domains belonging to legitimate brands and institutions have been hijacked using a technique called CNAME takeover to propagate spam campaigns.
