A new DNS threat actor dubbed Savvy Seahorse is leveraging sophisticated techniques to lure targets into fake investment platforms and steal funds.
"Savvy Seahorse is a DNS threat actor who convinces victims to create accounts on fake investment platforms, make deposits to a personal account, and then transfers these deposits to a bank in Russia," Infoblox said in a report published last week.
Targets of the campaigns include Russian, Polish, Italian, German, Czech, Turkish, French, Spanish, and English speakers, indicating that the threat actors are casting a wide net in their attacks.
Users are lured via ads on social media platforms like Facebook and are also tricked into parting with their personal information in return for alleged high-return investment opportunities through fake ChatGPT and WhatsApp bots.
The financial scam campaigns are notable for using DNS canonical name (CNAME) records to create a traffic distribution system (TDS), thereby allowing the threat actors to evade detection since at least August 2021.
A CNAME record is used to map a domain or subdomain to another domain (i.e., an alias) instead of pointing to an IP address. One advantage of this approach is that when the IP address of the host changes, only the DNS A record for the root domain needs to be updated.
Savvy Seahorse leverages this technique to its advantage by registering several short-lived subdomains that share a CNAME record (and thus an IP address). These specific subdomains are created using a domain generation algorithm (DGA) and are associated with the primary campaign domain.
The ever-changing nature of the domains and IP addresses also makes the infrastructure resistant to takedown efforts, allowing the threat actors to continuously create new domains or change their CNAME records to a different IP address as their phishing sites are disrupted.
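The CNAME-based TDS pattern described above leaves a recognisable footprint in passive DNS data: one CNAME target that collects many short-lived, random-looking aliases while its own A record stays stable. The following hunting logic is an added example, not code from Infoblox or the report; the observations, names and address are constructed placeholders, and the thresholds (three aliases, seven-day lifetime, 2.5 bits of label entropy) are assumptions.

```python
import math
from collections import defaultdict
from datetime import datetime

# Constructed passive-DNS style observations: (first_seen, last_seen, name, rrtype, rdata).
# Every name and address here is a made-up placeholder, not an indicator from the report.
OBSERVATIONS = [
    ("2024-01-03", "2024-01-05", "x7k2q9.campaign-example.test", "CNAME", "lander.campaign-example.test"),
    ("2024-01-04", "2024-01-06", "p3m8z1.campaign-example.test", "CNAME", "lander.campaign-example.test"),
    ("2024-01-06", "2024-01-08", "v0r4t6.campaign-example.test", "CNAME", "lander.campaign-example.test"),
    ("2024-01-07", "2024-01-09", "b9n1w5.campaign-example.test", "CNAME", "lander.campaign-example.test"),
    ("2023-06-01", "2024-02-01", "www.shop-example.test", "CNAME", "shop-example.test"),
    ("2023-06-01", "2024-02-01", "blog.shop-example.test", "CNAME", "shop-example.test"),
    ("2024-01-03", "2024-02-01", "lander.campaign-example.test", "A", "192.0.2.10"),
]

def label_entropy(label: str) -> float:
    """Shannon entropy in bits per character of one DNS label; DGA-style labels score high."""
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def lifetime_days(first_seen: str, last_seen: str) -> int:
    """Days between first and last observation of a record (ISO dates)."""
    fmt = "%Y-%m-%d"
    return (datetime.strptime(last_seen, fmt) - datetime.strptime(first_seen, fmt)).days

def find_cname_tds_targets(observations, min_aliases=3, max_lifetime_days=7, min_entropy=2.5):
    """Return CNAME targets that look like TDS hubs: many short-lived, high-entropy aliases."""
    aliases = defaultdict(list)
    for first, last, name, rrtype, rdata in observations:
        if rrtype != "CNAME":
            continue
        leftmost = name.split(".")[0]  # the DGA-generated part sits in the leftmost label
        if lifetime_days(first, last) <= max_lifetime_days and label_entropy(leftmost) >= min_entropy:
            aliases[rdata].append(name)
    return {target: sorted(names) for target, names in aliases.items() if len(names) >= min_aliases}

def shared_address(observations, target: str):
    """A records of the hub: the single address all the aliases ultimately resolve to."""
    return sorted({rdata for _, _, name, rrtype, rdata in observations if name == target and rrtype == "A"})

if __name__ == "__main__":
    for hub, names in find_cname_tds_targets(OBSERVATIONS).items():
        print(hub, shared_address(OBSERVATIONS, hub), len(names), "aliases")
```

Only the hub and its stable A record need to be blocked or sinkholed; blocking individual aliases is futile because the DGA can mint new ones faster than they can be listed.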
While threat actors like VexTrio have used DNS as a TDS, the discovery marks the first time CNAME records have been used for such purposes.
Victims who end up clicking the links embedded in Facebook ads are urged to provide their names, email addresses, and phone numbers, after which they are redirected to the bogus trading platform to add funds to their wallets.
"An important detail to note is the actor validates the user's information to exclude traffic from a predefined list of countries, including Ukraine, India, Fiji, Tonga, Zambia, Afghanistan, and Moldova, although their reasoning for choosing these specific countries is unclear," Infoblox noted.
The development comes as Guardio Labs revealed that hundreds of domains belonging to legitimate brands and institutions have been hijacked using a technique called CNAME takeover to propagate spam campaigns.